
My HiJackThis Log (Nail.exe problem!)[RESOLVED]

#1 pegg (Member, 13 posts)
I've run Spybot, Ad-aware, KillBox - this Nail.exe won't die (plus others that randomly appear after I clean)!! I looked on other Nail.exe posts and downloaded Ewido and just ran that. Then I ran HiJackThis Log.

Could someone please take a look?? I am not rebooting until I hear back because the file names will change.

Thanks-Pegg



Logfile of HijackThis v1.99.1
Scan saved at 11:00:10 AM, on 4/29/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nntd.exe
C:\mysql\bin\winmysqladmin.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJ\Ewido\security suite\ewidoctrl.exe
C:\HJ\Ewido\security suite\SecuritySuite.exe
C:\HJ\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....ink/?LinkId=374
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\HJ\Spybot\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vvnrzi.exe
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O17 - HKLM\System\CCS\Services\Tcpip\..\{008AD617-CCB2-4A28-AB6E-4286BC25CE9B}: NameServer = 216.41.101.15,204.17.65.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{008AD617-CCB2-4A28-AB6E-4286BC25CE9B}: NameServer = 216.41.101.15,204.17.65.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{008AD617-CCB2-4A28-AB6E-4286BC25CE9B}: NameServer = 216.41.101.15,204.17.65.2
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\HJ\Ewido\security suite\ewidoctrl.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe


#2 morriwin (New Member, banned, 7 posts)
If you want to post help in the Malware Removal forum here at GTG, you need to be a staff member. Click here to join Geek U.

ScHwErV :tazz:

Edited by Geek U Moderator

Edited by ScHwErV, 29 April 2005 - 10:09 AM.


#3 pegg (Topic Starter, Member, 13 posts)
I think I've managed to get rid of Nail.exe based on helpful advice on others' posts with similar problems. However, there is still one that is troubling me since I've tried to delete it but it stays:

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vvnrzi.exe


Is this a legitimate file??

Thank you!
Pegg

#4 ScHwErV (Retired Staff, MVP, 21,285 posts)
You have a new infection that we are still working on. This fix has been used successfully many times now, so give it a shot and let's see what's left over.

Please run Notepad and copy the following text into a new file:

@ECHO OFF
REM Work from the Windows folder, where nail.exe and svcproc.exe live
cd\windows
REM Run Nail.exe with its /FULLREMOVE switch
Nail.exe /FULLREMOVE
REM Disable, stop and unregister the SvcProc service
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
REM Clear the system, read-only and hidden attributes so del can remove the files
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
exit

Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".

Next, please reboot your computer in Safe Mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.

Open HijackThis
Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

There will also be an item towards the bottom of the O4 section in HijackThis (it should be the last O4 item marked "HKLM"). This item will be marked with "garbage" random characters. However, it seems to be renaming itself, so the name will most likely be different by the time you follow these directions. In your previous log it was:

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vvnrzi.exe

Whatever the name of the item is, check it. Then close all open windows except for HijackThis and click Fix Checked.

Then delete the file listed in the random O4 entry. In the above example you would delete
C:\WINDOWS\System32\vvnrzi.exe

Restart your computer

Scan the computer here:
http://www.ewido.net/en/
Let it do a full run, then copy the log. Paste it into a blank Notepad file and save it to post here.
Then let it rerun. Save that log too.

Post back here with a fresh log using HijackThis and both of the scan results.

ScHwErV :tazz:

#5 pegg (Topic Starter, Member, 13 posts)
Hello-I've followed your directions and here are 2 Ewido reports and the final HijackThis Log. Thanks for your time and help!!!

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:49:30 AM, 5/2/2005
+ Report-Checksum: F058EB09

+ Date of database: 5/2/2005
+ Version of scan engine: v3.0

+ Duration: 36 min
+ Scanned Files: 81420
+ Speed: 36.91 Files/Second
+ Infected files: 6
+ Removed files: 6
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\peggy\Cookies\peggy@bluestreak[2].txt -> Spyware.Tracking-Cookie -> Cleaned without backup
C:\Documents and Settings\peggy\Cookies\peggy@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned without backup
C:\Documents and Settings\peggy\Cookies\peggy@tribalfusion[2].txt -> Spyware.Tracking-Cookie -> Cleaned without backup
C:\Documents and Settings\peggy\Cookies\peggy@zedo[2].txt -> Spyware.Tracking-Cookie -> Cleaned without backup
C:\Documents and Settings\peggy\Local Settings\Temp\tp7543.exe -> TrojanDownloader.Qoologoc.i -> Cleaned without backup
C:\WINDOWS\SYSTEM32\ppvqu.dat -> TrojanDownloader.Qoologoc.i -> Cleaned without backup


::Report End






---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:22:30 PM, 5/2/2005
+ Report-Checksum: CB6A41BA

+ Date of database: 5/2/2005
+ Version of scan engine: v3.0

+ Duration: 28 min
+ Scanned Files: 81414
+ Speed: 47.63 Files/Second
+ Infected files: 0
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
No infected files found!


::Report End










Logfile of HijackThis v1.99.1
Scan saved at 12:23:13 PM, on 5/2/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\HJ\Ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nntd.exe
C:\mysql\bin\winmysqladmin.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJ\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....ink/?LinkId=374
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\HJ\Spybot\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vvnrzi.exe
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O17 - HKLM\System\CCS\Services\Tcpip\..\{008AD617-CCB2-4A28-AB6E-4286BC25CE9B}: NameServer = 216.41.101.15,204.17.65.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{008AD617-CCB2-4A28-AB6E-4286BC25CE9B}: NameServer = 216.41.101.15,204.17.65.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{008AD617-CCB2-4A28-AB6E-4286BC25CE9B}: NameServer = 216.41.101.15,204.17.65.2
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\HJ\Ewido\security suite\ewidoctrl.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe

#6 ScHwErV (Retired Staff, MVP, 21,285 posts)
Looks good from here. How are things running?

ScHwErV :tazz:

#7 pegg (Topic Starter, Member, 13 posts)
Hi-
Things seem to be running fine - but I am still looking at this:

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vvnrzi.exe

Is that a legitimate file? I googled "KavSvc" and it appears KavSvc.exe is the Kaspersky Anti-Virus application, but I don't have that; I have the file vvnrzi.exe.
I don't remember downloading that application either.

Otherwise, everything seems to be ok !
-Peggy

#8 ScHwErV (Retired Staff, MVP, 21,285 posts)
I missed that and it must not have gone in the last instructions.

Click here to download Pocket Killbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each. Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those later:

C:\WINDOWS\System32\vvnrzi.exe

For the files that it either couldn't find or couldn't delete, in the killbox again this time, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

After that, check that line in HiJackThis and click fix checked. Then Reboot and post a fresh HiJackThis log.

ScHwErV :tazz:

#9 pegg (Topic Starter, Member, 13 posts)
You did not miss that line in your previous posts - you had instructions to deal with it but this file won't delete!

I ran KillBox and it confirmed "File Deleted" but then I rebooted and ran HiJackThis and it still appears:


Logfile of HijackThis v1.99.1
Scan saved at 1:28:57 PM, on 5/2/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\HJ\Ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nntd.exe
C:\mysql\bin\winmysqladmin.exe
C:\mysql\bin\mysqld-nt.exe
C:\HJ\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....ink/?LinkId=374
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\HJ\Spybot\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vvnrzi.exe
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O17 - HKLM\System\CCS\Services\Tcpip\..\{008AD617-CCB2-4A28-AB6E-4286BC25CE9B}: NameServer = 216.41.101.15,204.17.65.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{008AD617-CCB2-4A28-AB6E-4286BC25CE9B}: NameServer = 216.41.101.15,204.17.65.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{008AD617-CCB2-4A28-AB6E-4286BC25CE9B}: NameServer = 216.41.101.15,204.17.65.2
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\HJ\Ewido\security suite\ewidoctrl.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe

#10 ScHwErV (Retired Staff, MVP, 21,285 posts)
Let's see if we can find where it is coming back from.

Download Silent Runners
Unzip it to a permanent folder.
Start SilentRunners.vbs
When your antivirus is giving an alert, do not block this. Allow the script.
Copy and paste the content of the txtfile you get afterwards in your next reply.

ScHwErV :tazz:



#11 pegg (Topic Starter, Member, 13 posts)
"Silent Runners.vbs", revision 36, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"KavSvc" = "C:\WINDOWS\System32\vvnrzi.exe" [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\
8e48b37a-d8a3-4fe7-93ff-54ae0c9be618\(Default) = (no title provided)
\StubPath = "C:\WINDOWS\System32\bbocadn.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\HJ\Spybot\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\sstext3d.scr" [MS]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is disabled.

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\peggy\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "peggy" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\peggy\Start Menu\Programs\Startup
"WinMySQLadmin" -> shortcut to: "C:\mysql\bin\winmysqladmin.exe" ["MySQL AB"]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Acrobat Assistant" -> shortcut to: "C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe" [null data]
"Adobe Gamma Loader.exe" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"Monitor Apache Servers" -> shortcut to: "C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe" ["Apache Software Foundation"]
INFECTION WARNING! "nntd.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

BrSplService, Brother XP spl Service, "C:\WINDOWS\System32\brsvc01a.exe" ["brother Industries Ltd"]
ewido security suite control, ewido security suite control, "C:\HJ\Ewido\security suite\ewidoctrl.exe" ["ewido networks"]
MySql, MySql, "C:/mysql/bin/mysqld-nt.exe" [null data]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
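Added example, not part of the thread or of any tool named in it: a small Python triage script over constructed log snippets modelled on the HijackThis and Silent Runners output above. It checks the F2 Shell= line from post #1, reports entries that are back after "Fix checked" (the O4 KavSvc line that survives in posts #5 and #9), and pulls the Active Setup StubPath and other [null data] auto-start items out of the Silent Runners report, which is where the helper went looking for what was re-creating the Run entry. Function names and the [null data] heuristic are assumptions of this example.

```python
# Added example (not from the thread): triage helpers for HijackThis and
# Silent Runners output. Samples are constructed from the logs posted above;
# function names and the "[null data]" heuristic are this example's own.
import re

HJT_LINE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")

def parse_hjt(text):
    """Return the set of (section, body) entries in a HijackThis log."""
    entries = set()
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.add((m["sec"], m["body"]))
    return entries

def shell_hijack(entries):
    """F2 Shell= should be exactly Explorer.exe; return anything appended."""
    extras = []
    for sec, body in entries:
        if sec == "F2" and "Shell=" in body:
            value = body.split("Shell=", 1)[1].strip()
            if value.lower().startswith("explorer.exe"):
                rest = value[len("explorer.exe"):].strip()  # extra program(s)
                if rest:
                    extras.append(rest)
            else:
                extras.append(value)  # shell replaced outright
    return sorted(extras)

def resurrected(fixed, after):
    """Entries that were 'Fix checked' yet are present again in a later log.
    Something else re-creates them: look for a second persistence location."""
    return sorted(e for e in fixed if e in after)

# Silent Runners lists auto-start points HijackThis 1.99.1 does not show,
# e.g. Active Setup StubPath commands, which Windows runs once per user at logon.
SR_KEY = re.compile(r"^(HKLM|HKCU)\\(?P<key>.+?)\\?( \{\+\+\})?$")
SR_VALUE = re.compile(r'"[^"]+" = "(?P<path>[^"]+)" \[(?P<info>[^\]]+)\]')
SR_STUB = re.compile(r'\\StubPath = "(?P<path>[^"]+)" \[(?P<info>[^\]]+)\]')
SR_WARN = re.compile(r'INFECTION WARNING! "(?P<name>[^"]+)"')

def silent_runners_findings(text):
    """Auto-start items that Silent Runners marks [null data] (no version
    resource, hence no claimed publisher) plus its startup-folder warnings.
    Legitimate files can lack version info too, so these are triage leads."""
    findings = []
    key = ""
    for line in text.splitlines():
        m = SR_KEY.match(line.strip())
        if m:
            key = m["key"].lower()  # registry key the following values belong to
            continue
        m = SR_STUB.search(line)
        if m and "active setup" in key and m["info"] == "null data":
            findings.append(("active_setup_stubpath", m["path"]))
            continue
        m = SR_VALUE.search(line)
        if m and key.endswith("currentversion\\run") and m["info"] == "null data":
            findings.append(("run_key", m["path"]))
            continue
        m = SR_WARN.search(line)
        if m:
            findings.append(("startup_folder", m["name"]))
    return findings

# Constructed samples modelled on the logs in this thread.
HJT_BEFORE = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vvnrzi.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""
HJT_AFTER = r"""
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vvnrzi.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""
# The two lines the helper asked to have 'Fix checked' in post #4.
FIXED = {e for e in parse_hjt(HJT_BEFORE) if e[0] == "F2" or "[KavSvc]" in e[1]}
SR_SAMPLE = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"KavSvc" = "C:\WINDOWS\System32\vvnrzi.exe" [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\
8e48b37a-d8a3-4fe7-93ff-54ae0c9be618\(Default) = (no title provided)
\StubPath = "C:\WINDOWS\System32\bbocadn.exe" [null data]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Monitor Apache Servers" -> shortcut to: "C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe" ["Apache Software Foundation"]
INFECTION WARNING! "nntd.exe" [null data]
"""

if __name__ == "__main__":
    print("F2 shell extras:", shell_hijack(parse_hjt(HJT_BEFORE)))
    print("Back after Fix checked:", resurrected(FIXED, parse_hjt(HJT_AFTER)))
    print("Silent Runners leads:", silent_runners_findings(SR_SAMPLE))
```

The three findings together are the pattern the thread worked through by hand: a Run entry that returns after every fix, and two other auto-start points (an Active Setup stub and a startup-folder file) that HijackThis did not show.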

#12 ScHwErV (Retired Staff, MVP, 21,285 posts)
Run killbox again and have it delete the following files

C:\WINDOWS\System32\bbocadn.exe
C:\WINDOWS\System32\vvnrzi.exe
C:\WINDOWS\System32\nntd.exe

If they do not delete, have Killbox delete them on reboot. Then check the previous line in HiJackThis and reboot.

Then let me know if that line returns ;)

ScHwErV :tazz:

#13 pegg (Topic Starter, Member, 13 posts)
The first 2 files "deleted", but the 3rd I had to "Delete on Reboot".
Unfortunately - this file is still there!! :tazz:


Logfile of HijackThis v1.99.1
Scan saved at 2:35:34 PM, on 5/2/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\HJ\Ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nntd.exe
C:\mysql\bin\winmysqladmin.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJ\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....ink/?LinkId=374
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\HJ\Spybot\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vvnrzi.exe
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O17 - HKLM\System\CCS\Services\Tcpip\..\{008AD617-CCB2-4A28-AB6E-4286BC25CE9B}: NameServer = 216.41.101.15,204.17.65.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{008AD617-CCB2-4A28-AB6E-4286BC25CE9B}: NameServer = 216.41.101.15,204.17.65.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{008AD617-CCB2-4A28-AB6E-4286BC25CE9B}: NameServer = 216.41.101.15,204.17.65.2
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\HJ\Ewido\security suite\ewidoctrl.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe

#14 ScHwErV (Retired Staff, MVP, 21,285 posts)
Can I get another SilentRunners log?

#15 pegg (Topic Starter, Member, 13 posts)
Good morning:

"Silent Runners.vbs", revision 36, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"KavSvc" = "C:\WINDOWS\System32\vvnrzi.exe" [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\
8e48b37a-d8a3-4fe7-93ff-54ae0c9be618\(Default) = (no title provided)
\StubPath = "C:\WINDOWS\System32\bbocadn.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\HJ\Spybot\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\sstext3d.scr" [MS]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is disabled.

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\peggy\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "peggy" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\peggy\Start Menu\Programs\Startup
"WinMySQLadmin" -> shortcut to: "C:\mysql\bin\winmysqladmin.exe" ["MySQL AB"]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Acrobat Assistant" -> shortcut to: "C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe" [null data]
"Adobe Gamma Loader.exe" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"Monitor Apache Servers" -> shortcut to: "C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe" ["Apache Software Foundation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

BrSplService, Brother XP spl Service, "C:\WINDOWS\System32\brsvc01a.exe" ["brother Industries Ltd"]
ewido security suite control, ewido security suite control, "C:\HJ\Ewido\security suite\ewidoctrl.exe" ["ewido networks"]
MySql, MySql, "C:/mysql/bin/mysqld-nt.exe" [null data]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------