Spyware Warrior Help with Spyware, Hijacking & Other Internet Nuisances
Bluebird (Junior Member)
Posted: Wed Jul 27, 2005 8:54 am    Post subject: Data broadcast from PC to various sites
Hi,
I recently switched to Win XP with SP2. Noticed that there's a constant stream of outgoing data from my machine whenever I connect to the net. This goes on even when all browser windows are closed and no other programs are running.
I installed a firewall (Sygate) to block this outflow. The files that try to transmit data and their destinations are as follows:
* Generic host process for Win32 Services (svchost.exe) is trying to broadcast to (239.255.255.250) using remote port 1900 (SSDP).
* C:\windows\system32\winupdater.exe is trying to connect to roo.sensuiweb.info (72.20.21.163) using remote port 6767 (BMC-PERF-AGENT).
* mmsvc32.exe is trying to connect to nnpy.cplnn.com (81.177.7.84) using remote port 80 (HTTP).
* mouse.exe is trying to connect to real.profess.us (210.115.47.59) using remote port 9103.
* spools.exe is trying to connect to (82.146.41.149) using remote port 80 (HTTP).
My question is -- is this normal with Win XP? Or is there something unusual happening here?
On a different note, I'm unable to run the firefox browser. It apparently installs properly but shuts down immediately on launching. I get this message: "Unable to initialize memory stream." I don't know if these two problems are related or not.
I've scanned my system with AdAware, Spybot S&D, Microsoft AntiSpy and CWShredder. This eliminated unwanted popups. Plus I have Norton antivirus running.
Don't know if this is relevant, but my config is:
P4 3.0 GHz with HT technology
Intel 915 GAV motherboard
512 MB RAM
Any help / advice is greatly appreciated.
Best regards,
San
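The alerts in the post above mix one piece of ordinary Windows XP chatter (svchost.exe sending SSDP discovery to the 239.255.255.250 multicast group on port 1900) with programs that have no business on the network at all. The script below is an added example, not code from the original post or from Sygate: it parses alert lines in the Sygate wording quoted above and sorts each into expected, local, review or suspicious. The sample lines are constructed from the post; the allow-list of expected traffic, the list of genuine Windows binary names and the keyword/edit-distance heuristic for lookalike names are this example's assumptions.

```python
"""Triage outbound-connection alerts from a personal firewall.
Added example for this thread, not code from the original posts or from Sygate.
Sample lines are constructed from the opening post; the allow-list, the list of
Windows binary names and the keyword heuristic are this example's assumptions.
"""
import ipaddress
import re
from typing import NamedTuple, Optional

# Sygate wording: "<descr> (<exe>) is trying to connect|broadcast to [<host>] (<ip>) [using remote port <n> (<svc>)]"
ALERT_RE = re.compile(
    r"(?P<exe>[\w.:\\\-]+\.exe)\)?\s+is trying to (?:connect|broadcast) to\s+"
    r"(?:(?P<host>[\w.\-]+)\s+)?\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)"
    r"(?:\s+using remote port\s+(?P<port>\d+))?",
    re.IGNORECASE,
)

# Expected on XP: the SSDP Discovery service (hosted in svchost.exe) talks to the
# UPnP multicast group 239.255.255.250 on port 1900. Assumed allow-list.
EXPECTED_MULTICAST = {("svchost.exe", 1900)}
NEVER_OUTBOUND = {"csrss.exe", "smss.exe"}  # core session processes; never initiate traffic
# Genuine Windows binaries whose names malware likes to imitate.
SYSTEM_NAMES = {"svchost.exe", "spoolsv.exe", "wuauclt.exe", "csrss.exe",
                "lsass.exe", "services.exe", "winlogon.exe", "explorer.exe"}
SYSTEM_KEYWORDS = ("win", "update", "svc", "sys")  # heuristic, assumed


class Alert(NamedTuple):
    exe: str
    host: Optional[str]
    ip: str
    port: Optional[int]
    verdict: str  # expected | local | review | suspicious
    reason: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches near-miss names such as spools vs spoolsv."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_system_binary(name: str) -> bool:
    """True when a name imitates a Windows component without being one."""
    if name in SYSTEM_NAMES:
        return False
    stem = name[:-4]  # strip ".exe"
    near_miss = any(edit_distance(stem, s[:-4]) <= 2 for s in SYSTEM_NAMES)
    return near_miss or any(k in stem for k in SYSTEM_KEYWORDS)


def parse_alert(line: str) -> Optional[dict]:
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["exe"] = d["exe"].rsplit("\\", 1)[-1].lower()  # basename only
    d["port"] = int(d["port"]) if d["port"] else None
    return d


def triage(line: str) -> Alert:
    d = parse_alert(line)
    if d is None:
        raise ValueError(f"unrecognised alert format: {line!r}")
    exe, ip, port = d["exe"], ipaddress.ip_address(d["ip"]), d["port"]
    if exe in NEVER_OUTBOUND:
        verdict, why = "suspicious", f"{exe} is a core session process and does not talk to the network on its own"
    elif ip.is_multicast:
        if (exe, port) in EXPECTED_MULTICAST:
            verdict, why = "expected", "SSDP/UPnP discovery on the local link"
        else:
            verdict, why = "review", f"unexpected multicast traffic from {exe}"
    elif ip.is_private or ip.is_loopback or ip.is_link_local:
        verdict, why = "local", "destination is not on the Internet"
    elif looks_like_system_binary(exe):
        verdict, why = "suspicious", f"{exe} imitates a Windows component; verify its path and hash"
    else:
        verdict, why = "review", f"unknown program {exe} reaching a public host on port {port}"
    return Alert(exe, d["host"], str(ip), port, verdict, why)


# Constructed from the alerts quoted in the opening post (names and addresses as posted).
SAMPLE_ALERTS = [
    "Generic host process for Win32 Services (svchost.exe) is trying to broadcast to (239.255.255.250) using remote port 1900 (SSDP).",
    r"C:\windows\system32\winupdater.exe is trying to connect to roo.sensuiweb.info (72.20.21.163) using remote port 6767 (BMC-PERF-AGENT).",
    "mmsvc32.exe is trying to connect to nnpy.cplnn.com (81.177.7.84) using remote port 80 (HTTP).",
    "mouse.exe is trying to connect to real.profess.us (210.115.47.59) using remote port 9103.",
    "spools.exe is trying to connect to (82.146.41.149) using remote port 80 (HTTP).",
    "Client Server Runtime Process (csrss.exe) is trying to broadcast to (220.0.0.22).",
]


def triage_all(lines=SAMPLE_ALERTS):
    return [triage(line) for line in lines]
```

Run against the sample, only the svchost.exe SSDP line comes back as expected; mouse.exe comes back as review rather than suspicious because nothing about its name gives it away, which is exactly why a firewall prompt for an unknown binary reaching a public host on an odd port should be denied until the file has been identified.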
blender (Site Admin, Ontario)
Posted: Thu Jul 28, 2005 6:51 am
Hi San and welcome
Certainly some unusual activity... looks like several back doors.
Keep that firewall running and keep blocking those apps you posted about.
As long as you don't let them out... they can't get further instructions from "their master".
Let's have a closer look please.
Download Hijackthis from here:
http://spywarewarrior.com/files/HijackThis.exe
Save it to its own folder please. EG: C:\HJT\Hijackthis.exe
Once saved...
Double click hijackthis.exe
Click "run system scan and save log file"
When notepad pops up with log. Please post its results here in this thread using the "post reply" button.
Please don't fix anything yet. Most of what you see is safe or even essential!
Thanks!
_________________
Never give up!
Former Microsoft MVP Windows-Security 2005-2009
If we have helped you please consider a donation Thank You
Bluebird (Junior Member)
Posted: Thu Jul 28, 2005 5:17 pm
Hi,
Thanks very much for your response!
I've followed your instructions and included a log file below.
Before I read your reply, I did a couple of things which are as follows.
Based on advice I found on a blog, I deleted the registry keys for spools.exe and msvc.exe. Firefox runs fine now. And mmsvc32.exe and spools.exe no longer attempt to send data to the net.
I disabled the Windows automatic updater from the control panel and from the Windows Security Center. But that hasn't stopped winupdater.exe from continuing to try to send data (assuming they are related).
Earlier, when I was connected to the net, the pc used to freeze up for several seconds from time to time. As if something was hogging CPU capacity. This does not seem to happen so much now.
Apart from the files described in the last post, the following one also attempted to send data to the net. This happened only once so far.
* Client Server Runtime Process (csrss.exe) is trying to broadcast to (220.0.0.22).
I understand that while installing the software, my pc vendor upgraded to IE 6.0 using the IE version provided by my local ISP (the latter's url is displayed as internet.vsnl.com in the scan results). Perhaps this caused the problem...
Here are the results of "Do a system scan and save a log file".
Once again, thanks for your help!
Best regards,
San
Logfile of HijackThis v1.99.1
Scan saved at 6:22:00 AM, on 7/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\system32\mouse.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\winupdater.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ACD Systems\ImageFox\ImageFox.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.internet.vsnl.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.internet.vsnl.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by VSNL Internet Service
O1 - Hosts: 85.192.32.112 lloydstsb.co.uk
O1 - Hosts: 85.192.32.112 online.lloydstsb.co.uk
O1 - Hosts: 85.192.32.112 www.lloydstsb.co.uk
O1 - Hosts: 85.192.32.112 www.lloydstsb.com
O1 - Hosts: 85.192.32.112 personal.barclays.co.uk
O1 - Hosts: 85.192.32.112 barclays.co.uk
O1 - Hosts: 85.192.32.112 ibank.barclays.co.uk
O1 - Hosts: 85.192.32.112 www.barclays.co.uk
O1 - Hosts: 85.192.32.112 www.nwolb.com
O1 - Hosts: 85.192.32.112 nwolb.com
O1 - Hosts: 85.192.32.112 hsbc.co.uk
O1 - Hosts: 85.192.32.112 www.hsbc.co.uk
O1 - Hosts: 85.192.32.112 abbey.com
O1 - Hosts: 85.192.32.112 www.abbey.com
O1 - Hosts: 85.192.32.112 www.abbey.co.uk
O1 - Hosts: 85.192.32.112 abbey.co.uk
O1 - Hosts: 85.192.32.112 cahoot.com
O1 - Hosts: 85.192.32.112 www.cahoot.com
O1 - Hosts: 85.192.32.112 www.cahoot.co.uk
O1 - Hosts: 85.192.32.112 cahoot.co.uk
O1 - Hosts: 85.192.32.112 www.co-operativebank.co.uk
O1 - Hosts: 85.192.32.112 co-operativebank.co.uk
O1 - Hosts: 85.192.32.112 www.co-operativebank.com
O1 - Hosts: 85.192.32.112 co-operativebank.com
O1 - Hosts: 85.192.32.112 welcome2.co-operativebankonline.co.uk
O1 - Hosts: 85.192.32.112 welcome6.co-operativebankonline.co.uk
O1 - Hosts: 85.192.32.112 welcome8.co-operativebankonline.co.uk
O1 - Hosts: 85.192.32.112 welcome10.co-operativebankonline.co.uk
O1 - Hosts: 85.192.32.112 www.smile.co.uk
O1 - Hosts: 85.192.32.112 smile.co.uk
O1 - Hosts: 85.192.32.112 www.cajamar.es
O1 - Hosts: 85.192.32.112 cajamar.es
O1 - Hosts: 85.192.32.112 www.cajamar.com
O1 - Hosts: 85.192.32.112 www.unicaja.es
O1 - Hosts: 85.192.32.112 unicaja.es
O1 - Hosts: 85.192.32.112 www.unicaja.com
O1 - Hosts: 85.192.32.112 unicaja.com
O1 - Hosts: 85.192.32.112 www.caixagalicia.es
O1 - Hosts: 85.192.32.112 caixagalicia.es
O1 - Hosts: 85.192.32.112 www.caixagalicia.com
O1 - Hosts: 85.192.32.112 caixagalicia.com
O1 - Hosts: 85.192.32.112 activa.caixagalicia.es
O1 - Hosts: 85.192.32.112 www.caixapenedes.es
O1 - Hosts: 85.192.32.112 caixapenedes.es
O1 - Hosts: 85.192.32.112 www.caixapenedes.com
O1 - Hosts: 85.192.32.112 caixapenedes.com
O1 - Hosts: 85.192.32.112 bancae.caixapenedes.com
O1 - Hosts: 85.192.32.112 www.caixasabadell.es
O1 - Hosts: 85.192.32.112 caixasabadell.es
O1 - Hosts: 85.192.32.112 www.caixasabadell.net
O1 - Hosts: 85.192.32.112 caixasabadell.net
O1 - Hosts: 85.192.32.112 www.cajamadrid.es
O1 - Hosts: 85.192.32.112 cajamadrid.es
O1 - Hosts: 85.192.32.112 www.cajamadrid.com
O1 - Hosts: 85.192.32.112 cajamadrid.com
O1 - Hosts: 85.192.32.112 oi.cajamadrid.es
O1 - Hosts: 85.192.32.112 www.ccm.es
O1 - Hosts: 85.192.32.112 ccm.es
O1 - Hosts: 85.192.32.112 www.haspa.de
O1 - Hosts: 85.192.32.112 haspa.de
O1 - Hosts: 85.192.32.112 ssl2.haspa.de
O1 - Hosts: 85.192.32.112 www.dresdner-bank.de
O1 - Hosts: 85.192.32.112 dresdner-bank.de
O1 - Hosts: 85.192.32.112 www.dresdner-privat.de
O1 - Hosts: 85.192.32.112 postbank.de
O1 - Hosts: 85.192.32.112 www.postbank.de
O1 - Hosts: 85.192.32.112 banking.postbank.de
O1 - Hosts: 85.192.32.112 www.sparda-b.de
O1 - Hosts: 85.192.32.112 sparda-b.de
O1 - Hosts: 85.192.32.112 www.bankingonline.de
O1 - Hosts: 85.192.32.112 www.raiffeisenbank-erding.de
O1 - Hosts: 85.192.32.112 raiffeisenbank-erding.de
O1 - Hosts: 85.192.32.112 www.vr-networld-ebanking.de
O1 - Hosts: 85.192.32.112 vr-networld-ebanking.de
O1 - Hosts: 85.192.32.112 www.bnhof.de
O1 - Hosts: 85.192.32.112 bnhof.de
O1 - Hosts: 85.192.32.112 www.deutsche-bank.de
O1 - Hosts: 85.192.32.112 deutsche-bank.de
O1 - Hosts: 85.192.32.112 meine.deutsche-bank.de
O1 - Hosts: 85.192.32.112 www.citibank.de
O1 - Hosts: 85.192.32.112 citibank.de
O1 - Hosts: 85.192.32.112 cipehb13.cdg.citibank.de
O1 - Hosts: 85.192.32.112 www.dkb.de
O1 - Hosts: 85.192.32.112 dkb.de
O1 - Hosts: 85.192.32.112 www.sparkasse-regensburg.de
O1 - Hosts: 85.192.32.112 sparkasse-regensburg.de
O1 - Hosts: 85.192.32.112 www.berliner-bank.de
O1 - Hosts: 85.192.32.112 berliner-bank.de
O1 - Hosts: 85.192.32.112 www.berliner-sparkasse.de
O1 - Hosts: 85.192.32.112 berliner-sparkasse.de
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [farstone] NULL
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [EPSON Stylus C41 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C41 Series" /O5 "LPT1:" /M "Stylus C41"
O4 - HKLM\..\Run: [mouse] mouse.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Windows Automatic Updater] winupdater.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\RunServices: [mouse] mouse.exe
O4 - HKLM\..\RunServices: [Windows Automatic Updater] winupdater.exe
O4 - HKLM\..\RunServices: [microsft Updates] msupdate32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ImageFox.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.internet.vsnl.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122531134234
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
blender (Site Admin, Ontario)
Posted: Thu Jul 28, 2005 6:03 pm
Hi
Thanks for posting the log.
winupdater.exe is NOT Windows Update. It is one of the rbot worms!
Disabling Windows Update like you tried is unrelated. You can re-enable it.
Several issues...
Question...
Do you do any online banking? Any other shopping activities like CC purchases? I don't know offhand if these backdoor activities log CC #'s or PIN #'s but better safe than sorry.
I don't like the fact that csrss.exe is trying to connect to:
Domain Handle:
Domain Name: bbtec.net
Created On: 29-Jun-2001 00:00:00
Last Updated On: 16-Apr-2004 17:27:21
Expiration Date: 29-Jun-2012 00:00:00
Status: ACTIVE
Registrant Name: SoftbankBB Corp.
Registrant Organization: SoftbankBB Corp.
Registrant Street1: 24-1 Nihonbashi-Hakozaki-cho
Registrant Street2: -
Registrant City: Chuo-ku
Registrant State: Tokyo
Registrant Postal Code: 103-0015
Registrant Country: JP
Registrant Phone: 03-5642-8585
Registrant Fax: 03-5641-3376
Registrant Email: hostmaster@bbtec.net
Admin Name: Corp. SOFTBANKBB
Admin Organization: SOFTBANKBB Corp.
Admin Street1: 24-1 Nihonbashi-Hakozakicho
Admin Street2:
Admin City: Chuo-ku
Admin State: Tokyo
Admin Postal Code: 103-0015
Admin Country: JP
Admin Phone: 03-5642-8585
Admin Fax: None
Admin Email: hostmaster@bbtec.net
Billing Name: Hayashi Shuji
Billing Organization: Softbank BB Corp.
Billing Street1: 24-1 nihonbashi-hakozaki-cho
Billing Street2: -
Billing City: Chuo-ku
Billing State: Tokyo
Billing Postal Code: 103-0015
Billing Country: JP
Billing Phone: 03-5642-8585
Billing Fax: 03-5641-3376
Billing Email: shayashi@bb.softbank.co.jp
Tech Name: BBTEC Hostmaster
Tech Organization: SOFTBANKBB Corp
Tech Street1: 24-1 Nihonbashi-Hakozakicho
Tech Street2:
Tech City: Chuo-ku
Tech State: Tokyo
Tech Postal Code: 103-0015
Tech Country: JP
Tech Phone: 03-5642-8585
Tech Fax: None
Tech Email: hostmaster@bbtec.net
Name Server: dns03.bbtec.net
Name Server: dns04.bbtec.net
^^ Does any of that look familiar to you?
If so... don't do any banking or online purchases till you are cleaned up. If you have access to an uninfected computer... go change your bank site passwords!
Your Hosts file has also been hacked to redirect all the URLs you see under O1 - Hosts to what I suspect to be a malicious site. I cannot even get IP info! (strange)
Most of the listed URLs look to be banking sites... but the IP is not right.
OK... let's clean up this crap!
Download Hoster from here:
http://www.funkytoad.com/download/hoster.zip
Unzip it but don't run it yet.
You might want to print out the rest of the instructions, as most of the work will be done in Safe Mode.
Boot computer to Safe mode. Instructions here if needed:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam
Start Hijackthis, run system scan only and check:
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [farstone] NULL
O4 - HKLM\..\Run: [mouse] mouse.exe
O4 - HKLM\..\Run: [Windows Automatic Updater] winupdater.exe
O4 - HKLM\..\RunServices: [microsft Updates] msupdate32.exe
Close all open windows and "hit fix checked"
Enable your system to "show all files". Instructions here if needed:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339?Open&src=&docid=2002103012571948&nsf=ent-security.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=
Find and delete if found: Watch spelling closely! There are some legit windows files that look very similar.
C:\Windows\system32\mouse.exe <--file
C:\Windows\system32\winupdater.exe <--file
C:\Windows\system32\msupdate32.exe <--file
C:\Windows\system32\mmsvc32.exe <--file
C:\Windows\system32\spools.exe <--file
Empty out the following folder:
C:\Windows\temp
Click start> run> type %temp% and hit enter.
Select all> delete all
Open Internet options.
Click "delete files" and check to delete offline content, then OK.
It may take a while if not done regularly.
Open firefox (ignore 404 errors)
Tools> options> cache |hit "clear" & ok prompt.
Exit ff
Empty recycle bin.
Double click hoster.exe you saved earlier.
click "replace original hosts"
Boot back up to normal windows.
run an online scan here:
http://www.kaspersky.com/beta?product=161744315
Need to allow activex install
Only works with IE
Need to input email & name (can use fake but they don't spam you anyway)
Scan will take a while but is one of the better backdoor finders.
Once done please save a report to post here.
Please also post a new hijackthis log.
thanks
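blender's reply above picks two kinds of entries out of the HijackThis log: O1 lines that point dozens of banking hostnames at a single address, 85.192.32.112, and O4 autorun entries that are bare filenames with Windows-sounding names (winupdater.exe posing as Windows Update, msupdate32.exe sitting in RunServices). The script below is an added example, not HijackThis code and not from the original posts, that applies those two checks mechanically to log lines: it groups hosts-file entries by target address and reports any non-loopback address that collects names, and it flags Run/RunServices values that run nothing, use a bare filename, live in the 9x-era RunServices key, or claim to be Windows Update without being wuauclt.exe. The sample lines are copied from the log posted above; the allow-list of bare-name audio-driver entries (assumed to be the Realtek entries on this machine) and the "updat" keyword heuristic are this example's assumptions.

```python
"""Triage a HijackThis log for hosts-file pharming and suspicious autorun entries.
Added example for this thread; not part of HijackThis and not from the original posts.
Sample lines are copied from the log posted above. The allow-list of bare-name
audio-driver entries and the keyword heuristics are this example's assumptions.
"""
import ipaddress
import re
from collections import defaultdict

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(?P<ip>\S+)\s+(?P<domain>\S+)\s*$")
AUTORUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+):\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}  # a clean hosts file only points names here
# Bare-filename Run entries the Realtek audio driver creates (assumed allow-list for this machine).
KNOWN_BARE = {"soundman.exe", "alcwzrd.exe", "alcmtr.exe", "hdaudpropshortcut.exe"}
REAL_UPDATER = "wuauclt.exe"  # the client binary Windows XP Automatic Updates actually runs
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}  # for zones like .co.uk


def registrable(domain: str) -> str:
    """Collapse a hostname to its site: last two labels, or three for zones like co.uk."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-2] in SECOND_LEVEL and len(parts[-1]) == 2:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def hosts_findings(lines):
    """Group O1 entries by target IP; a non-sinkhole IP collecting sites is a redirect."""
    by_ip = defaultdict(set)
    for line in lines:
        m = HOSTS_RE.match(line.strip())
        if not m or m["ip"] in SINKHOLES:
            continue
        try:
            ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed line, not an address
        by_ip[m["ip"]].add(registrable(m["domain"]))
    findings = []
    for ip, sites in sorted(by_ip.items()):
        public = not ipaddress.ip_address(ip).is_private
        findings.append({
            "ip": ip,
            "sites": sorted(sites),
            "severity": "high" if public else "medium",
            "note": f"{len(sites)} sites resolve to {ip} via the hosts file; the address bar "
                    "shows the real name while the browser talks to that host",
        })
    return findings


def first_token(cmd: str) -> str:
    """Executable part of a Run value: the quoted path, or text up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def autorun_findings(lines):
    findings = []
    for line in lines:
        m = AUTORUN_RE.match(line.strip())
        if not m:
            continue
        key, name, cmd = m["key"], m["name"], m["cmd"]
        exe = first_token(cmd)
        base = exe.rsplit("\\", 1)[-1].lower()
        reasons = []
        if cmd.strip().upper() in ("", "NULL"):
            reasons.append("runs nothing; leftover placeholder, remove it")
        elif "\\" not in exe and base not in KNOWN_BARE:
            reasons.append("bare filename resolved via the search path; locate the real file under %SystemRoot%\\system32")
        if key.lower() == "runservices":
            reasons.append("RunServices is a Windows 9x key that XP itself ignores; malware writes it anyway")
        if "updat" in (name + " " + cmd).lower() and base != REAL_UPDATER:
            reasons.append(f"poses as Windows Update but is not {REAL_UPDATER}")
        if reasons:
            findings.append({"key": key, "name": name, "exe": base, "reasons": reasons})
    return findings


# Constructed subset of the HijackThis log posted above.
SAMPLE_LOG = r"""
O1 - Hosts: 85.192.32.112 lloydstsb.co.uk
O1 - Hosts: 85.192.32.112 online.lloydstsb.co.uk
O1 - Hosts: 85.192.32.112 ibank.barclays.co.uk
O1 - Hosts: 85.192.32.112 www.hsbc.co.uk
O1 - Hosts: 85.192.32.112 banking.postbank.de
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [farstone] NULL
O4 - HKLM\..\Run: [mouse] mouse.exe
O4 - HKLM\..\Run: [Windows Automatic Updater] winupdater.exe
O4 - HKLM\..\RunServices: [microsft Updates] msupdate32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""".strip().splitlines()


def triage_hjt(lines=SAMPLE_LOG):
    return {"hosts": hosts_findings(lines), "autorun": autorun_findings(lines)}
```

The hosts check deliberately ignores the domain names themselves: a hosts file that maps several unrelated sites to one public address is wrong no matter what the sites are, and grouping by target address is what makes a long O1 block like the one above collapse into a single finding. Entries with a full path (igfxtray.exe, ctfmon.exe) are left alone; the point of the bare-filename rule is that "winupdater.exe" tells you nothing about which file on disk actually runs.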
blender (Site Admin, Ontario)
Posted: Thu Jul 28, 2005 6:06 pm
Hmmmm
Once you have done above & posted logs...I want to see another log.
You will likely have to use 'post reply' a second time because some of these logs are quite long.
Start hijackthis
Click "open misc tools section"
Beside "generate startuplist log" check both:
List also minor sections
List empty sections
Then hit "generate startup list log" and OK.
Post results.
Bluebird (Junior Member)
Posted: Thu Jul 28, 2005 10:55 pm
Hi,
Thank you very much for your detailed response.
I’ve taken all actions you asked for, with one exception: the online scan. I think that site has changed a bit from what you described. They want you to select and upload specific files you want to scan.
I don’t know which ones need scanning; uploading all files on my PC would take days over my slow connection!
So I searched for and uploaded all files which contain ‘svchost’ (more on this below) and all were ok.
Plus, I updated Norton AntiVirus Professional Edition and ran a full system scan, with no infections found.
After I took all actions you described, the only file which now tries to access the internet is svchost.exe. (So far, anyway. One named csrss.exe was a very occasional broadcaster to begin with.) Here’s the message my firewall gives me:
* Generic host process for Win32 Services (svchost.exe) is trying to broadcast to (239.255.255.250) using remote port 1900 (SSDP - Simple Service Discovery Protocol).
Here are the files and locations on my PC that contain the string ‘svchost’:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Prefetch\SVCHOST.EXE-3530f672.pf
C:\WINDOWS\ServicePackFiles\i386\svchost.exe
To answer your questions – I do make frequent credit card purchases over the net. Thankfully, as soon as I bought this new PC a few days ago, I noticed suspicious activity and didn’t do any transactions at all online. So I guess I’m safe for now!
And no, the site that csrss.exe was trying to connect to is completely unknown to me.
Not sure if this is of any importance, but hoster.exe didn’t have a button called “replace original hosts.” It had one named “restore original hosts”, which is what I hit.
The new Hijackthis log is posted below. The next post contains the ‘startuplist log.’
Thanks a ton for your time and help!
Best regards,
San
Logfile of HijackThis v1.99.1
Scan saved at 11:29:40 AM, on 7/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ACD Systems\ImageFox\ImageFox.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.internet.vsnl.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.internet.vsnl.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by VSNL Internet Service
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [EPSON Stylus C41 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C41 Series" /O5 "LPT1:" /M "Stylus C41"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Windows Automatic Updater] winupdater.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\RunServices: [mouse] mouse.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ImageFox.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.internet.vsnl.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122531134234
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Bluebird (Junior Member)
Posted: Thu Jul 28, 2005 11:00 pm
Hi,
Here's the log from "Generate startup list log".
Thanks and regards,
San
StartupList report, 7/29/2005, 11:31:59 AM
StartupList version: 1.52.2
Started from : C:\HJT\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ACD Systems\ImageFox\ImageFox.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\HJT\HijackThis.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\Sanjeev\Start Menu\Programs\Startup]
*No files*
Shell folders AltStartup:
*Folder not found*
User shell folders Startup:
*Folder not found*
User shell folders AltStartup:
*Folder not found*
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
ImageFox.lnk = ?
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
Shell folders Common AltStartup:
*Folder not found*
User shell folders Common Startup:
*Folder not found*
User shell folders Alternate Common Startup:
*Folder not found*
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*
[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
IgfxTray = C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
High Definition Audio Property Page Shortcut = HDAudPropShortcut.exe
SoundMan = SOUNDMAN.EXE
AlcWzrd = ALCWZRD.EXE
NeroCheck = C:\WINDOWS\system32\NeroCheck.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
Advanced Tools Check = C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
mmtask = c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
EPSON Stylus C41 Series = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C41 Series" /O5 "LPT1:" /M "Stylus C41"
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
Windows Automatic Updater = winupdater.exe
SmcService = C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
Symantec NetDriver Monitor = C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
mouse = mouse.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[OptionalComponents]
*No values found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = "%1" /S
--------------------------------------------------
File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command
(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*
--------------------------------------------------
File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\INF\unregmp2.exe /ShowWMP
[>{24523015-3885-487E-8BD9-2839433758DA}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe
--------------------------------------------------
Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps
*Registry key not found*
--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:
load=*INI section not found*
run=*INI section not found*
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Verifying REGEDIT.EXE integrity:
- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'
Registry check passed
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
Ipswitch.WsftpBrowserHelper - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll - {601ED020-FB6C-11D3-87D8-0050DA59922B}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
--------------------------------------------------
Enumerating Task Scheduler jobs:
Symantec NetDetect.job
--------------------------------------------------
Enumerating Download Program Files:
[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122531134234
--------------------------------------------------
Enumerating Winsock LSP files:
NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
--------------------------------------------------
Enumerating Windows NT/2000/XP services
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
autorun: \??\c:\huadio.tmp (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
Symantec Password Validation Service: "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe" (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINDOWS\System32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Intel(R) PRO Adapter Driver: System32\DRIVERS\e100b325.sys (manual start)
EPSON Printer Status Agent2: C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Microsoft UAA Function Driver for High Definition Audio Service: system32\drivers\HdAudio.sys (manual start)
Microsoft UAA Bus Driver for High Definition Audio: System32\DRIVERS\HDAudBus.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
ialm: System32\DRIVERS\ialmnt5.sys (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
Service for Realtek HD Audio (WDM): system32\drivers\RtkHDAud.sys (manual start)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Norton AntiVirus Auto Protect Service: "C:\Program Files\Norton AntiVirus\navapsvc.exe" (autostart)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050727.008\NAVENG.Sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050727.008\NavEx15.Sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Norton Unerase Protection Driver: \??\C:\WINDOWS\System32\Drivers\NPDRIVER.SYS (manual start)
Norton Unerase Protection: "C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE" (autostart)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Microsoft Legacy Modem Driver: System32\Drivers\RootMdm.sys (manual start)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SAVRT: \??\C:\WINDOWS\System32\Drivers\SAVRT.SYS (manual start)
SAVRTPEL: \??\C:\WINDOWS\System32\Drivers\SAVRTPEL.SYS (autostart)
ScriptBlocking Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Intel (R) System Management BIOS Service: System32\DRIVERS\SMBios.sys (manual start)
Sygate Personal Firewall: C:\Program Files\Sygate\SPF\smc.exe (autostart)
Symantec Network Drivers Service: "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{129C29B9-BAE9-4D4F-9560-F740FECEDBD8} (manual start)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
SYMREDRV: \SystemRoot\System32\Drivers\SYMREDRV.SYS (manual start)
SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system)
SymWMI Service: "C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe" (autostart)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Teefer for NT: SYSTEM32\Drivers\Teefer.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (manual start)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
SyGate for NT, wg3n: \SystemRoot\SYSTEM32\Drivers\wg3n.sys (autostart)
SyGate for NT, wg4n: \SystemRoot\SYSTEM32\Drivers\wg4n.sys (autostart)
SyGate for NT, wg5n: \SystemRoot\SYSTEM32\Drivers\wg5n.sys (autostart)
SyGate for NT, wg6n: \SystemRoot\SYSTEM32\Drivers\wg6n.sys (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
wpsdrvnt: \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (system)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemRoot%\System32\svchost.exe -k netsvcs (disabled)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*Registry key not found*
--------------------------------------------------
End of report, 32,911 bytes
Report generated in 0.109 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Bluebird Junior Member
Joined: 27 Jul 2005 Last Visit: 08 Aug 2005 Posts: 12
Posted: Fri Jul 29, 2005 1:14 am Post subject:
Hi,
Here's something I missed earlier.
When Windows XP Service Pack 2 was installed, it created a folder on E drive (although SP2 was installed, like the rest of windows, onto C drive). This folder also contains an svchost file. The path is:
E:\84ef6c324d693c83e975c814c4\i386\svchost.ex_
(extension .ex_ and not .exe)
Thanks and regards,
San
blender Site Admin
Joined: 19 Jan 2004 Last Visit: 21 Jul 2010 Posts: 13103 Location: Ontario
Posted: Fri Jul 29, 2005 11:50 am Post subject:
Hi
Sorry about the bad link...looks like they changed things fairly recently.
Used to be an online scanner.
That's ok..we'll use another.
"restore original hosts" in the hoster program was the one to hit. My typo there.
Those svchost.exe locations are fine. So is the one on E:\
We need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes that we need to make. It can be enabled when you're clean.
Open Microsoft AntiSpyware.
Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck "Enable the Microsoft AntiSpyware Security Agents on startup (recommended)".
Under Real-time spyware threat protection uncheck "Enable real-time spyware threat protection (recommended)".
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
Copy the following text inside the code box to a new notepad file.
Save as file name out.reg
As file types all files
Save it to your desktop. Don't run it yet.
Code:
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Automatic Updater"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Automatic Updater"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Automatic Updater"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Automatic Updater"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"mouse"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"mouse"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"mouse"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"mouse"=-
Open Hijackthis
Click "open misc tools section"
Click "delete a file on reboot"
In the next box paste this:
C:\Windows\System32\mouse
click "open" and NO to reboot.
"Delete a file on reboot"
Paste this:
C:\Windows\System32\winupdater.exe
click "open" and OK to reboot.
Let the machine reboot.
You may get bootup error but we'll fix that in a sec.
Double click out.reg and allow merge.
Should get success message.
Reboot
Go here for virus scan:
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
It will take a while to load if your connection is slow.
Allow ActiveX install
Make sure "autoclean" is selected
Check also "scan for unknown virus"
Once scan is done please save the results. (see report> save report)--(generates activescan.txt)
Reboot once more and post both the Panda results and a new hijackthis log.
Thanks  _________________ Never give up!
Former Microsoft MVP Windows-Security 2005-2009
If we have helped you please consider a donation Thank You |
Bluebird Junior Member
Joined: 27 Jul 2005 Last Visit: 08 Aug 2005 Posts: 12
Posted: Fri Jul 29, 2005 5:56 pm Post subject: |
Hi,
Thanks for your response.
I've followed your instructions and here are the Panda results followed by a new HJT log.
Microsoft Antispyware was refusing to turn off the Security Agents and the Real Time Spyware Protection. It allows me to uncheck those boxes, but once I press save, it would re-check the boxes on its own! So I temporarily uninstalled the program while doing the processes you described.
I take it there's no need to delete svchost.exe and it's enough if I just keep blocking it from accessing the net? Is this a part of Windows XP?
Thank you for your time and help!
Best regards,
San
Panda scan results:
Incident Virus:Bck/Nanspy.A
Location C:\WINDOWS\system32\bbot.exe
Status Disinfected
HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 7:12:09 AM, on 7/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ACD Systems\ImageFox\ImageFox.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.internet.vsnl.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.internet.vsnl.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by VSNL Internet Service
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [EPSON Stylus C41 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C41 Series" /O5 "LPT1:" /M "Stylus C41"
O4 - HKLM\..\Run: [Windows Automatic Updater] winupdater.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\RunServices: [mouse] mouse.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ImageFox.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.internet.vsnl.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122531134234
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
blender Site Admin

Joined: 19 Jan 2004 Last Visit: 21 Jul 2010 Posts: 13103 Location: Ontario
Posted: Sun Jul 31, 2005 7:17 am Post subject: |
Hi
sorry for long wait...working long shifts.
Might be a bit before I get back...have real nasty T-Storm right now...
That svchost.exe that wants internet so bad...it is living in system32?
Don't delete that file...it is needed for many Windows services to run.
As long as it keeps trying to access that IP...Keep blocking it.
Those entries in HJT keep returning...This is sometimes one hard family of bugs to kill.
Please download, install, and update the free version of Ewido trojan scanner:
- When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
- When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
- From the main ewido screen, click on update in the left menu, then click the Start update button.
- After the update finishes (the status bar at the bottom will display "Update successful")
- Exit Ewido. DO NOT scan yet.
Download CCleaner and install, but do not run it yet.
Reboot into Safe Mode
Once in Safe Mode, run Ewido again.
- Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
- If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
- Be sure "create encrypted backup" is checked.
- When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Then run HijackThis, click Scan, and place a checkmark by the following items:
O4 - HKLM\..\Run: [Windows Automatic Updater] winupdater.exe
O4 - HKLM\..\RunServices: [mouse] mouse.exe
Close all open windows and hit "fix checked".
Now, run CCleaner.
- Uncheck "Cookies" under "Internet Explorer".
- If running Firefox: click on the "Applications" tab and uncheck "Cookies" under "Firefox".
- Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
Reboot back to normal windows and post both a new hijackthis log and the log from Ewido.
Thanks
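Picking out the two O4 lines above by eye is what the helper does; the following Python script, added here and not part of the thread or of HijackThis, does the same triage on the registry-based O4 entries and diffs two logs to show what disappeared after the fix. The sample lines are a subset of the July 30 and August 1 logs posted in this thread; the list of "mimic" words is an assumption for the example, not a vendor list.

```python
"""Triage HijackThis O4 autorun lines and diff two logs.

Added example for this thread; not part of the original posts and not
HijackThis code. It flags the pattern the helper acted on here: an autorun
whose command is a bare file name (resolved from the search path, in
practice system32) under a name that imitates a Windows component, or one
living in the Windows 9x-era RunServices key, and it reports which O4
entries disappeared between a 'before' and an 'after' log.
"""
import re
from dataclasses import dataclass

# 'O4 - HKLM\..\Run: [Name] command'  (Global Startup lines do not match)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Words in an entry name that suggest it is dressed up as a Windows part.
# Assumption for this example, not a vendor list.
MIMIC_WORDS = ("windows", "update", "microsoft", "system", "security")


@dataclass(frozen=True)
class AutorunEntry:
    hive: str
    key: str
    name: str
    command: str


def parse_o4(log_text):
    """Extract the registry-based O4 entries from a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(AutorunEntry(m["hive"], m["key"], m["name"], m["cmd"]))
    return entries


def executable_of(command):
    """Return the executable part of an autorun command, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage(entry):
    """Return ('high' | 'low' | 'none', reasons) for one O4 entry."""
    exe = executable_of(entry.command)
    has_path = "\\" in exe or ":" in exe
    reasons = []
    if not has_path:
        reasons.append("command is a bare file name, found via the search path")
    if entry.key.lower().startswith("runservices"):
        reasons.append("RunServices key (Windows 9x era; XP software rarely uses it)")
    if any(w in entry.name.lower() for w in MIMIC_WORDS):
        reasons.append("entry name imitates a Windows component")
    if not reasons:
        return "none", reasons
    # A bare name alone is common for OEM audio/video helpers (SOUNDMAN.EXE);
    # it becomes interesting when a second indicator stacks on it.
    if not has_path and len(reasons) >= 2:
        return "high", reasons
    return "low", reasons


def diff_logs(before_text, after_text):
    """Return (removed, added) O4 entries between two HijackThis logs."""
    before, after = set(parse_o4(before_text)), set(parse_o4(after_text))
    order = lambda e: (e.hive, e.key, e.name)
    return sorted(before - after, key=order), sorted(after - before, key=order)


# Sample logs: a subset of the O4 lines from the July 30 and August 1 logs
# posted in this thread (Microsoft AntiSpyware was reinstalled in between).
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Automatic Updater] winupdater.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\RunServices: [mouse] mouse.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: ImageFox.lnk = ?
"""
AFTER_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: ImageFox.lnk = ?
"""

if __name__ == "__main__":
    for e in parse_o4(BEFORE_LOG):
        level, why = triage(e)
        if level != "none":
            print(f"{level:4} {e.hive}\\..\\{e.key} [{e.name}] {e.command}: {'; '.join(why)}")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("removed:", [e.name for e in removed])
    print("added:  ", [e.name for e in added])
```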
Bluebird Junior Member
Joined: 27 Jul 2005 Last Visit: 08 Aug 2005 Posts: 12
Posted: Sun Jul 31, 2005 7:33 pm Post subject: |
Hi,
Long waits are no issue! I'm very grateful that you've taken the time and trouble to help me out. (Not to mention all the others on this board you respond to!) Thanks a ton!
The firewall's traffic log indicates that the svchost.exe file lives in the C:\WINDOWS\system32 folder. There are no records of any other svchost.exe file trying to access the net.
Fyi, since the last set of logs were posted, I've downloaded and installed Microsoft .net to enable an application to run.
I haven't deleted any of the exe files while running the Ewido scan. Didn't want to cripple XP / other apps by mistake.
Don't know if this is relevant - while in safe mode, I couldn't see CCleaner application, so I went back into normal mode to uninstall and reinstall it. But I still couldn't see it in safe mode, so I finally used the Start > run command (in safe mode) to run CCleaner.
The Ewido and HijackThis logs are posted below.
Thanks and regards,
San
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 7:35:43 AM, 8/1/2005
+ Report-Checksum: DBD45770
+ Scan result:
C:\WINDOWS\system32\Ati2xxx.exe -> Backdoor.Rbot : Ignored
C:\WINDOWS\system32\TFTP12112 -> Backdoor.Rbot : Ignored
:mozilla.6:C:\Documents and Settings\Sanjeev\Application Data\Mozilla\Firefox\Profiles\ko23dr2n.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Ignored
C:\System Volume Information\_restore{987AECF8-E54C-4DAD-AE7E-4B2D456EBED9}\RP8\A0005862.exe -> Backdoor.Nanspy.f : Ignored
C:\System Volume Information\_restore{987AECF8-E54C-4DAD-AE7E-4B2D456EBED9}\RP12\A0006564.exe -> Backdoor.SdBot.abk : Ignored
C:\System Volume Information\_restore{987AECF8-E54C-4DAD-AE7E-4B2D456EBED9}\RP15\A0011611.exe -> Backdoor.SdBot.abk : Ignored
C:\System Volume Information\_restore{987AECF8-E54C-4DAD-AE7E-4B2D456EBED9}\RP15\A0011615.exe -> Backdoor.Nanspy.f : Ignored
C:\Recycled\NPROTECT\00017289.EXE -> Backdoor.Nanspy.f : Ignored
C:\Documents and Settings\Sanjeev\Cookies\sanjeev@content.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Sanjeev\Cookies\sanjeev@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Sanjeev\Cookies\sanjeev@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Sanjeev\Cookies\sanjeev@ehg-webanalyticsasiapteltd.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Sanjeev\Cookies\sanjeev@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Sanjeev\Cookies\sanjeev@server.iad.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
::Report End
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Logfile of HijackThis v1.99.1
Scan saved at 7:52:01 AM, on 8/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ACD Systems\ImageFox\ImageFox.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.internet.vsnl.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.internet.vsnl.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by VSNL Internet Service
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [EPSON Stylus C41 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C41 Series" /O5 "LPT1:" /M "Stylus C41"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ImageFox.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.internet.vsnl.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122531134234
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
blender Site Admin

Joined: 19 Jan 2004 Last Visit: 21 Jul 2010 Posts: 13103 Location: Ontario
Posted: Mon Aug 01, 2005 12:22 am Post subject: |
Hi
Log is looking much better. I think we are getting somewhere.
That .Net you downloaded...you have checked for updates since installing it? There have been a few security updates to that app.
Visit windows update to get them.
Is svchost.exe still calling out? If so...to what IP address?
Can I get you to zip up and email me a copy of that file please?
Click email button at bottom of my post for address.
I would like to have a look at that file.
Please include link to this thread in your mail so I remember what the file is about.
If unable to email it...you can upload it here:
http://www.yousendit.com/
Enter my email addy and they will send me the d/l link.
Next...I want to have a look at a piece of your registry.
Copy the following text to a new Notepad file.
Save as file name getole.bat
As file types: all files
Save it to the desktop.
| Code: |
echo doesn't exist HKEY_LOCAL_MACHINE\Software\Microsoft\OLE > ole1.txt
regedit /e /a ole1.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\OLE"
echo doesn't exist HKEY_CURRENT_USER\Software\Microsoft\OLE > ole2.txt
regedit /e /a ole2.txt "HKEY_CURRENT_USER\Software\Microsoft\OLE"
copy ole1.txt + ole2.txt = olelog.txt
del ole1.txt
del ole2.txt
start notepad olelog.txt |
Once saved...double click it.
Notepad will pop up with info.
Please copy and paste it here.
Please scan these two files:
C:\WINDOWS\system32\Ati2xxx.exe
C:\WINDOWS\system32\TFTP12112
At this site:
http://virusscan.jotti.org/
Copy and paste scan results here.
Thanks!
Bluebird Junior Member
Joined: 27 Jul 2005 Last Visit: 08 Aug 2005 Posts: 12
Posted: Mon Aug 01, 2005 8:24 am Post subject: |
Hi,
Thanks for your response.
I'm emailing the svchost.exe file to you.
Here are some of the addresses svchost.exe is trying to access, as reported by the firewall:
255.255.255.255
64.4.21.125 (update.microsoft.com)
207.46.157.125 (stats.update.microsoft.com)
207.46.130.100 (time.windows.com)
239.255.255.250
64.4.23.157 (update.microsoft.com)
Just noticed that the firewall has 'Allowed' svchost to access 255.255.255.255! I've never allowed any such thing.
I also noticed there's now a new animal trying to access the net:
Automatic updates (wuauclt.exe) is trying to broadcast to (224.0.0.22).
Here's where it lives:
C:\WINDOWS\System32\wuauclt.exe
This seems to have happened only once so far.
Plus, the firewall reports about several port scan attacks every day.
The getole.bat info is posted below, followed by the scan results for two files.
Thanks and regards,
San
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\OLE]
"EnableDCOM"="N"
[HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat]
[HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"
[HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\NONREDIST]
"System.EnterpriseServices.Thunk.dll"=""
doesn't exist HKEY_CURRENT_USER\Software\Microsoft\OLE
..............................................
Results of scan at http://virusscan.jotti.org/:
File: C:\WINDOWS\system32\Ati2xxx.exe
File: Ati2xxx.exe
Status: INFECTED/MALWARE
MD5 db6d1551b0d19d1b278fed70d1ffb829
Packers detected: PE_PATCH, NSPACK
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Backdoor.RB.A
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found W32/Spybot.RSI
UNA Found nothing
VBA32 Found Backdoor.Win32.Proxydor.1 (probable variant)
File: C:\WINDOWS\system32\TFTP12112
File: TFTP12112
Status: INFECTED/MALWARE
MD5 a4701dbd8d96bb21f735254c47aee266
Packers detected: PE_PATCH, MEWBUNDLE, MEW
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found Worm.Mytob.GH
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found W32/Spybot.HIV
UNA Found nothing
VBA32 Found nothing
blender Site Admin

Joined: 19 Jan 2004 Last Visit: 21 Jul 2010 Posts: 13103 Location: Ontario
Posted: Mon Aug 01, 2005 11:02 pm Post subject: |
Hi
I'll be back shortly with more info...but that svchost.exe file you sent is fine.
Those IPs it (svchost.exe) is trying to contact are OK now. When you had the active infection it was being used to call out elsewhere to wait for "master's commands" so to speak.
You will need to allow it out in order to get Windows updates, check email (Hotmail, etc.).
Should not need to allow server access.
wuauclt.exe is the real windows update.
Let me look up some stuff & I'll be back
blender
blender Site Admin

Joined: 19 Jan 2004 Last Visit: 21 Jul 2010 Posts: 13103 Location: Ontario
Posted: Tue Aug 02, 2005 12:34 am Post subject: |
Hi again...
OK...I was trying to figure out why you would be broadcasting to these addys:
224.0.0.22
239.255.255.250
and anywhere in between.
Are you on a company network? Router?
From this site:
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/ipmulti.htm
Look under Internet Protocol Multicast
*********
Those 2 files you uploaded to jotti; you can delete them & remove from recycle bin. Alternatively, let Ewido delete those files.
***********
A regedit for ya to repair what those bots did.
Copy the following text inside the code box to a new notepad file.
Save as file name repair.reg
As file types: All files
Save it to the desktop.
| Code: |
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Ole]
"EnableDCOM"="Y"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000 |
Once saved...double click it to run.
Allow the merge.
I don't know if restart is needed...best to restart.
***********
You can further harden your system by disabling Universal Plug and Play. Nice little tool to help with this and allows undo here: (free)
http://grc.com/UnPnP/UnPnP.htm
That will close ports 5000 & 1900 and stop broadcasting there.
***********
Incoming port scans are normal. People are constantly scanning for vulnerable systems to exploit & attack. Worms do this too (usually without the infected user's knowledge).
As long as they are being blocked you are OK.....depends though whether or not you want to block it. Look at your logs...are the incoming from internal network? (if on one)
If you are on an internal network and share resources such as files and printers you will have to put the other computers on network in trusted zone. (provided you trust those computers)
Otherwise sharing resources will be blocked.
This brings up another note....
If you are on a network it is quite possible other computers are infected as well. Better check them out. Any found infected...I would block them access to your shared resources till clean.
Let me know how that goes. Hope I didn't just cornfuse ya to heck and back.
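San's question about why a standalone PC sends to 224.0.0.22 and 239.255.255.250 comes down to telling link-local housekeeping from real connections. The following Python script is an added example, not from the thread or from Sygate: it classifies the destinations San listed from the Sygate log, treats svchost.exe and wuauclt.exe as the known-good components blender confirmed, and adds one constructed flow with an RFC 5737 documentation address standing in for a bot's destination.

```python
"""Classify outbound destinations reported by a personal firewall.

Added example for this thread; it is not part of the original posts and
not Sygate's code. Input is (process, destination, port) as San quoted
from the Sygate log. The goal is the question asked in the thread: which
entries are link-local housekeeping of the Windows stack, and which are
unicast connections that need a decision.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "process dst port")  # port None when the log gave none

# Protocol facts, independent of this thread: address -> (meaning, expected port).
WELL_KNOWN = {
    "224.0.0.22": ("IGMPv3 membership report (multicast housekeeping)", None),
    "239.255.255.250": ("SSDP/UPnP discovery", 1900),
    "255.255.255.255": ("limited broadcast, e.g. DHCP", None),
}

# Windows components the thread established as legitimate once the bots
# were gone. Assumption: the defender maintains this list.
KNOWN_WINDOWS = {"svchost.exe", "wuauclt.exe"}


def classify(flow):
    """Return (category, explanation) for one outbound flow.

    'link-local' traffic does not reach the Internet and can be allowed or
    silently dropped; 'expected' is unicast from a known component;
    'review' is unicast from something not on the known list, or a known
    address used on the wrong port.
    """
    ip = ipaddress.ip_address(flow.dst)
    if flow.dst in WELL_KNOWN:
        what, expected_port = WELL_KNOWN[flow.dst]
        if expected_port is not None and flow.port not in (None, expected_port):
            return "review", f"{what} address but unexpected port {flow.port}"
        return "link-local", what
    if ip.is_multicast:
        return "link-local", "other multicast group"
    if flow.process.lower() in KNOWN_WINDOWS:
        return "expected", "unicast from a known Windows component"
    return "review", "unicast from a process not on the known list"


def triage(flows):
    """Group flows by category; 'review' is what a defender looks at first."""
    groups = {"link-local": [], "expected": [], "review": []}
    for f in flows:
        cat, why = classify(f)
        groups[cat].append((f, why))
    return groups


# Sample flows. The svchost.exe and wuauclt.exe lines are the addresses San
# listed from the Sygate log; the last line is constructed, with an RFC 5737
# documentation address standing in for a bot's real destination.
SAMPLE_FLOWS = [
    Flow("svchost.exe", "255.255.255.255", None),
    Flow("svchost.exe", "64.4.21.125", None),       # update.microsoft.com
    Flow("svchost.exe", "207.46.157.125", None),    # stats.update.microsoft.com
    Flow("svchost.exe", "207.46.130.100", None),    # time.windows.com
    Flow("svchost.exe", "239.255.255.250", 1900),
    Flow("wuauclt.exe", "224.0.0.22", None),
    Flow("winupdater.exe", "203.0.113.10", None),   # constructed placeholder
]

if __name__ == "__main__":
    for cat, items in triage(SAMPLE_FLOWS).items():
        print(f"== {cat}")
        for f, why in items:
            print(f"  {f.process:16} {f.dst:16} {str(f.port or '-'):>5}  {why}")
```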
Bluebird Junior Member
Joined: 27 Jul 2005 Last Visit: 08 Aug 2005 Posts: 12
Posted: Tue Aug 02, 2005 8:16 am Post subject: |
Hi Blender,
Thanks for your responses.
Glad to know that the svchost.exe file is legit now.
To answer your question, this is a standalone PC at home, not on any kind of network. And I’ve no clue why the machine is broadcasting to 224.0.0.22 and 239.255.255.250.
I’ve used windows explorer to delete the two infected files from system32 directory and remove them from recycle bin.
Also did the regedit fixup you listed.
Plus I downloaded that tool and disabled Universal Plug and Play.
If so many folks are scanning other people’s machines, I’m glad I’m using a firewall. Is the free version of Sygate Personal Firewall I’m currently using good enough? Or are there better ones (including paid ones) you would recommend?
An important issue for me - can I now assume that my machine is clean enough to safely use paypal / credit cards online?
You didn’t ask for this, but I’m posting a new HJT log here, in case it tells you anything interesting…
Thank you so much for your time!
Regards,
San
Logfile of HijackThis v1.99.1
Scan saved at 9:39:54 PM, on 8/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ACD Systems\ImageFox\ImageFox.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.internet.vsnl.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.internet.vsnl.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by VSNL Internet Service
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [EPSON Stylus C41 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C41 Series" /O5 "LPT1:" /M "Stylus C41"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ImageFox.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.internet.vsnl.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122531134234
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
blender Site Admin

Joined: 19 Jan 2004 Last Visit: 21 Jul 2010 Posts: 13103 Location: Ontario
Posted: Tue Aug 02, 2005 11:14 am Post subject: |
Hi
Current log looks good
I do believe you are clean!
I have no experience with Sygate fw but from what I read it is as good as any of the other top ones out there.
Personally I use Zone Alarm pro only cus that is the first firewall I was introduced to. Kinda stuck.
I hear a lot of good reviews about Outpost Pro ($$)
Lots of options and makes killer log files.
Does Sygate have an option to protect your personal info? Like if something tried to send your password for say...paypal to another site?
Might be called something like ID Lock (that is what it is in zone alarm pro)
You may want to enable that if option is available. Might be available in pro version if not free one.
Since you are on a stand alone computer with no network we can tweak a few services to harden security a little more and make firewall work a little less.
Most deal with networking which you are not doing anyway. Should cut down on a lot of the broadcasting.
Please print this out in case I just busted your internet...
Default startup type for the below is automatic.
Manual is safe setting...if windows really thinks it needs to run it will start up anyway. Disabled is not recommended for some or we WILL break internet.
Please don't disable any others.
Click start> run> type services.msc and hit enter.
Scroll to Computer Browser
Double click to bring up properties.
Set startup type to manual
Hit apply & OK.
Do the same for these: (make sure they are the exact ones displayed here)
DNS Client
TCP/IP NetBIOS Helper
Remote Registry
Windows Firewall/Internet Connection Sharing (ICS)
WebClient
Exit services.msc and reboot
Let me know how that goes and I'll have a few other tips & apps to help keep the baddies at bay.
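As an added example, not code from Blender or the forum: a PowerShell script that lists the current startup type of exactly the services named above and, only when run with -Apply, sets them to Manual as the post instructs. It assumes Windows PowerShell 3 or later (Get-CimInstance, Set-Service) in an elevated prompt; the short names are the standard Windows service names behind the display names shown in services.msc.

```powershell
<#
  Added example, not from the thread: list the startup type of the services
  Blender names and, with -Apply, set them to Manual exactly as the post says.
  Assumes Windows PowerShell 3+ (Get-CimInstance, Set-Service) in an elevated
  prompt. Short names are the standard Windows service names behind the
  display names shown in services.msc.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Apply)

# Display name (as shown in services.msc) -> service short name
$targets = [ordered]@{
    'Computer Browser'                                   = 'Browser'
    'DNS Client'                                         = 'Dnscache'
    'TCP/IP NetBIOS Helper'                              = 'lmhosts'
    'Remote Registry'                                    = 'RemoteRegistry'
    'Windows Firewall/Internet Connection Sharing (ICS)' = 'SharedAccess'
    'WebClient'                                          = 'WebClient'
}

$changed = 0
foreach ($entry in $targets.GetEnumerator()) {
    $name = $entry.Value
    $svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if (-not $svc) {
        # Newer Windows versions no longer ship some of these (e.g. Computer Browser)
        Write-Warning "$($entry.Key) ($name) is not present on this machine; skipping"
        continue
    }
    # StartMode is 'Auto', 'Manual' or 'Disabled'; State is 'Running' or 'Stopped'
    '{0,-52} {1,-15} startup={2,-9} state={3}' -f $entry.Key, $name, $svc.StartMode, $svc.State

    # Only ever move to Manual, never Disabled: the post warns that disabling some
    # of these breaks internet access, while Manual still lets Windows start them on demand.
    if ($Apply -and $svc.StartMode -ne 'Manual') {
        if ($PSCmdlet.ShouldProcess($entry.Key, 'Set startup type to Manual')) {
            Set-Service -Name $name -StartupType Manual
            $changed++
        }
    }
}
"$changed service(s) set to Manual; reboot as the post instructs for a clean restart"
```

Run it without -Apply to see the current startup types only; add -WhatIf alongside -Apply to preview the changes without making them.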
Bluebird Junior Member
Joined: 27 Jul 2005 Last Visit: 08 Aug 2005 Posts: 12
Posted: Tue Aug 02, 2005 8:02 pm Post subject: |
Hi Blender,
I’m real glad to know my pc is clean and I can finally do online transactions! Thank you very much for your unrelenting efforts!
I’ve taken all the steps you mentioned. Can connect to the net with no problems!
Currently, I’m connected to the net via a COM port. At some point, I may have to use the Ethernet port for high-speed net access via DSL. When that happens, do I need to put some / all of the services settings back to automatic?
Sygate doesn’t have the ID protect option you mentioned (at least, not the free version). I’ll check out the paid ones, including the one you mentioned. Thanks for the suggestion!
I updated Ewido, got into safe mode and ran a complete system scan. The scan results are posted below. It cleaned up several cookies but I ignored all the exe files which were labeled ‘infected’.
Thanks for all your help!
Best regards,
San
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 9:14:04 AM, 8/3/2005
+ Report-Checksum: 38A3B560
+ Scan result:
C:\System Volume Information\_restore{987AECF8-E54C-4DAD-AE7E-4B2D456EBED9}\RP8\A0005862.exe -> Backdoor.Nanspy.f : Ignored
C:\System Volume Information\_restore{987AECF8-E54C-4DAD-AE7E-4B2D456EBED9}\RP12\A0006564.exe -> Backdoor.SdBot.abk : Ignored
C:\System Volume Information\_restore{987AECF8-E54C-4DAD-AE7E-4B2D456EBED9}\RP15\A0011611.exe -> Backdoor.SdBot.abk : Ignored
C:\System Volume Information\_restore{987AECF8-E54C-4DAD-AE7E-4B2D456EBED9}\RP15\A0011615.exe -> Backdoor.Nanspy.f : Ignored
C:\System Volume Information\_restore{987AECF8-E54C-4DAD-AE7E-4B2D456EBED9}\RP19\A0016272.exe -> Backdoor.Nanspy.f : Ignored
C:\System Volume Information\_restore{987AECF8-E54C-4DAD-AE7E-4B2D456EBED9}\RP22\A0016505.exe -> Backdoor.Rbot : Ignored
:mozilla.16:C:\Documents and Settings\Sanjeev\Application Data\Mozilla\Firefox\Profiles\ko23dr2n.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Sanjeev\Application Data\Mozilla\Firefox\Profiles\ko23dr2n.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Sanjeev\Application Data\Mozilla\Firefox\Profiles\ko23dr2n.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Sanjeev\Application Data\Mozilla\Firefox\Profiles\ko23dr2n.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Sanjeev\Application Data\Mozilla\Firefox\Profiles\ko23dr2n.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Sanjeev\Application Data\Mozilla\Firefox\Profiles\ko23dr2n.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Sanjeev\Application Data\Mozilla\Firefox\Profiles\ko23dr2n.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Sanjeev\Application Data\Mozilla\Firefox\Profiles\ko23dr2n.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Sanjeev\Application Data\Mozilla\Firefox\Profiles\ko23dr2n.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Sanjeev\Application Data\Mozilla\Firefox\Profiles\ko23dr2n.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
::Report End
blender Site Admin

Joined: 19 Jan 2004 Last Visit: 21 Jul 2010 Posts: 13103 Location: Ontario
Posted: Wed Aug 03, 2005 7:26 am Post subject: |
Hi
Glad all is well.
Your DSL should work fine if you use it. That was main reason for setting those services to manual.
I also didn't go too crazy on tweaks since I didn't know how you connected to the net.
Most of those services we shut off had to do with networking...like if you had more than one PC at home & shared resources.
We shut off Windows Firewall/Internet Connection Sharing for 2 reasons:
1. You already have a firewall (better than XP's)
2. You are not sharing resources with other computers.
Remote Registry is used if you intend on modifying your registry from another computer (like when using remote assistance).
I don't like the idea of the chance someone else can mess with my registry.
WebClient...very rarely used.
**********
Your Ewido log...
All those exe files are in your system restore.
Windows makes regular "checkpoints" during times when system is idle.
If something disastrous should happen, like you install an incompatible program, you can use system restore to restore to a time before the bad install. (AKA Whew!)
Problem is....windows sometimes backs up infected files. Restoring computer using an infected restore point...will re-install the infection.
That we will take care of now...
After a few reboots and checking to see that all is well; it is highly recommended to reset your system restore to remove any possible backed up infected files there.
Right click "my computer"
Click "properties"
Click "system restore" tab
Checkmark "turn off system restore"
Hit apply> ok> ok.
Reboot
Go back and turn system restore back on by removing the check, hit apply, and OK.
A new restore point is created at this time.
You will not be able to restore computer to any earlier than today.
By doing that...all previous restore points are deleted including any nasties stored there.
As I said...there are a few other apps/tricks to help keep clean.
Check your IE security settings:
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
- Change the Download signed ActiveX controls to Prompt
- Change the Download unsigned ActiveX controls to Disable
- Change the Initialise and script ActiveX controls not marked as safe to Disable
- Change the Installation of desktop items to Prompt
- Change the Launching programs and files in an IFRAME to Prompt
- Change the Navigate sub-frames across different domains to Prompt
- When all these settings have been made, click on the OK button.
- If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.
Now on to protection/prevention
I recommend:
You have done some of the following but never hurts to check.
IE-Spyad <--this puts several thousand sites in restricted zone for IE. If you happen on a site within its list they can't hijack you or install anything.
Program is free and updated about once a month.
Please follow readme instructions for install...it is a little different.
Single user XP PC use IE-Spyad1
Multi user XP PC use IE-Spyad2
All other OS use IE-Spyad1
Install and download Spybot - Search and Destroy with its TeaTimer option.
This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:
Instructions for - Spybot S & D and Ad-aware
Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot. A tutorial on installing & using this product can be found here:
Instructions for - Spybot S & D and Ad-aware
Spywareblaster <--this prog blocks known bad active x controls, many tracking cookies and puts more sites in restricted zone.
Install> update> enable all protection.
Updates are about once a month and is free.
Spywareguard This program watches for any changes to your home/search pages for IE. If something (including you) tries to make changes, you will be alerted with a popup giving you the option to keep change or revert to previous settings.
Install> update. It should prompt you to start the program
Takes few resources and is also free.
Using a hosts file will greatly increase security. Many of those flashy annoying ads on websites will not display and it blocks access to thousands of sites entirely.
Info and how to install:
http://www.mvps.org/winhelp2002/hosts.htm
Keep a firewall running at all times. I use zone alarm. A free version can be downloaded here:
Free zone alarm
Remember to keep up with your windows updates including office.
Remember to keep your antivirus up to date.
Keeping all your security up to date
IE settings for increased security
Confused which antispyware is good or bad?
Install an alternative browser for day to day surfing.
These 2 are free and have a lot less security issues than IE:
Opera Browser
FireFox Browser
And finally...more security reading..: Protect your Computer
Happy surfing!
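The Internet-zone settings listed above are stored as DWORD values under the current user's Zones\3 registry key. As an added example that is not from the thread, this PowerShell script reports where the live values differ from Blender's recommendations and, only with -Apply, sets them. It uses Microsoft's documented URL-action value names (1001, 1004, 1201, 1800, 1804, 1607) and the Enable/Prompt/Disable encoding 0/1/3; it assumes no Security_HKLM_only policy, under which the HKLM zone key would govern instead.

```powershell
<#
  Added example, not from the thread: audit the Internet-zone (zone 3) settings
  Blender lists against his recommended values and, with -Apply, set them for
  the current user. Value names are Microsoft's documented URL-action IDs;
  0 = Enable, 1 = Prompt, 3 = Disable. Assumes no Security_HKLM_only policy,
  which would make the HKLM zone key take precedence over HKCU.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Apply)

$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# URL-action ID -> setting name as worded in the post, recommended value
$wanted = [ordered]@{
    '1001' = @('Download signed ActiveX controls', 1)
    '1004' = @('Download unsigned ActiveX controls', 3)
    '1201' = @('Initialise and script ActiveX controls not marked as safe', 3)
    '1800' = @('Installation of desktop items', 1)
    '1804' = @('Launching programs and files in an IFRAME', 1)
    '1607' = @('Navigate sub-frames across different domains', 1)
}

$current = Get-ItemProperty -Path $zoneKey -ErrorAction Stop
$drift = 0
foreach ($entry in $wanted.GetEnumerator()) {
    $id    = $entry.Key
    $label = $entry.Value[0]
    $want  = $entry.Value[1]
    $have  = $current.$id          # $null when the value is absent and the zone default applies

    if ($null -eq $have) {
        $haveText = 'not set'
    } elseif ($meaning.ContainsKey([int]$have)) {
        $haveText = $meaning[[int]$have]
    } else {
        $haveText = "raw $have"    # a value outside 0/1/3 is worth a look by itself
    }

    if ($have -eq $want) {
        $status = 'ok'
    } else {
        $status = 'CHANGE'
        $drift++
        if ($Apply -and $PSCmdlet.ShouldProcess($label, "Set to $($meaning[$want])")) {
            Set-ItemProperty -Path $zoneKey -Name $id -Value $want -Type DWord
        }
    }
    '{0,-62} have={1,-8} want={2,-8} {3}' -f $label, $haveText, $meaning[$want], $status
}
"$drift of $($wanted.Count) settings differ from the recommended values"
```

Internet Explorer reads the key when it starts, so close and reopen the browser after applying changes and confirm them in the Custom Level dialog as the post describes.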
blender Site Admin

Joined: 19 Jan 2004 Last Visit: 21 Jul 2010 Posts: 13103 Location: Ontario
Posted: Sat Aug 06, 2005 2:05 pm Post subject: |
Hi
I just got a PM from one of the advanced members here that was lookin thru some threads for something..
If there is any chance you did do some CC transactions, banking, etc while infection was installed...:
Could have been related to this:
http://sunbeltblog.blogspot.com/
http://www.computerworld.com/securitytopics/security/story/0,10801,103737,00.html
If that infection logged any of your passwords, bank account numbers, pin #, CC #, etc while infected...it logs passwords to a plain text file to send to the hacker who created the mess. (or their team members)
If you are not sure if you made transactions before you noticed infection....best to go change all your passwords, call your CC companies, bank companies to put a watch on your accounts.
This includes passwords to your email accounts as well.
Regards
Blender
Bluebird Junior Member
Joined: 27 Jul 2005 Last Visit: 08 Aug 2005 Posts: 12
Posted: Mon Aug 08, 2005 7:21 am Post subject: |
Hi Blender,
OMG! This really looks terrible! Thanks for that warning -- saw that just now.
I had done online cc transactions only after your post dated Tue Aug 02, 2005 at 12:14 pm, where you had stated that you believe my machine was clean.
I hope that means that I'm safe?
In any case, I'll have a watch kept over my cards, as you suggest.
Thanks for your help!
Best regards,
San
blender Site Admin

Joined: 19 Jan 2004 Last Visit: 21 Jul 2010 Posts: 13103 Location: Ontario
Posted: Mon Aug 08, 2005 4:55 pm Post subject: |
Hi
Terrible it is!..there is just no end to what hackers will do.
I would LOVE to be a fly on the wall when the FBI catch them.
Transactions made since cleanup should be fine. I was just concerned you may have done some before realizing you were infected.
Take care.
Kinobe Newbie
Joined: 10 Aug 2005 Last Visit: 19 Jun 2007 Posts: 1
Posted: Wed Aug 10, 2005 8:19 am Post subject: |
blender wrote:
Your Hosts file has also been hacked to redirect all the urls you see under O1 - Hosts to what I suspect to be a malicious site. I cannot even get IP info! (strange)
You can do a lookup for IP 85.192.32.112 at http://www.whois.sc/ and you will get a result.
It apparently is a Russian host.
blender Site Admin

Joined: 19 Jan 2004 Last Visit: 21 Jul 2010 Posts: 13103 Location: Ontario
Posted: Thu Aug 11, 2005 6:09 am Post subject: |
Topic locked. Issue solved. Bluebird; if you need it re-opened please pm me.
New issues please start a new topic.
Thank you
Blender