Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Persistent Poebot trojan

Started by tech_tris , Jul 14 2005 06:47 PM

  • Please log in to reply

#1
tech_tris
Posted 14 July 2005 - 06:47 PM

tech_tris

    New Member

  • Member
  • Pip
  • 3 posts
Hello. I'm hoping that someone can help me with a trojan which is somehow managing to persist despite the best efforts of 10 or so antimalware programs. I've tried all of the scans recommended on the "before posting" post plus a few others and would be grateful for any help.

Before anyone reads the rest of this post I should state that I'm currently running Windows 2000 Professional on a six-year old computer. At the moment I've only applied security patches up to SP2. If someone could tell me whether upgrading to SP4 would provide significantly greater protection against the viruses that are most prevalent today, I'd be grateful. The only thing that has stopped me just applying all the security patches from Microsoft is that I did that once before and it slowed up the computer somewhat. Still, I'll be happy to do it if worth it.

Anyway, as to the problem. When I scan using TDS-3, or Bazooka scanner what happens is that it usually finds a Registry trace of file csrs.exe, and the file explorer.exe in Winnt\System32. Then, even if I delete these (and I tried manually following the Windows Safe mode procedure recommended by the Bazooka people), on a reboot Ad-Watch usually finds the trojan trying to re-register this process. Whenever csrs.exe has managed to start running on the computer my computer slows down to a crawl, being very old as it is. I've also had problems with my dial-up connection being prevented from closing, or the icon disappearing, Windows Media Player not loading, the Dial-Up Netwrking, Winnt\System32 and Program Files windows appearing blank, and cut 'n' paste not working.

In addition to finding the above two things, scanning with Ewido identified a trojan as backdoor.PoeBot.c in a file in the recycled folder. These three things are the only I found while scanning today. However, just a couple of days ago, while doing a first round of suggested scans, NOD32's resident scanner found a "Codbot" trojan present in the creation of files named things like kkk.exe, mmm.exe. Also, on several occasions I got the Trojan process lsasrv.exe being run. At one point it seemed to be running ten instances of it. I think it might be gone but can't be absolitely sure. Also, a few days before that at I was having problems with netlib.exe being run, and a couple of other dodgy processes.

Again, if anyone's got any ideas how to get rid of this infection, it will be much appreciated.

Thanks

Tristan

____________________________________________________________________

HiJack this log:

Logfile of HijackThis v1.99.1
Scan saved at 01:39:27, on 15/07/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Armor2net\Armor2net Personal Firewall\Armor2net.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Documents and Settings\OWNERZ\Desktop\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: A2NPopUpKiller Class - {8A321C7D-9CED-45A8-870D-DAE843A45FD0} - C:\Program Files\Armor2net\Armor2net Personal Firewall\PopUpKiller.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Armor2net] C:\Program Files\Armor2net\Armor2net Personal Firewall\Armor2net.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [Nulware] C:\WINNT\System32\nulware.exe
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINNT\System32\csrs.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{43D2496A-DBFF-42BC-B1FD-A92DE0C30D61}: NameServer = 194.62.44.9 194.62.44.16
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Net Functions Library (Netlib) - Unknown owner - C:\WINNT\System32\Netlib.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe

____________________________________________________________________

Ewido log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 22:19:55, 14/07/2005
+ Report-Checksum: 40A70DBC

+ Scan result:

C:\Recycled\Dc1.exe -> Backdoor.PoeBot.c : Cleaned with backup


::Report End
  • 0

Advertisements

#2
Wizard
Posted 15 July 2005 - 07:10 AM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Hi tech_tris and Welcome to GeekstoGo!

Please DO NOT try to delete explorer.exe from the System32 folder again,you will have much deeper problems if you lose that file!

Please Copy&Paste these Instructions to Notepad and Save them to the Desktop!

Please Disable Ad Watch since it will prevent some of the Changes we are going to make!

Its advisable to just temporarily remove Ad Aware as some of these nasties will get stuck in Ad Watch!

Download Pocket KillBox from here:
http://www.bleepingc...les/killbox.php
There is a Direct Download and a description of what the Program does inside this link.

Download WinPFind:
http://www.bleepingc...es/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!

Once its Downloaded-> Physically Unplug the Internet Connection from the PC!!


Click Start-> Click Run-> Type in Services.msc and Click OK!

Scroll the list and locate this entry

Net Functions Library

Right Click the entry and Select "Properties"-> Click "Stop"-> Go up and change the "Startup Type" to "Disabled"

Exit the Services Page!


Copy the Text in the Code Box below to a blank Notepad Page


REGEDIT4

[-HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Netlib]

[-HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Netlib]

[-HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETLIB]

[-HKLM\SYSTEM\CurrentControlSet\Services\Netlib]


Once pasted into Notepad-> Go up and Click "File"-> "SaveAs"-> Name it "Rem.reg" and Save it to the Desktop!


Now Double Click the New Reg File you just created and allow it to merge into the resgistry!


Open up Pocket Killbox and Copy&Paste the entries below into the "Full Path of File to Delete"

C:\WINNT\System32\nulware.exe

C:\WINNT\System32\csrs.exe

C:\WINNT\System32\Netlib.exe

As you paste each into Killbox-> Place a tick by "Delete on Reboot"

Click the Red Circle with the White X in the Middle to Delete!

Click "Yes" to Confirm

Click "No" to Reboot

Once at the last file

Click "Yes" to Confirm

Click "Yes" to Reboot


If you get a PendingFileRenameOperations Registry Data has been Removed by External Process! message then just restart manually.


Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam


Run those files through KillBox again and place a tick by these selections this time

"Standard File Kill"
"End Explorer Shell while Killing File"


Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

O1 - Hosts: 64.91.255.87 www.dcsresearch.com

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O4 - HKLM\..\Run: [Nulware] C:\WINNT\System32\nulware.exe

O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINNT\System32\csrs.exe

O23 - Service: Net Functions Library (Netlib) - Unknown owner - C:\WINNT\System32\Netlib.exe (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!

Click Start-> Click Run-> Copy&Paste the Bold Text below into the Open Box and Click OK!

sc delete Netlib


From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient!

Once the Scan is Complete-> Go to the WinPFind folder and locate WinPFind.txt!


Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>OK>>Follow the Prompts to Restart!!

Restart Normal and have the PC Scanned at the 2 sites below
Panda Active Scan

Kaspersky

You will need to be using Internet Explorer for the Scan to work!

Save a Report from both Online Scans!

Post back with a fresh HijackThis log-> WinPFind.txt and the reports from the 2 Online Scans!

Edited by Cretemonster, 15 July 2005 - 07:16 AM.

  • 0

#3
tech_tris
Posted 15 July 2005 - 04:15 PM

tech_tris

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Thanks for your response. Just posting now as the online scans took a while. I've done everything on the list, except I couldn't get Panda Active Scan to load due to a drop down menu not appearing in the screen where I had to enter my details. So I used Trend Micro instead. It completed and didn't find anything but I failed to get a log as some problem happened before it produced the results page.

Before I did all the stuff above, I deleted C:\WINDOWS on my drive as it contained a leftover unused Win 98 installation that I did before I installed Windows 2000. I figured it might just be a place for viruses etc to hide. I also found the explorer.exe file in the Recycle Bin and restored it, not sure whether that was a good idea.

A problem I found: when I tried to run MSCONFIG, I got a message saying it or one of its components couldn't be found.

Since doing everything the computer seems to be running fine, though my firewall is still picking up "LSA Executable and Server DLL" trying to initialise a listen port. I don't know whther this is benign or related to lsasrv process.

Tristan

______________________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 23:08:31, on 15/07/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Armor2net\Armor2net Personal Firewall\Armor2net.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\OWNERZ\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: A2NPopUpKiller Class - {8A321C7D-9CED-45A8-870D-DAE843A45FD0} - C:\Program Files\Armor2net\Armor2net Personal Firewall\PopUpKiller.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Armor2net] C:\Program Files\Armor2net\Armor2net Personal Firewall\Armor2net.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{43D2496A-DBFF-42BC-B1FD-A92DE0C30D61}: NameServer = 194.62.44.9 194.62.44.16
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe

______________________________________________________________________


»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 C:\WINNT\VPTNFILE.725
qoologic C:\WINNT\VPTNFILE.725
SAHAgent C:\WINNT\VPTNFILE.725
UPX! C:\WINNT\vsapi32.dll
aspack C:\WINNT\vsapi32.dll
UPX! C:\WINNT\tsc.exe
PECompact2 C:\WINNT\LPT$VPN.725
qoologic C:\WINNT\LPT$VPN.725
SAHAgent C:\WINNT\LPT$VPN.725

Checking %System% folder...
Umonitor C:\WINNT\system32\RASDLG.DLL

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder for system and hidden files within the last 60 days...
15/07/2005 C:\WINNT\ShellIconCache
15/07/2005 C:\WINNT\system32\config\software.LOG
15/07/2005 C:\WINNT\system32\config\default.LOG
15/07/2005 C:\WINNT\system32\config\SECURITY.LOG
15/07/2005 C:\WINNT\system32\config\SAM.LOG
15/07/2005 C:\WINNT\Tasks\SA.DAT

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

Checking %ALLUSERSPROFILE%\Startup folder...

Checking %ALLUSERSPROFILE%\Application Data folder...

Checking %USERPROFILE%\Startup folder...

Checking %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

*\shellex\ContextMenuHandlers
*\shellex\ContextMenuHandlers\NOD32 Context Menu Shell Extension
{B089FE88-FB52-11d3-BDF1-0050DA34150D} = C:\Program Files\Eset\nodshex.dll
*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\shell32.dll
*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
*\shellex\ContextMenuHandlers\TDS-3
{E8ADA3E1-CE9B-44A0-A165-997304EF4E18} = C:\WINNT\System32\tds3shl.dll
*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL

SOFTWARE\Classes\Folder\shellex\ColumnHandlers
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\shell32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= C:\WINNT\System32\docprop2.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
= %SystemRoot%\system32\faxshell.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINNT\System32\docprop2.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Synchronization Manager mobsync.exe /logon
Armor2net C:\Program Files\Armor2net\Armor2net Personal Firewall\Armor2net.exe
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
CmPCIaudio RunDll32 CMICNFG3.CPL,CMICtrlWnd
NeroFilterCheck C:\WINNT\system32\NeroCheck.exe
nod32kui C:\Program Files\Eset\nod32kui.exe /WAITSERVICE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
IMAIL
MAPI
MSFS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
internat.exe internat.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Network.ConnectionTray
{7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
{35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f32main.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit C:\WINNT\system32\userinit.exe,
Shell Explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.0.0.8 - Log file written to "WinPFind.Txt" in the WinPFind folder.




-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Friday, July 15, 2005 20:37:22
Operating System: Microsoft Windows 2000 Professional, Service Pack 2 (Build 2195)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 15/07/2005
Kaspersky Anti-Virus database records: 130676
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 19054
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 4478 sec
No malware has been detected. The sections that have been scanned are CLEAN.

Scan process completed.
  • 0

#4
Wizard
Posted 15 July 2005 - 05:13 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Please check to see that this folder does not exist
http://www.sophos.co...w32codbotp.html

Hopefully after you read that, getting current on Windows Updates will be of the most Importances!

That last log is clean and all looks good to me!

You may want to take a look at some of these programs that monitor real time system changes

Spyware Guard
http://www.javacools...ywareguard.html

Prevx Home
http://www.prevx.com/prevxhome.asp

Download link
http://www.prevx.com...downloadnow.asp


For some added to Security for the browser try SpywareBlaster:
http://www.javacools...areblaster.html
Update Immediatly!


Thats Just some things to look at!

If there is anything else I can assist you with,please feel free to ask!
  • 0

#5
tech_tris
Posted 15 July 2005 - 06:38 PM

tech_tris

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
That's great, but just one small thing: I couldn't find details of which folder to look at anywhere in the Sophos link, or by a quick Google. If you're able to specify, great, but if not, no worries.

Thank you for your time!

Tris
  • 0

#6
Wizard
Posted 15 July 2005 - 07:07 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
That would be called a brain fart induced Typo!

I just wanted you to see what the link had to say about this bug,just in case the computer is networked!

Sorry about that!
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP