Cyber Tech Help Support Forums > Software > Malware Removal

#1
December 20th, 2006, 12:28 AM
breezie
Member

Join Date: Nov 2006
Posts: 66
IE shutting down

I seem to have picked up something that is causing my browser, which is IE, to generate an error message and then shut down...

Here is my HijackThis log...

Logfile of HijackThis v1.99.1
Scan saved at 6:25:52 PM, on 12/19/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\winnt\system32\nvsvc32.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\winnt\system32\stisvc.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\winnt\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\winnt\Explorer.EXE
C:\winnt\system32\wuauclt.exe
C:\winnt\System32\svchost.exe
C:\Program Files\PAL SPYREM\spyrem.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\northernrambler2\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\winnt\system32\Userinit.exe
O2 - BHO: SPlugin Class - {25A9EBDD-C786-418c-BD29-D2564A6161AD} - C:\winnt\BANNER~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\winnt\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/u...4/sdcregie.cab
O16 - DPF: {1E1B286C-88FF-11D2-8D96-D7ACAC95951F} - http://66.194.67.102/banner/latest/bannerads.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1124672640723
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124673215672
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/40...2/cpbrkpie.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
O16 - DPF: {CEDDF50D-9FA7-41A8-BCD0-6350D1ED2306} (SecurityManager Class) - https://care.alltel.com/lwp/static/i...ller_3-0-0.cab
O16 - DPF: {EFD3EA56-234D-4240-90EA-CC9FA3AF5A01} (ConnectivityTester Class) - https://care.alltel.com/lwp/static/i...ELControls.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\winnt\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\winnt\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\winnt\system32\HPZipm12.exe
O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\ALLTEL~1\SMARTB~1\SBHookSvc.exe
#2
December 20th, 2006, 12:40 AM
breezie
Member

Join Date: Nov 2006
Posts: 66
SmitFraudFix v2.120

Scan done at 18:38:42.04, Tue 12/19/2006
Run from C:\Documents and Settings\northernrambler2\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\winnt


»»»»»»»»»»»»»»»»»»»»»»»» C:\winnt\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\winnt\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\winnt\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\winnt\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\northernrambler2


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\northernrambler2\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\NORTHE~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

HKLM\SOFTWARE\SHUDDERLTD FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
#3
December 22nd, 2006, 06:35 AM
Jintan
Cyber Tech Help Moderator

Join Date: Dec 2004
Posts: 52,284
Howdy breezie,


Looks like you have downloaded some bogus software, and from the request history here this doesn't appear to be the first time. See here for info on SpyRemover, which is of the same ilk as that SpyRem software running there. Let's see about removal and repairs now.



If you haven't already tried, go to Start – Settings – Control Panel. Click on Add/Remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on Remove. Then close the Control Panel.

PAL SPYREM




Then make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types".

Do a search (Start - Search/Find - Files or Folders) for the following highlighted files/folders (shown in Bold), and if found, delete them.

C:\Program Files\PAL SPYREM (the entire folder)



Go here and download ATF Cleaner. Click on the downloaded file to run it, and select "Select All", then click Empty Selected (and close ATF).

If you have them, also click on Firefox/Opera at the top and repeat the steps (and close ATF). Firefox/Opera will need to be closed first for the cleaning to be effective.



Then reboot, disable your antivirus program, and go here to run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX control has loaded, click on "Click here to scan" and grab a coffee.

When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All. Then copy/paste that log back here.



Next, download combofix.exe.

Double-click combofix.exe and follow the prompts. A window will open with a warning. Type "Y" (and Enter) to start the fix.
When the scan completes it will open a text window. Please copy/paste that log back here.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.



And go here and download Silent Runners to your desktop. Run it, and post back here the log it creates. If your AV queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify you when the scan is complete. Copy the log from the Startup Programs file back here, along with the BitDefender log, the ComboFix log and a new HijackThis scan please. You can use separate posts here if needed.
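Added example (editor's code, not from the thread, HijackThis or any of the tools Jintan lists): a small Python parser for the HijackThis log format posted in #1. It separates the running-process list from the coded entries (R1/O2/O4/O9/O16/O23 and so on), pulls out the CLSID and the file, command line or URL each entry loads, and reports which processes and launch points still sit under the folder Jintan asked to be removed (C:\Program Files\PAL SPYREM, from the thread). The sample log is a constructed excerpt of post #1 with the forum's line-wrap spaces taken out.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed excerpt of the HijackThis v1.99.1 log from post #1: a few of its
# lines, verbatim apart from the forum's inserted line-wrap spaces.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1

Running processes:
C:\winnt\System32\smss.exe
C:\Program Files\PAL SPYREM\spyrem.exe
C:\Documents and Settings\northernrambler2\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SPlugin Class - {25A9EBDD-C786-418c-BD29-D2564A6161AD} - C:\winnt\BANNER~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\winnt\system32\NvCpl.dll,NvStartup
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O16 - DPF: {1E1B286C-88FF-11D2-8D96-D7ACAC95951F} - http://66.194.67.102/banner/latest/bannerads.cab
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# A coded line is "<section code> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Sections whose last " - "-separated field is the file or URL being loaded.
PATH_LAST_SECTIONS = {"O2", "O3", "O9", "O16", "O23"}
MISSING_MARK = " (file missing)"


@dataclass
class Entry:
    code: str
    body: str
    clsid: Optional[str] = None
    target: Optional[str] = None   # local path, command line or URL
    missing: bool = False          # HijackThis could not find the file


def parse_entry(line: str) -> Optional[Entry]:
    """Turn one coded HijackThis line into an Entry; None for any other text."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    clsid_m = CLSID_RE.search(body)
    entry = Entry(code, body, clsid_m.group(0) if clsid_m else None)
    if code == "O4":
        # O4 - HKLM\..\Run: [ValueName] <command line>
        parts = body.split("] ", 1)
        entry.target = parts[1] if len(parts) == 2 else None
    elif code in PATH_LAST_SECTIONS:
        target = body.rsplit(" - ", 1)[-1]
        if target.endswith(MISSING_MARK):
            entry.missing = True
            target = target[:-len(MISSING_MARK)]
        entry.target = target
    return entry


def parse_log(text: str) -> Tuple[List[str], List[Entry]]:
    """Split a HijackThis log into its running-process list and coded entries."""
    processes: List[str] = []
    entries: List[Entry] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:                 # a blank line ends the process list
                in_processes = False
                continue
            processes.append(line)
            continue
        entry = parse_entry(line)
        if entry:
            entries.append(entry)
    return processes, entries


def under_folder(processes: List[str], entries: List[Entry], folder: str) -> List[str]:
    """Processes and entries whose target lives inside `folder` (case-insensitive).
    8.3 short names such as PROGRA~1 are not expanded, so check those by eye."""
    prefix = folder.lower().rstrip("\\") + "\\"
    hits = [p for p in processes if p.lower().startswith(prefix)]
    hits += [e.body for e in entries if e.target and e.target.lower().startswith(prefix)]
    return hits


def remote_targets(entries: List[Entry]) -> List[Tuple[Optional[str], Optional[str]]]:
    """(CLSID, host) for entries loaded from a URL instead of a local file,
    which is how O16 Downloaded Program Files (ActiveX) controls arrive."""
    return [(e.clsid, urlparse(e.target).hostname) for e in entries
            if e.target and e.target.lower().startswith(("http://", "https://"))]


if __name__ == "__main__":
    procs, ents = parse_log(SAMPLE_LOG)
    print(under_folder(procs, ents, r"C:\Program Files\PAL SPYREM"), remote_targets(ents))
```

Run it again on the fresh HijackThis scan after the uninstall and folder deletion: the PAL SPYREM list should come back empty.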
#4
December 22nd, 2006, 08:35 PM
breezie
Member

Join Date: Nov 2006
Posts: 66
BitDefender Online Scanner

Scan report generated at: Fri, Dec 22, 2006 - 14:24:15

Scan path: A:\;C:\;D:\;

Statistics
Time: 01:20:57
Files: 239410
Folders: 3229
Boot Sectors: 2
Archives: 2868
Packed Files: 29347

Results
Identified Viruses: 7
Infected Files: 13
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 13

Engines Info
Virus Definitions: 355745
Engine build: AVCORE v1.0 (build 2371) (i386) (Dec 13 2006 11:16:42)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status

C:\Documents and Settings\northernrambler2\My Documents\clipartfree.exe=>wise0047
Detected with: Application.Adware.NewDotNet.B.Dropper

C:\Documents and Settings\northernrambler2\My Documents\clipartfree.exe=>wise0047
Deleted

C:\Documents and Settings\northernrambler2\My Documents\clipartfree.exe
Update failed

C:\Documents and Settings\northernrambler2\Recent\clipartfree.lnk=> C:\Documents and Settings\northernrambler2\My Documents\clipartfree.exe=>wise0047
Detected with: Application.Adware.NewDotNet.B.Dropper

C:\Documents and Settings\northernrambler2\Recent\clipartfree.lnk=> C:\Documents and Settings\northernrambler2\My Documents\clipartfree.exe=>wise0047
Deleted

C:\Documents and Settings\northernrambler2\Recent\clipartfree.lnk=> C:\Documents and Settings\northernrambler2\My Documents\clipartfree.exe
Update failed

C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy=>(Embedded EXE g)
Infected with: Trojan.Puper.X

C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy=>(Embedded EXE g)
Disinfection failed

C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy=>(Embedded EXE g)
Deleted

C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy
Update failed

C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy=>(Embedded EXE 2g)
Infected with: Trojan.Puper.X

C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy=>(Embedded EXE 2g)
Disinfection failed

C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy=>(Embedded EXE 2g)
Deleted

C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy
Update failed

C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy=>(Embedded EXE 4g)
Infected with: Dropped:Trojan.Puper.W

C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy=>(Embedded EXE 4g)
Disinfection failed

C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy=>(Embedded EXE 4g)
Deleted

C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy
Update failed

C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy=>(Embedded EXE 5g)
Infected with: Trojan.Puper.W

C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy=>(Embedded EXE 5g)
Disinfection failed

C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy=>(Embedded EXE 5g)
Deleted

C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy
Update failed

C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy=>(Embedded EXE 6g)
Infected with: Trojan.Puper.X

C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy=>(Embedded EXE 6g)
Disinfection failed

C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy=>(Embedded EXE 6g)
Deleted

C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-21-36.xpy
Update failed

C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-26-54.xpy=>(Embedded EXE g)
Infected with: Trojan.Fakealert.J

C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-26-54.xpy=>(Embedded EXE g)
Disinfection failed

C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-26-54.xpy=>(Embedded EXE g)
Deleted

C:\Program Files\XoftSpy\Quarantine\Quarantine07-07-2005-09-26-54.xpy
Update failed

C:\Program Files\XoftSpy\Quarantine\Quarantine21-08-2005-14-10-50.xpy=>(Embedded EXE g)
Infected with: Trojan.Agent.FF

C:\Program Files\XoftSpy\Quarantine\Quarantine21-08-2005-14-10-50.xpy=>(Embedded EXE g)
Deleted

C:\Program Files\XoftSpy\Quarantine\Quarantine21-08-2005-14-10-50.xpy
Update failed

C:\Program Files\XoftSpy\Quarantine\Quarantine21-08-2005-17-36-51.xpy=>(Embedded EXE g)
Infected with: Trojan.Agent.FF

C:\Program Files\XoftSpy\Quarantine\Quarantine21-08-2005-17-36-51.xpy=>(Embedded EXE g)
Deleted

C:\Program Files\XoftSpy\Quarantine\Quarantine21-08-2005-17-36-51.xpy
Update failed

C:\Program Files\XoftSpy\Quarantine\Quarantine21-08-2005-17-36-51.xpy=>(Embedded EXE 2g)
Infected with: Trojan.Agent.FF

C:\Program Files\XoftSpy\Quarantine\Quarantine21-08-2005-17-36-51.xpy=>(Embedded EXE 2g)
Deleted

C:\Program Files\XoftSpy\Quarantine\Quarantine21-08-2005-17-36-51.xpy
Update failed

C:\Program Files\XoftSpy\Quarantine\Quarantine22-08-2005-19-46-42.xpy=>(Embedded EXE g)
Infected with: Trojan.Agent.FF

C:\Program Files\XoftSpy\Quarantine\Quarantine22-08-2005-19-46-42.xpy=>(Embedded EXE g)
Deleted

C:\Program Files\XoftSpy\Quarantine\Quarantine22-08-2005-19-46-42.xpy
Update failed

C:\WINNT\backup\T\50227000.DAT=>(Embedded EXE g)
Infected with: Trojan.Rootkit.H

C:\WINNT\backup\T\50227000.DAT=>(Embedded EXE g)
Deleted

C:\WINNT\backup\T\50227000.DAT
Update failed
#5
December 22nd, 2006, 11:27 PM
breezie
Member

Join Date: Nov 2006
Posts: 66
northernrambler2 - Fri 12/22/2006 14:36:56.77 Service Pack 4
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\northernrambler2\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-11-22 to 2006-12-22 ))))))))))))))))))))))))))))))))))


2006-12-22 08:59 <DIR> d-------- C:\WINNT\BDOSCAN8
2006-12-21 20:58 <DIR> d-------- C:\Program Files\eAcceleration
2006-12-21 20:58 <DIR> d-------- C:\Program Files\Acceleration Software
2006-12-21 20:58 <DIR> d-------- C:\Documents and Settings\northernrambler2\Application Data\eAcceleration
2006-12-21 20:57 <DIR> d-------- C:\Program Files\Common Files\eAcceleration
2006-12-19 18:54 <DIR> d-------- C:\SDFix


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-22 14:32 -------- d-------- C:\Program Files\Mozilla Firefox
2006-12-21 20:57 -------- d-a------ C:\Program Files\Common Files
2006-12-19 18:38 1330 --a------ C:\WINNT\system32\tmp.reg
2006-11-11 21:07 -------- d-------- C:\Program Files\RegCure
2006-11-11 16:42 -------- d-------- C:\Program Files\RegCleaner
2006-11-11 16:25 -------- d-------- C:\Program Files\RegistrySmart
2006-11-11 14:43 -------- d-------- C:\Program Files\Windows Media Player
2006-11-11 13:46 -------- d-a------ C:\Program Files\Grisoft
2006-11-08 16:18 443 --a------ C:\WINNT\system32\comcsi5.dll
2006-11-08 16:18 4 --ah----- C:\WINNT\system32\srvswc2.dll
2006-11-08 16:18 32 --a------ C:\WINNT\system32\comcb2.dll
2006-11-07 16:49 -------- d-------- C:\Program Files\NoAdware3
2006-11-06 18:11 76560 --a------ C:\WINNT\system32\drivers\tmcomm.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\winnt\\system32\\NvCpl.dll,NvStartup"
"Synchronization Manager"="mobsync.exe /logon"
"SoftwareStation"="\"C:\\Program Files\\eAcceleration\\Station\\station.exe\" /b Startup"
"webscan"="\"C:\\Program Files\\Acceleration Software\\Anti-Virus\\stopsignav.exe\" -k"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,38,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,50,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Win Drivers SSL"="hpws.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"Win Drivers SSL"="hpws.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"item"="!AVG Anti-Spyware"
"command"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adaptec DirectCD]
"item"="Adaptec DirectCD"
"command"="C:\\PROGRA~1\\Adaptec\\DirectCD\\directcd.exe"
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"item"="HP Software Update"
"command"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"item"="NvCplDaemon"
"command"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"item"="nwiz"
"command"="nwiz.exe /install"
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperFreeEdition]
"item"="PopUpStopperFreeEdition"
"command"="\"C:\\Program Files\\Panicware\\Pop-Up Stopper Free Edition\\PSFree.exe\""
"hkey"="HKEY"
"key"="Run"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistrySmart]
"item"="RegistrySmart"
"command"="\"C:\\Program Files\\RegistrySmart\\RegistrySmart.exe\" -boot"
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareBot]
"item"="SpywareBot"
"command"="C:\\Program Files\\SpywareBot\\SpywareBot.exe -boot"
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
"item"="Synchronization Manager"
"command"="mobsync.exe /logon"
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"item"="TkBellExe"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"hkey"="HKLM"
"key"="Run"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\winnt\tasks\MP Scheduled Scan.job
C:\winnt\tasks\RegCure.job
C:\winnt\tasks\XoftSpy.job

Completion time: Fri 2006-12-22 14:38:10.73
C:\ComboFix.txt ... 06-12-22 14:38
#6
December 22nd, 2006, 11:28 PM
breezie
Member

Join Date: Nov 2006
Posts: 66
"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\winnt\system32\NvCpl.dll,NvStartup" [MS]
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"SoftwareStation" = ""C:\Program Files\eAcceleration\Station\station.exe" /b Startup" ["eAcceleration Corp."]
"webscan" = ""C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k" ["eAcceleration Corp"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{25A9EBDD-C786-418c-BD29-D2564A6161AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SPlugin Class"
\InProcServer32\(Default) = "C:\winnt\BANNER~1.DLL" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Shell Extension DLL"
-> {HKLM...CLSID} = "SmartFTP Shell Extension DLL"
\InProcServer32\(Default) = "C:\Program Files\SmartFTP Client 2.0\smarthook.dll" ["SmartFTP"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{eb9ebda0-b3e7-11cf-81c9-0000c0aa665f}" = "FTP Explorer Shell Extension"
-> {HKLM...CLSID} = "FTP Explorer Shell Extension"
\InProcServer32\(Default) = "ftpxext.dll" ["FTPx Corp."]
"{BB83FD23-AC96-472D-8AA2-7D8560A61D1A}" = "StopSignRCS"
-> {HKLM...CLSID} = "StopSignRCS"
\InProcServer32\(Default) = "C:\Program Files\Acceleration Software\Anti-Virus\dsshell.dll" ["eAcceleration Corp"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
"AppInit_DLLs" = (value not set)

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
"System" = (value not set)

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
StopSignRCS\(Default) = "{BB83FD23-AC96-472D-8AA2-7D8560A61D1A}"
-> {HKLM...CLSID} = "StopSignRCS"
\InProcServer32\(Default) = "C:\Program Files\Acceleration Software\Anti-Virus\dsshell.dll" ["eAcceleration Corp"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
-> {HKLM...CLSID} = "RtClkCtxMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Ipswitch\WS_FTP Home\wsftpsi.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
StopSignRCS\(Default) = "{BB83FD23-AC96-472D-8AA2-7D8560A61D1A}"
-> {HKLM...CLSID} = "StopSignRCS"
\InProcServer32\(Default) = "C:\Program Files\Acceleration Software\Anti-Virus\dsshell.dll" ["eAcceleration Corp"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
-> {HKLM...CLSID} = "RtClkCtxMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Ipswitch\WS_FTP Home\wsftpsi.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Documents and Settings\Default User\My Documents\konoctisidtaylorbroodpen.jpg"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\northernrambler2\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Enabled Scheduled Tasks:
------------------------

"MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]
"RegCure" -> launches: "C:\Program Files\RegCure\RegCure.exe -t" [null data]
"XoftSpy" -> launches: "C:\Program Files\XoftSpy\XoftSpy.exe -t" ["ParetoLogic Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {HKLM...CLSID} = "Web Browser Applet Control"
\InProcServer32\(Default) = "C:\WINNT\System32\msjava.dll" [MS]

{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
NVIDIA Display Driver Service, NVSvc, "C:\winnt\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows Defender Service, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
EPSON BiD Monitor1\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]
EPSON BiD Monitor1(1)\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]
EPSON BiD Monitor1(2)\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]
EPSON BiD Monitor1(3)\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]
hpzsnt09\Driver = "hpzsnt09.dll" ["HP"]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 63 seconds, including 13 seconds for message boxes)
#7
December 22nd, 2006, 11:29 PM
breezie (Member)
Logfile of HijackThis v1.99.1
Scan saved at 2:57:38 PM, on 12/22/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\winnt\system32\nvsvc32.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\winnt\system32\stisvc.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\winnt\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\winnt\Explorer.EXE
C:\winnt\system32\wuauclt.exe
C:\Documents and Settings\northernrambler2\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\winnt\system32\Userinit.exe
O2 - BHO: SPlugin Class - {25A9EBDD-C786-418c-BD29-D2564A6161AD} - C:\winnt\BANNER~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\winnt\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/u...4/sdcregie.cab
O16 - DPF: {1E1B286C-88FF-11D2-8D96-D7ACAC95951F} - http://66.194.67.102/banner/latest/bannerads.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1124672640723
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124673215672
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/40...2/cpbrkpie.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
O16 - DPF: {CEDDF50D-9FA7-41A8-BCD0-6350D1ED2306} (SecurityManager Class) - https://care.alltel.com/lwp/static/i...ller_3-0-0.cab
O16 - DPF: {EFD3EA56-234D-4240-90EA-CC9FA3AF5A01} (ConnectivityTester Class) - https://care.alltel.com/lwp/static/i...ELControls.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\winnt\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\winnt\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\winnt\system32\HPZipm12.exe
O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\ALLTEL~1\SMARTB~1\SBHookSvc.exe
#8
December 23rd, 2006, 04:18 AM
Jintan (Cyber Tech Help Moderator)
Looks like some newer infection variants there, so we'll have to do some checking to see how much. Also possible rootkit activity along with that.

Confusing the cleaning is the presence of Paretologic and its software like Xoft and NoAdware3 and eAcceleration and its software like Stop Sign/SoftwareStation - all have the dubious honor of being listed here in the past. And SpywareBot that I just noticed in your logs. With all the other good software available, including free trial software, I do not recommend anything with that listing as beneficial to have. If you decide to remove them through Add/Remove Programs you will need to uninstall any Paretologic listings first. For here the other software from this group would be all the RegCure, RegCleaner, RegistrySmart items.

If you decide to remove all that stuff, you will first need to re-enable all the startups of those disabled in msconfig there.

I would like you to do some info check steps here, and if you plan to uninstall that questionable software please go to Start - Run, type msconfig (and Enter), and under the Startup tab click Enable All. Then allow the reboot. With the information you post back next I can suggest steps to remove those items.


Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types"

Go to this SITE. Click on the Browse button, navigate to the following highlighted file(s), upload and submit each one. Copy the results with Notepad and copy/paste them back here.

C:\WINNT\system32\comcsi5.dll
C:\WINNT\system32\srvswc2.dll
C:\WINNT\system32\comcb2.dll


Also I would like to check those files. Just zip a copy of them, and send it to jintan@cfl.rr.com as an attachment. Please place "Submitted Files - breezie" as the email Subject.



Then download gmer.zip from here. Once downloaded, double-click on gmer.zip and unzip the file to its own folder.

When you have done this, double-click on Gmer.exe to run it and click on Settings. Check the first five settings (see below):

System Protection and Tracing
Processes
Save created processes to the log
Drivers
Save loaded drivers to the log


You will be prompted to restart your computer. Please do so.

Run Gmer again and click on the Rootkit tab. Look at the right-hand side (under Files) and uncheck all drives with the exception of your C drive, and then click on Scan (before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan). When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.

Warning! Please do not select the "Show all" checkbox during the scan.



Also, open HijackThis again. Click Config - Misc Tools. Then check "List also minor sections (full)" and also check "List empty sections (complete)", and then click on "Generate Startup List Log". Copy the log and post it back in this thread. It will be a large logfile.
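As an added example (not code from the thread, from HijackThis, or from the moderator), here is a small Python triage helper for HijackThis log lines of the kind posted above. The sample lines are copied from the log in post #7; the three review heuristics it applies are the editor's own assumptions about what deserves a second look, not HijackThis rules, and a flag means "check this", not "infected".

```python
"""Triage helper for HijackThis 1.99-style log lines.

Added example for this thread; it is not HijackThis code, and the
heuristics are assumed by the editor, not taken from the tool or the thread.
"""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Optional

# Sample input: lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SPlugin Class - {25A9EBDD-C786-418c-BD29-D2564A6161AD} - C:\winnt\BANNER~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O16 - DPF: {1E1B286C-88FF-11D2-8D96-D7ACAC95951F} - http://66.194.67.102/banner/latest/bannerads.cab
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\ALLTEL~1\SMARTB~1\SBHookSvc.exe
"""

LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
HOST_RE = re.compile(r"^https?://([^/:]+)", re.IGNORECASE)
# A single path component directly under the Windows directory (no vendor folder).
WINDIR_ROOT_RE = re.compile(r"^[a-z]:\\(?:winnt|windows)\\[^\\]+$", re.IGNORECASE)


@dataclass
class Entry:
    section: str            # e.g. "O2", "O16"
    fields: List[str]       # " - "-separated parts after the section code
    clsid: Optional[str]    # first CLSID found on the line, upper-cased
    target: str             # last field: file path, command line or URL
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Split one log line into section code, fields, CLSID and target."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    fields = [f.strip() for f in rest.split(" - ")]
    clsid = CLSID_RE.search(rest)
    return Entry(section, fields, clsid.group(0).upper() if clsid else None, fields[-1])


def is_ip_literal(host: str) -> bool:
    """True when the URL host is a bare IPv4/IPv6 address, not a hostname."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def apply_heuristics(entry: Entry) -> Entry:
    """Attach review flags (assumed heuristics, not HijackThis rules)."""
    target = entry.target
    path = target.split(" (")[0]          # drop a trailing "(file missing)"
    if "(file missing)" in target or "(no file)" in target:
        entry.flags.append("referenced file is missing: orphan entry to clean up, "
                           "not by itself evidence of infection")
    if entry.section == "O16":
        host = HOST_RE.match(target)
        if host and is_ip_literal(host.group(1)):
            entry.flags.append("ActiveX download (DPF) served from a raw IP address "
                               "instead of a vendor hostname")
    if entry.section in ("O2", "O3") and WINDIR_ROOT_RE.match(path):
        entry.flags.append("browser extension DLL placed directly in the Windows "
                           "directory rather than in a program folder")
    return entry


def triage(log_text: str) -> List[Entry]:
    """Parse every recognised line and run the heuristics over it."""
    entries = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            entries.append(apply_heuristics(entry))
    return entries


def flagged(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged target to its flags, for a quick review list."""
    return {e.target: e.flags for e in triage(log_text) if e.flags}


if __name__ == "__main__":
    for target, flags in flagged(SAMPLE_LOG).items():
        print(target)
        for reason in flags:
            print("   -", reason)
```

Run on the sample it lists the BANNER~1.DLL BHO, the raw-IP bannerads.cab download and the missing aim.exe button, and leaves the Google Toolbar, the vendor-signed service and the Fotki control alone.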
#9
December 23rd, 2006, 02:44 PM
breezie (Member)
comcsi5.dll


Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1
File: comcsi5.dll
Status:
OK
MD5 3ba5236e9eb4be88b3464469029ff3bd
Packers detected:
-
Scanner results
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

Disclaimer
This service is by no means 100% safe. If this scanner says 'OK', it does not necessarily mean the file is clean. There could be a whole new virus on the loose. NEVER EVER rely on one single product only, not even this service, even though it utilizes several products. Therefore, We cannot and will not be held responsible for any damage caused by results presented by this non-profit online service.

Also, we are aware of the implications of a setup like this. We are sure this whole thing is by no means scientifically correct, since this is a fully automated service (although manual correction is possible). We are aware, in spite of efforts to proactively counter these, false positives might occur, for example. We do not consider this a very big issue, so please do not e-mail us about it. This is a simple online scan service, not the university of Wichita.

Scanning can take a while, since several scanners are being used, plus the fact some scanners use very high levels of (time consuming) heuristics. Scanners used are Linux versions, differences with Windows scanners may or may not occur. Another note: some scanners will only report one virus when scanning archives with multiple pieces of malware.

Virus definitions are updated every hour. There is a 15Mb limit per file. Please refrain from uploading tons of hex-edited or repacked variants of the same sample.

Please do not ask for viruses uploaded here, unless you work for an anti-virus vendor. They are not for trade. This is a legitimate service, not a VX site. Viruses uploaded here will be distributed to antivirus vendors without exception. Read more about this in our privacy policy. If you do not want your files to be distributed, please do not send them at all.

Sponsored by donations (in random order) from: Stormbyte Technologies LLC, The ClamAV project, Steve S., Eric Johansen, Eric Schechter, Paul Bokel, Wilders Security, Wilfried Lilie, Prevx, SonicWALL, Lance Mueller, Ewido networks, HotelScraper.com, people who donated in the past, and some people who prefer to remain anonymous... many thanks to all!
Statistics
Last file scanned at least one scanner reported something about: CheckSQL-Inject.exe (MD5: 85d5ef7ab0888a85c653560f381dec2d), detected by:

Scanner Malware name
AntiVir SPR/Ardamax.K.Gen riskware
ArcaVir X
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web X
F-Prot Antivirus X
F-Secure Anti-Virus X
Fortinet X
Kaspersky Anti-Virus Trojan-Spy.Win32.Ardamax.e
NOD32 X
Norman Virus Control X
VirusBuster X
VBA32 Trojan-Spy.Win32.Ardamax.b


You're free to (mis)interpret these automated, flawed statistics at your own discretion. For antivirus comparisons, visit AV comparatives
We are not affiliated with any third parties that conduct tests using this service.




Copyright © 2004-2005 Jordi Bosveld <jotti@jotti.org>
#10
December 23rd, 2006, 02:45 PM
breezie (Member)
srvswc2.dll


Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1
File: srvswc2.dll
Status:
OK
MD5 f03db4cb37d604e9f2cb658f7b705848
Packers detected:
-
Scanner results
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

#11
December 23rd, 2006, 02:46 PM
breezie (Member)
comcb2.dll


Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1
File: comcb2.dll
Status:
INCONCLUSIVE (scan still in progress)
MD5 349823b9f62b233e884080e8ffaec497
Packers detected:
Analyzing...
Scanner results
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Scanning, please wait...
Norman Virus Control
Scanning, please wait...
VirusBuster
Scanning, please wait...
VBA32
Scanning, please wait...

#12
December 23rd, 2006, 02:50 PM
breezie (Member)
Zipped files just sent to you as per your request.
#13
December 23rd, 2006, 03:05 PM
breezie (Member)
Just an additional note: the Add/Remove section of this computer does not work; it generates a script error message. I removed 3 programs via the system settings and in the file area, though I know that doesn't remove all the remnants of the software.

And on the 2nd scan of GMER I am getting this message.

GMER hasn't found any system modification

Last edited by breezie; December 23rd, 2006 at 03:18 PM.
#14
December 23rd, 2006, 03:20 PM
breezie (Member)
I have to post this in 3 parts because of its size...

StartupList report, 12/23/2006, 9:16:06 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\northernrambler2\Desktop\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\winnt\system32\nvsvc32.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\winnt\system32\stisvc.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\winnt\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\winnt\Explorer.EXE
C:\winnt\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\northernrambler2\Desktop\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\northernrambler2\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\winnt\system32\Userinit.exe

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\winnt\system32\NvCpl.dll,NvStartup
Synchronization Manager = mobsync.exe /logon
SoftwareStation = "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
webscan = "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /s

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\winnt\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\winnt\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = "C:\winnt\system32\shmgrate.exe" OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = "C:\winnt\system32\shmgrate.exe" OCInstallUserConfigOE

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\winnt\system32\Rundll32.exe C:\winnt\system32\mscories.dll,Install

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\system32\updcrl.exe -e -u %SystemRoot%\system32\verisignpub1.crl

--------------------------------------------------

Last edited by breezie; December 23rd, 2006 at 03:24 PM.

  #15
Old December 23rd, 2006, 03:22 PM
breezie
Member

Join Date: Nov 2006
Posts: 66
--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\winnt\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\winnt\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\winnt\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\winnt\Explorer\Explorer.exe: not present
C:\winnt\System\Explorer.exe: not present
C:\winnt\System32\Explorer.exe: not present
C:\winnt\Command\Explorer.exe: not present
C:\winnt\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\winnt
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\winnt\BANNER~1.DLL - {25A9EBDD-C786-418c-BD29-D2564A6161AD}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

MP Scheduled Scan.job
RegCure.job
XoftSpy.job

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINNT\Java\classes\dajava.cab
OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab
OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd

[ppctlcab]
CODEBASE = http://www.pestscan.com/scanner/ppctlcab.cab
OSD = C:\WINNT\Downloaded Program Files\OSD406.OSD

[{00000130-9980-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.microsoft.com/codecs/i386/ACELPACM.CAB

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Windows Genuine Advantage]
InProcServer32 = C:\winnt\system32\LegitCheckControl.dll
CODEBASE = http://go.microsoft.com/fwlink/?link...67&clcid=0x409

[Stamps.com Secure Postal Account Registration]
InProcServer32 = C:\winnt\Downloaded Program Files\SdcRegIE.dll
CODEBASE = https://secure.stamps.com/download/u...4/sdcregie.cab

[{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}]
CODEBASE = http://66.194.67.102/banner/latest/bannerads.cab

[{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}]
CODEBASE = http://download.mcafee.com/molbin/sh...4/mcinsctl.cab

[BDSCANONLINE Control]
InProcServer32 = C:\winnt\DOWNLO~1\oscan8.ocx
CODEBASE = http://download.bitdefender.com/reso...an8/oscan8.cab

[WUWebControl Class]
InProcServer32 = C:\winnt\system32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsu...?1124672640723

[MUWebControl Class]
InProcServer32 = C:\winnt\system32\muweb.dll
CODEBASE = http://update.microsoft.com/microsof...?1124673215672

[HouseCall Control]
InProcServer32 = C:\winnt\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab

[Java Plug-in 1.5.0_02]
InProcServer32 = C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
CODEBASE = http://java.sun.com/update/1.5.0/jin...ndows-i586.cab

[cpbrkpie Control]
InProcServer32 = C:\winnt\cpbrkpie.ocx
CODEBASE = http://a19.g.akamai.net/7/19/7125/40...2/cpbrkpie.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.co...7862.211712963

[MsnMessengerSetupDownloadControl Class]
InProcServer32 = C:\winnt\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
CODEBASE = http://messenger.msn.com/download/Ms...Downloader.cab

[{BCC0FF27-31D9-4614-A68E-C18E1ADA4389}]
CODEBASE = http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab

[FotkiUploader Control]
InProcServer32 = C:\winnt\DOWNLO~1\FOTKIU~1.OCX
CODEBASE = http://images.fotki.com/activex/FotkiUploader.cab

[Java Plug-in 1.3.1_03]
InProcServer32 = C:\Program Files\JavaSoft\JRE\1.3.1_03\bin\npjava131_03.dll
CODEBASE = http://java.sun.com/products/plugin/...131_03-win.cab

[Java Plug-in 1.4.2_08]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll
CODEBASE = http://java.sun.com/products/plugin/...ndows-i586.cab

[Java Plug-in 1.5.0_02]
InProcServer32 = C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
CODEBASE = http://java.sun.com/update/1.5.0/jin...ndows-i586.cab

[SecurityManager Class]
InProcServer32 = c:\program files\common files\motive\BJAXSecurityManager.dll
CODEBASE = https://care.alltel.com/lwp/static/i...ller_3-0-0.cab

[Shockwave Flash Object]
InProcServer32 = C:\winnt\system32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab

[{D27CDB6E-AE6D-11CF-96B8-444553542500}]
CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab

[ConnectivityTester Class]
InProcServer32 = c:\PROGRA~1\COMMON~1\motive\ACTIVE~1.DLL
CODEBASE = https://care.alltel.com/lwp/static/i...ELControls.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\winnt\System32\rnr20.dll
NameSpace #2: C:\winnt\System32\winrnr.dll
Protocol #1: C:\winnt\system32\msafd.dll
Protocol #2: C:\winnt\system32\msafd.dll
Protocol #3: C:\winnt\system32\msafd.dll
Protocol #4: C:\winnt\system32\rsvpsp.dll
Protocol #5: C:\winnt\system32\rsvpsp.dll
Protocol #6: C:\winnt\system32\msafd.dll
Protocol #7: C:\winnt\system32\msafd.dll
Protocol #8: C:\winnt\system32\msafd.dll
Protocol #9: C:\winnt\system32\msafd.dll
Protocol #10: C:\winnt\system32\msafd.dll
Protocol #11: C:\winnt\system32\msafd.dll
Protocol #12: C:\winnt\system32\msafd.dll
Protocol #13: C:\winnt\system32\msafd.dll
Protocol #14: C:\winnt\system32\msafd.dll
Protocol #15: C:\winnt\system32\msafd.dll

--------------------------------------------------
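The StartupList output above is the kind of dump a forum helper reads by hand, section by section. As an added example (not part of breezie's post and not StartupList's own code), here is a small Python triage script that parses this log format and flags the entries a helper looks at first: an executable open command that deviates from the stock value, a BHO DLL loaded from outside Program Files or system32 (the log's C:\winnt\BANNER~1.DLL), a Downloaded Program Files CODEBASE pointing at a bare IP address (the bannerads.cab entry), and an extension hidden with no shortcut-arrow overlay. The SAMPLE_LOG embedded in the script is a constructed excerpt copied from the lines above; the trusted-path list, the severities and the heuristics are this example's own assumptions rather than StartupList rules, and a flagged entry is a starting point for investigation, not a verdict.

```python
"""Triage helper for StartupList-style logs (the format posted above).
Added example: not part of the original post and not StartupList's own code.
SAMPLE_LOG is a constructed excerpt copied from the posted log; the trusted
path list and the heuristics are this example's assumptions, not tool rules."""
import re
from collections import namedtuple

SAMPLE_LOG = r"""
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\winnt\BANNER~1.DLL - {25A9EBDD-C786-418c-BD29-D2564A6161AD}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
--------------------------------------------------
Enumerating Download Program Files:
[{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}]
CODEBASE = http://66.194.67.102/banner/latest/bannerads.cab
[Shockwave Flash Object]
CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab
--------------------------------------------------
Checking for superhidden extensions:
.scf: HIDDEN! (arrow overlay: NO!)
.lnk: HIDDEN! (arrow overlay: yes)
"""

# Stock open commands for the executable types StartupList reports.
EXPECTED_OPEN = {".EXE": '"%1" %*', ".COM": '"%1" %*', ".BAT": '"%1" %*',
                 ".PIF": '"%1" %*', ".SCR": '"%1" /s'}
# Assumed normal homes for a BHO DLL (this example's choice); anything else is flagged.
TRUSTED_BHO_PREFIXES = ("c:\\program files\\", "c:\\progra~1\\",
                        "c:\\winnt\\system32\\", "c:\\windows\\system32\\")
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
BHO_LINE = re.compile(r"^(.*?) - (.+?) - (\{[0-9A-Fa-f-]{36}\})$")
HIDDEN_EXT = re.compile(r"^(\.\w+): HIDDEN!(?: \(arrow overlay: ([^)]+)\))?$")
# severity: "high" = classic hijack pattern, "review" = worth a closer look
Finding = namedtuple("Finding", "severity section detail")


def split_sections(text):
    """Yield (header, body_lines) per block; blocks end at the dashed rule."""
    for block in re.split(r"^-{10,}\s*$", text, flags=re.M):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if lines:
            yield lines[0], lines[1:]


def check_file_assoc(header, body):
    """A loader prepended to the .EXE/.COM/... open command runs on every launch."""
    m = re.search(r"for (\.\w+):$", header)
    ext = m.group(1).upper() if m else None
    for ln in body:
        if ext in EXPECTED_OPEN and ln.startswith("(Default) ="):
            actual = ln.split("=", 1)[1].strip()
            if actual != EXPECTED_OPEN[ext]:
                return [Finding("high", header, f"{ext} open command is {actual!r}, "
                                f"expected {EXPECTED_OPEN[ext]!r}")]
    return []


def check_bhos(header, body):
    """Flag BHO DLLs sitting outside the assumed trusted directories."""
    return [Finding("high", header, f"BHO {m.group(3)} loads {m.group(2)} from outside "
                    "the trusted paths")
            for m in map(BHO_LINE.match, body)
            if m and not m.group(2).lower().startswith(TRUSTED_BHO_PREFIXES)]


def check_download_program_files(header, body):
    """Flag ActiveX controls whose CODEBASE host is a bare IP rather than a vendor name."""
    out, current = [], None
    for ln in body:
        if ln.startswith("[") and ln.endswith("]"):
            current = ln[1:-1]
        elif ln.startswith("CODEBASE ="):
            url = ln.split("=", 1)[1].strip()
            host = re.sub(r"^[a-z]+://", "", url, flags=re.I).split("/", 1)[0]
            if BARE_IP.match(host):
                out.append(Finding("high", header,
                                   f"ActiveX '{current}' fetched from bare IP {host}: {url}"))
    return out


def check_superhidden(header, body):
    """An extension hidden with no arrow overlay lets photo.jpg.scf pose as photo.jpg."""
    return [Finding("review", header, f"{m.group(1)} is hidden with no shortcut arrow; "
                    f"photo.jpg{m.group(1)} displays as photo.jpg")
            for m in map(HIDDEN_EXT.match, body) if m and m.group(2) == "NO!"]


CHECKS = [("File association entry for", check_file_assoc),
          ("Enumerating Browser Helper Objects", check_bhos),
          ("Enumerating Download Program Files", check_download_program_files),
          ("Checking for superhidden extensions", check_superhidden)]


def triage(text):
    """Run each section of a StartupList log through the check for its header."""
    findings = []
    for header, body in split_sections(text):
        findings += [f for prefix, check in CHECKS if header.startswith(prefix)
                     for f in check(header, body)]
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section} {f.detail}")
```

Run against the excerpt it reports the BANNER~1.DLL BHO and the bare-IP bannerads.cab CODEBASE as "high" and the .scf entry as "review" (some extensions are hidden by a stock Windows install, so that one is a prompt to look, not a hijack indicator), while SDHelper.dll and the macromedia.com download pass. To use it on a full log, read the saved StartupList text into a string and pass it to triage(); the remaining sections of the format (Run keys, Active Setup stubs, Winsock LSPs) fall through untouched until a check with a matching header prefix is added to CHECKS.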