Malware Removal: Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs.
#1
IE shutting down
I seem to have picked up something that is causing my browser which is IE to generate an error message and then it shuts down...
Here is my hijack this log...

Logfile of HijackThis v1.99.1
Scan saved at 6:25:52 PM, on 12/19/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\winnt\system32\nvsvc32.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\winnt\system32\stisvc.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\winnt\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\winnt\Explorer.EXE
C:\winnt\system32\wuauclt.exe
C:\winnt\System32\svchost.exe
C:\Program Files\PAL SPYREM\spyrem.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\northernrambler2\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\winnt\system32\Userinit.exe
O2 - BHO: SPlugin Class - {25A9EBDD-C786-418c-BD29-D2564A6161AD} - C:\winnt\BANNER~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\winnt\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/u...4/sdcregie.cab
O16 - DPF: {1E1B286C-88FF-11D2-8D96-D7ACAC95951F} - http://66.194.67.102/banner/latest/bannerads.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1124672640723
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124673215672
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/40...2/cpbrkpie.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
O16 - DPF: {CEDDF50D-9FA7-41A8-BCD0-6350D1ED2306} (SecurityManager Class) - https://care.alltel.com/lwp/static/i...ller_3-0-0.cab
O16 - DPF: {EFD3EA56-234D-4240-90EA-CC9FA3AF5A01} (ConnectivityTester Class) - https://care.alltel.com/lwp/static/i...ELControls.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\winnt\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\winnt\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\winnt\system32\HPZipm12.exe
O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\ALLTEL~1\SMARTB~1\SBHookSvc.exe
#2
SmitFraudFix v2.120
Scan done at 18:38:42.04, Tue 12/19/2006
Run from C:\Documents and Settings\northernrambler2\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\winnt
»»»»»»»»»»»»»»»»»»»»»»»» C:\winnt\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\winnt\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\winnt\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\winnt\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\northernrambler2
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\northernrambler2\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\NORTHE~1\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
HKLM\SOFTWARE\SHUDDERLTD FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
#3
Howdy breezie,

Looks like you have downloaded some bogus software, and from the request history here this doesn't appear to be the first time. See here for info on SpyRemover, which is of the same ilk as that SpyRem software running there. Let's see about removal and repairs now.

If you haven't already tried, go to Start – Settings – Control Panel. Click on Add/Remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on Remove. Then close the Control Panel.

PAL SPYREM

Then make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types".

Do a search (Start - Search/Find - Files or Folders) for the following highlighted files/folders (shown in Bold), and if found, delete them.

C:\Program Files\PAL SPYREM (the entire folder)

Go Here and download ATF Cleaner. Click on the downloaded file to run it, and select "Select All", then click Empty Selected (and close ATF). If you have them, also click on Firefox/Opera at the top and repeat the steps (and close ATF). Firefox/Opera will need to be closed first for the cleaning to be effective.

Then reboot, and disable your antivirus program and go here and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and grab a coffee. When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All. Then copy/paste that log back here.

Next download combofix.exe. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "Y" (and Enter) to start the fix. When the scan completes it will open a text window. Please copy/paste that log back here. A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

And Go Here and download Silent Runners to your desktop. Run it, and post back here the log it creates. If your AV queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify when the scan is complete.

Copy the log from the Startup Programs file back here, along with the BitDefender log, the ComboFix log and a new HijackThis scan please. You can use separate posts here if needed.
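The HijackThis log in the first post is a line-oriented format (section code, " - ", then the launch point and the file or URL it loads), which makes it easy to parse and sort before a helper reads it by hand. The parser and triage below are an added example, not part of this thread and not HijackThis's own code: the sample lines are copied from the first post's log, and the three triage rules (an O16 ActiveX .cab fetched from a bare IP address, an O2/O3 add-on DLL sitting directly in the Windows directory, and a launch point HijackThis marks "(file missing)") are this example's own illustrative heuristics, not HijackThis's classification.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Sample entries copied from the HijackThis log in the first post of this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SPlugin Class - {25A9EBDD-C786-418c-BD29-D2564A6161AD} - C:\winnt\BANNER~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\winnt\system32\NvCpl.dll,NvStartup
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O16 - DPF: {1E1B286C-88FF-11D2-8D96-D7ACAC95951F} - http://66.194.67.102/banner/latest/bannerads.cab
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# Every HijackThis entry starts with a section code (R0, F2, O2, O16, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_hjt(text):
    """Split a HijackThis log into dicts: section, body, CLSID (if any) and the
    file path / URL / command the entry actually loads ("target")."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, the process list, blank lines
        section, body = m.group("section"), m.group("body")
        if section == "O4":
            # O4 - HKLM\..\Run: [Name] command line
            target = body.split("] ", 1)[1] if "] " in body else body
        else:
            # For the other entry types the loaded file or URL follows the last " - "
            target = body.rsplit(" - ", 1)[-1]
        clsid = CLSID_RE.search(body)
        entries.append({
            "section": section,
            "body": body,
            "clsid": clsid.group(0) if clsid else None,
            "target": target,
        })
    return entries


def triage(entries):
    """Illustrative heuristics (this example's own, not HijackThis's) that pick out
    the entries a helper would look at first. Returns a list of (entry body, reason)."""
    findings = []
    for e in entries:
        section, target = e["section"], e["target"]
        if section == "O16":
            # O16 = ActiveX control downloaded on demand (DPF). A bare IP address
            # instead of a vendor hostname is worth a second look.
            host = urlparse(target).hostname or ""
            try:
                ip_address(host)
            except ValueError:
                continue  # ordinary hostname, nothing to flag here
            findings.append((e["body"], "ActiveX .cab downloaded from a bare IP address"))
        elif section in ("O2", "O3"):
            # Browser helper objects / toolbars: a DLL dropped directly into the
            # Windows directory (no vendor subfolder) is unusual for legitimate add-ons.
            parts = target.lower().split("\\")
            if len(parts) == 3 and parts[1] in ("winnt", "windows"):
                findings.append((e["body"], "browser add-on DLL sits directly in the Windows directory"))
        elif "(file missing)" in target:
            # HijackThis already marks launch points whose file is gone; they are
            # leftovers worth cleaning up.
            findings.append((e["body"], "launch point references a file that no longer exists"))
    return findings


if __name__ == "__main__":
    for body, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{reason}:\n    {body}")
```

Run against the sample it reports the SPlugin BHO in C:\winnt, the stale AIM button and the bannerads.cab fetched from 66.194.67.102, and stays quiet on the Google Toolbar, Fotki and AVG entries; the heuristics only order a human's reading of the log, they do not decide what is malicious.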
#4
BitDefender Online Scanner
Scan report generated at: Fri, Dec 22, 2006 - 14:24:15
Scan path: A:\;C:\;D:\;

Statistics
Time 01:20:57
Files 239410
Folders 3229
Boot Sectors 2
Archives 2868
Packed Files 29347

Results
Identified Viruses 7
Infected Files 13
Suspect Files 0
Warnings 0
Disinfected 0
Deleted Files 13

Engines Info
Virus Definitions 355745
Engine build AVCORE v1.0 (build 2371) (i386) (Dec 13 2006 11:16:42)
Scan plugins 14
Archive plugins 38
Unpack plugins 6
E-mail plugins 6
System plugins 1

Scan Settings
First Action Disinfect
Second Action Delete
Heuristics Yes
Enable Warnings Yes
Scanned Extensions *;
Exclude Extensions
Scan Emails Yes
Scan Archives Yes
Scan Packed Yes
Scan Files Yes
Scan Boot Yes

Scanned File - Status
C:\Documents and Settings\northernrambler2\My Documents\clipartfree.exe=>wise0047 - Detected with: Application.Adware.NewDotNet.B.Dropper
C:\Documents and Settings\northernrambler2\My Documents\clipartfree.exe=>wise0047 - Deleted
C:\Documents and Settings\northernrambler2\My Documents\clipartfree.exe - Update failed
C:\Documents and Settings\northernrambler2\Recent\clipartfree.lnk=>C:\Documents and Settings\northernrambler2\My Documents\clipartfree.exe=>wise0047 - Detected with: Application.Adware.NewDotNet.B.Dropper
C:\Documents and Settings\northernrambler2\Recent\clipartfree.lnk=>C:\Documents and Settings\northernrambler2\My Documents\clipartfree.exe=>wise0047 - Deleted
C:\Documents and Settings\northernrambler2\Recent\clipartfree.lnk=>C:\Documents and Settings\northernrambler2\My Documents\clipartfree.exe - Update failed
C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy=>(Embedded EXE g) - Infected with: Trojan.Puper.X
C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy=>(Embedded EXE g) - Disinfection failed
C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy=>(Embedded EXE g) - Deleted
C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy - Update failed
C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy=>(Embedded EXE 2g) - Infected with: Trojan.Puper.X
C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy=>(Embedded EXE 2g) - Disinfection failed
C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy=>(Embedded EXE 2g) - Deleted
C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy - Update failed
C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy=>(Embedded EXE 4g) - Infected with: Dropped:Trojan.Puper.W
C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy=>(Embedded EXE 4g) - Disinfection failed
C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy=>(Embedded EXE 4g) - Deleted
C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy - Update failed
C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy=>(Embedded EXE 5g) - Infected with: Trojan.Puper.W
C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy=>(Embedded EXE 5g) - Disinfection failed
C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy=>(Embedded EXE 5g) - Deleted
C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy - Update failed
C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy=>(Embedded EXE 6g) - Infected with: Trojan.Puper.X
C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy=>(Embedded EXE 6g) - Disinfection failed
C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy=>(Embedded EXE 6g) - Deleted
C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy - Update failed
C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-26-54.xpy=>(Embedded EXE g) - Infected with: Trojan.Fakealert.J
C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-26-54.xpy=>(Embedded EXE g) - Disinfection failed
C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-26-54.xpy=>(Embedded EXE g) - Deleted
C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-26-54.xpy - Update failed
C:\Program Files\XoftSpy\Quarantine\Quarantine21-08-2005-14-10-50.xpy=>(Embedded EXE g) - Infected with: Trojan.Agent.FF
C:\Program Files\XoftSpy\Quarantine\Quarantine21-08-2005-14-10-50.xpy=>(Embedded EXE g) - Deleted
C:\Program Files\XoftSpy\Quarantine\Quarantine21-08-2005-14-10-50.xpy - Update failed
C:\Program Files\XoftSpy\Quarantine\Quarantine21-08-2005-17-36-51.xpy=>(Embedded EXE g) - Infected with: Trojan.Agent.FF
C:\Program Files\XoftSpy\Quarantine\Quarantine21-08-2005-17-36-51.xpy=>(Embedded EXE g) - Deleted
C:\Program Files\XoftSpy\Quarantine\Quarantine21-08-2005-17-36-51.xpy - Update failed
C:\Program Files\XoftSpy\Quarantine\Quarantine21-08-2005-17-36-51.xpy=>(Embedded EXE 2g) - Infected with: Trojan.Agent.FF
C:\Program Files\XoftSpy\Quarantine\Quarantine21-08-2005-17-36-51.xpy=>(Embedded EXE 2g) - Deleted
C:\Program Files\XoftSpy\Quarantine\Quarantine21-08-2005-17-36-51.xpy - Update failed
C:\Program Files\XoftSpy\Quarantine\Quarantine22-08-2005-19-46-42.xpy=>(Embedded EXE g) - Infected with: Trojan.Agent.FF
C:\Program Files\XoftSpy\Quarantine\Quarantine22-08-2005-19-46-42.xpy=>(Embedded EXE g) - Deleted
C:\Program Files\XoftSpy\Quarantine\Quarantine22-08-2005-19-46-42.xpy - Update failed
C:\WINNT\backup\T\50227000.DAT=>(Embedded EXE g) - Infected with: Trojan.Rootkit.H
C:\WINNT\backup\T\50227000.DAT=>(Embedded EXE g) - Deleted
C:\WINNT\backup\T\50227000.DAT - Update failed
#5
northernrambler2 - Fri 12/22/2006 14:36:56.77 Service Pack 4
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\northernrambler2\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-11-22 to 2006-12-22 ))))))))))))))))))))))))))))))))))

2006-12-22 08:59 <DIR> d-------- C:\WINNT\BDOSCAN8
2006-12-21 20:58 <DIR> d-------- C:\Program Files\eAcceleration
2006-12-21 20:58 <DIR> d-------- C:\Program Files\Acceleration Software
2006-12-21 20:58 <DIR> d-------- C:\Documents and Settings\northernrambler2\Application Data\eAcceleration
2006-12-21 20:57 <DIR> d-------- C:\Program Files\Common Files\eAcceleration
2006-12-19 18:54 <DIR> d-------- C:\SDFix

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-12-22 14:32 -------- d-------- C:\Program Files\Mozilla Firefox
2006-12-21 20:57 -------- d-a------ C:\Program Files\Common Files
2006-12-19 18:38 1330 --a------ C:\WINNT\system32\tmp.reg
2006-11-11 21:07 -------- d-------- C:\Program Files\RegCure
2006-11-11 16:42 -------- d-------- C:\Program Files\RegCleaner
2006-11-11 16:25 -------- d-------- C:\Program Files\RegistrySmart
2006-11-11 14:43 -------- d-------- C:\Program Files\Windows Media Player
2006-11-11 13:46 -------- d-a------ C:\Program Files\Grisoft
2006-11-08 16:18 443 --a------ C:\WINNT\system32\comcsi5.dll
2006-11-08 16:18 4 --ah----- C:\WINNT\system32\srvswc2.dll
2006-11-08 16:18 32 --a------ C:\WINNT\system32\comcb2.dll
2006-11-07 16:49 -------- d-------- C:\Program Files\NoAdware3
2006-11-06 18:11 76560 --a------ C:\WINNT\system32\drivers\tmcomm.sys

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\winnt\\system32\\NvCpl.dll,NvStartup"
"Synchronization Manager"="mobsync.exe /logon"
"SoftwareStation"="\"C:\\Program Files\\eAcceleration\\Station\\station.exe\" /b Startup"
"webscan"="\"C:\\Program Files\\Acceleration Software\\Anti-Virus\\stopsignav.exe\" -k"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,38,02,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,50,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
  00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Win Drivers SSL"="hpws.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"Win Drivers SSL"="hpws.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"item"="!AVG Anti-Spyware"
"command"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adaptec DirectCD]
"item"="Adaptec DirectCD"
"command"="C:\\PROGRA~1\\Adaptec\\DirectCD\\directcd.exe"
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"item"="HP Software Update"
"command"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"item"="NvCplDaemon"
"command"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"item"="nwiz"
"command"="nwiz.exe /install"
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperFreeEdition]
"item"="PopUpStopperFreeEdition"
"command"="\"C:\\Program Files\\Panicware\\Pop-Up Stopper Free Edition\\PSFree.exe\""
"hkey"="HKEY"
"key"="Run"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistrySmart]
"item"="RegistrySmart"
"command"="\"C:\\Program Files\\RegistrySmart\\RegistrySmart.exe\" -boot"
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareBot]
"item"="SpywareBot"
"command"="C:\\Program Files\\SpywareBot\\SpywareBot.exe -boot"
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
"item"="Synchronization Manager"
"command"="mobsync.exe /logon"
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"item"="TkBellExe"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Contents of the 'Scheduled Tasks' folder
C:\winnt\tasks\MP Scheduled Scan.job
C:\winnt\tasks\RegCure.job
C:\winnt\tasks\XoftSpy.job

Completion time: Fri 2006-12-22 14:38:10.73
C:\ComboFix.txt ... 06-12-22 14:38
#6
"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\winnt\system32\NvCpl.dll,NvStartup" [MS]
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"SoftwareStation" = ""C:\Program Files\eAcceleration\Station\station.exe" /b Startup" ["eAcceleration Corp."]
"webscan" = ""C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k" ["eAcceleration Corp"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{25A9EBDD-C786-418c-BD29-D2564A6161AD}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SPlugin Class"
     \InProcServer32\(Default) = "C:\winnt\BANNER~1.DLL" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Google Toolbar Helper"
     \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
     \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
  -> {HKLM...CLSID} = "AVG7 Find Extension Class"
     \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Shell Extension DLL"
  -> {HKLM...CLSID} = "SmartFTP Shell Extension DLL"
     \InProcServer32\(Default) = "C:\Program Files\SmartFTP Client 2.0\smarthook.dll" ["SmartFTP"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
     \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{eb9ebda0-b3e7-11cf-81c9-0000c0aa665f}" = "FTP Explorer Shell Extension"
  -> {HKLM...CLSID} = "FTP Explorer Shell Extension"
     \InProcServer32\(Default) = "ftpxext.dll" ["FTPx Corp."]
"{BB83FD23-AC96-472D-8AA2-7D8560A61D1A}" = "StopSignRCS"
  -> {HKLM...CLSID} = "StopSignRCS"
     \InProcServer32\(Default) = "C:\Program Files\Acceleration Software\Anti-Virus\dsshell.dll" ["eAcceleration Corp"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
  -> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
     \InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
  -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
     \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
"AppInit_DLLs" = (value not set)

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
"System" = (value not set)

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
  -> {HKLM...CLSID} = "CContextScan Object"
     \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
     \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
StopSignRCS\(Default) = "{BB83FD23-AC96-472D-8AA2-7D8560A61D1A}"
  -> {HKLM...CLSID} = "StopSignRCS"
     \InProcServer32\(Default) = "C:\Program Files\Acceleration Software\Anti-Virus\dsshell.dll" ["eAcceleration Corp"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
  -> {HKLM...CLSID} = "RtClkCtxMenu Class"
     \InProcServer32\(Default) = "C:\Program Files\Ipswitch\WS_FTP Home\wsftpsi.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
  -> {HKLM...CLSID} = "CContextScan Object"
     \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
     \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
StopSignRCS\(Default) = "{BB83FD23-AC96-472D-8AA2-7D8560A61D1A}"
  -> {HKLM...CLSID} = "StopSignRCS"
     \InProcServer32\(Default) = "C:\Program Files\Acceleration Software\Anti-Virus\dsshell.dll" ["eAcceleration Corp"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
  -> {HKLM...CLSID} = "RtClkCtxMenu Class"
     \InProcServer32\(Default) = "C:\Program Files\Ipswitch\WS_FTP Home\wsftpsi.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Documents and Settings\Default User\My Documents\konoctisidtaylorbroodpen.jpg"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\northernrambler2\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"

Enabled Scheduled Tasks:
------------------------

"MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]
"RegCure" -> launches: "C:\Program Files\RegCure\RegCure.exe -t" [null data]
"XoftSpy" -> launches: "C:\Program Files\XoftSpy\XoftSpy.exe -t" ["ParetoLogic Inc."]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
  -> {HKLM...CLSID} = "&Google"
     \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
  -> {HKLM...CLSID} = "&Google"
     \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
  -> {HKLM...CLSID} = "Web Browser Applet Control"
     \InProcServer32\(Default) = "C:\WINNT\System32\msjava.dll" [MS]
{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]
{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" [file not found]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
NVIDIA Display Driver Service, NVSvc, "C:\winnt\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows Defender Service, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
EPSON BiD Monitor1\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]
EPSON BiD Monitor1(1)\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]
EPSON BiD Monitor1(2)\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]
EPSON BiD Monitor1(3)\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]
hpzsnt09\Driver = "hpzsnt09.dll" ["HP"]

----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with
  the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at
  the first message box and "Yes" at the second message box.

---------- (total run time: 63 seconds, including 13 seconds for message boxes)
#7
Logfile of HijackThis v1.99.1
Scan saved at 2:57:38 PM, on 12/22/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\winnt\system32\nvsvc32.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\winnt\system32\stisvc.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\winnt\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\winnt\Explorer.EXE
C:\winnt\system32\wuauclt.exe
C:\Documents and Settings\northernrambler2\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\winnt\system32\Userinit.exe
O2 - BHO: SPlugin Class - {25A9EBDD-C786-418c-BD29-D2564A6161AD} - C:\winnt\BANNER~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\winnt\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/u...4/sdcregie.cab
O16 - DPF: {1E1B286C-88FF-11D2-8D96-D7ACAC95951F} - http://66.194.67.102/banner/latest/bannerads.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1124672640723
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124673215672
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/40...2/cpbrkpie.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
O16 - DPF: {CEDDF50D-9FA7-41A8-BCD0-6350D1ED2306} (SecurityManager Class) - https://care.alltel.com/lwp/static/i...ller_3-0-0.cab
O16 - DPF: {EFD3EA56-234D-4240-90EA-CC9FA3AF5A01} (ConnectivityTester Class) - https://care.alltel.com/lwp/static/i...ELControls.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\winnt\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\winnt\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\winnt\system32\HPZipm12.exe
O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\ALLTEL~1\SMARTB~1\SBHookSvc.exe
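A HijackThis log like the one just posted is a one-entry-per-line format: a section code (O2, O4, O16, O23 and so on), then fields separated by " - ". The following is an added example, not code from this thread and not part of HijackThis itself: a small Python triage script that parses those lines into records and applies a few review heuristics of the kind a helper applies by eye when reading such a log, such as a DPF codebase served from a bare IP address, an entry whose target file is already missing, or a BHO loaded from the Windows root directory rather than system32 or Program Files. The heuristics, the function names and the constructed sample (copied from lines in the log above) are assumptions made here for illustration; a flag marks an entry worth checking further, for instance with a multi-engine scan as done later in this thread, not a verdict on the file.

```python
"""Parse HijackThis v1.99-style log lines and flag entries worth a second look.

Added illustration for this thread; it is not HijackThis's own logic and the
heuristics below are assumptions, not detection rules.
"""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SPlugin Class - {25A9EBDD-C786-418c-BD29-D2564A6161AD} - C:\winnt\BANNER~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O16 - DPF: {1E1B286C-88FF-11D2-8D96-D7ACAC95951F} - http://66.194.67.102/banner/latest/bannerads.cab
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\ALLTEL~1\SMARTB~1\SBHookSvc.exe
"""

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# A file sitting directly in C:\WINNT or C:\WINDOWS (no subdirectory).
WIN_ROOT_RE = re.compile(r"^[a-z]:\\win(?:nt|dows)\\[^\\]+$")


def parse_entry(line):
    """Turn one HijackThis line into a dict, or None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    entry = {"code": code, "name": None, "clsid": None, "target": None}
    cm = CLSID_RE.search(body)
    entry["clsid"] = cm.group(0) if cm else None
    if code == "O4":
        # "HKLM\..\Run: [value name] command line"
        om = O4_RE.match(body)
        if om:
            entry["name"], entry["target"] = om.group("name"), om.group("cmd")
    elif code == "O16":
        # "DPF: {clsid} (Display Name) - url"; the parenthesised name is optional
        head, _, url = body.rpartition(" - ")
        entry["target"] = url.strip()
        nm = re.search(r"\(([^)]*)\)\s*$", head)
        entry["name"] = nm.group(1) if nm else None
    else:
        # O2/O9/O23 and similar: "<label>: <name> - <clsid or vendor> - <path>".
        # Assumes the path itself contains no " - " (true for the logs in this thread).
        parts = body.split(" - ")
        entry["target"] = parts[-1].strip()
        _label, sep, name = parts[0].partition(": ")
        entry["name"] = name.strip() if sep else None
    return entry


def review_flags(entry):
    """Heuristic review notes for one parsed entry (assumptions, not rules)."""
    flags = []
    target = entry["target"] or ""
    if target.endswith("(file missing)"):
        flags.append("stale: target file missing")
    if entry["code"] == "O16":
        host = urlparse(target).hostname or ""
        try:
            ip_address(host)
            flags.append("codebase served from a bare IP address")
        except ValueError:
            pass  # a hostname, not a literal address
        if entry["name"] is None:
            flags.append("download program file with no display name")
    if entry["code"] == "O2" and WIN_ROOT_RE.match(target.lower()):
        flags.append("BHO loaded from the Windows root directory")
    return flags


def triage(log_text):
    """Return [(code, name or target, flags)] for every entry that raised a flag."""
    findings = []
    for line in log_text.strip().splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        flags = review_flags(entry)
        if flags:
            findings.append((entry["code"], entry["name"] or entry["target"], flags))
    return findings


if __name__ == "__main__":
    for code, what, flags in triage(SAMPLE_LOG):
        print(f"{code}  {what}\n      " + "\n      ".join(flags))
```

Run against the sample, the script reports the BANNER~1.DLL BHO, the stale AIM button and the unnamed bannerads.cab control, and stays quiet about the Google Toolbar, the Fotki uploader and the service entries. Feeding it a whole log (pipe the file into `triage`) gives a short list to start from; each flagged path is then a candidate for the hash and multi-engine checks the helper asks for further down.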
#8
Looks like some newer infection variants there, so we'll have to do some checking to see how much. Also possible rootkit activity along with that.
Confusing the cleaning is the presence of Paretologic and its software like Xoft and NoAdware3, and eAcceleration and its software like Stop Sign/SoftwareStation - all have the dubious honor of being listed here in the past. And SpywareBot that I just noticed in your logs. With all the other good software available, including free trial software, I do not recommend anything with that listing as beneficial to have. If you decide to remove them through Add/Remove Programs you will need to uninstall any Paretologic listings first. For here the other software from this group would be all the RegCure, RegCleaner, RegistrySmart items. If you decide to remove all that stuff, you will first need to re-enable all the startups of those disabled in msconfig there.

I would like you to do some info check steps here, and if you plan to uninstall that questionable software please go to Start - Run, type msconfig (and Enter), and under the Startup tab click Enable All. Then allow the reboot. With the information you post back next I can suggest steps to remove those items.

Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types".

Go to this SITE. Click on the Browse button, and navigate to the following highlighted file(s), upload and submit it. Copy the results with the notepad and copy/paste them back here.

C:\WINNT\system32\comcsi5.dll
C:\WINNT\system32\srvswc2.dll
C:\WINNT\system32\comcb2.dll

Also I would like to check those files. Just zip a copy of it, and send it to jintan@cfl.rr.com as an attachment. Please place "Submitted Files - breezie" as the email Subject.

Then Download gmer.zip from here. Once downloaded, doubleclick on gmer.zip and unzip the file to its own folder. When you have done this, doubleclick on Gmer.exe to run it and click on Settings. Check the first five settings (see below):

System Protection and Tracing
Processes
Save created processes to the log
Drivers
Save loaded drivers to the log

You will be prompted to restart your computer. Please do so. Run Gmer again and click on the Rootkit tab. Look at the righthand side (under Files) and uncheck all drives with the exception of your C drive and then click on Scan (before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan). When completed, click on the Copy button and rightclick on your Desktop, choose "New" > Text document. Once the file is created, open it and rightclick again and choose Paste. Copy the information and post it here please.

Warning! Please do not select the "Show all" checkbox during the scan.

Also open HijackThis again. Click Config - Misc Tools. Then check "List also minor sections (full)" and also check "List empty sections (complete)" and then click on "Generate Startup List Log". Copy the log and post it back in this thread. It will be a large logfile.
#9
comcsi5.dll
Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1
File: comcsi5.dll
Status: OK
MD5: 3ba5236e9eb4be88b3464469029ff3bd
Packers detected: -

Scanner results:
AntiVir - Found nothing
ArcaVir - Found nothing
Avast - Found nothing
AVG Antivirus - Found nothing
BitDefender - Found nothing
ClamAV - Found nothing
Dr.Web - Found nothing
F-Prot Antivirus - Found nothing
F-Secure Anti-Virus - Found nothing
Fortinet - Found nothing
Kaspersky Anti-Virus - Found nothing
NOD32 - Found nothing
Norman Virus Control - Found nothing
VirusBuster - Found nothing
VBA32 - Found nothing
#10
srvswc2.dll
Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1
File: srvswc2.dll
Status: OK
MD5: f03db4cb37d604e9f2cb658f7b705848
Packers detected: -

Scanner results:
AntiVir - Found nothing
ArcaVir - Found nothing
Avast - Found nothing
AVG Antivirus - Found nothing
BitDefender - Found nothing
ClamAV - Found nothing
Dr.Web - Found nothing
F-Prot Antivirus - Found nothing
F-Secure Anti-Virus - Found nothing
Fortinet - Found nothing
Kaspersky Anti-Virus - Found nothing
NOD32 - Found nothing
Norman Virus Control - Found nothing
VirusBuster - Found nothing
VBA32 - Found nothing
#11
comcb2.dll
Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1
File: comcb2.dll
Status: INCONCLUSIVE (scan still in progress)
MD5: 349823b9f62b233e884080e8ffaec497
Packers detected: Analyzing...

Scanner results:
AntiVir - Found nothing
ArcaVir - Found nothing
Avast - Found nothing
AVG Antivirus - Found nothing
BitDefender - Found nothing
ClamAV - Found nothing
Dr.Web - Found nothing
F-Prot Antivirus - Found nothing
F-Secure Anti-Virus - Found nothing
Fortinet - Found nothing
Kaspersky Anti-Virus - Found nothing
NOD32 - Scanning, please wait...
Norman Virus Control - Scanning, please wait...
VirusBuster - Scanning, please wait...
VBA32 - Scanning, please wait...
#12
zipped files just sent to you as per your request.
#13
Just an additional note: my Add/Remove section of this computer does not work; it generates a script error message. I removed 3 programs via the system settings and in the file area; I know that it doesn't remove all the remnants of the software.
And on the 2nd scan of GMER I am getting this message:

GMER hasn't found any system modification

Last edited by breezie; December 23rd, 2006 at 03:18 PM.
#14
have to post this in 3 parts because of its size...
StartupList report, 12/23/2006, 9:16:06 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\northernrambler2\Desktop\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\winnt\system32\nvsvc32.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\winnt\system32\stisvc.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\winnt\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\winnt\Explorer.EXE
C:\winnt\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\northernrambler2\Desktop\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\northernrambler2\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\winnt\system32\Userinit.exe

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\winnt\system32\NvCpl.dll,NvStartup
Synchronization Manager = mobsync.exe /logon
SoftwareStation = "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
webscan = "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /s

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\winnt\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\winnt\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = "C:\winnt\system32\shmgrate.exe" OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = "C:\winnt\system32\shmgrate.exe" OCInstallUserConfigOE

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\winnt\system32\Rundll32.exe C:\winnt\system32\mscories.dll,Install

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\system32\updcrl.exe -e -u %SystemRoot%\system32\verisignpub1.crl

--------------------------------------------------

Last edited by breezie; December 23rd, 2006 at 03:24 PM.
#15
--------------------------------------------------
Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps
*Registry key not found*
--------------------------------------------------
Load/Run keys from C:\winnt\WIN.INI:
load=*INI section not found*
run=*INI section not found*
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=
--------------------------------------------------
Shell & screensaver key from C:\winnt\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\winnt\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\winnt\Explorer\Explorer.exe: not present
C:\winnt\System\Explorer.exe: not present
C:\winnt\System32\Explorer.exe: not present
C:\winnt\Command\Explorer.exe: not present
C:\winnt\Fonts\Explorer.exe: not present
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Verifying REGEDIT.EXE integrity:
- Regedit.exe found in C:\winnt
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'
Registry check passed
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\winnt\BANNER~1.DLL - {25A9EBDD-C786-418c-BD29-D2564A6161AD}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
--------------------------------------------------
Enumerating Task Scheduler jobs:
MP Scheduled Scan.job
RegCure.job
XoftSpy.job
--------------------------------------------------
Enumerating Download Program Files:
[DirectAnimation Java Classes]
CODEBASE = file://C:\WINNT\Java\classes\dajava.cab
OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd
[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab
OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd
[ppctlcab]
CODEBASE = http://www.pestscan.com/scanner/ppctlcab.cab
OSD = C:\WINNT\Downloaded Program Files\OSD406.OSD
[{00000130-9980-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.microsoft.com/codecs/i386/ACELPACM.CAB
[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab
[Windows Genuine Advantage]
InProcServer32 = C:\winnt\system32\LegitCheckControl.dll
CODEBASE = http://go.microsoft.com/fwlink/?link...67&clcid=0x409
[Stamps.com Secure Postal Account Registration]
InProcServer32 = C:\winnt\Downloaded Program Files\SdcRegIE.dll
CODEBASE = https://secure.stamps.com/download/u...4/sdcregie.cab
[{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}]
CODEBASE = http://66.194.67.102/banner/latest/bannerads.cab
[{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}]
CODEBASE = http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
[BDSCANONLINE Control]
InProcServer32 = C:\winnt\DOWNLO~1\oscan8.ocx
CODEBASE = http://download.bitdefender.com/reso...an8/oscan8.cab
[WUWebControl Class]
InProcServer32 = C:\winnt\system32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsu...?1124672640723
[MUWebControl Class]
InProcServer32 = C:\winnt\system32\muweb.dll
CODEBASE = http://update.microsoft.com/microsof...?1124673215672
[HouseCall Control]
InProcServer32 = C:\winnt\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
[Java Plug-in 1.5.0_02]
InProcServer32 = C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
CODEBASE = http://java.sun.com/update/1.5.0/jin...ndows-i586.cab
[cpbrkpie Control]
InProcServer32 = C:\winnt\cpbrkpie.ocx
CODEBASE = http://a19.g.akamai.net/7/19/7125/40...2/cpbrkpie.cab
[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.co...7862.211712963
[MsnMessengerSetupDownloadControl Class]
InProcServer32 = C:\winnt\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
CODEBASE = http://messenger.msn.com/download/Ms...Downloader.cab
[{BCC0FF27-31D9-4614-A68E-C18E1ADA4389}]
CODEBASE = http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
[FotkiUploader Control]
InProcServer32 = C:\winnt\DOWNLO~1\FOTKIU~1.OCX
CODEBASE = http://images.fotki.com/activex/FotkiUploader.cab
[Java Plug-in 1.3.1_03]
InProcServer32 = C:\Program Files\JavaSoft\JRE\1.3.1_03\bin\npjava131_03.dll
CODEBASE = http://java.sun.com/products/plugin/...131_03-win.cab
[Java Plug-in 1.4.2_08]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll
CODEBASE = http://java.sun.com/products/plugin/...ndows-i586.cab
[Java Plug-in 1.5.0_02]
InProcServer32 = C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
CODEBASE = http://java.sun.com/update/1.5.0/jin...ndows-i586.cab
[SecurityManager Class]
InProcServer32 = c:\program files\common files\motive\BJAXSecurityManager.dll
CODEBASE = https://care.alltel.com/lwp/static/i...ller_3-0-0.cab
[Shockwave Flash Object]
InProcServer32 = C:\winnt\system32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab
[{D27CDB6E-AE6D-11CF-96B8-444553542500}]
CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab
[ConnectivityTester Class]
InProcServer32 = c:\PROGRA~1\COMMON~1\motive\ACTIVE~1.DLL
CODEBASE = https://care.alltel.com/lwp/static/i...ELControls.cab
--------------------------------------------------
Enumerating Winsock LSP files:
NameSpace #1: C:\winnt\System32\rnr20.dll
NameSpace #2: C:\winnt\System32\winrnr.dll
Protocol #1: C:\winnt\system32\msafd.dll
Protocol #2: C:\winnt\system32\msafd.dll
Protocol #3: C:\winnt\system32\msafd.dll
Protocol #4: C:\winnt\system32\rsvpsp.dll
Protocol #5: C:\winnt\system32\rsvpsp.dll
Protocol #6: C:\winnt\system32\msafd.dll
Protocol #7: C:\winnt\system32\msafd.dll
Protocol #8: C:\winnt\system32\msafd.dll
Protocol #9: C:\winnt\system32\msafd.dll
Protocol #10: C:\winnt\system32\msafd.dll
Protocol #11: C:\winnt\system32\msafd.dll
Protocol #12: C:\winnt\system32\msafd.dll
Protocol #13: C:\winnt\system32\msafd.dll
Protocol #14: C:\winnt\system32\msafd.dll
Protocol #15: C:\winnt\system32\msafd.dll
--------------------------------------------------
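As an added example, not part of the thread and not code from any of the posters, here is a small Python triage script that runs three heuristics over a StartupList-style log of the kind posted above: an extension reported HIDDEN! with no shortcut-arrow overlay, a Browser Helper Object whose DLL sits directly in the Windows directory root, and a Download Program Files entry whose CODEBASE host is a raw IP literal or whose InProcServer32 lives in the Windows directory root. The sample log is constructed from a handful of lines in the post (one URL keeps the forum's "..." truncation as posted); the heuristics, function names and the choice of C:\winnt and C:\windows as "root" directories are my own assumptions, and a hit means "look closer", not a verdict that the entry is malicious.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample in StartupList's own layout, built from a few lines
# of the post above. The "..." in one CODEBASE is the forum's truncation
# of a long URL and is kept exactly as posted.
SAMPLE_LOG = r"""
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\winnt\BANNER~1.DLL - {25A9EBDD-C786-418c-BD29-D2564A6161AD}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
--------------------------------------------------
Enumerating Download Program Files:
[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab
[{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}]
CODEBASE = http://66.194.67.102/banner/latest/bannerads.cab
[cpbrkpie Control]
InProcServer32 = C:\winnt\cpbrkpie.ocx
CODEBASE = http://a19.g.akamai.net/7/19/7125/40...2/cpbrkpie.cab
--------------------------------------------------
"""

# Assumption (heuristic, not a verdict): the Windows directory root is an
# unusual home for a BHO or ActiveX server; system32 and Program Files pass.
WINDOWS_ROOTS = ("c:\\winnt", "c:\\windows")

SEPARATOR_RE = re.compile(r"^-{10,}$", re.M)
EXT_RE = re.compile(r"^(\.\w+): (HIDDEN!|not hidden)(?: \(arrow overlay: (yes|NO!)\))?$")
BHO_RE = re.compile(r"^(.*?) - (.+?) - (\{[0-9A-Fa-f-]+\})$")


def split_sections(text):
    """Map each 'Title:' block of a StartupList-style log to its body lines."""
    sections = {}
    for block in SEPARATOR_RE.split(text):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if lines and lines[0].endswith(":"):
            sections[lines[0].rstrip(":")] = lines[1:]
    return sections


def parse_dpf(lines):
    """Group '[name]' headers with the 'key = value' lines that follow them."""
    entries, props = [], None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            props = {}
            entries.append((line[1:-1], props))
        elif props is not None and " = " in line:
            key, _, value = line.partition(" = ")
            props[key.strip()] = value.strip()
    return entries


def in_windows_root(path):
    """True when the file sits directly in the Windows directory root."""
    head, _, _ = path.lower().replace("/", "\\").rpartition("\\")
    return head in WINDOWS_ROOTS


def host_is_ip_literal(url):
    """True when the URL's host is a bare IPv4/IPv6 address rather than a name."""
    host = urlparse(url).hostname
    if not host:
        return False
    try:
        ip_address(host)
    except ValueError:
        return False
    return True


def triage(log_text):
    """Return (section, item, reason) tuples for entries worth a closer look."""
    secs = split_sections(log_text)
    findings = []
    for line in secs.get("Checking for superhidden extensions", []):
        m = EXT_RE.match(line)
        if m and m.group(2) == "HIDDEN!" and m.group(3) == "NO!":
            findings.append(("superhidden", m.group(1),
                             "extension hidden with no shortcut-arrow overlay"))
    for line in secs.get("Enumerating Browser Helper Objects", []):
        m = BHO_RE.match(line)
        if m and in_windows_root(m.group(2)):
            findings.append(("BHO", m.group(2), "BHO DLL in the Windows directory root"))
    for name, props in parse_dpf(secs.get("Enumerating Download Program Files", [])):
        codebase = props.get("CODEBASE", "")
        if host_is_ip_literal(codebase):
            findings.append(("DPF", name, "CODEBASE served from a raw IP: " + codebase))
        server = props.get("InProcServer32", "")
        if server and in_windows_root(server):
            findings.append(("DPF", name, "InProcServer32 in the Windows directory root: " + server))
    return findings


if __name__ == "__main__":
    for section, item, reason in triage(SAMPLE_LOG):
        print(f"[{section}] {item}: {reason}")
```

Run it as a script to see the four hits from the sample. When feeding it a log copied from a forum page, first rejoin words the board has split with a stray space (the "N T" in NetMtg.Install.PerUser.NT above is one), or the regexes will miss those lines.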