Spyware Warrior Help with Spyware, Hijacking & Other Internet Nuisances
jason1e2 Junior Member
Joined: 12 Sep 2005 Last Visit: 17 Jun 2008 Posts: 43
Posted: Mon Sep 12, 2005 8:52 am Post subject: http://www.security2k.net/ help
I am sorry, I will write properly this time. I am having this stupid problem: my homepage is yahoo.com, but whenever I am on the internet it suddenly changes to http://www.security2k.net/. I found PC Guard in my registry, which I never downloaded, and it can't be deleted. My computer slows down and there are a lot of pop-ups. Here is my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 11:58:15 PM, on 9/12/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv50.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
C:\WINNT\system32\mssearchnet.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE
C:\WINNT\system32\MSTask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Ares\Ares.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\WebProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\hijack this\HijackThis.exe
R3 - Default URLSearchHook is missing
O2 - BHO: HomepageBHO - {893fad3a-931e-4e53-b515-b1426d63799b} - C:\WINNT\system32\hp818.tmp
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Microsoft SpC Service] sutcp.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [aldefr ere service] tay0x.exe
O4 - HKLM\..\Run: [SonyCD] Sony.exe
O4 - HKLM\..\Run: [Windows Update Center] W32RSA.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s
O4 - HKLM\..\RunServices: [Microsoft SpC Service] sutcp.exe
O4 - HKLM\..\RunServices: [aldefr ere service] tay0x.exe
O4 - HKLM\..\RunServices: [SonyCD] Sony.exe
O4 - HKLM\..\RunServices: [Windows Update Center] W32RSA.exe
O4 - HKCU\..\Run: [NTSF MICROSOFT SYSTEM] dll.exe
O4 - HKCU\..\Run: [Microsoft SpC Service] sutcp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [aldefr ere service] tay0x.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Windows Update Center] W32RSA.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {3AF731D0-2FD4-5B6E-0143-565E67E12629} - http://69.50.182.94/1/rdgSG1342.exe
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B876A19-BA30-4705-A404-746FA375E7C0}: NameServer = 165.21.83.88 165.21.100.88
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B876A19-BA30-4705-A404-746FA375E7C0}: NameServer = 165.21.83.88 165.21.100.88
O17 - HKLM\System\CS2\Services\Tcpip\..\{0B876A19-BA30-4705-A404-746FA375E7C0}: NameServer = 165.21.83.88 165.21.100.88
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv50.exe
O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
I have used Spybot, Panda, Microsoft AntiSpyware, Yahoo spyware, NOD32, mac free, iewbo (forgot name), Trend Micro, but they did not remove it for me.
illukka SWW Expert

Joined: 31 Jul 2004 Last Visit: 20 Aug 2009 Posts: 1989 Location: the Pits Of Hell
Posted: Mon Sep 12, 2005 10:27 am Post subject:
Hi,
Could you submit some of the files on your computer?
Enable showing of all files.
Go to http://www.thespykiller.co.uk/forum/index.php?board=1.0
Press "new topic", put a link to this thread into your message and attach the following files:
C:\WINNT\system32\mssearchnet.exe
C:\WINNT\system32\hp818.tmp
Also these files:
sutcp.exe
tay0x.exe
W32RSA.exe
Sony.exe
Most likely you'll find those in the system32 or winnt folders, but preferably do a search for them.
When you have uploaded, can you generate a startup list using HJT? And please check the 2 boxes below the 'Startup' button:
List also minor sections (full)
List empty sections (complete)
Post that log in your next reply.
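The triage reasoning behind the file request above, written out as a script: this is an added example, not HijackThis or Spyware Warrior code. It runs over a constructed subset of the O2/O4/O16 lines from the posted log and flags the same entries the helper asked for; the allowlist of path-less autostart names and the list of "lure" branding words are assumptions made for illustration.

```python
"""Triage heuristics for HijackThis log lines (added example, not HijackThis code).

Flags three patterns visible in the log above: a Run value that is a bare filename
with a Microsoft-sounding display name, a BHO whose module is a .tmp file, and an
O16 ActiveX codebase pulled as an .exe from a raw IP address.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a subset of the O2/O4/O16 lines from the posted log.
SAMPLE_LOG = r"""
O2 - BHO: HomepageBHO - {893fad3a-931e-4e53-b515-b1426d63799b} - C:\WINNT\system32\hp818.tmp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft SpC Service] sutcp.exe
O4 - HKLM\..\Run: [aldefr ere service] tay0x.exe
O4 - HKLM\..\Run: [Windows Update Center] W32RSA.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [SonyCD] Sony.exe
O4 - HKCU\..\Run: [NTSF MICROSOFT SYSTEM] dll.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {3AF731D0-2FD4-5B6E-0143-565E67E12629} - http://69.50.182.94/1/rdgSG1342.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")

# Assumed allowlist: programs legitimately registered without a path on this machine.
KNOWN_BARE = {"mobsync.exe", "nwiz.exe", "loadqm.exe", "rundll32.exe"}
# Assumed lure list: branding words that malware borrows for its Run-key display name.
LURE_WORDS = ("microsoft", "windows", "system", "update", "service")


@dataclass
class Finding:
    section: str   # O2 / O4 / O16
    line: str      # the original log line
    reasons: list  # why a log reader would ask for this file


def _first_token(cmd: str) -> str:
    """Return the program part of a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def _check_o2(m: re.Match) -> list:
    reasons = []
    if not m["path"].lower().endswith((".dll", ".ocx")):
        reasons.append(f"BHO module {m['path']} does not have a normal COM server extension")
    return reasons


def _check_o4(m: re.Match) -> list:
    reasons = []
    exe = _first_token(m["cmd"])
    if not re.search(r"[\\/:]", exe):  # no directory: resolved through the search path
        if exe.lower() not in KNOWN_BARE:
            reasons.append(f"unqualified filename {exe} is not a known path-less autostart")
        lure = [w for w in LURE_WORDS if w in m["name"].lower()]
        if lure:
            reasons.append("display name borrows " + "/".join(lure) + " branding but points at an unqualified file")
    if m["key"] == "RunServices":
        reasons.append("RunServices is honoured only by Windows 9x/ME; on Windows 2000 it marks an installer that writes every autostart key it knows")
    return reasons


def _check_o16(m: re.Match) -> list:
    reasons = []
    host = urlparse(m["url"]).hostname or ""
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        reasons.append(f"codebase served from a raw IP address ({host}) rather than a vendor domain")
    if m["url"].lower().endswith(".exe"):
        reasons.append("codebase is a bare .exe rather than a .cab package")
    if not m["name"]:
        reasons.append("control has no registered friendly name")
    return reasons


CHECKS = (("O2", O2_RE, _check_o2), ("O4", O4_RE, _check_o4), ("O16", O16_RE, _check_o16))


def triage(log_text: str) -> list:
    """Return a Finding for every O2/O4/O16 line that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for section, pattern, check in CHECKS:
            m = pattern.match(line)
            if m:
                reasons = check(m)
                if reasons:
                    findings.append(Finding(section, line, reasons))
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.line}")
        for r in f.reasons:
            print(f"      - {r}")
```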
jason1e2 Junior Member
Joined: 12 Sep 2005 Last Visit: 17 Jun 2008 Posts: 43
Posted: Wed Sep 14, 2005 7:31 am Post subject:
http://www.thespykiller.co.uk/forum/index.php?topic=710.0
StartupList report, 9/14/2005, 11:20:24 PM
StartupList version: 1.52.2
Started from : C:\Program Files\hijack this\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
C:\WINNT\system32\mssearchnet.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv50.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\WebProxy.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijack this\HijackThis.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]
*No files*
Shell folders AltStartup:
*Folder not found*
User shell folders Startup:
*Folder not found*
User shell folders AltStartup:
*Folder not found*
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
Shell folders Common AltStartup:
*Folder not found*
User shell folders Common Startup:
*Folder not found*
User shell folders Alternate Common Startup:
*Folder not found*
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,
[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*
[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Synchronization Manager = mobsync.exe /logon
NvCplDaemon = RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
SpeedTouch USB Diagnostics = "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
Microsoft SpC Service = sutcp.exe
LoadQM = loadqm.exe
aldefr ere service = tay0x.exe
SonyCD = Sony.exe
Windows Update Center = W32RSA.exe
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
PicasaNet = "C:\Program Files\Hello\Hello.exe" -b
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
APVXDWIN = "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft SpC Service = sutcp.exe
aldefr ere service = tay0x.exe
SonyCD = Sony.exe
Windows Update Center = W32RSA.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
NTSF MICROSOFT SYSTEM = dll.exe
Microsoft SpC Service = sutcp.exe
MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
aldefr ere service = tay0x.exe
ares = "C:\Program Files\Ares\Ares.exe" -h
Windows Update Center = W32RSA.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[OptionalComponents]
*No values found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = "%1" /S
--------------------------------------------------
File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command
(Default) = C:\WINNT\system32\mshta.exe "%1" %*
--------------------------------------------------
File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINNT\inf\unregmp2.exe /ShowWMP
[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = "C:\WINNT\system32\shmgrate.exe" OCInstallUserConfigIE
[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = "C:\WINNT\system32\shmgrate.exe" OCInstallUserConfigOE
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
[{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll
[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe
[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\system32\updcrl.exe -e -u %SystemRoot%\system32\verisignpub1.crl
--------------------------------------------------
Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps
*Registry key not found*
--------------------------------------------------
Load/Run keys from C:\WINNT\WIN.INI:
load=*INI section not found*
run=*INI section not found*
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=
--------------------------------------------------
Shell & screensaver key from C:\WINNT\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINNT\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINNT\Explorer\Explorer.exe: not present
C:\WINNT\System\Explorer.exe: not present
C:\WINNT\System32\Explorer.exe: not present
C:\WINNT\Command\Explorer.exe: not present
C:\WINNT\Fonts\Explorer.exe: not present
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Verifying REGEDIT.EXE integrity:
- Regedit.exe found in C:\WINNT
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'
Registry check passed
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\WINNT\system32\hp818.tmp - {893fad3a-931e-4e53-b515-b1426d63799b}
--------------------------------------------------
Enumerating Task Scheduler jobs:
*No jobs found*
--------------------------------------------------
Enumerating Download Program Files:
[DirectAnimation Java Classes]
CODEBASE = file://C:\WINNT\Java\classes\dajava.cab
OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd
[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab
OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd
[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab
[HouseCall Control]
InProcServer32 = C:\WINNT\DOWNLO~1\xscan60.ocx
CODEBASE = http://housecall60.trendmicro.com/housecall/xscan60.cab
[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINNT\System32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
[YInstStarter Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
[{3AF731D0-2FD4-5B6E-0143-565E67E12629}]
CODEBASE = http://69.50.182.94/1/rdgSG1342.exe
[Install Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\pinstall.dll
CODEBASE = http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
[HouseCall Control]
InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38413.1144097222
[MsnMessengerSetupDownloadControl Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
CODEBASE = http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
--------------------------------------------------
Enumerating Winsock LSP files:
NameSpace #1: C:\WINNT\System32\rnr20.dll
NameSpace #2: C:\WINNT\System32\winrnr.dll
Protocol #1: C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavlsp.dll
Protocol #2: C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavlsp.dll
Protocol #3: C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavlsp.dll
Protocol #4: C:\WINNT\system32\msafd.dll
Protocol #5: C:\WINNT\system32\msafd.dll
Protocol #6: C:\WINNT\system32\msafd.dll
Protocol #7: C:\WINNT\system32\rsvpsp.dll
Protocol #8: C:\WINNT\system32\rsvpsp.dll
Protocol #9: C:\WINNT\system32\msafd.dll
Protocol #10: C:\WINNT\system32\msafd.dll
Protocol #11: C:\WINNT\system32\msafd.dll
Protocol #12: C:\WINNT\system32\msafd.dll
Protocol #13: C:\WINNT\system32\msafd.dll
Protocol #14: C:\WINNT\system32\msafd.dll
Protocol #15: C:\WINNT\system32\msafd.dll
Protocol #16: C:\WINNT\system32\msafd.dll
Protocol #17: C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavlsp.dll
--------------------------------------------------
Enumerating Windows NT/2000/XP services
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Alcatel SpeedTouch USB ADSL PPP Networking Driver (NDISWAN): System32\DRIVERS\alcan5wn.sys (manual start)
Alcatel Speed Touch ADSL Modem ATM Transport: System32\DRIVERS\alcaudsl.sys (manual start)
Alerter: %SystemRoot%\System32\services.exe (manual start)
Application Management: %SystemRoot%\system32\services.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Antivirus Filter Driver: \SystemRoot\system32\drivers\av5flt.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k BITSgroup (manual start)
Computer Browser: %SystemRoot%\System32\services.exe (autostart)
Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINNT\System32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
Panda CPoint Driver: system32\Drivers\cpoint.sys (autostart)
DHCP Client: %SystemRoot%\System32\services.exe (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart)
Microsoft DirectMusic SW Synth (WDM): system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\services.exe (autostart)
EPSON Printer Status Agent2: C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe (autostart)
Creative SB AudioPCI Audio Driver (WDM): system32\drivers\ev19x8mp.sys (manual start)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (manual start)
ewido security suite control: C:\Program Files\ewido\security suite\ewidoctrl.exe (autostart)
ewido security suite driver: \??\C:\Program Files\ewido\security suite\guard.sys (system)
ewido security suite guard: C:\Program Files\ewido\security suite\ewidoguard.exe (autostart)
Fax Service: %systemroot%\system32\faxsvc.exe (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (manual start)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\services.exe (autostart)
Workstation: %SystemRoot%\System32\services.exe (autostart)
TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart)
Messenger: %SystemRoot%\System32\services.exe (disabled)
NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
BDA MPE Filter: System32\DRIVERS\MPE.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINNT\System32\msdtc.exe (manual start)
Windows Installer: C:\WINNT\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
Microsoft MPU-401 MIDI UART Driver: system32\drivers\msmpu401.sys (manual start)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: system32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start)
Panda Preventium Driver.: system32\Drivers\netflt.sys (system)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NPPTNT2: \??\C:\WINNT\system32\npptNT2.sys (system)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Parallel class driver: System32\DRIVERS\parallel.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (system)
Panda anti-virus driver: \SystemRoot\System32\Drivers\pavdrv50.sys (autostart)
Panda Firewall Service: "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe" (autostart)
Panda Function Service: "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe" (autostart)
Panda Pavkre: "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe" (autostart)
Panda Process Protection Driver: \??\C:\WINNT\system32\DRIVERS\PavProc.sys (autostart)
Panda PavProt: "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe" (autostart)
Panda Process Protection Service: "C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe" (autostart)
Panda anti-virus service: "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv50.exe" (autostart)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Padus ASPI Shell: system32\drivers\pfc.sys (manual start)
PfModNT: \??\C:\WINNT\System32\PfModNT.sys (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Panda Preventium+ Service: "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe" (autostart)
Protected Storage: %SystemRoot%\system32\services.exe (autostart)
Panda IManager Service: "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe" (autostart)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Microsoft Streaming Network Raw Channel Access: system32\drivers\RCA.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry Service: %SystemRoot%\system32\regsvc.exe (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe -s (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
CanoScan FBP3 Port Driver: \??\C:\WINNT\system32\drivers\ScFBPNT3.SYS (autostart)
Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart)
RunAs Service: %SystemRoot%\system32\services.exe (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Sharing: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
Microsoft System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Teefer for NT: SYSTEM32\Drivers\Teefer.sys (system)
Telnet: %SystemRoot%\system32\tlntsvr.exe (manual start)
Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (autostart)
Microsoft USB Universal Host Controller Driver: System32\DRIVERS\uhcd.sys (manual start)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
User Privilege Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Utility Manager: %SystemRoot%\System32\UtilMan.exe (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
Windows Time: %SystemRoot%\System32\services.exe (manual start)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
SyGate for NT, WG3N: \SystemRoot\SYSTEM32\Drivers\WG3N.sys (autostart)
SyGate for NT, wg4n: \SystemRoot\SYSTEM32\Drivers\wg4n.sys (autostart)
SyGate for NT, wg5n: \SystemRoot\SYSTEM32\Drivers\wg5n.sys (autostart)
SyGate for NT, wg6n: \SystemRoot\SYSTEM32\Drivers\wg6n.sys (autostart)
Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\system32\Services.exe (manual start)
wpsdrvnt: \??\C:\WINNT\system32\drivers\wpsdrvnt.sys (system)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (autostart)
World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k wugroup (autostart)
Wireless Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\system32\webcheck.dll
SysTray: stobject.dll
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
wininet.dll = mscornet.exe
kernel32.dll = C:\WINNT\system32\mssearchnet.exe
nvctrl.exe = nvctrl.exe
--------------------------------------------------
End of report, 32,218 bytes
Report generated in 0.691 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
illukka SWW Expert

Joined: 31 Jul 2004 Last Visit: 20 Aug 2009 Posts: 1989 Location: the Pits Of Hell
Posted: Wed Sep 14, 2005 1:10 pm Post subject:
hi
First, thank you for the files. Could you upload the other files Derek mentioned in the spykiller thread too?
question: is SINGNET your ISP?
Please print these next instructions out, or copy them to a NotePad file for reading while in Safe Mode.
Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.
Place a shortcut to Panda ActiveScan on your desktop.
Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.
If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions; otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!
Next, please reboot your computer in SafeMode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear
- Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items, then click FIX CHECKED:
R3 - Default URLSearchHook is missing
O2 - BHO: HomepageBHO - {893fad3a-931e-4e53-b515-b1426d63799b} - C:\WINNT\system32\hp818.tmp
O4 - HKLM\..\Run: [Microsoft SpC Service] sutcp.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [aldefr ere service] tay0x.exe
O4 - HKLM\..\Run: [SonyCD] Sony.exe
O4 - HKLM\..\Run: [Windows Update Center] W32RSA.exe
O4 - HKLM\..\RunServices: [Microsoft SpC Service] sutcp.exe
O4 - HKLM\..\RunServices: [aldefr ere service] tay0x.exe
O4 - HKLM\..\RunServices: [SonyCD] Sony.exe
O4 - HKLM\..\RunServices: [Windows Update Center] W32RSA.exe
O4 - HKCU\..\Run: [NTSF MICROSOFT SYSTEM] dll.exe
O4 - HKCU\..\Run: [Microsoft SpC Service] sutcp.exe
O4 - HKCU\..\Run: [aldefr ere service] tay0x.exe
O4 - HKCU\..\Run: [Windows Update Center] W32RSA.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {3AF731D0-2FD4-5B6E-0143-565E67E12629} - http://69.50.182.94/1/rdgSG1342.exe
Close HiJackThis.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.
Open Ad-aware and do a full scan. Remove all it finds.
Run Ewido:
- Click on scanner
- Click on Complete System Scan and the scan will begin.
- NOTE: During some scans, ewido is finding cases of false positives.
- You will need to step through the process of cleaning files one-by-one.
- If ewido detects a file you KNOW to be legitimate, select none as the action.
- DO NOT select "Perform action on all infections"
- If you are unsure of any entry found select none for now.
- When the scan is finished, click the Save report button at the bottom of the screen.
- Save the report to your desktop
Close Ewido
Next, go to Control Panel, click Display > Desktop > Customize Desktop > Web, and uncheck "Security Info" if present.
Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.
_________________
INFECTED? report it << click here
To Ride, Shoot Straight And Speak The Truth
The help you receive here is free. If you wish to show your appreciation, then you may DONATE to help keep us online.
jason1e2 Junior Member
Joined: 12 Sep 2005 Last Visit: 17 Jun 2008 Posts: 43
Posted: Thu Sep 15, 2005 7:25 am Post subject:
yes, singnet is.
the triangular yellow thingy with the exclamation mark is still coming out.
Ad-Aware SE Build 1.06r1
Logfile Created on:Thursday, September 15, 2005 9:38:08 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R66 14.09.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Alexa(TAC index:5):2 total references
Malware.Psguard(TAC index:7):5 total references
Tracking Cookie(TAC index:3):4 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R66 14.09.2005
Internal build : 77
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 522778 Bytes
Total size : 1570907 Bytes
Signature data size : 1537712 Bytes
Reference data size : 32683 Bytes
Signatures total : 43686
CSI Fingerprints total : 1045
CSI data size : 37239 Bytes
Target categories : 15
Target families : 746
Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium III
Memory available:64 %
Total physical memory:261616 kb
Available physical memory:164936 kb
Total page file size:631952 kb
Available on page file:562136 kb
Total virtual memory:2097024 kb
Available virtual memory:2046356 kb
OS:Microsoft Windows 2000 Professional Service Pack 4 (Build 2195)
Ad-Aware SE Settings
===========================
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file
Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects
9-15-2005 9:38:08 PM - Scan started. (Full System Scan)
Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 120
ThreadCreationTime : 9-15-2005 1:01:02 PM
BasePriority : Normal
#:2 [csrss.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 148
ThreadCreationTime : 9-15-2005 1:01:27 PM
BasePriority : Normal
#:3 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 144
ThreadCreationTime : 9-15-2005 1:01:29 PM
BasePriority : High
#:4 [services.exe]
FilePath : C:\WINNT\system32\
ProcessID : 196
ThreadCreationTime : 9-15-2005 1:01:32 PM
BasePriority : Normal
FileVersion : 5.00.2195.6700
ProductVersion : 5.00.2195.6700
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : services.exe
#:5 [lsass.exe]
FilePath : C:\WINNT\system32\
ProcessID : 208
ThreadCreationTime : 9-15-2005 1:01:33 PM
BasePriority : Normal
FileVersion : 5.00.2195.6902
ProductVersion : 5.00.2195.6902
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Executable and Server DLL (Export Version)
InternalName : lsasrv.dll and lsass.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : lsasrv.dll and lsass.exe
#:6 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 368
ThreadCreationTime : 9-15-2005 1:01:39 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe
#:7 [winmgmt.exe]
FilePath : C:\WINNT\System32\WBEM\
ProcessID : 404
ThreadCreationTime : 9-15-2005 1:01:41 PM
BasePriority : Normal
FileVersion : 1.50.1085.0100
ProductVersion : 1.50.1085.0100
ProductName : Windows Management Instrumentation
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
LegalCopyright : Copyright (C) Microsoft Corp. 1995-1999
#:8 [explorer.exe]
FilePath : C:\WINNT\
ProcessID : 448
ThreadCreationTime : 9-15-2005 1:03:57 PM
BasePriority : Normal
FileVersion : 5.00.3700.6690
ProductVersion : 5.00.3700.6690
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : EXPLORER.EXE
#:9 [winword.exe]
FilePath : C:\Program Files\Microsoft Office\Office\
ProcessID : 300
ThreadCreationTime : 9-15-2005 1:32:25 PM
BasePriority : Normal
#:10 [agentsvr.exe]
FilePath : C:\WINNT\msagent\
ProcessID : 516
ThreadCreationTime : 9-15-2005 1:32:48 PM
BasePriority : Normal
FileVersion : 2.00.0.3422
ProductVersion : 2.00.0.3422
ProductName : Microsoft Agent Server
CompanyName : Microsoft Corporation
FileDescription : Microsoft Agent Server
InternalName : AgentServer
LegalCopyright : Copyright (C) Microsoft Corp. 1997-98
OriginalFilename : AgentSvr.exe
#:11 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 288
ThreadCreationTime : 9-15-2005 1:37:38 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved
Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0
Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{15dc7116-e58e-4395-a45a-a1c99b17c030}
Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{e0aa0493-c410-4cbd-b1db-1723374fa8e0}
Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{e5d78bd8-3874-4aa0-9d45-cfb79382c484}
Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : .DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}
Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : S-1-5-21-1123561945-706699826-854245398-500\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}
Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 5
Objects found so far: 5
Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5
Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@bluestreak[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:administrator@bluestreak.com/
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@tribalfusion[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:administrator@tribalfusion.com/
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@cgi-bin[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:6
Value : Cookie:administrator@imrworldwide.com/cgi-bin
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@trafficmp[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:7
Value : Cookie:administrator@trafficmp.com/
Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 9
Deep scanning and examining files (C
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 9
Scanning Hosts file......
Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
0 entries scanned.
New critical objects:0
Objects found so far: 9
Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Malware.Psguard Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\desktop\general
Value : Wallpaper
Malware.Psguard Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Display Inline Images
Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 11
9:43:52 PM Scan Complete
Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:05:44.5
Objects scanned:62829
Objects identified:11
Objects ignored:0
New critical objects:11
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 10:16:47 PM, 9/15/2005
+ Report-Checksum: 80593D7D
+ Scan result:
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
::Report End
Panda Titanium Antivirus 2005 incident report
EVENT DATE RESULTS ADDITIONAL INFORMATION
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Scan completed 09/15/05 23:05:58 Scan: All My Computer
Spyware detected: Cookie/Rn11 09/15/05 22:32:16 Eliminated Location: C:\Documents and Settings\Administrator\Cookies\administrator@rn11[2].txt
Spyware detected: Cookie/Belnk 09/15/05 22:32:16 Eliminated Location: C:\Documents and Settings\Administrator\Cookies\administrator@dist.belnk[2].txt
Spyware detected: Cookie/Com.com 09/15/05 22:32:16 Eliminated Location: C:\Documents and Settings\Administrator\Cookies\administrator@com[2].txt
Spyware detected: Cookie/Belnk 09/15/05 22:32:15 Eliminated Location: C:\Documents and Settings\Administrator\Cookies\administrator@belnk[1].txt
Spyware detected: Cookie/Ask 09/15/05 22:32:15 Eliminated Location: C:\Documents and Settings\Administrator\Cookies\administrator@ask[1].txt
Scan started 09/15/05 22:25:41 Scan: All My Computer
Scan completed 09/15/05 22:24:46 Scan: All My Computer
Scan started 09/15/05 22:24:26 Scan: All My Computer
Connection attempt 09/15/05 19:44:55 Blocked Source IP address: 165.21.100.88
Network virus: Exploit/uPnP 09/15/05 00:50:50 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:50:48 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:47:07 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:46:27 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:46:07 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:45:57 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:45:52 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:45:49 Blocked Intrusion attempt blocked
Network virus: Exploit/RPC-DCOM 09/15/05 00:41:28 Blocked Intrusion attempt blocked
Network virus: Exploit/RPC-DCOM 09/15/05 00:40:51 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:40:37 Blocked Intrusion attempt blocked
Network virus: Exploit/RPC-DCOM 09/15/05 00:40:33 Blocked Intrusion attempt blocked
Network virus: Exploit/RPC-DCOM 09/15/05 00:40:24 Blocked Intrusion attempt blocked
Network virus: Exploit/RPC-DCOM 09/15/05 00:40:19 Blocked Intrusion attempt blocked
Network virus: Exploit/RPC-DCOM 09/15/05 00:40:17 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:39:54 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:39:32 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:39:22 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:39:16 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:39:14 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:33:22 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:32:44 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:32:25 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:32:15 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:32:10 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:32:08 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:30:50 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:30:08 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:29:47 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:29:37 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:29:32 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:29:29 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:28:13 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:27:35 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:27:15 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:27:06 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:27:01 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:26:59 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:25:42 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:25:03 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:24:43 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:24:34 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:24:29 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:24:27 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:22:30 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:21:48 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:21:28 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:21:17 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:21:12 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:21:09 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:20:56 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:20:17 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:19:58 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:19:48 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:19:44 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:19:41 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:16:25 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:15:41 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:15:18 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:15:07 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:15:01 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:14:59 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:11:58 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:10:37 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:09:58 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:09:03 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:08:56 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:08:37 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:08:25 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:08:08 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:08:01 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:07:09 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:07:01 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:06:13 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:06:12 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:05:49 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:05:44 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:05:37 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:05:30 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:05:23 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:00:57 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:00:07 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/15/05 00:00:06 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:59:15 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:58:24 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:58:07 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:57:35 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:57:32 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:57:06 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:56:47 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:56:41 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:56:41 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:56:36 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:56:22 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:56:20 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:56:10 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:56:04 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:56:01 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:54:48 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:54:10 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:54:03 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:53:40 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:53:30 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:53:29 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:53:23 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:53:21 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:53:10 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:53:00 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:52:55 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:52:52 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:48:55 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:48:07 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:47:43 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:47:31 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:47:25 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:47:23 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:46:25 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:46:16 Blocked Intrusion attempt blocked
Network virus: Exploit/RPC-DCOM 09/14/05 23:45:42 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:45:27 Blocked Intrusion attempt blocked
Network virus: Exploit/RPC-DCOM 09/14/05 23:45:04 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:45:04 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:45:03 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:45:03 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:44:51 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:44:45 Blocked Intrusion attempt blocked
Network virus: Exploit/RPC-DCOM 09/14/05 23:44:45 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:44:43 Blocked Intrusion attempt blocked
Network virus: Exploit/RPC-DCOM 09/14/05 23:44:35 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:44:34 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:44:30 Blocked Intrusion attempt blocked
Network virus: Exploit/RPC-DCOM 09/14/05 23:44:28 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:44:26 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:44:25 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:44:24 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:44:05 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:43:56 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:43:51 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:43:48 Blocked Intrusion attempt blocked
Network virus: Exploit/RPC-DCOM 09/14/05 23:42:48 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:42:25 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:42:11 Blocked Intrusion attempt blocked
Network virus: Exploit/RPC-DCOM 09/14/05 23:41:53 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:41:44 Blocked Intrusion attempt blocked
Network virus: Exploit/RPC-DCOM 09/14/05 23:41:39 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:41:37 Blocked Intrusion attempt blocked
Network virus: Exploit/RPC-DCOM 09/14/05 23:41:21 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:40:49 Blocked Intrusion attempt blocked
Network virus: Exploit/RPC-DCOM 09/14/05 23:40:42 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:40:23 Blocked Intrusion attempt blocked
Network virus: Exploit/RPC-DCOM 09/14/05 23:40:13 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:40:09 Blocked Intrusion attempt blocked
Network virus: Exploit/RPC-DCOM 09/14/05 23:40:06 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:39:37 Blocked Intrusion attempt blocked
Network virus: Exploit/RPC-DCOM 09/14/05 23:36:14 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:36:05 Blocked Intrusion attempt blocked
Network virus: Exploit/RPC-DCOM 09/14/05 23:35:57 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:33:53 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:33:15 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:32:55 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:32:46 Blocked Intrusion attempt blocked
Network virus: Exploit/uPnP 09/14/05 23:32:41 Blocked Intrusion attempt blocked
illukka SWW Expert
Posted: Thu Sep 15, 2005 12:05 pm Post subject:
hi
there are 2 options:
we could wait for an update to smitrem
or we could try manually removing the infection
it's your machine, so which one do you choose?
the virus incidents shown in the Panda log are Zotob worm spreading attempts; your firewall seems to be blocking them
_________________ INFECTED? report it << click here
To Ride, Shoot Straight And Speak TheTruth
The help you receive here is free. If you wish to show your appreciation, then you may DONATE to help keep us online.
jason1e2 Junior Member
Posted: Fri Sep 16, 2005 4:30 am Post subject:
Manually remove them ASAP because there are still pop-ups and something is not right. If I am on the internet for a while and I don't touch it, my internet is like taken over by another network or internet access, because none of the websites I go to can work. It says something like this:
Action canceled
Internet Explorer was unable to link to the Web page you requested. The page might be temporarily unavailable.
--------------------------------------------------------------------------------
Please try the following:
Click the Refresh button, or try again later.
If you have visited this page previously and you want to view what has been stored on your computer, click File, and then click Work Offline.
For information about offline browsing with Internet Explorer, click the Help menu, and then click Contents and Index.
Internet Explorer
and I am afraid that if there was another dialer or something I might have to pay money when it gets connected.
btw thx a lot, it's better now at least!
illukka SWW Expert
Posted: Fri Sep 16, 2005 1:32 pm Post subject:
hi
let's first try another virus scan:
Please do an online scan with Kaspersky WebScanner
Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, click Yes.
- The program will launch and then begin downloading the latest definition files:
- Once the files have been downloaded click on NEXT
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Archives
Scan Mail Bases
- Click OK
- Now under select a target to scan:
- The program will start and scan your system.
- The scan will take a while so be patient and let it run.
- Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
- Save the file to your desktop.
- Copy and paste that information in your next post.
jason1e2 Junior Member
Posted: Fri Sep 16, 2005 9:11 pm Post subject:
the Kaspersky log
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, September 17, 2005 13:02:04
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 17/09/2005
Kaspersky Anti-Virus database records: 149617
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
Scan Statistics:
Total number of scanned objects: 23731
Number of viruses found: 6
Number of infected objects: 32
Number of suspicious objects: 2
Duration of the scan process: 6250 sec
Infected Object Name - Virus Name
C:\Documents and Settings\Administrator\My Documents\setup_ares.exe/data0037/NHInstall.exe Infected: not-a-virus:AdWare.NavExcel.d
C:\Documents and Settings\Administrator\My Documents\setup_ares.exe/data0037 Infected: not-a-virus:AdWare.NavExcel.d
C:\Documents and Settings\Administrator\My Documents\setup_ares.exe/data0038 Infected: not-a-virus:AdWare.NavExcel.i
C:\Documents and Settings\Administrator\My Documents\setup_ares.exe Infected: not-a-virus:AdWare.NavExcel.i
C:\Documents and Settings\Administrator\My Documents\VideoCodec3_05b.exe Infected: Trojan-Downloader.Win32.Zlob.am
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchYexe.zip/{82F7CFE5-7759-4596-BD48-12697937F5F7}/SECURITY.EXE Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchYexe.zip Suspicious: Password-protected-EXE
C:\Program Files\hijack this\backups\backup-20050915-212652-585.dll Infected: Trojan.Win32.Small.fs
C:\WINNT\system32\ld1576.tmp Infected: Trojan-Downloader.Win32.Zlob.am
C:\WINNT\system32\ld16C9.tmp Infected: Trojan-Downloader.Win32.Zlob.am
C:\WINNT\system32\ld1761.tmp Infected: Trojan-Downloader.Win32.Zlob.am
C:\WINNT\system32\ld1A28.tmp Infected: Trojan-Downloader.Win32.Zlob.am
C:\WINNT\system32\ld2562.tmp Infected: Trojan-Downloader.Win32.Zlob.am
C:\WINNT\system32\ld2A46.tmp Infected: Trojan-Downloader.Win32.Zlob.am
C:\WINNT\system32\ld3616.tmp Infected: Trojan-Downloader.Win32.Zlob.am
C:\WINNT\system32\ld3881.tmp Infected: Trojan-Downloader.Win32.Zlob.am
C:\WINNT\system32\ld471E.tmp Infected: Trojan-Downloader.Win32.Zlob.am
C:\WINNT\system32\ld5C46.tmp Infected: Trojan-Downloader.Win32.Zlob.am
C:\WINNT\system32\ld64F5.tmp Infected: Trojan-Downloader.Win32.Zlob.am
C:\WINNT\system32\ld6BA.tmp Infected: Trojan-Downloader.Win32.Zlob.am
C:\WINNT\system32\ld6FD3.tmp Infected: Trojan-Downloader.Win32.Zlob.am
C:\WINNT\system32\ld8260.tmp Infected: Trojan-Downloader.Win32.Zlob.am
C:\WINNT\system32\ldBFF2.tmp Infected: Trojan-Downloader.Win32.Zlob.am
C:\WINNT\system32\ldC9A2.tmp Infected: Trojan-Downloader.Win32.Zlob.am
C:\WINNT\system32\ldCB3D.tmp Infected: Trojan-Downloader.Win32.Zlob.am
C:\WINNT\system32\ldD8AC.tmp Infected: Trojan-Downloader.Win32.Zlob.am
C:\WINNT\system32\ldDE3A.tmp Infected: Trojan-Downloader.Win32.Zlob.am
C:\WINNT\system32\ldF468.tmp Infected: Trojan-Downloader.Win32.Zlob.am
C:\WINNT\system32\ldF5F8.tmp Infected: Trojan-Downloader.Win32.Zlob.am
C:\WINNT\system32\ldF8EB.tmp Infected: Trojan-Downloader.Win32.Zlob.am
C:\WINNT\system32\ldF974.tmp Infected: Trojan-Downloader.Win32.Zlob.am
C:\WINNT\system32\mscornet.exe Infected: Trojan-Downloader.Win32.Zlob.am
C:\WINNT\system32\mssearchnet.exe Infected: Trojan.Win32.Small.fs
C:\WINNT\system32\msvol.tlb Infected: Trojan.Win32.Puper.az
Scan process completed.
illukka SWW Expert
Posted: Sat Sep 17, 2005 11:19 am Post subject:
hi
Download Killbox
- Download Killbox. Do not use it yet.
- Unzip the contents of KillBox.zip to a convenient location.
open killbox.exe by double-clicking on it
then highlight the list of files below
C:\WINNT\system32\ld1576.tmp
C:\WINNT\system32\ld16C9.tmp
C:\WINNT\system32\ld1761.tmp
C:\WINNT\system32\ld1A28.tmp
C:\WINNT\system32\ld2562.tmp
C:\WINNT\system32\ld2A46.tmp
C:\WINNT\system32\ld3616.tmp
C:\WINNT\system32\ld3881.tmp
C:\WINNT\system32\ld471E.tmp
C:\WINNT\system32\ld5C46.tmp
C:\WINNT\system32\ld64F5.tmp
C:\WINNT\system32\ld6BA.tmp
C:\WINNT\system32\ld6FD3.tmp
C:\WINNT\system32\ld8260.tmp
C:\WINNT\system32\ldBFF2.tmp
C:\WINNT\system32\ldC9A2.tmp
C:\WINNT\system32\ldCB3D.tmp
C:\WINNT\system32\ldD8AC.tmp
C:\WINNT\system32\ldDE3A.tmp
C:\WINNT\system32\ldF468.tmp
C:\WINNT\system32\ldF5F8.tmp
C:\WINNT\system32\ldF8EB.tmp
C:\WINNT\system32\ldF974.tmp
C:\WINNT\system32\mscornet.exe
C:\WINNT\system32\mssearchnet.exe
C:\WINNT\system32\msvol.tlb
C:\WINNT\system32\nvctrl.exe
C:\WINNT\nvctrl.exe
press CTRL+C to copy them to the clipboard
then in Killbox click File > Paste from clipboard
- Choose Delete on Reboot.
- Click the "Delete File" button which looks like a stop sign.
- Click "Yes" at the Delete on Reboot prompt.
- If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
after the machine boots back, reboot to safe mode
repeat the instructions from the smitfraud trojan fix from my above post
post a fresh HJT log and the contents of c:\smitfiles.txt
go back to the spykiller uploads forum thread
attach the contents of the c:\!submit folder to your message there
also post me all possible error messages you get
good luck
jason1e2 Junior Member
Posted: Sat Sep 17, 2005 8:45 pm Post subject:
Logfile of HijackThis v1.99.1
Scan saved at 12:25:16 PM, on 9/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv50.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\WebProxy.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\hijack this\HijackThis.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv50.exe
O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
illukka SWW Expert
Posted: Sat Sep 17, 2005 11:06 pm Post subject:
hi
if you did run Killbox it should make backup copies of every file killed with it
it creates a folder called c:\!submit if the deletion is successful
i'd like you to upload that folder to spykiller
also smitrem when run should create a logfile called smitfiles.txt which i would like to see to confirm if the removal was successful
there are still a couple of entries that need attention
i'll post some instructions later today, real life interferes now
jason1e2 Junior Member
Posted: Mon Sep 19, 2005 7:11 am Post subject:
can't find it...
illukka SWW Expert
Posted: Mon Sep 19, 2005 1:13 pm Post subject:
hi
the smitrem tool has now been updated to cover the variant you had
(special thanks to you for it)
download it again, and proceed like I instructed above to run it
there are some things left in the registry that the tool effectively cleans
after running smitrem again, reboot
copy the text in the code box below into a Notepad window
save as fix.reg, save as type All Files *important*
it won't work if you save it as a txt file
Code:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@=""
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
when ready right-click the fix.reg file and select "Merge" from the right-click menu
answer Yes and OK
you should see a message like "merged successfully"
reboot
post a final HijackThis log
jason1e2 Junior Member
Posted: Sun Sep 25, 2005 8:07 pm Post subject:
http://www.thespykiller.co.uk/forum/index.php?topic=710.0
Sorry for the late post, I am having exams so I had to study.
Logfile of HijackThis v1.99.1
Scan saved at 11:47:21 AM, on 9/26/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\WebProxy.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\hijack this\HijackThis.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CS2\Services\Tcpip\..\{0B876A19-BA30-4705-A404-746FA375E7C0}: NameServer = 165.21.83.88 165.21.100.88
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv50.exe
O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
smitRem log file
version 2.4
by noahdfear
The current date is: Mon 09/26/2005
The current time is: 11:23:19.96
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pre-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
ncompat.tlb
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Post-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Wininet.dll ~~~
CLEAN!
illukka SWW Expert
Posted: Wed Sep 28, 2005 4:55 am Post subject:
thx for the files again.
now you need to disable Microsoft AntiSpyware's real-time protection:
- Right-click on the Microsoft Anti-Spyware tray icon by your clock (it's the one with the red and yellow bulls-eye).
- Click on "Security Agents Status".
- Click on "Disable real-time protection".
Next, open Microsoft Anti-Spyware.
- Click on the Options menu, then Settings.
- Select "Real Time Protection" from the left column.
- Uncheck "Enable (MSAS) Security Agents" and "Enable real-time spyware threat protection".
- Click the Save button.
Finally, right-click on the MSAS tray icon, select "Shutdown Microsoft Antispyware", and click "Yes" in the dialog that comes up.
remember to re-enable it after we're done
copy the text in the code box below into a Notepad window
save as fix2.reg, save as type All Files *important*
it won't work if you save it as a txt file
Code:
REGEDIT4
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@=""
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
"shell"=dword:00000000
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@=""
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
"shell"=dword:00000000
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
when ready right-click the fix.reg file and select "Merge" from the right-click menu
answer Yes and OK
you should see a message like "merged successfully"
reboot
post a final HijackThis log
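The two .reg fixes in this thread restore the IE ZoneMap ProtocolDefaults values that the Smitfraud/Zlob infection had pushed into the My Computer zone (the O15 lines in the HijackThis logs). As an added example (Python, not code from the thread, from HijackThis or from smitRem), the checker below parses such a .reg fragment and HijackThis O15 lines into the same shape and reports any scheme whose zone differs from the safe default; the sample .reg text and O15 lines are copied from this thread, and all function and constant names are my own.

```python
import re

# Zone numbers behind the ZoneMap\ProtocolDefaults dword values.
ZONE_NAMES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# Safe defaults, identical to what the fix.reg in the thread writes back.
EXPECTED_ZONES = {"http": 3, "https": 3, "ftp": 3, "file": 3,
                  "@ivt": 1, "shell": 0}

PROTOCOL_DEFAULTS_SUBKEY = (r"SOFTWARE\Microsoft\Windows\CurrentVersion"
                            r"\Internet Settings\ZoneMap\ProtocolDefaults")

_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
_O15 = re.compile(r"^O15 - ProtocolDefaults: '([^']+)' protocol is in "
                  r"(.+?) Zone, should be (.+?) Zone$")
# Zone labels exactly as HijackThis prints them in the O15 lines on this page.
_HJT_ZONES = {"My Computer": 0, "Intranet": 1, "Internet": 3}


def parse_reg(text):
    """Parse a REGEDIT4 / 'Windows Registry Editor' export into
    {key: {name: value}}.  '[-key]' marks a key for deletion (value None);
    dword values become ints, strings stay strings, '@' is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name.startswith("-"):
                keys[name[1:]], current = None, None
            else:
                current = keys.get(name) or {}   # a recreated key starts empty
                keys[name] = current
            continue
        if current is None:
            raise ValueError("value line outside a key: " + line)
        m = _DWORD.match(line)
        if m:
            current[m.group(1)] = int(m.group(2), 16)
            continue
        name, _, value = line.partition("=")
        current[name.strip('"')] = value.strip('"')
    return keys


def protocol_defaults(keys, hive):
    """Return the ProtocolDefaults values under the given hive ({} if absent).
    Registry paths are case-insensitive, so compare lower-cased."""
    wanted = (hive + "\\" + PROTOCOL_DEFAULTS_SUBKEY).lower()
    for name, values in keys.items():
        if name.lower() == wanted and values is not None:
            return values
    return {}


def audit_zones(values):
    """Return (scheme, actual, expected) for every scheme whose zone differs
    from the safe default; an empty list means the mapping is clean."""
    return [(s, values[s], z) for s, z in EXPECTED_ZONES.items()
            if s in values and values[s] != z]


def parse_hjt_o15(log_text):
    """Turn HijackThis O15 ProtocolDefaults lines into the same {scheme: zone}
    shape parse_reg yields, so a log can be fed to audit_zones too."""
    values = {}
    for line in log_text.splitlines():
        m = _O15.match(line.strip())
        if m and m.group(2) in _HJT_ZONES:
            values[m.group(1)] = _HJT_ZONES[m.group(2)]
    return values


def describe(findings):
    """Human-readable form of audit_zones() output."""
    return ["%s: %s (expected %s)" % (s, ZONE_NAMES[a], ZONE_NAMES[e])
            for s, a, e in findings]


# O15 lines copied from the HijackThis log posted in the thread.
HJT_SAMPLE = """\
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
"""

# The HKLM ProtocolDefaults part of fix2.reg from the thread, plus one of its
# delete-then-recreate pairs to exercise the '[-key]' syntax.
FIX_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@=""
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
"shell"=dword:00000000
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
"""

if __name__ == "__main__":
    print("Before fix:", describe(audit_zones(parse_hjt_o15(HJT_SAMPLE))))
    after = protocol_defaults(parse_reg(FIX_REG), "HKEY_LOCAL_MACHINE")
    print("After fix:", describe(audit_zones(after)) or ["clean"])
```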