Greetings,
Before you post in this forum, please read and follow the instructions in this post: Guidelines for Posting in This Forum
Failure to follow these instructions will only result in delays of the cleaning and removal process.
If you ran other AntiVirus and/or AntiSpyware programs and have the logs available, please post them as well.
Our goal is to help you clean your PC and restore it to pre-infection condition wherever possible.
Thank You
Post #1 | Dec 12 2005, 02:37 PM | New Member (Group: Member, Posts: 8, Joined: 13-November 04, Member No.: 11509)
Hi, I have used both Adaware SE and Spybot 1.4 to scan my system. Spybot still detects IST.YSB and Altnet but cannot get rid of either, while Adaware detects nothing. However, when I used Panda Online Scanner, it informed me that I have 23 spyware present. Kinda thrown off by that. Any help would be really appreciated. Below is a copy of the log from HijackThis.
Logfile of HijackThis v1.99.1
Scan saved at 6:00:38 PM, on 12/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\macromed\flash\GetFlash.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Cindy2\My Documents\PLNG\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [FGDjYyeBS] C:\WINDOWS\cjgtwg.exe
O4 - HKLM\..\Run: [Tzurqu] C:\Program Files\Lbzyct\Tdrc.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/classes...ab?ver=1,1,0,32
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab28578.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C6760A07-A574-4705-B113-7856315922C3} - http://akamai.downloadv3.com/binaries/IA/s...svc32_EN_XP.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v5.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = stu.nus.edu.sg
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Post #2 | Dec 12 2005, 10:18 PM | Master of Disaster Recovery (Group: General Admin, Posts: 15208, Joined: 24-March 03, From: Albuquerque, NM, Member No.: 2879)
Reboot in Safe Mode* and run HiJackThis. <-- IMPORTANT

Check the following items in HijackThis. (note: If any R* items do not appear in Safe Mode, re-run HiJackThis in Normal Mode and remove them after you finish removing these items.)

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [FGDjYyeBS] C:\WINDOWS\cjgtwg.exe
O4 - HKLM\..\Run: [Tzurqu] C:\Program Files\Lbzyct\Tdrc.exe

Close all windows except HijackThis and click Fix checked.

While still in Safe Mode*, delete the following: (you may need to show hidden files**) (Files specified without a full path will be located in C:\Windows\ or C:\Windows\System32\)

C:\WINDOWS\cjgtwg.exe
C:\Program Files\Lbzyct\ <--delete entire folder

*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406

**Show Hidden and System files and folders: http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode.

Run HiJackThis again and post a new log in this thread.

--------------------
Happiness ain't a thing in itself--it's only a contrast with something that ain't pleasant. Mark Twain
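One way to check a cleanup round like the one requested above is to parse the "before" and "after" HijackThis logs and diff them, which is what the helper does by eye in the next reply. This is an added example, not a forum or HijackThis tool; the two log excerpts and the fix list in the block are constructed, shortened copies of lines posted in this thread.

```python
import re

# One HijackThis entry line: a section tag (R0-R3, F0-F3, N1-N4, O1-O24),
# then " - ", then the entry body. Header lines and bare process paths do not match.
ENTRY_RE = re.compile(r"^(?P<section>R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (?P<body>.+)$")

# Constructed, shortened excerpt of the log in post #1 (before the fix).
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [FGDjYyeBS] C:\WINDOWS\cjgtwg.exe
O4 - HKLM\..\Run: [Tzurqu] C:\Program Files\Lbzyct\Tdrc.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

# Constructed, shortened excerpt of the log in post #3 (after the fix and reboot).
AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

# The lines the helper asked to have fixed in post #2.
FIX_LIST = [
    r"R3 - Default URLSearchHook is missing",
    r"O4 - HKLM\..\Run: [FGDjYyeBS] C:\WINDOWS\cjgtwg.exe",
    r"O4 - HKLM\..\Run: [Tzurqu] C:\Program Files\Lbzyct\Tdrc.exe",
]


def parse_hjt(text):
    """Return the set of (section, body) entries found in a HijackThis log.
    Whitespace is collapsed so a log that was re-wrapped when pasted into a
    forum still compares equal to the original."""
    entries = set()
    for raw in text.splitlines():
        m = ENTRY_RE.match(" ".join(raw.split()))
        if m:
            entries.add((m.group("section"), m.group("body")))
    return entries


def diff_logs(before, after):
    """Entries that disappeared and entries that are new between two logs."""
    b, a = parse_hjt(before), parse_hjt(after)
    return sorted(b - a), sorted(a - b)


def verify_fix(before, after, fix_lines):
    """Check a cleanup round: which requested entries survived the fix (in this
    thread the R3 line came back after the reboot) and which entries are new
    since the earlier log and therefore deserve a look."""
    requested = parse_hjt("\n".join(fix_lines))
    still_present = sorted(requested & parse_hjt(after))
    _, new_entries = diff_logs(before, after)
    return still_present, new_entries


def dangling_entries(text):
    """Entries HijackThis itself marks as pointing at nothing ("(no file)" or
    "(file missing)"); usually harmless leftovers, but worth reviewing."""
    return sorted(e for e in parse_hjt(text)
                  if e[1].endswith("(no file)") or e[1].endswith("(file missing)"))


if __name__ == "__main__":
    still, new = verify_fix(BEFORE_LOG, AFTER_LOG, FIX_LIST)
    for sec, body in still:
        print(f"STILL PRESENT: {sec} - {body}")
    for sec, body in new:
        print(f"NEW:           {sec} - {body}")
    for sec, body in dangling_entries(AFTER_LOG):
        print(f"DANGLING:      {sec} - {body}")
```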
Post #3 | Dec 14 2005, 06:09 PM | New Member (Group: Member, Posts: 8, Joined: 13-November 04, Member No.: 11509)
hi,
Did as instructed. However, I was unable to find C:\WINDOWS\cjgtwg.exe or C:\Program Files\Lbzyct\ even after showing all hidden files and extensions. Did another Spybot scan and it still found Altnet and IST.YSB. Here is the logfile after restarting the system. R3 reappeared upon restart.

Logfile of HijackThis v1.99.1
Scan saved at 1:54:42 AM, on 12/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Cindy2\My Documents\PLNG\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [ICQ] C:\Program Files\ICQ\ICQ.exe -trayboot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/classes...ab?ver=1,1,0,32
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab28578.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C6760A07-A574-4705-B113-7856315922C3} - http://akamai.downloadv3.com/binaries/IA/s...svc32_EN_XP.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v5.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = stu.nus.edu.sg
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Post #4 | Dec 14 2005, 11:04 PM | Master of Disaster Recovery (Group: General Admin, Posts: 15208, Joined: 24-March 03, From: Albuquerque, NM, Member No.: 2879)
That looks good, but we'll check further.

Also, could you please post the Spybot log.

Please download SilentRunners from here: http://www.silentrunners.org/Silent%20Runners.zip
Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, a message will pop up and a logfile will have been created on the desktop. Please post the entire contents of this logfile for me to see.
Post #5 | Dec 18 2005, 12:21 PM | New Member (Group: Member, Posts: 8, Joined: 13-November 04, Member No.: 11509)
hi lo!
Here is the Spybot log... kinda long...

--- Search result list ---
ISearchTech.YSB: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\YourSiteBar

Altnet: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Altnet
size: 134144 MD5: B28FB518CD2949715CBFCE0E93A7A535 PID: 320 (1280) C:\WINDOWS\Explorer.EXE size: 1004032 MD5: A82B28BFC2E4455FE43022A498C0EF0A PID: 1728 ( 716) C:\WINDOWS\System32\nvsvc32.exe size: 81920 MD5: 5ED834603C36414B579979B3A9C90F54 PID: 1892 ( 716) C:\WINDOWS\System32\MsPMSPSv.exe size: 53520 MD5: 581176F60885AEF8F78C6E38DCC3CDF9 PID: 2268 (1032) C:\WINDOWS\System32\wuauclt.exe size: 124184 MD5: EBF1AB7E4FC05CABF2F4680D2A45F827 PID: 1460 ( 716) C:\WINDOWS\system32\spoolsv.exe size: 53248 MD5: 6B4BF97957A0B8795811975D4BF1ACFE PID: 904 ( 716) C:\WINDOWS\system32\svchost.exe size: 12800 MD5: 0F7D9C87B0CE1FA520473119752C6F79 PID: 1660 ( 716) C:\WINDOWS\System32\CTsvcCDA.EXE size: 44032 MD5: 3C8B6609712F4FF78E521F6DCFC4032B PID: 444 ( 436) C:\WINDOWS\System32\devldr32.exe size: 25600 MD5: D874723E025C465990B5F105715361F7 PID: 1032 ( 716) C:\WINDOWS\System32\svchost.exe size: 12800 MD5: 0F7D9C87B0CE1FA520473119752C6F79 PID: 728 ( 672) C:\WINDOWS\system32\lsass.exe size: 11776 MD5: B2B6BA905D0E3F8A32A0EB3B4051807B PID: 1764 ( 716) C:\WINDOWS\System32\svchost.exe size: 12800 MD5: 0F7D9C87B0CE1FA520473119752C6F79 PID: 716 ( 672) C:\WINDOWS\system32\services.exe size: 101376 MD5: E3DF4A0252D287C44606EE55355E1623 --- Browser start & search pages list --- Spybot - Search & Destroy browser pages report, 12/18/2005 8:15:19 PM HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page C:\WINDOWS\System32\blank.htm HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page http://www.yahoo.com/ HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page %SystemRoot%\system32\blank.htm HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL 
http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm --- Winsock Layered Service Provider list --- Protocol 0: MSAFD Tcpip [TCP/IP] GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192} Filename: %SystemRoot%\system32\mswsock.dll Description: Microsoft Windows NT/2k/XP IP protocol DB filename: %SystemRoot%\system32\mswsock.dll DB protocol: MSAFD Tcpip [*] Protocol 1: MSAFD Tcpip [UDP/IP] GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192} Filename: %SystemRoot%\system32\mswsock.dll Description: Microsoft Windows NT/2k/XP IP protocol DB filename: %SystemRoot%\system32\mswsock.dll DB protocol: MSAFD Tcpip [*] Protocol 2: MSAFD Tcpip [RAW/IP] GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192} Filename: %SystemRoot%\system32\mswsock.dll Description: Microsoft Windows NT/2k/XP IP protocol DB filename: %SystemRoot%\system32\mswsock.dll DB protocol: MSAFD Tcpip [*] Protocol 3: RSVP UDP Service Provider GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A} Filename: %SystemRoot%\system32\rsvpsp.dll Description: Microsoft Windows NT/2k/XP RVSP DB filename: %SystemRoot%\system32\rsvpsp.dll DB protocol: RSVP * Service Provider Protocol 4: RSVP TCP Service Provider GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A} Filename: %SystemRoot%\system32\rsvpsp.dll Description: Microsoft Windows NT/2k/XP RVSP DB filename: %SystemRoot%\system32\rsvpsp.dll DB protocol: RSVP * Service Provider Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E965462C-B0F7-492E-863D-CFA67DB10AF0}] SEQPACKET 5 GUID: {8D5F1830-C273-11CF-95C8-00805F48A192} Filename: %SystemRoot%\system32\mswsock.dll Description: Microsoft 
Windows NT/2k/XP NetBios protocol DB filename: %SystemRoot%\system32\mswsock.dll DB protocol: MSAFD NetBIOS * Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E965462C-B0F7-492E-863D-CFA67DB10AF0}] DATAGRAM 5 GUID: {8D5F1830-C273-11CF-95C8-00805F48A192} Filename: %SystemRoot%\system32\mswsock.dll Description: Microsoft Windows NT/2k/XP NetBios protocol DB filename: %SystemRoot%\system32\mswsock.dll DB protocol: MSAFD NetBIOS * Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2A5AC477-29EC-4E13-A898-08723FE5E82C}] SEQPACKET 0 GUID: {8D5F1830-C273-11CF-95C8-00805F48A192} Filename: %SystemRoot%\system32\mswsock.dll Description: Microsoft Windows NT/2k/XP NetBios protocol DB filename: %SystemRoot%\system32\mswsock.dll DB protocol: MSAFD NetBIOS * Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2A5AC477-29EC-4E13-A898-08723FE5E82C}] DATAGRAM 0 GUID: {8D5F1830-C273-11CF-95C8-00805F48A192} Filename: %SystemRoot%\system32\mswsock.dll Description: Microsoft Windows NT/2k/XP NetBios protocol DB filename: %SystemRoot%\system32\mswsock.dll DB protocol: MSAFD NetBIOS * Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{313576BA-63F0-452D-9E94-68741674B541}] SEQPACKET 1 GUID: {8D5F1830-C273-11CF-95C8-00805F48A192} Filename: %SystemRoot%\system32\mswsock.dll Description: Microsoft Windows NT/2k/XP NetBios protocol DB filename: %SystemRoot%\system32\mswsock.dll DB protocol: MSAFD NetBIOS * Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{313576BA-63F0-452D-9E94-68741674B541}] DATAGRAM 1 GUID: {8D5F1830-C273-11CF-95C8-00805F48A192} Filename: %SystemRoot%\system32\mswsock.dll Description: Microsoft Windows NT/2k/XP NetBios protocol DB filename: %SystemRoot%\system32\mswsock.dll DB protocol: MSAFD NetBIOS * Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A8EEB436-D8AD-4B7A-9078-E2B5A22A3739}] SEQPACKET 2 GUID: {8D5F1830-C273-11CF-95C8-00805F48A192} Filename: %SystemRoot%\system32\mswsock.dll Description: Microsoft Windows NT/2k/XP NetBios protocol DB filename: 
%SystemRoot%\system32\mswsock.dll DB protocol: MSAFD NetBIOS * Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A8EEB436-D8AD-4B7A-9078-E2B5A22A3739}] DATAGRAM 2 GUID: {8D5F1830-C273-11CF-95C8-00805F48A192} Filename: %SystemRoot%\system32\mswsock.dll Description: Microsoft Windows NT/2k/XP NetBios protocol DB filename: %SystemRoot%\system32\mswsock.dll DB protocol: MSAFD NetBIOS * Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{25BFAC5F-85D6-46C2-AE06-FF1D7E8C49B7}] SEQPACKET 3 GUID: {8D5F1830-C273-11CF-95C8-00805F48A192} Filename: %SystemRoot%\system32\mswsock.dll Description: Microsoft Windows NT/2k/XP NetBios protocol DB filename: %SystemRoot%\system32\mswsock.dll DB protocol: MSAFD NetBIOS * Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{25BFAC5F-85D6-46C2-AE06-FF1D7E8C49B7}] DATAGRAM 3 GUID: {8D5F1830-C273-11CF-95C8-00805F48A192} Filename: %SystemRoot%\system32\mswsock.dll Description: Microsoft Windows NT/2k/XP NetBios protocol DB filename: %SystemRoot%\system32\mswsock.dll DB protocol: MSAFD NetBIOS * Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{738B5172-EEF0-4371-9AA3-823AB67346AE}] SEQPACKET 4 GUID: {8D5F1830-C273-11CF-95C8-00805F48A192} Filename: %SystemRoot%\system32\mswsock.dll Description: Microsoft Windows NT/2k/XP NetBios protocol DB filename: %SystemRoot%\system32\mswsock.dll DB protocol: MSAFD NetBIOS * Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{738B5172-EEF0-4371-9AA3-823AB67346AE}] DATAGRAM 4 GUID: {8D5F1830-C273-11CF-95C8-00805F48A192} Filename: %SystemRoot%\system32\mswsock.dll Description: Microsoft Windows NT/2k/XP NetBios protocol DB filename: %SystemRoot%\system32\mswsock.dll DB protocol: MSAFD NetBIOS * Namespace Provider 0: Tcpip GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B} Filename: %SystemRoot%\System32\mswsock.dll Description: Microsoft Windows NT/2k/XP TCP/IP name space provider DB filename: %SystemRoot%\system32\mswsock.dll DB protocol: TCP/IP Namespace Provider 1: NTDS GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC} 
Filename: %SystemRoot%\System32\winrnr.dll Description: Microsoft Windows NT/2k/XP name space provider DB filename: %SystemRoot%\system32\winrnr.dll DB protocol: NTDS Namespace Provider 2: Network Location Awareness (NLA) Namespace GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83} Filename: %SystemRoot%\System32\mswsock.dll Description: Microsoft Windows NT/2k/XP name space provider DB filename: %SystemRoot%\system32\mswsock.dll DB protocol: NLA-Namespace and this is the silent runners log. "Silent Runners.vbs", revision 41, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"] HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++} "ICQ" = "C:\Program Files\ICQ\ICQ.exe -trayboot" ["ICQ Inc."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "DIAGENT" = "C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup" ["Creative Technology Ltd"] "UpdReg" = "C:\WINDOWS\Updreg.exe" ["Creative Technology Ltd."] "AHQInit" = "C:\Program Files\Creative\SBLive\Program\AHQInit.exe" ["Creative Technology Ltd"] "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS] "nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"] "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."] "Mirabilis ICQ" = "C:\Program Files\ICQ\ICQNet.exe" [null data] "TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."] "PRISMSVR.EXE" = ""C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY" [file not found] "avast!" 
= "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided) -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{BF05BB6E-442C-428B-8025-82280B7BC26C}" = "Zen Micro Media Explorer" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTJBNS2.dll" ["Creative Technology Ltd"] "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS] "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS] "{472083B0-C522-11CF-8763-00608CC02F24}" = "avast" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"] HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"] ICQMenu\(Default) = "{f802f260-519b-11d1-bb5d-0060974c6013}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICQ\ICQShExt.dll" ["ICQ"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ ICQMenu\(Default) = "{f802f260-519b-11d1-bb5d-0060974c6013}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICQ\ICQShExt.dll" ["ICQ"] WinRAR\(Default) = 
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp" Startup items in "Cindy2" & "All Users" startup folders: -------------------------------------------------------- C:\Documents and Settings\All Users\Start Menu\Programs\Startup "Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {6224F700-CBA3-4071-B251-47CB894244CD}\ 
"ButtonText" = "ICQ Pro" "MenuText" = "ICQ" "Exec" = "C:\Program Files\ICQ\ICQ.exe" ["ICQ Inc."] {CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\ {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Messenger" "Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data] avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data] avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"] avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"] Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTsvcCDA.EXE" ["Creative Technology Ltd"] Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS] NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"] Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS] WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 155 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 15 seconds. ---------- (total run time: 218 seconds) Thanks for all the help man! This post has been edited by xenofire: Dec 18 2005, 12:32 PM |
Dec 18 2005, 07:50 PM | Post #6 | Master of Disaster Recovery (Group: General Admin; Posts: 15208; Joined: 24-March 03; From: Albuquerque, NM; Member No.: 2879)
That looks good and clean!

--------------------
Happiness ain't a thing in itself--it's only a contrast with something that ain't pleasant. Mark Twain
Dec 23 2005, 02:58 PM | Post #7 | New Member (Member No.: 11509)
Hi Lo,

Merry Christmas! Just a question. When I used Panda ActiveScan I got the following results:

Incident                              Location
Adware:adware/look2me                 C:\WINDOWS\SYSTEM32\msg116.dll
Adware:adware/netpals                 C:\WINDOWS\SYSTEM32\netpals.dll
Dialer:dialer.b                       C:\WINDOWS\DOWNLOADED PROGRAM FILES\sysnetsvc32.inf
Spyware:spyware/new.net               C:\WINDOWS\NDNuninstall4_80.exe
Spyware:application/* bad spelling *  C:\WINDOWS\smdat32m.sys
Adware:adware/downloadware            Windows Registry
Adware:Adware/MediaTickets            C:\Documents and Settings\Cindy\Local Settings\Temporary Internet Files\Content.IE5\U6ZJHWZV\count[1].htm
Adware:Adware/P2PNetworking           C:\RECYCLER\S-1-5-21-1123561945-329068152-682003330-500\Dc4983.exe
Adware:Adware/KeenValue               C:\RECYCLER\S-1-5-21-1123561945-329068152-682003330-500\Dc5005.exe
Adware:Adware/IST.YourSiteBar         C:\RECYCLER\S-1-5-21-1123561945-329068152-682003330-500\Dc5075\CA1Y4MRA.HTM
Adware:Adware/IST.YourSiteBar         C:\RECYCLER\S-1-5-21-1123561945-329068152-682003330-500\Dc5075\CAT7ZYG7.HTM
Adware:Adware/MediaTickets            C:\RECYCLER\S-1-5-21-1123561945-329068152-682003330-500\Dc5084\CA9C4VTD.HTM
Adware:Adware/nCase                   C:\RECYCLER\S-1-5-21-1123561945-329068152-682003330-500\Dc5095\init[1].js
Adware:Adware/IST.YourSiteBar         C:\RECYCLER\S-1-5-21-1123561945-329068152-682003330-500\Dc5098\CA4WF04V.HTM
Adware:Adware/IST.YourSiteBar         C:\RECYCLER\S-1-5-21-1123561945-329068152-682003330-500\Dc5098\CAQFCDUJ.HTM
Adware:Adware/IST.YourSiteBar         C:\RECYCLER\S-1-5-21-1123561945-329068152-682003330-500\Dc5098\CAWFKBW7.HTM
Adware:Adware/WUpd                    C:\RECYCLER\S-1-5-21-1123561945-329068152-682003330-500\Dc5099\count[1].htm
Spyware:Spyware/Altnet                C:\RECYCLER\S-1-5-21-1123561945-329068152-682003330-500\Dc73.exe
Spyware:Spyware/New.net               C:\WINDOWS\NDNuninstall4_80.exe
Adware:Adware/Look2Me                 C:\WINDOWS\system32\msg115.dll
Adware:Adware/Look2Me                 C:\WINDOWS\system32\msg116.dll
Adware:Adware/Look2Me                 C:\WINDOWS\system32\msg118.dll
Adware:Adware/Look2Me                 C:\WINDOWS\system32\msguard.dll
Adware:Adware/NetPals                 C:\WINDOWS\system32\netpals.dll
Adware:Adware/IGetNet                 C:\WINDOWS\system32\NLNP13.dll
Adware:Adware/IGetNet                 C:\WINDOWS\system32\NLNP131.dll
Adware:Adware/Look2Me                 C:\WINDOWS\Temp\upd124.exe

However, when I used Spybot 1.4, I got different results: Altnet and IST.YSB. Adaware could only detect Altnet.bde and can delete it. Strangely, Spybot can detect it again. Any advice?

Cheerios,
winZ
Dec 23 2005, 06:39 PM | Post #8 | Master of Disaster Recovery (General Admin)
The items listed indicate files from Look2me but no infection was shown in the logs.
Perhaps it is best to check.

Download L2mfix: http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening; then, after a minute or 2, Notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
Dec 26 2005, 06:47 AM | Post #9 | New Member (Member No.: 11509)
Hi Lo,

Here is the log.

L2MFIX find log 121605
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D2FAA542-478D-482B-8792-51C953B42F00}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{BF05BB6E-442C-428B-8025-82280B7BC26C}"="Zen Micro Media Explorer"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{472083B0-C522-11CF-8763-00608CC02F24}"="avast"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

Directory Listing of system files:
 Volume in drive C has no label.
 Volume Serial Number is 8C8F-D572

 Directory of C:\WINDOWS\System32

12/23/2005  10:34 PM    <DIR>          dllcache
02/04/2003  12:07 AM    <DIR>          Microsoft
               0 File(s)              0 bytes
               2 Dir(s)   5,054,398,464 bytes free

Thanks for helping man.

Cheerios,
winZ
Dec 27 2005, 01:00 AM | Post #10 | Master of Disaster Recovery (General Admin)
There is a leftover Useragent, but nothing else shows. Those files appear to be older infections and are dead files. Run your AV and do a full system scan, letting it remove what it finds. Then run Panda ActiveScan again and manually remove any still left.

This will fix the User Agent registry key:

Launch Notepad, and copy/paste the text in the box below into a new text file. Save it on your Desktop as fixme.reg

CODE
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

Locate fixme.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".