Greetings,
Before you post in this forum, please read and follow the instructions in this post: Guidelines for Posting in This Forum
Failure to follow these instructions will only result in delays of the cleaning and removal process.
If you ran other AntiVirus and/or AntiSpyware programs and have the logs available, please post them as well.
Our goal is to help you clean your PC and restore it to pre-infection condition wherever possible.
Thank You
Post #1 - Dec 12 2005, 06:06 AM - New Member (Group: Member, Posts: 7, Joined: 12-December 05, Member No.: 17161)
At the moment I've got quite a few issues on my PC and I think I have a few problems with spyware. It's been running really slow, I keep getting popups linking to SpyAxe and SpyTrooper sites, crashing, and lots of messages saying programs I don't know of aren't able to run.
I ran Spybot and found "Smitfraud-C." and I am unable to delete it. I also use Ad-aware, SpyCatcher, Noadware, CCleaner, and a few other anti-spyware programs as well as eTrust and AVG for viruses. They aren't picking anything up. Please help me if you can.

Logfile of HijackThis v1.99.1
Scan saved at 6:58:09 p.m., on 12/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\EDSNZ\VPN Client\cvpnd.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\CA\Common\SCANEN~1\InoDist.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\nvctrl.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\KMaestro\KMaestro.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\mapiicon.exe
C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HijackThis.exe
C:\PROGRA~1\CA\Common\SCANEN~1\InoDist.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.nz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\system32\hpAFD8.tmp
O3 - Toolbar: SpoofStick - {4D46ED77-1429-4CF6-8F63-C84B5D710BAF} - C:\Program Files\CoreStreet\SpoofStick\SpoofStick.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [KeyMaestro] C:\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\AllStar\AdShield\maintain.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\AllStar\AdShield\suppress.htm
O8 - Extra context menu item: Add to &Exclude List... - C:\PROGRA~1\AllStar\AdShield\restrict.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\AllStar\AdShield\settings.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: AdShield - {4FB6C25E-7B37-4c93-B592-16ECD8D18361} - C:\PROGRA~1\AllStar\AdShield\AdShield.dll (file missing) (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.merchdirect.net
O15 - Trusted Zone: http://www.ultimatecarpage.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab28578.cab
O16 - DPF: {3B0EA9E6-7003-4B38-B398-9B1B6DF439C5} - http://download.answers.com/pub/AnswersSetup.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126758160141
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup144.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: interceptor.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\EDSNZ\VPN Client\cvpnd.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks.
Post #2 - Dec 12 2005, 11:54 AM - GSF mate (Group: Member, Posts: 362, Joined: 14-August 04, Member No.: 9701)
Hi mongrel,
Please put HijackThis.exe in a permanent folder. Click My Computer, then C:\. In the menu bar, File -> New -> Folder. That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have a C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it. This will allow backups to be made and saved by HijackThis in case something goes wrong. Follow this link http://home.planet.nl/~kleyn080/hijackthi-- The nicest hobby on Earth ;) --planation.html if you need help.

__________

You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

Download smitRem.exe and save the file to your desktop. Double click on the file to extract it to its own folder on the desktop.

Please download, install, and update the free version of Ewido Security Suite:

If you do not already have Ad-Aware SE 1.06 installed, follow these download and setup instructions. Also check for updates: Ad-Aware SE Setup. Again, do NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\system32\hpAFD8.tmp

Now close all open windows (have only HJT open) and click "Fix Checked".

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again --- this is normal. Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.

Next, run Ad-Aware and perform a full scan. Remove everything found.

Now open Ewido Security Suite

Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Web -> Uncheck "Security Info" if present.

Restart your computer in normal mode. Run Panda's online virus scan and perform a full system scan. Then post the log from Panda (this scan won't delete files found).

Finally, restart your computer once more, and please post a new HijackThis log as well as the log from the Ewido scan and the log from the smitRem tool, which will be located at C:\smitfiles.txt. Let us know if any problems persist.
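The triage in the post above pulls three entries out of the first log to fix: the two Local Page overrides and the HomepageBHO entry that loads a .tmp file from system32. The script below is an added example, not the helper's or HijackThis's own code, showing how the same screening can be done mechanically over a log in the one-entry-per-line layout HijackThis writes. The sample log is constructed from entries in this thread, and the heuristics (relative Local Page values, Trusted Zone additions, a populated AppInit_DLLs value, components under a .tmp name or in a temp directory, entries pointing at missing files) are my own choices, not rules from the tool.

```python
import re

# Constructed sample in HijackThis v1.99 format, modelled on entries from the
# thread (one entry per line, as HijackThis writes them).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.nz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\system32\hpAFD8.tmp
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O9 - Extra button: AdShield - {4FB6C25E-7B37-4c93-B592-16ECD8D18361} - C:\PROGRA~1\AllStar\AdShield\AdShield.dll (file missing) (HKCU)
O15 - Trusted Zone: http://www.merchdirect.net
O20 - AppInit_DLLs: interceptor.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""

# "<section> - <body>" is the shape of every HijackThis entry line.
ENTRY_RE = re.compile(r'^([RFO]\d+) - (.*)$')
# First absolute Windows path ending in a loadable/executable extension.
PATH_RE = re.compile(r'([A-Za-z]:\\.*?\.(?:exe|dll|tmp|cpl|ocx|scr))\b', re.IGNORECASE)
# Directories that legitimate startup components almost never run from.
TEMP_DIR_RE = re.compile(r'\\(?:temp|temporary internet files|downloaded program files)\\',
                         re.IGNORECASE)


def triage(log_text):
    """Return [{'section', 'entry', 'reasons'}] for entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines, process list, blank lines
        section, body = m.groups()
        reasons = []

        if section in ('R0', 'R1') and 'Local Page' in body:
            value = body.split('=', 1)[1].strip()
            # XP's default is %SystemRoot%\system32\blank.htm; a bare relative
            # value means something rewrote the key (heuristic, my assumption).
            if not re.match(r'^(?:[A-Za-z]:\\|%)', value):
                reasons.append('Local Page overridden with a relative value')
        if section == 'O15':
            reasons.append('site placed in the Trusted zone, which relaxes IE security for it')
        if section == 'O20' and body.startswith('AppInit_DLLs:') and body.split(':', 1)[1].strip():
            reasons.append('AppInit_DLLs is populated; the DLL is loaded into every '
                           'process that uses user32.dll')

        pm = PATH_RE.search(body)
        if pm:
            path = pm.group(1)
            if path.lower().endswith('.tmp'):
                reasons.append('loadable component stored under a .tmp name')
            if TEMP_DIR_RE.search(path):
                reasons.append('component runs from a temporary or download-cache directory')
            if '(file missing)' in body:
                reasons.append('entry points at a file that is no longer on disk')

        if reasons:
            findings.append({'section': section, 'entry': raw.strip(), 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f['section'], '|', f['entry'])
        for r in f['reasons']:
            print('    -', r)
```

On the sample this flags the Local Page override, the .tmp BHO, the AdShield button whose DLL is gone, the Trusted Zone entry and the AppInit_DLLs value, and leaves the Google toolbar, the NVIDIA Run entry and the AVG service alone. A flag is a reason to look, not a verdict: the helper above left the O15 and O20 lines in place on the first pass, and a script should do the same.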
Post #3 - Dec 13 2005, 04:14 AM - New Member (Group: Member, Posts: 7, Joined: 12-December 05, Member No.: 17161)
Thanks for the help. Did all actions and found that SpyAxe is still present even after removing it via safe mode. The message still comes up that I have been infected and directs me to download it. My homepage is still changed. I ran Panda, but the first time it froze when I came to saving. It showed it had found 2 viruses and had disinfected them. The second time I was able to save it and this is the result:

Incident   Status   Location
Adware:Adware/SpyAxe   Not desinfected   C:\WINDOWS\system32\ioctrl.dll
Adware:adware/securityerror   Not desinfected   C:\Documents and Settings\James\Favorites\Antivirus Test Online.url
Dialer:Dialer.Gen   Not desinfected   C:\Documents and Settings\Richard Gorham\Local Settings\Temp\delwbi.tmp
Possible Virus.   Not desinfected   C:\Program Files\Logitech\WingMan Profiler\LWPEvntM.exe
Adware:Adware/SpyAxe   Not desinfected   C:\WINDOWS\system32\ioctrl.dll

I am about to reboot and will then show logs of ewido, smitRem and HJT. Thanks.
Post #4 - Dec 13 2005, 06:27 AM - New Member (Group: Member, Posts: 7, Joined: 12-December 05, Member No.: 17161)
Just ran ewido again to see what might have changed, the Spyaxe icon disappeared and now homepage is back to normal.
Here are the logs from safe mode and smitRem.

smitRem © log file version 2.8 by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: Tue 13/12/2005
The current time is: 10:40:16.27

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key
ShudderLTD key not present!

checking for PSGuard.com key
PSGuard.com key not present!

spyaxe uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~
Security Troubleshooting.url
Security Troubleshooting.url

~~~ Favorites ~~~

~~~ system32 folder ~~~
1024 dir
msvol.tlb
ld****.tmp
mssearchnet.exe
ncompat.tlb
nvctrl.exe
mscornet.exe
hp***.tmp
logfiles

~~~ Icons in System32 ~~~
ts.ico
ot.ico

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 836 'explorer.exe'

Starting registry repairs

Deleting files

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN! :)

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:07:38 p.m., 13/12/2005
+ Report-Checksum: 70EDC3A7

+ Scan result:

C:\HJT\backups\backup-20051213-103854-402.dll -> Downloader.Zlob.co : Ignored
C:\Documents and Settings\Anna\Cookies\anna@adorigin[2].txt -> Spyware.Cookie.Adorigin : Cleaned with backup
C:\Documents and Settings\Anna\Cookies\anna@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Anna\Local Settings\Temporary Internet Files\Content.IE5\GHIJKHMN\starsailornet.tripod[1].htm -> Trojan.WindowBomb.a : Cleaned with backup
C:\Documents and Settings\James\My Documents\James' Stuff\New Folder\ski\Setup.dat/sponsor.exe -> Downloader.Swizzor.ag : Cleaned with backup
C:\Documents and Settings\James Gorham\Local Settings\Temp\asmfiles.cab/asm.exe -> Spyware.Altnet : Cleaned with backup
C:\Documents and Settings\Richard Gorham\Local Settings\Temp\EACDownload\eanth_setup.exe -> Spyware.eAcceleration : Cleaned with backup
C:\Program Files\Messenger Plus! 2\Setup.dat/70000011.exe -> Downloader.Swizzor.af : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\new.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\new.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\new.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\new.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\new.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\new.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\new.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\new.exe -> Dialer.Generic : Cleaned with backup

::Report End

Logfile of HijackThis v1.99.1
Scan saved at 7:22:00 p.m., on 13/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\EDSNZ\VPN Client\cvpnd.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\PROGRA~1\CA\Common\SCANEN~1\InoDist.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\KMaestro\KMaestro.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\mapiicon.exe
C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O3 - Toolbar: SpoofStick - {4D46ED77-1429-4CF6-8F63-C84B5D710BAF} - C:\Program Files\CoreStreet\SpoofStick\SpoofStick.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [KeyMaestro] C:\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\AllStar\AdShield\maintain.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\AllStar\AdShield\suppress.htm
O8 - Extra context menu item: Add to &Exclude List... - C:\PROGRA~1\AllStar\AdShield\restrict.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\AllStar\AdShield\settings.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: AdShield - {4FB6C25E-7B37-4c93-B592-16ECD8D18361} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.merchdirect.net
O15 - Trusted Zone: http://www.ultimatecarpage.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab28578.cab
O16 - DPF: {3B0EA9E6-7003-4B38-B398-9B1B6DF439C5} - http://download.answers.com/pub/AnswersSetup.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126758160141
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup144.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: interceptor.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\EDSNZ\VPN Client\cvpnd.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I still think something is there as the PC often runs slow. Thanks again.
Post #5 - Dec 13 2005, 08:42 AM - GSF mate (Group: Member, Posts: 362, Joined: 14-August 04, Member No.: 9701)
Hi mongrel,
You're welcome. You had a few dialers on your system.

Download and run F-Secure BlackLight: http://www.f-secure.com/blacklight/try.shtml Leave [X] scan through windows explorer checked, click >> scan >> next. If any items are detected, have BlackLight rename them except for "wbemtest.exe". Do not rename "wbemtest.exe"; it's a Windows file. The tool will ask if you want to reboot (restart); choose yes. Then post the log from it.

Please download the trial version of Spy Sweeper from Here. Install it using the Standard Install option. (You will be asked for your e-mail address; it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper.) You will be prompted to check for updated definitions; please do so. (This may take several minutes.)

Click on "Options > Sweep Options" and check "Sweep all Folders on Selected drives". Check "Local Disc C". Under "What to Sweep", check every box. Click on Sweep and allow it to fully scan your system. When the sweep has finished, click "Remove". Click "Select All" and then "Next". From 'Results', select the "Session Log" tab. Click Save to File and save the log somewhere convenient. Exit Spy Sweeper. Copy and paste the log into this thread, along with a new HJT log.
Post #6 - Dec 13 2005, 09:48 PM - New Member (Group: Member, Posts: 7, Joined: 12-December 05, Member No.: 17161)
Thanks again. I ran BlackLight and it found no problems. As for Spy Sweeper, I had previously downloaded the trial version, so it is expired and I was unable to use it. Is there anything else I can do?
Post #7 - Dec 13 2005, 11:12 PM - GSF mate (Group: Member, Posts: 362, Joined: 14-August 04, Member No.: 9701)
Hi mongrel,
Download Rootkit Revealer and extract it: http://www.sysinternals.com/Utilities/RootkitRevealer.html Double click on Rootkit Revealer and press "Scan". It will take some time to do a complete scan. When finished, press File/Save and post the contents of the log please. Please close all open programs and browsers when doing the scan. Make sure no other programs are running.

_______

Download 'Autoruns' from here: http://www.sysinternals.com/Utilities/Autoruns.html Unzip to a folder and then double click on autoruns.exe. Wait until the program has finished running (the status line will show 'Ready'). Under the 'Options' menu, make sure that 'Include Empty Sections' is checked. Wait again until ready. Be sure the 'Everything' tab is selected. Select 'File -> Save' and save the output file. Copy the contents of the Autoruns text file and post its contents in this thread. Please let us know if you have any problems.
Post #8 - Dec 14 2005, 02:34 AM - New Member (Group: Member, Posts: 7, Joined: 12-December 05, Member No.: 17161)
Thanks again for the help. I ran Rootkit Revealer and it showed it had a few problems, but as I pressed save, it closed and said the program was nonresponsive and would have to close. I tried again and it just did the same. I did do a scan with Autoruns. Here is the log:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
+ C:\WINDOWS\system32\userinit.exe   Userinit Logon Application   Microsoft Corporation   c:\windows\system32\userinit.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
+ Explorer.exe   Windows Explorer   Microsoft Corporation   c:\windows\explorer.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ KeyMaestro   c:\kmaestro\kmaestro.exe
+ NvCplDaemon   NVIDIA Display Properties Extension   NVIDIA Corporation   c:\windows\system32\nvcpl.dll
+ QuickTime Task   QuickTime Task   Apple Computer, Inc.   c:\program files\quicktime\qttask.exe
+ Realtime Monitor   Computer Associates International, Inc.   c:\program files\ca\etrust antivirus\realmon.exe
+ SpyCatcher Reminder   SpyCatcher anti-spyware system from Tenebril   Tenebril Inc.   c:\program files\spycatcher 2006\spycatcher.exe
+ Zone Labs Client   Zone Labs Client   Zone Labs, LLC   c:\program files\zone labs\zonealarm\zlclient.exe
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
+ ADSL Diagnostic Tools.LNK   MapiIcon MFC Application   ITeX INC.   c:\windows\system32\mapiicon.exe
+ EPSON Status Monitor 3 Environment Check 2.lnk   StatusMonitor3 Environment Check   SEIKO EPSON CORPORATION   c:\windows\system32\spool\drivers\w32x86\3\e_srcv02.exe
C:\Documents and Settings\James\Start Menu\Programs\Startup
+ Scheduler.lnk   Scheduler daemon   Tenebril Incorporated   c:\program files\spycatcher 2006\scheduler daemon.exe
+ SpywareGuard.lnk   SpywareGuard   c:\program files\spywareguard\sgmain.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+ msnmsgr   MSN Messenger   Microsoft Corporation   c:\program files\msn messenger\msnmsgr.exe
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
+ Address Book 6   Outlook Express Setup Library   Microsoft Corporation   c:\program files\outlook express\setup50.exe
+ Browser Customizations   Microsoft Internet Explorer Customization DLL   Microsoft Corporation   c:\windows\system32\iedkcs32.dll
+ Internet Explorer   Windows NT User Data Migration Tool   Microsoft Corporation   c:\windows\system32\shmgrate.exe
+ Internet Explorer   Windows Setup API   Microsoft Corporation   c:\windows\system32\setupapi.dll
+ Internet Explorer 6   IE 5.0 Per-User Install Utility   Microsoft Corporation   c:\windows\system32\ie4uinit.exe
+ Microsoft Outlook Express 6   Outlook Express Setup Library   Microsoft Corporation   c:\program files\outlook express\setup50.exe
+ Microsoft Windows Media Player   ADVPACK   Microsoft Corporation   c:\windows\system32\advpack.dll
+ NetMeeting 3.01   ADVPACK   Microsoft Corporation   c:\windows\system32\advpack.dll
+ Outlook Express   Windows NT User Data Migration Tool   Microsoft Corporation   c:\windows\system32\shmgrate.exe
+ Themes Setup   Microsoft© Register Server   Microsoft Corporation   c:\windows\system32\regsvr32.exe
+ Windows Desktop Update   Microsoft© Register Server   Microsoft Corporation   c:\windows\system32\regsvr32.exe
+ Windows Media Player   Microsoft Windows Media Player Setup Utility   Microsoft Corporation   c:\windows\inf\unregmp2.exe
+ Windows Messenger 4.7   ADVPACK   Microsoft Corporation   c:\windows\system32\advpack.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
+ Browseui preloader   Shell Browser UI Library   Microsoft Corporation   c:\windows\system32\browseui.dll
+ Component Categories cache daemon   Shell Browser UI Library   Microsoft Corporation   c:\windows\system32\browseui.dll
+ Windows Update   c:\windows\system32\ioctrl.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
+ CDBurn   Windows Shell Common Dll   Microsoft Corporation   c:\windows\system32\shell32.dll
+ PostBootReminder   Windows Shell Common Dll   Microsoft Corporation   c:\windows\system32\shell32.dll
+ SysTray   Systray shell service object   Microsoft Corporation   c:\windows\system32\stobject.dll
+ WebCheck   Web Site Monitor   Microsoft Corporation   c:\windows\system32\webcheck.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
+ ewido shell guard   c:\program files\ewido\security suite\shellhook.dll
+ shell32.dll   Windows Shell Common Dll   Microsoft Corporation   c:\windows\system32\shell32.dll
+ SpywareGuard   SpywareGuard Protection   c:\program files\spywareguard\spywareguard.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ %DESC_PublishDropTarget%   Photo Printing Wizard   Microsoft Corporation   c:\windows\system32\photowiz.dll
+ &Address   Shell Browser UI Library   Microsoft Corporation   c:\windows\system32\browseui.dll
+ .CAB file viewer   Cabinet File Viewer Shell Extension   Microsoft Corporation   c:\windows\system32\cabview.dll
+ Accessible   Shell Browser UI Library   Microsoft Corporation   c:\windows\system32\browseui.dll
+ ActiveX Cache Folder   Object Control Viewer   Microsoft Corporation   c:\windows\system32\occache.dll
+ Address Bar Parser   Shell Browser UI Library   Microsoft Corporation   c:\windows\system32\browseui.dll
+ Address EditBox   Shell Browser UI Library   Microsoft Corporation   c:\windows\system32\browseui.dll
+ Administrative Tools   Shell Doc Object and Control Library   Microsoft Corporation   c:\windows\system32\shdocvw.dll
+ Audio Media Properties Handler   Media File Property Extractor Shell Extension   Microsoft Corporation   c:\windows\system32\shmedia.dll
+ Augmented Shell Folder   Shell Browser UI Library   Microsoft Corporation   c:\windows\system32\browseui.dll
+ Augmented Shell Folder 2   Shell Browser UI Library   Microsoft Corporation   c:\windows\system32\browseui.dll
+ Auto Update Property Sheet Extension   Automatic Updates Control Panel   Microsoft Corporation   c:\windows\system32\wuaucpl.cpl
+ AVG7 Find Extension   AVG Shell Extension   GRISOFT, s.r.o.   c:\program files\grisoft\avg free\avgse.dll
+ AVG7 Shell Extension   AVG Shell Extension   GRISOFT, s.r.o.   c:\program files\grisoft\avg free\avgse.dll
+ Avi Properties Handler   Media File Property Extractor Shell Extension   Microsoft Corporation   c:\windows\system32\shmedia.dll
+ BandProxy   Shell Browser UI Library   Microsoft Corporation   c:\windows\system32\browseui.dll
+ Briefcase   Windows Briefcase   Microsoft Corporation   c:\windows\system32\syncui.dll
+ CDF Extension Copy Hook   Shell Doc Object and Control Library   Microsoft Corporation   c:\windows\system32\shdocvw.dll
+ Channel File   Channel Definition File Viewer   Microsoft Corporation   c:\windows\system32\cdfview.dll
+ Channel Handler Object   Channel Definition File Viewer   Microsoft Corporation   c:\windows\system32\cdfview.dll
+ Channel Menu   Channel Definition File Viewer   Microsoft Corporation   c:\windows\system32\cdfview.dll
+ Channel Properties   Channel Definition File Viewer   Microsoft Corporation   c:\windows\system32\cdfview.dll
+ Channel Shortcut   Channel Definition File Viewer   Microsoft Corporation   c:\windows\system32\cdfview.dll
+ Code Download Agent   Web Site Monitor   Microsoft Corporation   c:\windows\system32\webcheck.dll
+ Compatibility Page   Compatibility Tab Shell Extension DLL   Microsoft Corporation   c:\windows\system32\slayerxp.dll
+ Compressed (zipped) Folder   Compressed (zipped) Folders   Microsoft Corporation   c:\windows\system32\zipfldr.dll
+ Compressed (zipped) Folder Right Drag Handler   Compressed (zipped) Folders   Microsoft Corporation   c:\windows\system32\zipfldr.dll
+ Compressed (zipped) Folder SendTo Target   Compressed (zipped) Folders   Microsoft Corporation   c:\windows\system32\zipfldr.dll
+ ConnectionAgent   Web Site Monitor   Microsoft Corporation   c:\windows\system32\webcheck.dll
+ Crypto PKO Extension   Crypto Shell Extensions   Microsoft Corporation   c:\windows\system32\cryptext.dll
+ Crypto Sign Extension   Crypto Shell Extensions   Microsoft Corporation   c:\windows\system32\cryptext.dll
+ Custom MRU AutoCompleted List   Shell Browser UI Library   Microsoft Corporation   c:\windows\system32\browseui.dll
+ Darwin App Publisher   Shell Application Manager   Microsoft Corporation   c:\windows\system32\appwiz.cpl
+ Desktop Explorer   NVIDIA Desktop Explorer, Version 52.16   NVIDIA Corporation   c:\windows\system32\nvshell.dll
+ Desktop Explorer Menu   NVIDIA Desktop Explorer, Version 52.16   NVIDIA Corporation   c:\windows\system32\nvshell.dll
+ DfsShell   Distributed File System shell extension   Microsoft Corporation   c:\windows\system32\dfsshlex.dll
+ Directory Context Menu Verbs   Directory Service Common UI   Microsoft Corporation   c:\windows\system32\dsuiext.dll
+ Directory Object Find   Directory Service Find   Microsoft Corporation   c:\windows\system32\dsquery.dll
+ Directory Property UI   Directory Service Common UI   Microsoft Corporation   c:\windows\system32\dsuiext.dll
+ Directory Query UI   Directory Service Find   Microsoft Corporation   c:\windows\system32\dsquery.dll
+ Directory Start/Search Find   Directory Service Find   Microsoft Corporation   c:\windows\system32\dsquery.dll
+ Disk Copy Extension   Windows DiskCopy   Microsoft Corporation   c:\windows\system32\diskcopy.dll
+ Disk Quota UI   Windows Shell Disk Quota UI DLL   Microsoft Corporation   c:\windows\system32\dskquoui.dll
+ Display Adapter CPL Extension   Advanced display adapter properties   Microsoft Corporation   c:\windows\system32\deskadp.dll
+ Display Monitor CPL Extension   Advanced display monitor properties   Microsoft Corporation
c:\windows\system32\deskmon.dll + Display Panning CPL Extension File not found: deskpan.dll + Display TroubleShoot CPL Extension Advanced display performance properties Microsoft Corporation c:\windows\system32\deskperf.dll + Download Status Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll + DS Security Page Directory Service Security UI Microsoft Corporation c:\windows\system32\dssec.dll + E-mail Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll + Explorer Band Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll + Extensions Manager Folder Extensions Manager Microsoft Corporation c:\windows\system32\extmgr.dll + Favorites Band Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll + Fonts Windows Font Folder Microsoft Corporation c:\windows\system32\fontext.dll + Fonts Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll + For &People... 
Find People Microsoft Corporation c:\program files\outlook express\wabfind.dll + FTP Folders Webview Microsoft Internet Explorer FTP Folder Shell Extension Microsoft Corporation c:\windows\system32\msieftp.dll + Fusion Cache Microsoft .NET Runtime Execution Engine Microsoft Corporation c:\windows\system32\mscoree.dll + GDI+ file thumbnail extractor Windows Picture and Fax Viewer Microsoft Corporation c:\windows\system32\shimgvw.dll + Get a Passport Wizard Map Network Drives/Network Places Wizard Microsoft Corporation c:\windows\system32\netplwiz.dll + Global Folder Settings Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll + Help and Support Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll + Help and Support Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll + History Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll + HTML Thumbnail Extractor Windows Picture and Fax Viewer Microsoft Corporation c:\windows\system32\shimgvw.dll + HyperTerminal Icon Ext HyperTerminal Applet Library Hilgraeve, Inc. c:\windows\system32\hticons.dll + ICC Profile Microsoft Color Matching System User Interface DLL Microsoft Corporation c:\windows\system32\icmui.dll + ICM Monitor Management Microsoft Color Matching System User Interface DLL Microsoft Corporation c:\windows\system32\icmui.dll + ICM Printer Management Microsoft Color Matching System User Interface DLL Microsoft Corporation c:\windows\system32\icmui.dll + ICM Scanner Management Microsoft Color Matching System User Interface DLL Microsoft Corporation c:\windows\system32\icmui.dll + IE4 Suite Splash Screen Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll + In-pane search Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll + InoShell Computer Associates International, Inc. 
c:\program files\ca\etrust antivirus\inoshell.dll + Installed Apps Enumerator Shell Application Manager Microsoft Corporation c:\windows\system32\appwiz.cpl + Internet Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll + Internet Name Space Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll + InternetShortcut Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll + ISFBand OC Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll + iTunes iTunes Mini Player DLL Apple Computer, Inc. c:\program files\itunes\itunesminiplayer.dll + Microsoft Agent Character Property Sheet Handler Microsoft Agent Property Sheet Handler Microsoft Corporation c:\windows\msagent\agentpsh.dll + Microsoft AutoComplete Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll + Microsoft Browser Architecture Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll + Microsoft BrowserBand Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll + Microsoft Data Link Microsoft Data Access - OLE DB Core Services Microsoft Corporation c:\program files\common files\system\ole db\oledb32.dll + Microsoft DocProp Inplace Calendar Control Microsoft DocProp Shell Ext Microsoft Corporation c:\windows\system32\docprop2.dll + Microsoft DocProp Inplace Droplist Combo Control Microsoft DocProp Shell Ext Microsoft Corporation c:\windows\system32\docprop2.dll + Microsoft DocProp Inplace Edit Box Control Microsoft DocProp Shell Ext Microsoft Corporation c:\windows\system32\docprop2.dll + Microsoft DocProp Inplace ML Edit Box Control Microsoft DocProp Shell Ext Microsoft Corporation c:\windows\system32\docprop2.dll + Microsoft DocProp Inplace Time Control Microsoft DocProp Shell Ext Microsoft Corporation c:\windows\system32\docprop2.dll + Microsoft DocProp Shell Ext Microsoft DocProp 
Shell Ext Microsoft Corporation c:\windows\system32\docprop2.dll + Microsoft History AutoComplete List Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll + Microsoft Internet Toolbar Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll + Microsoft Multiple AutoComplete List Container Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll + Microsoft Office HTML Icon Handler Microsoft Office XP component Microsoft Corporation c:\program files\microsoft office\office10\msohev.dll + Microsoft Outlook Custom Icon Handler Outlook Shell Hook for Start/Find Microsoft Corporation c:\program files\microsoft office\office10\olkfstub.dll + Microsoft Shell Folder AutoComplete List Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll + Microsoft Url History Service Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll + Microsoft Url Search Hook Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll + Midi Properties Handler Media File Property Extractor Shell Extension Microsoft Corporation c:\windows\system32\shmedia.dll + MMC Icon Handler MMC Shell Extension DLL Microsoft Corporation c:\windows\system32\mmcshext.dll + MRU AutoComplete List Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll + Multimedia File Property Sheet Control Panel Drivers Applet Microsoft Corporation c:\windows\system32\mmsys.cpl + MyDocs Copy Hook My Documents Folder UI Microsoft Corporation c:\windows\system32\mydocs.dll + MyDocs Drop Target My Documents Folder UI Microsoft Corporation c:\windows\system32\mydocs.dll + MyDocs Properties My Documents Folder UI Microsoft Corporation c:\windows\system32\mydocs.dll + Network Connections Network Connections Shell Microsoft Corporation c:\windows\system32\netshell.dll + Network Connections Network Connections Shell Microsoft Corporation 
c:\windows\system32\netshell.dll + NTFS Security Page Security Shell Extension Microsoft Corporation c:\windows\system32\rshx32.dll + Offline Files Folder Client Side Caching UI Microsoft Corporation c:\windows\system32\cscui.dll + Offline Files Folder Options Client Side Caching UI Microsoft Corporation c:\windows\system32\cscui.dll + Offline Files Menu Client Side Caching UI Microsoft Corporation c:\windows\system32\cscui.dll + OLE Docfile Property Page OLE DocFile Property Page Microsoft Corporation c:\windows\system32\docprop.dll + PlusPack CPL Extension Windows Theme API Microsoft Corporation c:\windows\system32\themeui.dll + Portable Media Devices Portable Media Devices Shell Extension Microsoft Corporation c:\windows\system32\audiodev.dll + Portable Media Devices Menu Portable Media Devices Shell Extension Microsoft Corporation c:\windows\system32\audiodev.dll + PostAgent Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll + Previous Versions Previous Versions property page Microsoft Corporation c:\windows\system32\twext.dll + Previous Versions Property Page Previous Versions property page Microsoft Corporation c:\windows\system32\twext.dll + Print Ordering via the Web Map Network Drives/Network Places Wizard Microsoft Corporation c:\windows\system32\netplwiz.dll + Printers Security Page Security Shell Extension Microsoft Corporation c:\windows\system32\rshx32.dll + Registry Tree Options Utility Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll + Remote Sessions CPL Extension Remote Sessions CPL Extension Microsoft Corporation c:\windows\system32\remotepg.dll + RhinoShExt Rhino 3.0 3DM File Extension for Windows Explorer Robert McNeel & Associates c:\windows\system32\rhinoshext.dll + Run... 
Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll + Scanners & Cameras Imaging Devices Shell Folder UI Microsoft Corporation c:\windows\system32\wiashext.dll + Scanners & Cameras Imaging Devices Shell Folder UI Microsoft Corporation c:\windows\system32\wiashext.dll + Scanners & Cameras Imaging Devices Shell Folder UI Microsoft Corporation c:\windows\system32\wiashext.dll + Scanners & Cameras Imaging Devices Shell Folder UI Microsoft Corporation c:\windows\system32\wiashext.dll + Scanners & Cameras Imaging Devices Shell Folder UI Microsoft Corporation c:\windows\system32\wiashext.dll + Scheduled Tasks Task Scheduler interface DLL Microsoft Corporation c:\windows\system32\mstask.dll + Search Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll + Search Assistant OC Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll + Search Band Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll + Sendmail service Send Mail Microsoft Corporation c:\windows\system32\sendmail.dll + Sendmail service Send Mail Microsoft Corporation c:\windows\system32\sendmail.dll + Set Program Access and Defaults Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll + Shell Application Manager Shell Application Manager Microsoft Corporation c:\windows\system32\appwiz.cpl + Shell Automation Inproc Service Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll + Shell Band Site Menu Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll + Shell DeskBar Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll + Shell DeskBarApp Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll + Shell DocObject Viewer Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll + Shell extensions for 
Microsoft Windows Network objects Network object shell UI Microsoft Corporation c:\windows\system32\ntlanui2.dll + Shell extensions for sharing Shell extensions for sharing Microsoft Corporation c:\windows\system32\ntshrui.dll + Shell extensions for sharing Shell extensions for sharing Microsoft Corporation c:\windows\system32\ntshrui.dll + Shell extensions for Windows Script Host Microsoft ® Shell Extension for Windows Script Host Microsoft Corporation c:\windows\system32\wshext.dll + Shell Image Data Factory Windows Picture and Fax Viewer Microsoft Corporation c:\windows\system32\shimgvw.dll + Shell Image Property Handler Windows Picture and Fax Viewer Microsoft Corporation c:\windows\system32\shimgvw.dll + Shell Image Verbs Windows Picture and Fax Viewer Microsoft Corporation c:\windows\system32\shimgvw.dll + Shell properties for a DS object Directory Service Find Microsoft Corporation c:\windows\system32\dsquery.dll + Shell Publishing Wizard Object Map Network Drives/Network Places Wizard Microsoft Corporation c:\windows\system32\netplwiz.dll + Shell Rebar BandSite Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll + Shell Scrap DataHandler Shell scrap object handler Microsoft Corporation c:\windows\system32\shscrap.dll + SpywareGuard SpywareGuard Protection c:\program files\spywareguard\spywareguard.dll + Subscription Folder Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll + Subscription Mgr Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll + Summary Info Thumbnail handler (DOCFILES) Windows Picture and Fax Viewer Microsoft Corporation c:\windows\system32\shimgvw.dll + Taskbar and Start Menu Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll + Tasks Folder Icon Handler Task Scheduler interface DLL Microsoft Corporation c:\windows\system32\mstask.dll + Tasks Folder Shell Extension Task Scheduler interface DLL Microsoft Corporation c:\windows\system32\mstask.dll 
+ Temporary Internet Files Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll + Temporary Internet Files Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll + The Internet Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll + Track Popup Bar Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll + TrayAgent Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll + TridentImageExtractor Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll + TuneUp Shredder Shell Context Menu Extension TuneUp Shredder Shell Extension TuneUp Software GmbH c:\program files\tuneup utilities 2006\sdshelex.dll + User Accounts Map Network Drives/Network Places Wizard Microsoft Corporation c:\windows\system32\netplwiz.dll + User Assist Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll + Video Media Properties Handler Media File Property Extractor Shell Extension Microsoft Corporation c:\windows\system32\shmedia.dll + Video Thumbnail Extractor Media File Property Extractor Shell Extension Microsoft Corporation c:\windows\system32\shmedia.dll + Wav Properties Handler Media File Property Extractor Shell Extension Microsoft Corporation c:\windows\system32\shmedia.dll + Web Folders Microsoft Web Folders Microsoft Corporation c:\program files\common files\microsoft shared\web folders\mson-- The nicest hobby on Earth ;) --t.dll + Web Printer Shell Extension Print UI DLL Microsoft Corporation c:\windows\system32\printui.dll + Web Publishing Wizard Map Network Drives/Network Places Wizard Microsoft Corporation c:\windows\system32\netplwiz.dll + Web Search Shell Browser UI Library Microsoft Corporation c:\windows\system32\browseui.dll + WebCheck Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll + WebCheck SyncMgr Handler Web Site Monitor Microsoft Corporation 
c:\windows\system32\webcheck.dll + WebCheckChannelAgent Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll + WebCheckWebCrawler Web Site Monitor Microsoft Corporation c:\windows\system32\webcheck.dll + Windows Media Player Add to Playlist Context Menu Handler Windows Media Player Launcher Microsoft Corporation c:\windows\system32\wmpshell.dll + Windows Media Player Burn Audio CD Context Menu Handler Windows Media Player Launcher Microsoft Corporation c:\windows\system32\wmpshell.dll + Windows Media Player Play as Playlist Context Menu Handler Windows Media Player Launcher Microsoft Corporation c:\windows\system32\wmpshell.dll HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved + Web Folders Microsoft Web Folders Microsoft Corporation c:\program files\common files\microsoft shared\web folders\mson-- The nicest hobby on Earth ;) --t.dll HKLM\Software\Classes\Folder\Shellex\ColumnHandlers + PDF Shell Extension PDF Shell Extension Adobe Systems, Inc. 
c:\program files\adobe\acrobat 7.0\activex\pdfshell.dll + {0D2E74C4-3C34-11d2-A27E-00C04FC30871} Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll + {24F14F01-7B1C-11d1-838f-0000F80461CF} Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll + {24F14F02-7B1C-11d1-838f-0000F80461CF} Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll + {66742402-F9B9-11D1-A202-0000F81FEDEE} Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks + shdocvw.dll Shell Doc Object and Control Library Microsoft Corporation c:\windows\system32\shdocvw.dll HKLM\Software\Microsoft\Internet Explorer\Extensions + Windows Messenger Windows Messenger Microsoft Corporation c:\program files\messenger\msmsgs.exe Task Scheduler + 1-Click Maintenance.job TuneUp System Optimizer TuneUp Software GmbH c:\program files\tuneup utilities 2006\systemoptimizer.exe HKLM\System\CurrentControlSet\Services + AudioSrv Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe + Avg7Alrt AVG Alert Manager GRISOFT, s.r.o. c:\program files\grisoft\avg free\avgamsvr.exe + Avg7UpdSvc AVG Update Service GRISOFT, s.r.o. c:\program files\grisoft\avg free\avgupsvc.exe + BITS Transfers files in the background using idle network bandwidth. If the service is stopped, features such as Windows Update, and MSN Explorer will be unable to automatically download programs and other information. If this service is disabled, any services that explicitly depend on it may fail to transfer files if they do not have a fail safe mechanism to transfer files directly through IE in case BITS has been disabled. 
Microsoft Corporation c:\windows\system32\svchost.exe + Browser Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe + CryptSvc Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe + CVPND Cisco Systems VPN Client Cisco Systems, Inc. c:\program files\edsnz\vpn client\cvpnd.exe + DcomLaunch Provides launch functionality for DCOM services. Microsoft Corporation c:\windows\system32\svchost.exe + Dhcp Manages network configuration by registering and updating IP addresses and DNS names. Microsoft Corporation c:\windows\system32\svchost.exe + dmserver Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe + Dnscache Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start. 
Microsoft Corporation c:\windows\system32\svchost.exe + EPSONStatusAgent2 EPSON Printer Status Agent SEIKO EPSON CORPORATION c:\program files\common files\epson\ebapi\sagent2.exe + ERSvc Allows error reporting for services and applictions running in non-standard environments. Microsoft Corporation c:\windows\system32\svchost.exe + Eventlog Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped. Microsoft Corporation c:\windows\system32\services.exe + ewido security suite control ewido control ewido networks c:\program files\ewido\security suite\ewidoctrl.exe + helpsvc Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe + InoRPC Listens for Admin Server discovery and policy requests Computer Associates International, Inc. c:\program files\ca\etrust antivirus\inorpc.exe + InoRT Provides real-time on-access virus protection Computer Associates International, Inc. c:\program files\ca\etrust antivirus\inort.exe + InoTask Schedules background task such as scan jobs and signature downloads Computer Associates International, Inc. c:\program files\ca\etrust antivirus\inotask.exe + lanmanserver Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe + lanmanworkstation Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. 
Microsoft Corporation c:\windows\system32\svchost.exe + LmHosts Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. Microsoft Corporation c:\windows\system32\svchost.exe + LogWatch c:\windows\logwatnt.exe + NVSvc Provides system and desktop level support to the NVIDIA display driver NVIDIA Corporation c:\windows\system32\nvsvc32.exe + PlugPlay Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability. Microsoft Corporation c:\windows\system32\services.exe + ProtectedStorage Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users. Microsoft Corporation c:\windows\system32\lsass.exe + RemoteRegistry Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe + RpcSs Provides the endpoint mapper and other miscellaneous RPC services. Microsoft Corporation c:\windows\system32\svchost.exe + SamSs Stores security information for local user accounts. Microsoft Corporation c:\windows\system32\lsass.exe + Schedule Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe + seclogon Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. 
Microsoft Corporation c:\windows\system32\svchost.exe + SENS Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events. Microsoft Corporation c:\windows\system32\svchost.exe + SharedAccess Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. Microsoft Corporation c:\windows\system32\svchost.exe + ShellHWDetection Generic Host Process for Win32 Services Microsoft Corporation c:\windows\system32\svchost.exe + Spooler Loads files to memory for later printing. Microsoft Corporation c:\windows\system32\spoolsv.exe + srservice Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties Microsoft Corporation c:\windows\system32\svchost.exe + stisvc Provides image acquisition services for scanners and cameras. Microsoft Corporation c:\windows\system32\svchost.exe + Themes Provides user experience theme management. Microsoft Corporation c:\windows\system32\svchost.exe + TrkWks Maintains links between NTFS files within a computer or across computers in a network domain. Microsoft Corporation c:\windows\system32\svchost.exe + UMWdf Enables Windows user mode drivers. Microsoft Corporation c:\windows\system32\wdfmgr.exe + vsmon Monitors internet traffic and generates alerts for disallowed access. Zone Labs, LLC c:\windows\system32\zonelabs\vsmon.exe + W32Time Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe + WebClient Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. 
If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe
+ winmgmt Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe
+ wscsvc Monitors system security settings and configurations. Microsoft Corporation c:\windows\system32\svchost.exe
+ wuauserv Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site. Microsoft Corporation c:\windows\system32\svchost.exe
+ WZCSVC Provides automatic configuration for the 802.11 adapters Microsoft Corporation c:\windows\system32\svchost.exe

HKLM\System\CurrentControlSet\Services
+ 61883 61883 Device Class Microsoft Corporation c:\windows\system32\drivers\61883.sys
+ ACPI ACPI Driver for NT Microsoft Corporation c:\windows\system32\drivers\acpi.sys
+ aec Microsoft Acoustic Echo Canceller Microsoft Corporation c:\windows\system32\drivers\aec.sys
+ AFD AFD Networking Support Environment Microsoft Corporation c:\windows\system32\drivers\afd.sys
+ Arp1394 1394 ARP Client Protocol Microsoft Corporation c:\windows\system32\drivers\arp1394.sys
+ AsyncMac RAS Asynchronous Media Driver Microsoft Corporation c:\windows\system32\drivers\asyncmac.sys
+ atapi IDE/ATAPI Port Driver Microsoft Corporation c:\windows\system32\drivers\atapi.sys
+ Atmarpc ATM ARP Client Protocol Microsoft Corporation c:\windows\system32\drivers\atmarpc.sys
+ audstub AudStub Driver Microsoft Corporation c:\windows\system32\drivers\audstub.sys
+ Avc AVC Driver Microsoft Corporation c:\windows\system32\drivers\avc.sys
+ Avg7Core AVG Scanning Engine GRISOFT, s.r.o. c:\windows\system32\drivers\avg7core.sys
+ Avg7RsW AVG Resident Shield Unload Helper GRISOFT, s.r.o. c:\windows\system32\drivers\avg7rsw.sys
+ Avg7RsXP AVG Resident Anti-Virus Shield GRISOFT, s.r.o. c:\windows\system32\drivers\avg7rsxp.sys
+ CCDECODE WDM Closed Caption VBI Codec Microsoft Corporation c:\windows\system32\drivers\ccdecode.sys
+ Cdrom SCSI CD-ROM Driver Microsoft Corporation c:\windows\system32\drivers\cdrom.sys
+ CVPNDRV Cisco Systems VPN Client IPSec Driver Cisco Systems, Inc. c:\windows\system32\drivers\cvpndrv.sys
+ Disk PnP Disk Driver Microsoft Corporation c:\windows\system32\drivers\disk.sys
+ DM9102 NDIS 5.0 driver CNet Technology, Inc. c:\windows\system32\drivers\dm9pci5.sys
+ dmio NT Disk Manager I/O Driver Microsoft Corp., Veritas Software c:\windows\system32\drivers\dmio.sys
+ dmload NT Disk Manager Startup Driver Microsoft Corp., Veritas Software. c:\windows\system32\drivers\dmload.sys
+ DMusic Microsoft Kernel DLS Synthesizer Microsoft Corporation c:\windows\system32\drivers\dmusic.sys
+ DNE Deterministic Network Enhancer Deterministic Networks, Inc. c:\windows\system32\drivers\dne2000.sys
+ drmkaud Microsoft Kernel DRM Audio Descrambler Filter Microsoft Corporation c:\windows\system32\drivers\drmkaud.sys
+ Fdc Floppy Disk Controller Driver Microsoft Corporation c:\windows\system32\drivers\fdc.sys
+ Flpydisk Floppy Driver Microsoft Corporation c:\windows\system32\drivers\flpydisk.sys
+ Ftdisk FT Disk Driver Microsoft Corporation c:\windows\system32\drivers\ftdisk.sys
+ gameenum Game Port Enumerator Microsoft Corporation c:\windows\system32\drivers\gameenum.sys
+ GEARAspiWDM CDRom Class Filter Driver GEAR Software Inc. c:\windows\system32\drivers\gearaspiwdm.sys
+ Gpc Generic Packet Classifier Microsoft Corporation c:\windows\system32\drivers\msgpc.sys
+ HTTP This service implements the hypertext transfer protocol (HTTP). If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\drivers\http.sys
+ i8042prt i8042 Port Driver Microsoft Corporation c:\windows\system32\drivers\i8042prt.sys
+ Imapi IMAPI Kernel Driver Microsoft Corporation c:\windows\system32\drivers\imapi.sys
+ ip6fw Provides intrusion prevention service for a home or small office network. Microsoft Corporation c:\windows\system32\drivers\ip6fw.sys
+ IpFilterDriver IP Traffic Filter Driver Microsoft Corporation c:\windows\system32\drivers\ipfltdrv.sys
+ IpInIp IP in IP Tunnel Driver Microsoft Corporation c:\windows\system32\drivers\ipinip.sys
+ IpNat IP Network Address Translator Microsoft Corporation c:\windows\system32\drivers\ipnat.sys
+ IPSec IPSEC driver Microsoft Corporation c:\windows\system32\drivers\ipsec.sys
+ IRENUM Infra-Red Bus Enumerator Microsoft Corporation c:\windows\system32\drivers\irenum.sys
+ isapnp PNP ISA Bus Driver Microsoft Corporation c:\windows\system32\drivers\isapnp.sys
+ itexadsla2 NDIS 4.0/5.0 ADSL driver ITeX c:\windows\system32\drivers\itexwana.sys
+ Iviaspi InterVideo ASPI Shell InterVideo, Inc. c:\windows\system32\drivers\iviaspi.sys
+ Kbdclass Keyboard Class Driver Microsoft Corporation c:\windows\system32\drivers\kbdclass.sys
+ KeyMaestro Keyboard Filter sample Vireo Software c:\windows\system32\drivers\maestro0.sys
+ kmixer Kernel Mode Audio Mixer Microsoft Corporation c:\windows\system32\drivers\kmixer.sys
+ Mouclass Mouse Class Driver Microsoft Corporation c:\windows\system32\drivers\mouclass.sys
+ ms_mpu401 MPU401 Adapter Driver Microsoft Corporation c:\windows\system32\drivers\msmpu401.sys
+ MSDV Microsoft DV Camera and VCR Driver Microsoft Corporation c:\windows\system32\drivers\msdv.sys
+ MSKSSRV MS KS Server Microsoft Corporation c:\windows\system32\drivers\mskssrv.sys
+ MSPCLOCK MS Proxy Clock Microsoft Corporation c:\windows\system32\drivers\mspclock.sys
+ MSPQM MS Proxy Quality Manager Microsoft Corporation c:\windows\system32\drivers\mspqm.sys
+ mssmbios System Management BIOS Driver Microsoft Corporation c:\windows\system32\drivers\mssmbios.sys
+ MSTEE WDM Tee/Communication Transform Filter Microsoft Corporation c:\windows\system32\drivers\mstee.sys
+ MTDVC2 Panasonic DVC SERIAL-USB Driver Matsushita Electric Industrial Co., Ltd. c:\windows\system32\drivers\mtdv2ku2.sys
+ MTDVC2_ENUM Panasonic DVC SERIAL Port Driver Matsushita Electric Industrial Co., Ltd. c:\windows\system32\drivers\mtdv2ks2.sys
+ NABTSFEC WDM NABTS/FEC VBI Codec Microsoft Corporation c:\windows\system32\drivers\nabtsfec.sys
+ NdisIP Microsoft IP Driver Microsoft Corporation c:\windows\system32\drivers\ndisip.sys
+ NdisTapi Remote Access NDIS TAPI Driver Microsoft Corporation c:\windows\system32\drivers\ndistapi.sys
+ Ndisuio NDIS Usermode I/O Protocol Microsoft Corporation c:\windows\system32\drivers\ndisuio.sys
+ NdisWan Remote Access NDIS WAN Driver Microsoft Corporation c:\windows\system32\drivers\ndiswan.sys
+ NetBT NetBios over Tcpip Microsoft Corporation c:\windows\system32\drivers\netbt.sys
+ NETMDUSB Net MD USB Driver Sony Corporation c:\windows\system32\drivers\netmdusb.sys
+ NIC1394 IEEE1394 Ndis Miniport and Call Manager Microsoft Corporation c:\windows\system32\drivers\nic1394.sys
+ nv NVIDIA Compatible Windows 2000 Miniport Driver, Version 52.16 NVIDIA Corporation c:\windows\system32\drivers\nv4_mini.sys
+ nv4 NVIDIA Compatible Windows XP Miniport Driver, Version 12.40.20 NVIDIA Corporation c:\windows\system32\drivers\nv4.sys
+ NwlnkFlt IPX Traffic Filter Driver Microsoft Corporation c:\windows\system32\drivers\nwlnkflt.sys
+ NwlnkFwd IPX Traffic Forwarder Driver Microsoft Corporation c:\windows\system32\drivers\nwlnkfwd.sys
+ ohci1394 1394 OpenHCI Port Driver Microsoft Corporation c:\windows\system32\drivers\ohci1394.sys
+ Parport Parallel Port Driver Microsoft Corporation c:\windows\system32\drivers\parport.sys
+ PCI NT Plug and Play PCI Enumerator Microsoft Corporation c:\windows\system32\drivers\pci.sys
+ pfc Padus® ASPI Shell Padus, Inc. c:\windows\system32\drivers\pfc.sys
+ PfModNT PCI/ISA Device Info. Service Creative Technology Ltd. c:\windows\system32\pfmodnt.sys
+ phil2vid Universal Serial Bus Camera Driver Microsoft Corporation c:\windows\system32\drivers\philcam2.sys
+ PptpMiniport WAN Miniport (PPTP) Microsoft Corporation c:\windows\system32\drivers\raspptp.sys
+ Processor Processor Device Driver Microsoft Corporation c:\windows\system32\drivers\processr.sys
+ PSched QoS Packet Scheduler Microsoft Corporation c:\windows\system32\drivers\psched.sys
+ Ptilink Direct Parallel Link Driver Parallel Technologies, Inc. c:\windows\system32\drivers\ptilink.sys
+ RasAcd Remote Access Auto Connection Driver Microsoft Corporation c:\windows\system32\drivers\rasacd.sys
+ Rasl2tp WAN Miniport (L2TP) Microsoft Corporation c:\windows\system32\drivers\rasl2tp.sys
+ RasPppoe Remote Access PPPOE Driver Microsoft Corporation c:\windows\system32\drivers\raspppoe.sys
+ Raspti Direct Parallel Microsoft Corporation c:\windows\system32\drivers\raspti.sys
+ RDPCDD RDP Miniport Microsoft Corporation c:\windows\system32\drivers\rdpcdd.sys
+ rdpdr Microsoft RDP Device redirector Microsoft Corporation c:\windows\system32\drivers\rdpdr.sys
+ redbook Redbook Audio Filter Driver Microsoft Corporation c:\windows\system32\drivers\redbook.sys
+ rtport Generic Port I/O Windows ® 2000 DDK provider c:\windows\system32\drivers\rtport.sys
+ sbp2port SBP-2 Protocol Driver Microsoft Corporation c:\windows\system32\drivers\sbp2port.sys
+ Secdrv SafeDisc driver c:\windows\system32\drivers\secdrv.sys
+ serenum Serial Port Enumerator Microsoft Corporation c:\windows\system32\drivers\serenum.sys
+ Serial Serial Device Driver Microsoft Corporation c:\windows\system32\drivers\serial.sys
+ SLIP Microsoft Slip Deframing Filter Minidriver Microsoft Corporation c:\windows\system32\drivers\slip.sys
+ splitter Microsoft Kernel Audio Splitter Microsoft Corporation c:\windows\system32\drivers\splitter.sys
+ streamip Microsoft IP Test Driver Microsoft Corporation c:\windows\system32\drivers\streamip.sys
+ swenum Plug and Play Software Device Enumerator Microsoft Corporation c:\windows\system32\drivers\swenum.sys
+ swmidi Microsoft GS Wavetable Synthesizer Microsoft Corporation c:\windows\system32\drivers\swmidi.sys
+ sysaudio System Audio WDM Filter Microsoft Corporation c:\windows\system32\drivers\sysaudio.sys
+ Tcpip TCP/IP Protocol Driver Microsoft Corporation c:\windows\system32\drivers\tcpip.sys
+ TermDD Terminal Server Driver Microsoft Corporation c:\windows\system32\drivers\termdd.sys
+ Update Update Driver Microsoft Corporation c:\windows\system32\drivers\update.sys
+ usbaudio USB Audio Class Driver Microsoft Corporation c:\windows\system32\drivers\usbaudio.sys
+ usbccgp USB Common Class Generic Parent Driver Microsoft Corporation c:\windows\system32\drivers\usbccgp.sys
+ usbhub Default Hub Driver for USB Microsoft Corporation c:\windows\system32\drivers\usbhub.sys
+ usbprint USB Printer driver Microsoft Corporation c:\windows\system32\drivers\usbprint.sys
+ usbscan USB Scanner Driver Microsoft Corporation c:\windows\system32\drivers\usbscan.sys
+ USBSTOR USB Mass Storage Class Driver Microsoft Corporation c:\windows\system32\drivers\usbstor.sys
+ usbuhci UHCI USB Miniport Driver Microsoft Corporation c:\windows\system32\drivers\usbuhci.sys
+ usbvideo USB Video Class Driver Microsoft Corporation c:\windows\system32\drivers\usbvideo.sys
+ VgaSave Controls the VGA display adapter to provide basic display capabilities. Microsoft Corporation c:\windows\system32\drivers\vga.sys
+ viaagp VIA NT AGP Filter Microsoft Corporation c:\windows\system32\drivers\viaagp.sys
+ ViaIde Generic PCI IDE Bus Driver Microsoft Corporation c:\windows\system32\drivers\viaide.sys
+ VIAPFD VIA PFD driver VIA Technologies. Inc. c:\windows\system32\drivers\viapfd.sys
+ VIAudio Vinyl AC'97 Codec Combo WDM Driver VIA Technologies, Inc. c:\windows\system32\drivers\vinyl97.sys
+ vsdatant TrueVector Device Driver Zone Labs, LLC c:\windows\system32\vsdatant.sys
+ Wanarp Remote Access IP ARP Driver Microsoft Corporation c:\windows\system32\drivers\wanarp.sys
+ wceusbsh Windows CE USB Serial Host Microsoft Corporation c:\windows\system32\drivers\wceusbsh.sys
+ wdmaud MMSYSTEM Wave/Midi API mapper Microsoft Corporation c:\windows\system32\drivers\wdmaud.sys
+ WSTCODEC WDM WST Codec Driver Microsoft Corporation c:\windows\system32\drivers\wstcodec.sys

HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
+ autocheck autochk * Auto Check Utility Microsoft Corporation c:\windows\system32\autochk.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
+ Your Image File Name Here without a path Symbolic Debugger for Windows 2000 Microsoft Corporation c:\windows\system32\ntsd.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
+ interceptor.dll API Interceptor Tenebril Inc. c:\windows\system32\interceptor.dll

HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
+ advapi32 Advanced Windows 32 Base API Microsoft Corporation c:\windows\system32\advapi32.dll
+ comdlg32 Common Dialogs DLL Microsoft Corporation c:\windows\system32\comdlg32.dll
+ gdi32 GDI Client DLL Microsoft Corporation c:\windows\system32\gdi32.dll
+ imagehlp Windows NT Image Helper Microsoft Corporation c:\windows\system32\imagehlp.dll
+ kernel32 Windows NT BASE API Client DLL Microsoft Corporation c:\windows\system32\kernel32.dll
+ lz32 LZ Expand/Compress API DLL Microsoft Corporation c:\windows\system32\lz32.dll
+ ole32 Microsoft OLE for Windows Microsoft Corporation c:\windows\system32\ole32.dll
+ oleaut32 Microsoft Corporation c:\windows\system32\oleaut32.dll
+ olecli32 Object Linking and Embedding Client Library Microsoft Corporation c:\windows\system32\olecli32.dll
+ olecnv32 Microsoft OLE for Windows Microsoft Corporation c:\windows\system32\olecnv32.dll
+ olesvr32 Object Linking and Embedding Server Library Microsoft Corporation c:\windows\system32\olesvr32.dll
+ olethk32 Microsoft OLE for Windows Microsoft Corporation c:\windows\system32\olethk32.dll
+ rpcrt4 Remote Procedure Call Runtime Microsoft Corporation c:\windows\system32\rpcrt4.dll
+ shell32 Windows Shell Common Dll Microsoft Corporation c:\windows\system32\shell32.dll
+ url Internet Shortcut Shell Extension DLL Microsoft Corporation c:\windows\system32\url.dll
+ urlmon OLE32 Extensions for Win32 Microsoft Corporation c:\windows\system32\urlmon.dll
+ user32 Windows XP USER API Client DLL Microsoft Corporation c:\windows\system32\user32.dll
+ version Version Checking and File Installation Libraries Microsoft Corporation c:\windows\system32\version.dll
+ wininet Internet Extensions for Win32 Microsoft Corporation c:\windows\system32\wininet.dll
+ wldap32 Win32 LDAP API DLL Microsoft Corporation c:\windows\system32\wldap32.dll

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ crypt32chain Crypto API32 Microsoft Corporation c:\windows\system32\crypt32.dll
+ cryptnet Crypto Network Related API Microsoft Corporation c:\windows\system32\cryptnet.dll
+ cscdll Offline Network Agent Microsoft Corporation c:\windows\system32\cscdll.dll
+ ScCertProp Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
+ Schedule Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
+ sclgntfy Secondary Logon Service Notification DLL Microsoft Corporation c:\windows\system32\sclgntfy.dll
+ SensLogn Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
+ termsrv Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
+ wlballoon Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
+ WRNotifier File not found: WRLogonNTF.dll

HKCU\Control Panel\Desktop\Scrnsave.exe
+ C:\WINDOWS\System32\ssmypics.scr My Pictures Slideshow Screensaver Microsoft Corporation c:\windows\system32\ssmypics.scr

HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{1C440ED0-A706-40B2-A3F0-568EEF258A0E}] DATAGRAM 0 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{1C440ED0-A706-40B2-A3F0-568EEF258A0E}] SEQPACKET 0 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{BD7FB127-89AE-4CC9-91DE-EBEBDB454B3A}] DATAGRAM 4 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{BD7FB127-89AE-4CC9-91DE-EBEBDB454B3A}] SEQPACKET 4 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{D7305662-BE7D-427E-A676-99020BDE2A24}] DATAGRAM 2 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{D7305662-BE7D-427E-A676-99020BDE2A24}] SEQPACKET 2 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{D8345C15-EA42-43A7-8404-A7B1E9215182}] DATAGRAM 1 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{D8345C15-EA42-43A7-8404-A7B1E9215182}] SEQPACKET 1 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{EE695E20-CA94-4773-8B5D-A3CA02199CDA}] DAT
Dec 14 2005, 07:39 AM, Post #9 (GSF mate, Group: Member, Posts: 362, Joined: 14-August 04, Member No.: 9701)
Hi mongrel,
That's odd that it closes on you. You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download AproposFix from here: http://swandog46.geekstogo.com/aproposfix.exe
Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts. When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.

Then try Rootkit Revealer again.
Dec 15 2005, 02:16 AM, Post #10 (New Member, Group: Member, Posts: 7, Joined: 12-December 05, Member No.: 17161)
Here are the logs from my latest HJT, AproposFix and finally Rootkit revealer.
Thanks for all this.

Logfile of HijackThis v1.99.1
Scan saved at 1:49:58 p.m., on 15/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\EDSNZ\VPN Client\cvpnd.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\CA\Common\SCANEN~1\InoDist.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\KMaestro\KMaestro.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\mapiicon.exe
C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O3 - Toolbar: SpoofStick - {4D46ED77-1429-4CF6-8F63-C84B5D710BAF} - C:\Program Files\CoreStreet\SpoofStick\SpoofStick.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [KeyMaestro] C:\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\AllStar\AdShield\maintain.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\AllStar\AdShield\suppress.htm
O8 - Extra context menu item: Add to &Exclude List... - C:\PROGRA~1\AllStar\AdShield\restrict.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\AllStar\AdShield\settings.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: AdShield - {4FB6C25E-7B37-4c93-B592-16ECD8D18361} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.merchdirect.net
O15 - Trusted Zone: http://www.ultimatecarpage.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab28578.cab
O16 - DPF: {3B0EA9E6-7003-4B38-B398-9B1B6DF439C5} - http://download.answers.com/pub/AnswersSetup.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126758160141
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup144.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\EDSNZ\VPN Client\cvpnd.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: MQNGFSJLE - Sysinternals - www.sysinternals.com - C:\DOCUME~1\James\LOCALS~1\Temp\MQNGFSJLE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TYCNMHJ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\James\LOCALS~1\Temp\TYCNMHJ.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Log of AproposFix v1
************
Running from directory: C:\Documents and Settings\Administrator.HOME-YNAU24Z3BK\Desktop\aproposfix
************
Registry entries found:
************
No service found!
Removing hidden folder:
No folder found!
Deleting files:
Backing up files:
Done!
Removing registry entries:
REGEDIT4
Done!
Finished!

--------------------------------------------------------------------------------------------
HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version 19/12/2004 9:24 p.m. 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version 19/12/2004 9:24 p.m. 0 bytes Key name contains embedded nulls (*)
C:\Backup to CD\CD4\Richard's stuff\Thumbs.db:encryptable 9/12/2005 11:33 a.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\HiddenFiles.txt 11/12/2005 7:58 p.m. 938 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\QuarantinedExecutables.txt 11/12/2005 7:58 p.m. 498 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\QuarantinedLibraries.txt 11/12/2005 7:58 p.m. 112 bytes Hidden from Windows API.
C:\Documents and Settings\Anna.HOME-YNAU24Z3BK\Local Settings\History\History.IE5\index.dat 16/10/2005 8:24 p.m. 480.00 KB Hidden from Windows API.
C:\Documents and Settings\Carol Gorham\Local Settings\Temp\EACDownload\cnry.exe 14/02/2003 11:29 a.m. 17.50 KB Hidden from Windows API.
C:\Documents and Settings\Carol Gorham\Local Settings\Temp\ICD1.tmp\cnry.exe 14/02/2003 11:29 a.m. 17.50 KB Hidden from Windows API.
C:\Documents and Settings\James Gorham\Local Settings\Temp\cabex.dll 26/05/2002 4:56 p.m. 76.00 KB Hidden from Windows API.
C:\Documents and Settings\James Gorham\Local Settings\Temp\data1.dat 11/01/2004 9:37 a.m. 184 bytes Hidden from Windows API.
C:\Documents and Settings\Richard Gorham\Local Settings\Temp\EACDownload\eanth_update.exe 3/02/2004 10:19 p.m. 13.00 KB Hidden from Windows API.
C:\Documents and Settings\Richard Gorham\Local Settings\Temp\EanthComponents\oodlz_install.exe 3/02/2004 10:16 p.m. 813.81 KB Hidden from Windows API.
C:\Documents and Settings\Richard Gorham\Local Settings\Temp\EanthComponents\StopSign_install-r.exe 3/02/2004 10:14 p.m. 164.17 KB Hidden from Windows API.
C:\Documents and Settings\Richard\My Documents\Richard's stuff\My Received Files\Chiptuning - Data-Sheet Chiptuning for Mercedes C 43 AMG_files\Thumbs.db:encryptable 9/12/2005 12:39 p.m. 0 bytes Hidden from Windows API.
C:\Documents and Settings\Richard\My Documents\Richard's stuff\Thumbs.db:encryptable 9/12/2005 12:39 p.m. 0 bytes Hidden from Windows API.
C:\Program Files\CA\Common\ScanEngine\Logs\20051215005805.txt 15/12/2005 1:58 p.m. 84 bytes Hidden from Windows API.
C:\Program Files\CA\Common\ScanEngine\Logs\20051215012808.txt 15/12/2005 2:28 p.m. 84 bytes Visible in directory index, but not Windows API or MFT.
C:\Program Files\Corel\WordPerfect Office 2000\programs\layout.bin 16/01/1999 10:24 a.m. 334 bytes Hidden from Windows API.
C:\Program Files\Kontiki 24/12/2003 4:37 p.m. 0 bytes Hidden from Windows API.
C:\Program Files\Kontiki\bin 5/03/2004 10:09 p.m. 0 bytes Hidden from Windows API.
C:\Program Files\Kontiki\bin\KS309190.dll 19/09/2003 7:33 p.m. 96.00 KB Hidden from Windows API.
C:\WINDOWS\Downloaded Program Files\CONFLICT.1 13/12/2005 1:07 p.m. 0 bytes Hidden from Windows API.
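A first pass over a HijackThis log like the one above can be scripted. What follows is an added example written for this thread, not code from any poster and not part of HijackThis; the rules are mine, and the sample lines are copied from the log just posted. The two randomly named "Sysinternals" services running from the user's Temp folder are what the path rule should catch: RootkitRevealer runs its scan as a randomly named copy of itself from Temp, so they are probably benign here, but the company string in an O23 line is read from the file's version resource and is trivially forged, so a Temp path always wins over a friendly vendor name and gets handed to a human to confirm.

```python
import re
from typing import Dict, List

# A HijackThis entry is "<section> - <body>", e.g. "O23 - Service: ...".
HJT_LINE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# Any path component named Temp, including 8.3 forms such as LOCALS~1\Temp.
TEMP_PATH = re.compile(r"\\temp\\", re.IGNORECASE)

# Sample lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O15 - Trusted Zone: http://www.merchdirect.net
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: MQNGFSJLE - Sysinternals - www.sysinternals.com - C:\DOCUME~1\James\LOCALS~1\Temp\MQNGFSJLE.exe
O23 - Service: TYCNMHJ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\James\LOCALS~1\Temp\TYCNMHJ.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Return one {code, body, line} record per HijackThis entry; the log
    header and the "Running processes" block do not match and are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append({"code": m["code"], "body": m["body"], "line": raw.strip()})
    return entries


def split_o23(body: str):
    """Split 'Service: <name> - <vendor> - <path>'.  The vendor field comes
    from the file's version resource and may itself contain ' - ' (here:
    'Sysinternals - www.sysinternals.com'), so the path is taken from the
    right end and the service name from the left end."""
    head, path = body.rsplit(" - ", 1)
    name, vendor = head.split(" - ", 1)
    return name[len("Service: "):], vendor, path


def triage(text: str) -> List[Dict[str, str]]:
    """Apply a few path-based rules.  Vendor strings are never trusted on
    their own: anything can put a respectable company name in its version info."""
    findings = []

    def add(severity, reason, entry):
        findings.append({"severity": severity, "reason": reason, "line": entry["line"]})

    for e in parse_hjt(text):
        code, body = e["code"], e["body"]
        if "(file missing)" in body:
            add("LOW", "orphaned autostart: file is gone but the hook remains", e)
            continue
        if code == "O23":
            _, vendor, path = split_o23(body)
            if TEMP_PATH.search(path):
                add("HIGH", "service binary runs from a Temp folder; verify before trusting the vendor string", e)
            elif vendor == "Unknown owner":
                add("REVIEW", "service binary carries no company name in its version info", e)
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            add("REVIEW", "AppInit DLL is loaded into every process that links user32.dll", e)
        elif code == "O15":
            add("REVIEW", "site in the IE Trusted Zone gets relaxed security settings", e)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['reason']}")
        print(f"       {f['line']}")
```

Run it against a full log by reading the file into triage(); the interceptor.dll finding is expected on this machine (the service dump earlier in the thread shows it as Tenebril's SpyCatcher API interceptor), which is exactly why AppInit entries are marked for review rather than removal.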
Dec 16 2005, 11:45 AM, Post #11 (GSF mate, Group: Member, Posts: 362, Joined: 14-August 04, Member No.: 9701)
Hi mongrel,
I apologize for not replying back to you sooner, but I was asking some others about your logs.

Please delete this folder in bold:
C:\Program Files\Kontiki\
Then reboot.
________
Please download KillBox by Option^Explicit from Here
Save it to your Desktop, don't just run it from the download site.
Open KillBox. Then on killbox top bar press tools and then "Delete Temp Files" then "OK".
In the killbox program, select the Delete on Reboot option.
Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\Documents and Settings\Anna.HOME-YNAU24Z3BK\Local Settings\History\History.IE5\index.dat
C:\Documents and Settings\Carol Gorham\Local Settings\Temp\EACDownload\cnry.exe
C:\Documents and Settings\Carol Gorham\Local Settings\Temp\ICD1.tmp\cnry.exe
C:\Documents and Settings\James Gorham\Local Settings\Temp\cabex.dll
C:\Documents and Settings\James Gorham\Local Settings\Temp\data1.dat
C:\Documents and Settings\Richard Gorham\Local Settings\Temp\EACDownload\eanth_update.exe
C:\Documents and Settings\Richard Gorham\Local Settings\Temp\EanthComponents\oodlz_install.exe
C:\Documents and Settings\Richard Gorham\Local Settings\Temp\EanthComponents\StopSign_install-r.exe

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
Before you reboot, close this window and all windows and programs!
If your computer does not restart automatically, please restart it manually.
________
Then we need to clean out your Temp folders. There are a few ways to do this. You may need to log on as an Administrator to 'gain access' to the other profiles.
Navigate to these Temp folders in bold:
C:\Documents and Settings\Carol Gorham\Local Settings\Temp\
C:\Documents and Settings\James Gorham\Local Settings\Temp\
C:\Documents and Settings\Richard Gorham\Local Settings\Temp\
Then delete the contents in that folder. Don't delete the folder itself, just what's inside the folder.
If you have trouble removing any files/folders in there, try doing it in Safe mode (tap F8 while restarting).
Then reboot.

Then click Start | Run | (type) cleanmgr | then "OK"
Let it scan your system for files to remove. Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Click "OK" to remove them. Click "Yes" to confirm the deletion.

Finally, to also clean your temp folder, recycle bin, etc., please download this free tool: CCleaner
It will put a shortcut on your Desktop. Click on CCleaner to start it. Then click "Run Cleaner". Then Reboot (Exit).
__________
Please download Spybot: Search and Destroy
Check for Updates first, download ALL Updates and Do a Scan.
When finished, make sure ALL RED items have been ticked, and click the "Fix Selected Problems" Button.
_______________
Then, there's been an update to smitRem ©
Please delete your current version, then....
Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.
Then reboot into Safe mode again.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Your desktop and icons will disappear and then reappear again --- this is normal.
Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.
Restart your computer in normal mode.
Then please post the log from the smitRem tool, which will be located at C:\smitfiles.txt.
___________
Please download Kpro_SDT.zip from here: http://castlecops.com/zx/IMM/Kpro_SDT.zip
Make a new folder on your Desktop, then Unzip Kpro_SDT to that folder. Open it, then click on KProc.bat
After it runs, a log, kproc_rpt.txt will be put into that new folder.
Please post the kproc_rpt.txt to this topic.
____________
Then please run a scan here, and please post the results of what was found.
http://www.kaspersky.com/trials?chapter=146481750

Then please post a new Rootkit Revealer log, HJT log also along with the other logs asked for. If they don't all fit in one post, then please make several posts if need be.
Before you run Rootkit Revealer, make sure there are no other programs running (that you can control). In other words, don't have Notepad open, Internet Explorer open, etc....
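The "Delete on Reboot" step above is worth understanding, because the same mechanism is available to the malware being cleaned. Windows provides it through MoveFileEx(source, NULL, MOVEFILE_DELAY_UNTIL_REBOOT), which appends the request to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager; smss.exe carries the list out at the next boot, before any user-mode process can hold the files open. The following is an added example of mine, not KillBox's code and not from any post in this thread: it builds the value that scheduling the helper's paths would produce, encodes and decodes the registry format, and lists what is queued. The two file paths are taken from the helper's list above; the "!" convention for MOVEFILE_REPLACE_EXISTING destinations and the "\??\" prefix are how Windows records these entries.

```python
# Two of the locked files the helper listed for KillBox's "Delete on Reboot".
LOCKED_FILES = [
    r"C:\Documents and Settings\Carol Gorham\Local Settings\Temp\EACDownload\cnry.exe",
    r"C:\Documents and Settings\James Gorham\Local Settings\Temp\cabex.dll",
]

PENDING_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"


def to_nt_path(win_path: str) -> str:
    """MoveFileEx stores Win32 paths in NT object-manager form, \??\C:\..."""
    return win_path if win_path.startswith(NT_PREFIX) else NT_PREFIX + win_path


def schedule_deletes(paths) -> list:
    """The strings that MoveFileEx(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT)
    appends to the value: each source is followed by an empty destination,
    and an empty destination means 'delete at boot'."""
    out = []
    for p in paths:
        out.extend([to_nt_path(p), ""])
    return out


def encode_multi_sz(strings) -> bytes:
    """REG_MULTI_SZ wire format: UTF-16LE, every string NUL-terminated, then
    one extra NUL.  Empty strings in the middle are legal in this particular
    value and must survive; a generic reader that stops at the first empty
    string (a double NUL) would see only the first pending operation."""
    body = "".join(s + "\0" for s in strings) + "\0"
    return body.encode("utf-16-le")


def decode_multi_sz(data: bytes) -> list:
    """Inverse of encode_multi_sz that keeps embedded empty strings."""
    text = data.decode("utf-16-le")
    if text.endswith("\0"):
        text = text[:-1]            # list terminator
    parts = text.split("\0")
    if parts and parts[-1] == "":
        parts.pop()                 # terminator of the last string
    return parts


def describe_pending(strings) -> list:
    """Read the value as (source, destination) pairs the way smss.exe does at
    boot.  Run this over the live value before rebooting: anything you did
    not queue yourself is a rename or deletion someone else scheduled."""
    ops = []
    for i in range(0, len(strings) - 1, 2):
        src, dst = strings[i], strings[i + 1]
        if dst == "":
            ops.append(f"DELETE  {src}")
        elif dst.startswith("!"):
            ops.append(f"REPLACE {src} -> {dst[1:]}")   # MOVEFILE_REPLACE_EXISTING
        else:
            ops.append(f"RENAME  {src} -> {dst}")
    return ops


if __name__ == "__main__":
    queued = schedule_deletes(LOCKED_FILES)
    raw = encode_multi_sz(queued)
    # On the XP box this is what gets written to, or read back from,
    # PENDING_KEY \ PENDING_VALUE; here it is only round-tripped.
    for op in describe_pending(decode_multi_sz(raw)):
        print(op)
```

To inspect the real value, read the raw bytes (for example with RegQueryValueExW through ctypes, or from a `reg export` of the key) and pass them to decode_multi_sz; Python's winreg decodes REG_MULTI_SZ itself and, as far as I know, stops at the first empty string, so it would truncate exactly the list you want to see.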
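The kproc_rpt.txt the helper asks for is KProcCheck output: one line per hooked entry of the kernel service descriptor table, naming the module that owns the hook (the report the user posted further down in this thread shows the format). Reading it by hand means deciding, per module, whether the hooks are expected. The script below is an added example of my own, not KProcCheck's code and not from any post: it parses the report, cross-checks the parsed line count against the tool's own "entries hooked" total so a garbled paste is noticed, groups hooks by driver, and singles out hooks on the enumeration calls a kernel rootkit uses to hide. The allow-list entry for vsdatant.sys rests on the service dump earlier in the thread, which lists it as the Zone Labs TrueVector driver; the rk_example.sys line in the sample is hypothetical, added only to show an unexpected hook.

```python
import re
from collections import Counter

SDT_HOOK = re.compile(
    r"^(?P<name>Zw\w+)\s+(?P<index>[0-9A-Fa-f]+)\s+(?P<module>\S+)\s+\[(?P<addr>[0-9A-Fa-f]+)\]$")
SHADOW_HOOK = re.compile(
    r"^Entry\s+(?P<index>[0-9A-Fa-f]+)\s+Hooked\s+-\s+(?P<module>\S+)\s+\[(?P<addr>[0-9A-Fa-f]+)\]$")
DECLARED = re.compile(r"^Number of Service Table entries hooked = (\d+)$")

# Modules whose SDT hooks are expected on this machine.  vsdatant.sys is the
# Zone Labs TrueVector driver listed in the service dump earlier in the thread.
KNOWN_HOOKERS = {"vsdatant.sys": "Zone Labs TrueVector (ZoneAlarm)"}

# Hooks on these calls are how a kernel rootkit hides files, keys and processes.
HIDING_APIS = {"ZwQueryDirectoryFile", "ZwQuerySystemInformation",
               "ZwEnumerateKey", "ZwEnumerateValueKey", "ZwQueryKey"}

# Constructed excerpt: the vsdatant.sys lines are copied from the report posted
# later in this thread; the rk_example.sys line is hypothetical, and the
# declared count matches this excerpt rather than the full report.
SAMPLE_REPORT = r"""
KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg)
Checks SDT for Hooked Native APIs
KeServiceDescriptorTable 80559480
ZwCreateFile 25 \SystemRoot\System32\vsdatant.sys [F5FC0B70]
ZwCreateKey 29 \SystemRoot\System32\vsdatant.sys [F5FD9944]
ZwOpenProcess 7A \SystemRoot\System32\vsdatant.sys [F5FD7E80]
ZwQueryDirectoryFile 91 \SystemRoot\System32\drivers\rk_example.sys [F7A11200]
ZwTerminateProcess 101 \SystemRoot\System32\vsdatant.sys [F5FD8BB0]
Number of Service Table entries hooked = 5
Checks Shadow SDT for Hooked Native GDI APIs
Entry 1CC Hooked - \systemroot\system32\vsdatant.sys [F5FC2270]
"""


def module_name(path: str) -> str:
    """Map '\SystemRoot\System32\x.sys' and '\systemroot\system32\x.sys' to one key."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_kproc(text: str) -> dict:
    report = {"sdt": [], "shadow": [], "declared": None}
    for line in text.splitlines():
        line = line.strip()
        m = SDT_HOOK.match(line)
        if m:
            report["sdt"].append({"name": m["name"], "index": int(m["index"], 16),
                                  "module": module_name(m["module"]), "addr": int(m["addr"], 16)})
            continue
        m = SHADOW_HOOK.match(line)
        if m:
            report["shadow"].append({"index": int(m["index"], 16),
                                     "module": module_name(m["module"]), "addr": int(m["addr"], 16)})
            continue
        m = DECLARED.match(line)
        if m:
            report["declared"] = int(m.group(1))
    return report


def assess(report: dict, known=KNOWN_HOOKERS) -> list:
    findings = []
    if report["declared"] is not None and report["declared"] != len(report["sdt"]):
        findings.append(("PARSE", f"tool counted {report['declared']} SDT hooks but "
                                  f"{len(report['sdt'])} parsed; the paste is incomplete or garbled"))
    per_module = Counter(h["module"] for h in report["sdt"] + report["shadow"])
    for mod, n in per_module.most_common():
        if mod in known:
            findings.append(("EXPECTED", f"{mod}: {n} hook(s), {known[mod]}"))
        else:
            findings.append(("UNEXPECTED", f"{mod}: {n} hook(s) from a module not on the allow-list"))
    for h in report["sdt"]:
        if h["name"] in HIDING_APIS and h["module"] not in known:
            findings.append(("HIDING", f"{h['name']} (index {h['index']:#x}) hooked by {h['module']}"))
    return findings


if __name__ == "__main__":
    for kind, detail in assess(parse_kproc(SAMPLE_REPORT)):
        print(f"{kind:10} {detail}")
```

A firewall or HIPS driver hooking two dozen create/open/delete calls, as vsdatant.sys does in the real report, is normal; a driver nobody installed hooking ZwQueryDirectoryFile is the pattern to chase, and the module name is only the starting point, since a rootkit can name its driver anything.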
Dec 18 2005, 10:37 PM, Post #12 (New Member, Group: Member, Posts: 7, Joined: 12-December 05, Member No.: 17161)
Thanks again for all this. I did all things as requested, although my PC did not like Kaspersky at all, as it shut down regularly and no other programs would run after I installed it. I ended up having to delete it in safe mode as that was the only thing I could do. Here was one of the error message details that showed up after restarting:
C:\DOCUME~1\James\LOCALS~1\Temp\WERff50.dir00\Mini121705-01.dmp
C:\DOCUME~1\James\LOCALS~1\Temp\WERff50.dir00\sysdata.xml

Here are all the logs as requested:

smitRem © log file
version 2.8
by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: Sat 17/12/2005
The current time is: 10:33:30.65

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!
spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~
Online Security Guide.url

~~~ Favorites ~~~

~~~ system32 folder ~~~
ioctrl.dll

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright © 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 748 'explorer.exe'

Starting registry repairs

Deleting files

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~
Online Security Guide.url

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN! :)

KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg)
Checks SDT for Hooked Native APIs

KeServiceDescriptorTable 80559480
KeServiceDescriptorTable.ServiceTable 804E26A8
KeServiceDescriptorTable.ServiceLimit 284

ZwConnectPort 1F \SystemRoot\System32\vsdatant.sys [F5FC3C90]
ZwCreateFile 25 \SystemRoot\System32\vsdatant.sys [F5FC0B70]
ZwCreateKey 29 \SystemRoot\System32\vsdatant.sys [F5FD9944]
ZwCreateProcess 2F \SystemRoot\System32\vsdatant.sys [F5FD8760]
ZwCreateProcessEx 30 \SystemRoot\System32\vsdatant.sys [F5FD8980]
ZwCreateSection 32 \SystemRoot\System32\vsdatant.sys [F5FDB610]
ZwDeleteFile 3E \SystemRoot\System32\vsdatant.sys [F5FC1180]
ZwDeleteKey 3F \SystemRoot\System32\vsdatant.sys [F5FDA330]
ZwDeleteValueKey 41 \SystemRoot\System32\vsdatant.sys [F5FDA100]
ZwDuplicateObject 44 \SystemRoot\System32\vsdatant.sys [F5FD8080]
ZwLoadKey 62 \SystemRoot\System32\vsdatant.sys [F5FDA4F0]
ZwOpenFile 74 \SystemRoot\System32\vsdatant.sys [F5FC0FD0]
ZwOpenProcess 7A \SystemRoot\System32\vsdatant.sys [F5FD7E80]
ZwOpenThread 80 \SystemRoot\System32\vsdatant.sys [F5FD7C40]
ZwReplaceKey C1 \SystemRoot\System32\vsdatant.sys [F5FDA7C0]
ZwRequestWaitReplyPort C8 \SystemRoot\System32\vsdatant.sys [F5FC3960]
ZwRestoreKey CC \SystemRoot\System32\vsdatant.sys [F5FDAA50]
ZwSecureConnectPort D2 \SystemRoot\System32\vsdatant.sys [F5FC3E40]
ZwSetInformationFile E0 \SystemRoot\System32\vsdatant.sys [F5FC12F0]
ZwSetValueKey F7 \SystemRoot\System32\vsdatant.sys [F5FD9EA0]
ZwTerminateProcess 101 \SystemRoot\System32\vsdatant.sys [F5FD8BB0]

Number of Service Table entries hooked = 21

KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg)
Checks Shadow SDT for Hooked Native GDI APIs

KeServiceDescriptorTableShadow 80559440
KeServiceDescriptorTableShadow.SDE[1].ServiceTable BF998300
KeServiceDescriptorTableShadow.SDE[1].ServiceLimit 667

Entry 1CC Hooked - \systemroot\system32\vsdatant.sys [F5FC2270]
Entry 1DB Hooked
- \systemroot\system32\vsdatant.sys [F5FC2310] Entry 1F6 Hooked - \systemroot\system32\vsdatant.sys [F5FC24C0] Number of GDI Service Table entries hooked = 3 KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg) Process list by traversal of ActiveProcessLinks 4 - System 192 - InoRT.exe 220 - InoTask.exe 288 - LogWatNT.exe 324 - nvsvc32.exe 364 - svchost.exe 384 - wdfmgr.exe 488 - vsmon.exe 560 - InoDist.exe 644 - Realmon.exe 652 - KMaestro.exe 704 - zlclient.exe 736 - smss.exe 788 - csrss.exe 812 - winlogon.exe 860 - services.exe 872 - lsass.exe 1012 - mapiicon.exe 1032 - svchost.exe 1116 - svchost.exe 1172 - svchost.exe 1296 - svchost.exe 1332 - svchost.exe 1476 - spoolsv.exe 1584 - avgamsvr.exe 1764 - explorer.exe 1808 - avgupsvc.exe 1836 - cvpnd.exe 1904 - SAgent2.exe 1952 - ewidoctrl.exe 1968 - InoRpc.exe 2224 - wscntfy.exe 2304 - wmiprvse.exe 2348 - alg.exe 2684 - cmd.exe 2872 - KProcCheck.exe 3264 - wuauclt.exe Total number of processes = 37 KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg) Process list by traversal of KiWaitListHead 4 - System 192 - InoRT.exe 220 - InoTask.exe 288 - LogWatNT.exe 324 - nvsvc32.exe 364 - svchost.exe 384 - wdfmgr.exe 488 - vsmon.exe 560 - InoDist.exe 644 - Realmon.exe 652 - KMaestro.exe 704 - zlclient.exe 736 - smss.exe 788 - csrss.exe 812 - winlogon.exe 860 - services.exe 872 - lsass.exe 1012 - mapiicon.exe 1032 - svchost.exe 1116 - svchost.exe 1172 - svchost.exe 1296 - svchost.exe 1332 - svchost.exe 1476 - spoolsv.exe 1584 - avgamsvr.exe 1764 - explorer.exe 1808 - avgupsvc.exe 1836 - cvpnd.exe 1904 - SAgent2.exe 1952 - ewidoctrl.exe 1968 - InoRpc.exe 2224 - wscntfy.exe 2304 - wmiprvse.exe 2348 - alg.exe 2684 - cmd.exe 3264 - wuauclt.exe Total number of processes = 36 NOTE: Under WinXP, this will not show all processes. 
KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg) Driver/Module list by traversal of PsLoadedModuleList 804D7000 - \WINDOWS\system32\ntoskrnl.exe 806EC000 - \WINDOWS\system32\hal.dll F7D2F000 - \WINDOWS\system32\KDCOM.DLL F7C3F000 - \WINDOWS\system32\BOOTVID.dll F77E0000 - ACPI.sys F7D31000 - \WINDOWS\System32\DRIVERS\WMILIB.SYS F77CF000 - pci.sys F782F000 - isapnp.sys F7D33000 - viaide.sys F7AAF000 - \WINDOWS\System32\DRIVERS\PCIIDEX.SYS F783F000 - MountMgr.sys F77B0000 - ftdisk.sys F7D35000 - dmload.sys F778A000 - dmio.sys F7AB7000 - PartMgr.sys F784F000 - VolSnap.sys F7772000 - atapi.sys F785F000 - disk.sys F786F000 - \WINDOWS\System32\DRIVERS\CLASSPNP.SYS F7753000 - fltmgr.sys F7ABF000 - ino_flpy.sys F773C000 - KSecDD.sys F76AF000 - Ntfs.sys F7682000 - NDIS.sys F787F000 - viaagp.sys F788F000 - sbp2port.sys F789F000 - ohci1394.sys F78AF000 - \WINDOWS\System32\DRIVERS\1394BUS.SYS F7667000 - Mup.sys F78DF000 - \SystemRoot\System32\DRIVERS\processr.sys F74B9000 - \SystemRoot\System32\DRIVERS\nv4_mini.sys F74A5000 - \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS F78EF000 - \SystemRoot\System32\DRIVERS\nic1394.sys F743B000 - \SystemRoot\System32\DRIVERS\itexwana.sys F7ADF000 - \SystemRoot\System32\DRIVERS\DM9PCI5.SYS F78FF000 - \SystemRoot\System32\DRIVERS\imapi.sys F7AEF000 - \SystemRoot\system32\drivers\iviaspi.sys F7CCB000 - \SystemRoot\system32\drivers\pfc.sys F790F000 - \SystemRoot\System32\DRIVERS\cdrom.sys F791F000 - \SystemRoot\System32\DRIVERS\redbook.sys F7418000 - \SystemRoot\System32\DRIVERS\ks.sys F7B07000 - \SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys F7B0F000 - \SystemRoot\System32\DRIVERS\usbuhci.sys F73F5000 - \SystemRoot\System32\DRIVERS\USBPORT.SYS F73C3000 - \SystemRoot\system32\drivers\vinyl97.sys F739F000 - \SystemRoot\system32\drivers\portcls.sys F792F000 - \SystemRoot\system32\drivers\drmk.sys F7B27000 - \SystemRoot\System32\DRIVERS\fdc.sys F793F000 - \SystemRoot\System32\DRIVERS\serial.sys F7CE7000 - 
\SystemRoot\System32\DRIVERS\serenum.sys F738B000 - \SystemRoot\System32\DRIVERS\parport.sys F794F000 - \SystemRoot\System32\DRIVERS\i8042prt.sys F7B37000 - \SystemRoot\System32\DRIVERS\mouclass.sys F7B3F000 - \SystemRoot\System32\DRIVERS\kbdclass.sys F7EDA000 - \SystemRoot\system32\drivers\msmpu401.sys F7CF3000 - \SystemRoot\System32\DRIVERS\gameenum.sys F7373000 - \SystemRoot\System32\DRIVERS\dne2000.sys F7EDF000 - \SystemRoot\System32\DRIVERS\audstub.sys F795F000 - \SystemRoot\System32\DRIVERS\rasl2tp.sys F7CFF000 - \SystemRoot\System32\DRIVERS\ndistapi.sys F735C000 - \SystemRoot\System32\DRIVERS\ndiswan.sys F796F000 - \SystemRoot\System32\DRIVERS\raspppoe.sys F797F000 - \SystemRoot\System32\DRIVERS\raspptp.sys F7B67000 - \SystemRoot\System32\DRIVERS\TDI.SYS F72AB000 - \SystemRoot\System32\DRIVERS\psched.sys F798F000 - \SystemRoot\System32\DRIVERS\msgpc.sys F7B77000 - \SystemRoot\System32\DRIVERS\ptilink.sys F7B87000 - \SystemRoot\System32\DRIVERS\raspti.sys F727A000 - \SystemRoot\System32\DRIVERS\rdpdr.sys F799F000 - \SystemRoot\System32\DRIVERS\termdd.sys F7D3D000 - \SystemRoot\System32\DRIVERS\swenum.sys F721E000 - \SystemRoot\System32\DRIVERS\update.sys F7D1F000 - \SystemRoot\System32\DRIVERS\mssmbios.sys F79AF000 - \SystemRoot\System32\Drivers\NDProxy.SYS F79CF000 - \SystemRoot\System32\DRIVERS\usbhub.sys F7D47000 - \SystemRoot\System32\DRIVERS\USBD.SYS F7B97000 - \SystemRoot\System32\DRIVERS\flpydisk.sys F7D4B000 - \SystemRoot\System32\Drivers\Fs_Rec.SYS F7E51000 - \SystemRoot\System32\Drivers\Null.SYS F7D4F000 - \SystemRoot\System32\Drivers\Beep.SYS F7E54000 - \SystemRoot\System32\Drivers\VIAPFD.SYS F7BAF000 - \SystemRoot\System32\drivers\vga.sys F7D53000 - \SystemRoot\System32\Drivers\mnmdd.SYS F7D57000 - \SystemRoot\System32\DRIVERS\RDPCDD.sys F7BBF000 - \SystemRoot\System32\Drivers\Msfs.SYS F7BCF000 - \SystemRoot\System32\Drivers\Npfs.SYS F7CC7000 - \SystemRoot\System32\DRIVERS\rasacd.sys F60A3000 - \SystemRoot\System32\DRIVERS\ipsec.sys F604B000 - 
\SystemRoot\System32\DRIVERS\tcpip.sys F6023000 - \SystemRoot\System32\DRIVERS\netbt.sys F6002000 - \SystemRoot\System32\DRIVERS\ipnat.sys F5FA8000 - \SystemRoot\System32\vsdatant.sys F79EF000 - \SystemRoot\System32\DRIVERS\wanarp.sys F5F5E000 - \SystemRoot\System32\drivers\afd.sys F79FF000 - \SystemRoot\System32\DRIVERS\arp1394.sys F7A0F000 - \SystemRoot\System32\DRIVERS\netbios.sys F5E93000 - \SystemRoot\System32\DRIVERS\rdbss.sys F5E24000 - \SystemRoot\System32\DRIVERS\mrxsmb.sys F7BEF000 - \SystemRoot\System32\DRIVERS\usbprint.sys F7A1F000 - \SystemRoot\System32\Drivers\Fips.SYS F5D6C000 - \SystemRoot\System32\Drivers\avg7core.sys F7276000 - \SystemRoot\System32\DRIVERS\usbscan.sys F7D5D000 - \SystemRoot\System32\Drivers\avg7rsw.sys F7C27000 - \SystemRoot\System32\Drivers\avg7rsxp.sys F5D49000 - \SystemRoot\System32\Drivers\Fastfat.SYS F5D31000 - \SystemRoot\System32\Drivers\dump_atapi.sys F7D71000 - \SystemRoot\System32\Drivers\dump_WMILIB.SYS BF800000 - \SystemRoot\System32\win32k.sys F6112000 - \SystemRoot\System32\drivers\Dxapi.sys F7AE7000 - \SystemRoot\System32\watchdog.sys BF9C2000 - \SystemRoot\System32\drivers\dxg.sys F7F61000 - \SystemRoot\System32\drivers\dxgthk.sys BF9D4000 - \SystemRoot\System32\nv4_disp.dll F4D0A000 - \??\C:\WINDOWS\system32\Drivers\ino_fltr.sys F4D44000 - \SystemRoot\System32\DRIVERS\ndisuio.sys F42AD000 - \SystemRoot\System32\DRIVERS\mrxdav.sys F7DD7000 - \SystemRoot\System32\Drivers\ParVdm.SYS F43D6000 - \SystemRoot\System32\Drivers\Aspi32.SYS F4270000 - \SystemRoot\system32\drivers\wdmaud.sys F4E38000 - \SystemRoot\system32\drivers\sysaudio.sys F3F21000 - \??\C:\WINDOWS\System32\Drivers\CVPNDRV.sys F3FF3000 - \SystemRoot\System32\Drivers\Cdfs.SYS F7DAF000 - \??\C:\WINDOWS\System32\PfModNT.sys F3C4F000 - \SystemRoot\System32\DRIVERS\srv.sys F3B63000 - \??\C:\WINDOWS\System32\Drivers\Maestro0.sys F3815000 - \SystemRoot\system32\drivers\kmixer.sys F7E25000 - \SystemRoot\System32\DRIVERS\KProcCheck.sys Total number of drivers = 
127 KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg) Support driver successfully unloaded. Logfile of HijackThis v1.99.1 Scan saved at 11:26:33 a.m., on 19/12/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\EDSNZ\VPN Client\cvpnd.exe C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe C:\Program Files\ewido\security suite\ewidoctrl.exe C:\Program Files\CA\eTrust Antivirus\InoRpc.exe C:\Program Files\CA\eTrust Antivirus\InoRT.exe C:\Program Files\CA\eTrust Antivirus\InoTask.exe C:\WINDOWS\LogWatNT.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\CA\Common\SCANEN~1\InoDist.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\CA\ETRUST~1\realmon.exe C:\KMaestro\KMaestro.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\system32\mapiicon.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\iPod\bin\iPodService.exe C:\HJT\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm O3 - Toolbar: SpoofStick - {4D46ED77-1429-4CF6-8F63-C84B5D710BAF} - C:\Program Files\CoreStreet\SpoofStick\SpoofStick.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s O4 - HKLM\..\Run: [KeyMaestro] C:\KMaestro\KMaestro.exe 
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O4 - Global Startup: ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exe O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\AllStar\AdShield\maintain.htm O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\AllStar\AdShield\suppress.htm O8 - Extra context menu item: Add to &Exclude List... - C:\PROGRA~1\AllStar\AdShield\restrict.htm O8 - Extra context menu item: AdShield Option &Settings... 
- C:\PROGRA~1\AllStar\AdShield\settings.htm O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: AdShield - {4FB6C25E-7B37-4c93-B592-16ECD8D18361} - C:\WINDOWS\system32\shdocvw.dll (HKCU) O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O15 - Trusted Zone: http://www.merchdirect.net O15 - Trusted Zone: http://www.ultimatecarpage.com O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409 O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab28578.cab O16 - DPF: {3B0EA9E6-7003-4B38-B398-9B1B6DF439C5} - http://download.answers.com/pub/AnswersSetup.cab O16 
- DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126758160141 O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup144.cab O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing) O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\EDSNZ\VPN Client\cvpnd.exe O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. 
- C:\Program Files\CA\eTrust Antivirus\InoTask.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe O23 - Service: MQNGFSJLE - Unknown owner - C:\DOCUME~1\James\LOCALS~1\Temp\MQNGFSJLE.exe (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe O23 - Service: TYCNMHJ - Unknown owner - C:\DOCUME~1\James\LOCALS~1\Temp\TYCNMHJ.exe (file missing) O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe |
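Two of the logs in the post above are worth more than a visual skim: the KProcCheck SSDT listing (every hooked entry should be attributable to a driver you can name) and the HijackThis O23 services (orphaned entries pointing at random-named executables in a Temp folder are exactly what a fake-antispyware remover leaves behind). The script below is an added example and is not a tool used in this thread or anything shipped by the KProcCheck or HijackThis authors. It parses both formats from lines copied out of the posted logs and produces a triage list. The one assumption is the allowlist: vsdatant.sys is ZoneAlarm's TrueVector driver, and ZoneAlarm is visibly installed here, so it is treated as the expected hooker; on another machine that set would differ.

```python
"""Triage helpers for two of the logs posted above: KProcCheck's SSDT hook
listing and HijackThis O23 service entries.  Added example, not a tool used
in the thread; the sample lines are copied from the posted logs."""
import re
from collections import defaultdict

# KProcCheck SSDT hook lines, copied from the posted log (constructed sample).
SSDT_SAMPLE = r"""
KeServiceDescriptorTable 80559480
ZwConnectPort 1F \SystemRoot\System32\vsdatant.sys [F5FC3C90]
ZwCreateFile 25 \SystemRoot\System32\vsdatant.sys [F5FC0B70]
ZwTerminateProcess 101 \SystemRoot\System32\vsdatant.sys [F5FD8BB0]
Number of Service Table entries hooked = 21
"""

# HijackThis O23 lines, copied from the posted log (constructed sample).
HJT_SAMPLE = r"""
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: MQNGFSJLE - Unknown owner - C:\DOCUME~1\James\LOCALS~1\Temp\MQNGFSJLE.exe (file missing)
O23 - Service: TYCNMHJ - Unknown owner - C:\DOCUME~1\James\LOCALS~1\Temp\TYCNMHJ.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Assumption for this example: vsdatant.sys (ZoneAlarm's TrueVector driver,
# present in the HJT log) is the only module expected to hook the SSDT here.
KNOWN_HOOKERS = {"vsdatant.sys"}

# "ZwCreateFile 25 \SystemRoot\System32\vsdatant.sys [F5FC0B70]"
HOOK_RE = re.compile(
    r"^(?P<api>Zw\w+)\s+(?P<idx>[0-9A-Fa-f]+)\s+(?P<module>\S+)\s+\[(?P<addr>[0-9A-Fa-f]+)\]$"
)
# "O23 - Service: <display name> - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def parse_ssdt_hooks(text):
    """One dict per hooked SSDT entry: API name, table index, hooking module, target address."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append({
                "api": m["api"],
                "index": int(m["idx"], 16),
                "module": m["module"].rsplit("\\", 1)[-1].lower(),
                "address": int(m["addr"], 16),
            })
    return hooks


def hooks_by_module(hooks):
    """Group hooked API names by the module that owns the replacement pointer."""
    grouped = defaultdict(list)
    for h in hooks:
        grouped[h["module"]].append(h["api"])
    return dict(grouped)


def unexpected_hookers(hooks, known=KNOWN_HOOKERS):
    """Modules hooking the SSDT that are not on the expected list."""
    return sorted(m for m in hooks_by_module(hooks) if m not in known)


def suspicious_services(text):
    """O23 entries whose binary is missing, lives under a Temp folder, or has no named owner."""
    findings = []
    for line in text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        reasons = []
        if m["missing"]:
            reasons.append("file missing")
        if "\\temp\\" in m["path"].lower():
            reasons.append("runs from Temp")
        if m["owner"].strip().lower() == "unknown owner":
            reasons.append("unknown owner")
        if reasons:
            findings.append((m["name"], m["path"], reasons))
    return findings


if __name__ == "__main__":
    hooks = parse_ssdt_hooks(SSDT_SAMPLE)
    for module, apis in hooks_by_module(hooks).items():
        print(f"{module}: {len(apis)} hooks ({', '.join(apis)})")
    print("unexpected hookers:", unexpected_hookers(hooks) or "none")
    for name, path, reasons in suspicious_services(HJT_SAMPLE):
        print(f"{name}: {path} -> {'; '.join(reasons)}")
```

Run against the full posted HJT log this flags the two Temp-folder services (MQNGFSJLE and TYCNMHJ) and, because of the "Unknown owner" rule, also LogWatNT.exe; "Unknown owner" only means HijackThis found no company name in the binary, so treat the output as a list to check, not a verdict. The shadow-SDT "Entry 1CC Hooked" lines use a different layout and are not parsed here.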
Dec 21 2005, 03:02 AM
Post
#13
GSF mate Group: Member Posts: 362 Joined: 14-August 04 Member No.: 9701 |
Hi mongrel,
Your logs look good. The only thing is that you have too many Anti-Virus programs running. That's not recommended, and may cause some issues. Please decide which one you want, then remove the others. If your subscription hasn't run out on eTrust, then that may be a good one to keep, but that's up to you.

If you're not having any problems, then here are some suggestions to clean/protect your PC: (Some may be redundant, so only use those that apply...)

I recommend that you get AdAware SE. Install the program and run it. Make sure you click the "Check for Updates" button before starting a scan. Do a scan with AdAware and remove everything it suggests.

Then, also get Spybot: Search and Destroy. Check for updates first, download ALL updates and do a scan. When finished, make sure ALL RED items have been ticked, and click the "Fix Selected Problems" button.

Keep them updated, and run them periodically.

_ _ _ _ _

Then click Start | Run (type) cleanmgr
Select the following:
1) Temporary Internet Files
2) Recycle Bin
3) Temporary Files
When completed, reboot.

_ _ _ _ _

Also go to Windows Update to keep up on all the latest security patches that apply to your PC. Check Windows' Update site frequently, as new patches come out often. You don't need to install all the updates offered, but ALWAYS get the latest security updates available.

_ _ _ _ _

Then, it is not an option these days to be on the internet without an updated Anti-Virus. If you have one, check it for updates frequently (or set it to "Auto" update). If you don't have one, or can't afford one, a good free one to use is AVG. Have a look at this link: http://www.mvps.org/winhelp2002/avg7.htm

Just as it is important to have an updated Anti-Virus, it's equally important to have a Firewall these days. Again, if you can't afford one, this is a good free one: Sygate Personal Firewall.

_ _ _ _ _

Then I recommend you clean out your System Restore. Doing this will remove all your restore points, and any infections that might be hanging in there.

Click Start.
Right-click My Computer, and then click Properties.
Click the System Restore tab.
Check the "Turn off System Restore" or "Turn off System Restore on all drives".
Click Apply.
Click Yes to do this.
Click OK.
Then Restart your computer.

After you have restarted, turn System Restore back on:

Click Start.
Right-click My Computer, and then click Properties.
Click the System Restore tab.
Uncheck the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
Click Apply, and then click OK.

Then create a new restore point once you have System Restore back on. To create a new System Restore Point, click Start -> All Programs -> Accessories -> System Tools -> System Restore. When the System Restore Utility opens, click "Create a Restore Point" then click Next. Enter a name for this Restore Point, and click Create.

_ _ _ _ _

Here is a link that explains how to Clear Out Forgotten Programs, Free Up Wasted Space, Defragment Your Computer, etc...
http://www.microsoft.com/windowsxp/using/s...estoreperf.mspx

_ _ _ _ _

Here are some good links to follow to make your Internet Explorer more secure:
http://www.mvps.org/winhelp2002/restricted.htm
http://mvps.org/winhelp2002/unwanted.htm

_ _ _ _ _

Here is some free protection you should also consider. Download and install:

SpywareBlaster will block bad ActiveX and malevolent cookies.
IESPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Check them for updates occasionally.

And also see Tony Klein's fine article: So how did I get infected in the first place?

Let us know if you have any concerns,
Stay safe!