
Windows NT4 Server: irc/backdoor.sdbot2.hlz



#1
Ericy

Hello,
Various virus and/or trojan files keep re-appearing on an NT4 Server (used as a webserver). All patches are shown as applied at WindowsUpdate.com. The latest batch of files appearing in winnt/system32 is scanned by AVG as irc/backdoor.sdbot2.hlz. I had an NT workstation with a similar problem. I gave up and built an XP system. I don't have the option with this webserver.

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:51:43 PM, on 9/10/06
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\System32\nddeagnt.exe
D:\WINNT\Explorer.EXE
D:\WINNT\system32\spoolss.exe
D:\WINNT\system32\RpcSs.exe
D:\WINNT\System32\msdtc.exe
D:\WINNT\System32\PROMon.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\Program Files\TrojanHunter 4.5\THGuard.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\WINNT\System32\cisvc.exe
C:\Microsoft Site Server\Bin\crssrv.exe
D:\Dptmgr\DPTSERV.EXE
D:\WINNT\System32\esserver.exe
D:\Dptmgr\DPTELOG.EXE
D:\WINNT\System32\cidaemon.exe
d:\winnt\system32\pstores.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\SENS.EXE
D:\Program Files\Norton Speed Disk\nopdb.exe
D:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\50\bin\OWSTIMER.EXE
C:\Microsoft Site Server\bin\sssearch.exe
C:\Microsoft Site Server\bin\P&M\TMLBSvc.exe
d:\program files\intel\servercontrol\bin\win32sl.exe
D:\WINNT\System32\WBEM\winmgmt.exe
D:\WINNT\System32\inetsrv\inetinfo.exe
d:\program files\intel\servercontrol\bin\basebrd.exe
D:\Program Files\Adaptec\CIO400\iomgr.exe
D:\WINNT\System32\ni_nic.exe
d:\program files\intel\servercontrol\bin\lra.exe
d:\program files\intel\servercontrol\bin\sha.exe
D:\Program Files\Adaptec\CIO400\ciodmi.exe
D:\WINNT\System32\cidaemon.exe
D:\WINNT\System32\ddhelp.exe
D:\PROGRA~1\Grisoft\AVG7\avgwa.dat
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\HighJackTHis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [mdac_runonce] D:\WINNT\System32\runonce.exe
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O13 - WWW. Prefix: http://
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {36C417C6-13C6-448B-9784-DD73A93B0582} (McAfee.com Download+Installer Class) - http://bin.mcafee.co...32/mcinsctl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...55/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://msdn.one.mic...ransferCtrl.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.c.../npseatools.cab
O16 - DPF: {EC23BDB6-E01A-11D2-AA93-006008A6A0E5} (Trend HouseCall for Exchange Control) - http://housecall.ant...all/xscanex.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...836/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = HQ
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = HQ
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 66.146.160.13 66.146.160.12 204.216.189.36
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = HQ
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 66.146.160.13 66.146.160.12 204.216.189.36
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 66.146.160.13 66.146.160.12 204.216.189.36
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Intel Baseboard Instrumentation (basebrd) - Unknown owner - d:\program files\intel\servercontrol\bin\basebrd.exe
O23 - Service: CIO Array Management Service (CIOArrayManagement) - Adaptec, Inc. - D:\Program Files\Adaptec\CIO400\iomgr.exe
O23 - Service: Adaptec CIODMI (CIODMI) - Unknown owner - D:\Program Files\Adaptec\CIO400\ciodmi.exe
O23 - Service: DPTSRV - Unknown owner - D:\Dptmgr\DPTSERV.EXE
O23 - Service: IntelNic LAN Service (IntelNicService) - Intel® Corporation - D:\WINNT\System32\ni_nic.exe
O23 - Service: Intel Local Response Agent (lra) - Unknown owner - d:\program files\intel\servercontrol\bin\lra.exe
O23 - Service: Intel Server Health Agent (sha) - Unknown owner - d:\program files\intel\servercontrol\bin\sha.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\Program Files\Norton Speed Disk\nopdb.exe
O23 - Service: Win32sl (win32sl) - Intel - d:\program files\intel\servercontrol\bin\win32sl.exe

Thank you in advance for any advice or help.

Ericy


#2
Metallica

Hi Ericy,

I don't see anything in your HijackThis log. Can you block the traffic on port 1863?

Then download WinPFind2.zip and unzip it to your Desktop. It will create a folder named WinPFind2. Do NOT run the program directly from the zip file.
  • Open the folder and double-click on winpfind2.exe to start the program.
  • Click on the Services tab.
  • From the two drop-down boxes next to Filter list:, on the left one choose List all type of services and on the right one choose List all services.
  • Click on the Configuration tab.
  • Keep the standard settings and then in the AddOn-Options box click the checkboxes for
    • HKCU_IEDesktop.def
    • Policies.def
    • SID_Run_Policies.def
    to select them.
  • Under File Options click Select All
  • Under Other Options put a check to both Show All boxes
  • Please maximize the window in order to be able to view the Status Bar where you can see the progress of the scan.
  • Now click the Run All Scans button on the toolbar.
  • When the scans are complete click the Simple Report button in the lower right-hand corner to create a report file. Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is, click on it to uncheck it and then please post that report into this topic. After posting please check if the whole report fits into the post. If it did fit, it should say <End of Report> at the end. If not, please post the section that was cut off in a second post.
Regards,
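The kind of first pass Metallica does by eye, written out as an added example (not part of this thread and not HijackThis's own code): group a HijackThis log's entries by type and flag the ones a reviewer looks at first (dangling "(file missing)" references, O23 services with an unknown owner, O4 Run entries that name a bare executable resolved via PATH). It assumes only the line shapes visible in the log above; the sample log is constructed from a few lines in that shape.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the HijackThis log posted above (not the full log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)

Running processes:
D:\WINNT\System32\smss.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\WINNT\System32\ni_nic.exe

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: DPTSRV - Unknown owner - D:\Dptmgr\DPTSERV.EXE
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# Typed entries look like "O4 - ...", "R0 - ...", "F2 - ..."; everything else is header text.
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")
# O4 body: <registry key>: [<value name>] <command line>
O4_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 body: Service: <display name (short name)> - <owner> - <image path>
O23_RE = re.compile(r"^Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def parse_log(text):
    """Split a log into the running-process list and a list of (kind, body) entries."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return processes, entries


def triage_entry(kind, body):
    """Reasons (possibly none) why one entry deserves a closer look."""
    reasons = []
    if "(file missing)" in body.lower():
        reasons.append("file missing")        # dangling reference: leftover or removed file
    if kind == "O23":
        m = O23_RE.match(body)
        if m and m.group("owner").strip().lower() == "unknown owner":
            reasons.append("unknown owner")   # service binary without vendor information
    if kind == "O4":
        m = O4_RE.match(body)
        cmd = m.group("cmd").strip() if m else ""
        if cmd:
            # First token of the command line: a quoted path or the first whitespace-delimited word.
            exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
            if "\\" not in exe:
                reasons.append("bare filename")  # resolved via PATH: confirm which file actually runs
    return reasons


def triage(text):
    """Return (processes, {kind: [bodies]}, [(kind, body, reasons)]) for a log."""
    processes, entries = parse_log(text)
    by_kind = defaultdict(list)
    flagged = []
    for kind, body in entries:
        by_kind[kind].append(body)
        reasons = triage_entry(kind, body)
        if reasons:
            flagged.append((kind, body, reasons))
    return processes, dict(by_kind), flagged


if __name__ == "__main__":
    procs, by_kind, flagged = triage(SAMPLE_LOG)
    print(f"{len(procs)} processes, entry types: {sorted(by_kind)}")
    for kind, body, reasons in flagged:
        print(f"[{kind}] {', '.join(reasons)}: {body}")
```

A flag is a prompt to verify the file on disk, not a verdict: two of the three flagged sample lines (a stock SysTray entry and an unattributed but legitimate RAID tool) are benign, which is exactly why the log needs a human reviewer.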

#3
Ericy

Hello,

Thanks for looking into the problem. The requested log is below.

Ericy

-----------------------------------------------

Logfile created on: 09/18/2006 09:31
WinPFind2 by OldTimer - Version 1.0.10 Folder = D:\WinPfind2\WinPFind2\
Service Pack 6 (Version = 4.0.1381)
Internet Explorer (Version = 6.0.2800.1106)


< All Processes >
\systemroot\system32\smss.exe - (Microsoft Corporation )
\??\d:\winnt\system32\csrss.exe - (Microsoft Corporation )
\??\d:\winnt\system32\winlogon.exe - (Microsoft Corporation )
d:\winnt\system32\services.exe - (Microsoft Corporation )
d:\winnt\system32\lsass.exe - (Microsoft Corporation )
d:\winnt\system32\spoolss.exe - (Microsoft Corporation )
d:\winnt\system32\rpcss.exe - (Microsoft Corporation )
d:\winnt\system32\nddeagnt.exe - (Microsoft Corporation )
d:\winnt\system32\msdtc.exe - (Microsoft Corporation )
d:\winnt\explorer.exe - (Microsoft Corporation )
d:\winnt\system32\cisvc.exe - (Microsoft Corporation )
d:\winnt\system32\promon.exe - (Intel Corporation )
d:\program files\trojanhunter 4.5\thguard.exe - (Mischel Internet Security )
d:\dptmgr\dptserv.exe - ( )
d:\progra~1\window~4\wscheduler.exe - ( )
d:\dptmgr\dptelog.exe - ( )
d:\winnt\system32\esserver.exe - (Microsoft Corporation )
d:\winnt\system32\pstores.exe - (Microsoft Corporation )
d:\winnt\system32\mstask.exe - (Microsoft Corporation )
d:\winnt\system32\sens.exe - (Microsoft Corporation )
d:\program files\norton speed disk\nopdb.exe - (Symantec Corporation )
d:\program files\common files\microsoft shared\web server extensions\50\bin\owstimer.exe - (Microsoft Corporation )
d:\program files\intel\servercontrol\bin\win32sl.exe - (Intel )
d:\winnt\system32\wbem\winmgmt.exe - (Microsoft Corporation )
d:\winnt\system32\inetsrv\inetinfo.exe - (Microsoft Corporation )
d:\program files\intel\servercontrol\bin\basebrd.exe - ( )
d:\program files\adaptec\cio400\iomgr.exe - (Adaptec, Inc. )
d:\winnt\system32\ni_nic.exe - (Intel® Corporation )
d:\program files\intel\servercontrol\bin\lra.exe - ( )
d:\program files\intel\servercontrol\bin\sha.exe - ( )
d:\program files\adaptec\cio400\ciodmi.exe - ( )
d:\winnt\system32\mdm.exe - (Microsoft Corporation )
d:\winnt\system32\ddhelp.exe - (Microsoft Corporation )
d:\program files\x-netstat professional\xns5.exe - (Fresh Software )
d:\program files\7-zip\7zfm.exe - ( )
d:\winpfind2\winpfind2\winpfind2.exe - (OldTimer Tools )

< Registry Entries >

[>> Internet Explorer Settings <<]
HKLM->Main\\Start Page - http://www.microsoft...p...ER}&ar=home
HKLM->Main\\Search Bar - http://home.microsof...arch/search.asp
HKLM->Main\\Search Page - http://www.microsoft...amp;ar=iesearch
HKLM->Main\\Default_Page_URL - http://www.microsoft...p...&ar=msnhome
HKLM->Main\\Default_Search_URL - http://www.microsoft...amp;ar=iesearch
HKCU->Main\\Start Page - http://www.msn.com/
HKCU->Main\\Search Page - http://www.msn.com/access/allinone.htm
HKCU->Main\\Local Page - D:\WINNT\System32\blank.htm
HKLM->Search\\CustomizeSearch - http://ie.search.msn...st/srchcust.htm
HKLM->Search\\SearchAssistant - http://ie.search.msn...st/srchasst.htm
HKCU->URLSearchHooks\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = %SystemRoot%\System32\SHDOCVW.DLL (Microsoft Corporation )
HKCU->Internet Settings\\ProxyEnable - 0

[>> BHO's <<]

[>> Internet Explorer Bars, Toolbars and Extensions <<]

[HKLM-> Internet Explorer Bars]
{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\System32\SHDOCVW.DLL (Microsoft Corporation )

[HKCU-> Internet Explorer Bars]
{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )

[HKLM-> Internet Explorer ToolBars]
{8E718888-423F-11D2-876E-00A0C9082467} - &Radio = D:\WINNT\System32\msdxm.ocx (Microsoft Corporation )

[HKCU-> Internet Explorer ToolBars]
ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
ShellBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )

[HKCU-> Internet Explorer CmdMapping]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8194 - Sun Java Console
{85d1f590-48f4-11d9-9669-0800200c9a66} - 8193 - Uninstall BitDefender Online Scanner v8
{c95fe080-8f5d-11d2-a20b-00aa003c157a} - 8192 - Reg Data missing or invalid
NextId - 8195

[HKLM-> Internet Explorer Extensions]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll (Sun Microsystems, Inc. )
{85d1f590-48f4-11d9-9669-0800200c9a66} - MenuText: Uninstall BitDefender Online Scanner v8 = Reg Data missing or invalid (File not found))

[>> Approved Shell Extensions (Non-Microsoft only) <<]

[HKLM-> Approved Shell Extensions]
{0006F045-0000-0000-C000-000000000046} - Microsoft Outlook Custom Icon Handler = C:\PROGRA~1\MICROS~3\Office\OLKFSTUB.DLL (File not found))
{23170F69-40C1-278A-1000-000100020000} - 7-Zip Shell Extension = D:\Program Files\7-Zip\7-zip.dll ( )
{BDEADF00-C265-11d0-BCED-00A0C90AB50F} - Web Folders = D:\Program Files\Common Files\Microsoft Shared\Web Folders\MSONSEXT.DLL ( )
{E0D79304-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WinZip\WZSHLSTB.DLL (File not found))
{E0D79305-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WinZip\WZSHLSTB.DLL (File not found))
{E0D79306-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WinZip\WZSHLSTB.DLL (File not found))
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} - TrojanHunter Menu Shell Extension = D:\PROGRA~1\TROJAN~1.5\contmenu.dll ( )

[>> ContextMenuHandlers (Non-Microsoft only) <<]

[HKLM-> ContextMenuHandlers]
* - 7-Zip - {23170F69-40C1-278A-1000-000100020000} = D:\Program Files\7-Zip\7-zip.dll ( )
* - TrojanHunter - {EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = D:\PROGRA~1\TROJAN~1.5\contmenu.dll ( )
* - WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL (File not found))
Directory - 7-Zip - {23170F69-40C1-278A-1000-000100020000} = D:\Program Files\7-Zip\7-zip.dll ( )
Directory - TrojanHunter - {EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = D:\PROGRA~1\TROJAN~1.5\contmenu.dll ( )
Directory - WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL (File not found))
Folder - TrojanHunter - {EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = D:\PROGRA~1\TROJAN~1.5\contmenu.dll ( )
Folder - WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL (File not found))

[>> ColumnHandlers (Non-Microsoft only) <<]

[>> File Associations Keys <<]
HKLM->SOFTWARE\Classes\.bat\\'' - batfile
HKLM->SOFTWARE\Classes\batfile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.cmd\\'' - cmdfile
HKLM->SOFTWARE\Classes\cmdfile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.com\\'' - comfile
HKLM->SOFTWARE\Classes\comfile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.exe\\'' - exefile
HKLM->SOFTWARE\Classes\exefile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.hta\\'' - htafile
HKLM->SOFTWARE\Classes\htafile\shell\open\command\\'' - D:\WINNT\System32\mshta.exe "%1" %*
HKLM->SOFTWARE\Classes\.js\\'' - JSFile
HKLM->SOFTWARE\Classes\jsfile\shell\open\command\\'' - D:\WINNT\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.jse\\'' - JSEFile
HKLM->SOFTWARE\Classes\jsefile\shell\open\command\\'' - D:\WINNT\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.scr\\'' - scrfile
HKLM->SOFTWARE\Classes\scrfile\shell\open\command\\'' - "%1" /S
HKLM->SOFTWARE\Classes\.vbe\\'' - VBEFile
HKLM->SOFTWARE\Classes\vbefile\shell\open\command\\'' - D:\WINNT\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.vbs\\'' - VBSFile
HKLM->SOFTWARE\Classes\vbsfile\shell\open\command\\'' - D:\WINNT\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.wsf\\'' - WSFFile
HKLM->SOFTWARE\Classes\wsffile\shell\open\command\\'' - D:\WINNT\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.wsh\\'' - WSHFile
HKLM->SOFTWARE\Classes\wshfile\shell\open\command\\'' - D:\WINNT\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.txt\\'' - txtfile
HKLM->SOFTWARE\Classes\txtfile\shell\open\command\\'' - %SystemRoot%\system32\NOTEPAD.EXE %1

[>> Registry Run Keys <<]
HKLM->Run\\mdac_runonce - D:\WINNT\System32\runonce.exe (Microsoft Corporation )
HKLM->Run\\PROMon.exe - PROMon.exe (Intel Corporation )
HKLM->Run\\SoftPerfect Personal Firewall - D:\Program Files\SoftPerfect Personal Firewall\fw.exe (SoftPerfect Research )
HKLM->Run\\SystemTray - SysTray.Exe (Microsoft Corporation )
HKLM->Run\\THGuard - "D:\Program Files\TrojanHunter 4.5\THGuard.exe" (Mischel Internet Security )
HKLM->Run\\WScheduler - D:\PROGRA~1\WINDOW~4\WScheduler.exe /LOGON ( )
HKLM->Run\OptionalComponents\IMAIL - Installed = 1
HKLM->Run\OptionalComponents\MAPI - Installed = 1
HKLM->Run\OptionalComponents\MSFS - Installed = 1

[>> Miscellaneous Startup Keys <<]

[AppInit DLLs]
AppInit_DLL - (File not found))

[Image File Execution Options]

[Shell Service Object Delay Load]

[Shell Execute Hooks]
{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation )

[Shared Task Scheduler]
{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )

[SafeBoot Option]

[HKLM Command Processor AutoRun]

[HKCU Command Processor AutoRun]

[Security Providers]
SecurityProviders\\SecurityProviders - msapssps.dll, schannel.dll, msnsspc.dll, digest.dll

[BootExecute]
Session Manager\\BootExecute - autocheck autochk *;

[PendingFileRenameOperations]
Session Manager\\PendingFileRenameOperations - \??\D:\TEMP\setup.exe;

[FileRenameOperations]

[ExcludeFromKnownDlls]
Session Manager\\ExcludeFromKnownDlls -

[>> Disabled MSConfig Items <<]

[>> User Agent Post Platform <<]
T312461 -

[>> Winlogon <<]
HMLM->UserInit - userinit,nddeagnt.exe (File not found))
HKLM->Shell - explorer.exe (Microsoft Corporation )
HKLM->System - lsass.exe (Microsoft Corporation )
HKLM->VMApplet - rundll32 shell32,Control_RunDLL "sysdm.cpl"

[>> DNS Name Servers <<]

[>> All Winsock2 Catalogs <<]
NameSpace_Catalog5\Catalog_Entries\000000000001 - %SystemRoot%\System32\rnr20.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\system32\msafd.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\system32\msafd.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\system32\msafd.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\system32\msafd.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\system32\msafd.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\system32\msafd.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\system32\msafd.dll (Microsoft Corporation )

[>> Protocol Handlers (Non-Microsoft only) <<]
msdaipp - (File not found))

[>> Protocol Filters (Non-Microsoft only) <<]

< All Services >
Abiosdsk (Abiosdsk) - (File not found)) [Disabled - Stopped - Kernel driver]
AFD Networking Support Environment (Afd) - \SystemRoot\System32\drivers\afd.sys (Microsoft Corporation ) [Automatic - Running - Kernel driver]
Aha154x (Aha154x) - (File not found)) [Disabled - Stopped - Kernel driver]
Aha174x (Aha174x) - (File not found)) [Disabled - Stopped - Kernel driver]
aic78u2 (aic78u2) - \SystemRoot\system32\drivers\aic78u2.sys (Adaptec, Inc. ) [ - Running - Kernel driver]
aic78xx (aic78xx) - (File not found)) [Disabled - Stopped - Kernel driver]
Alerter (Alerter) - D:\WINNT\System32\services.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Always (Always) - (File not found)) [Disabled - Stopped - Kernel driver]
ami0nt (ami0nt) - (File not found)) [Disabled - Stopped - Kernel driver]
amsint (amsint) - (File not found)) [Disabled - Stopped - Kernel driver]
Arrow (Arrow) - (File not found)) [Disabled - Stopped - Kernel driver]
aspi32 (aspi32) - System32\DRIVERS\aspi32.sys (Adaptec ) [Automatic - Running - Kernel driver]
atapi (atapi) - \SystemRoot\System32\DRIVERS\atapi.sys (Microsoft Corporation ) [ - Running - Kernel driver]
Atdisk (Atdisk) - (File not found)) [Disabled - Stopped - Kernel driver]
ati (ati) - (File not found)) [Disabled - Stopped - Kernel driver]
AVG7 Wrap Driver (Avg7RsW) - \SystemRoot\System32\Drivers\avg7rsw.sys (File not found)) [ - Running - Kernel driver]
Intel Baseboard Instrumentation (basebrd) - d:\program files\intel\servercontrol\bin\basebrd.exe ( ) [Automatic - Running - Win32, running in it's own process]
Beep (Beep) - (File not found)) [ - Running - Kernel driver]
Site Server Authentication Service (broksvc) - D:\WINNT\System32\inetsrv\inetinfo.exe (Microsoft Corporation ) [Automatic - Stopped - Win32, running in a shared process]
Computer Browser (Browser) - D:\WINNT\System32\services.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
BusLogic (BusLogic) - (File not found)) [Disabled - Stopped - Kernel driver]
Busmouse (Busmouse) - (File not found)) [Disabled - Stopped - Kernel driver]
Cdaudio (Cdaudio) - (File not found)) [ - Stopped - Kernel driver]
Cdfs (Cdfs) - (File not found)) [Disabled - Running - Filesystem driver]
Cdrom (Cdrom) - (File not found)) [ - Running - Kernel driver]
Changer (Changer) - (File not found)) [ - Stopped - Kernel driver]
CIO Array Management Service (CIOArrayManagement) - D:\Program Files\Adaptec\CIO400\iomgr.exe (Adaptec, Inc. ) [Automatic - Running - Win32, running in it's own process]
Adaptec CIODMI (CIODMI) - D:\Program Files\Adaptec\CIO400\ciodmi.exe ( ) [Automatic - Running - Win32, running in it's own process]
cirrus (cirrus) - (File not found)) [ - Running - Kernel driver]
Content Index (cisvc) - D:\WINNT\System32\cisvc.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
ClipBook Server (ClipSrv) - D:\WINNT\system32\clipsrv.exe (Microsoft ) [On Demand - Stopped - Win32, running in it's own process]
Cpqarray (Cpqarray) - (File not found)) [Disabled - Stopped - Kernel driver]
cpqfws2e (cpqfws2e) - (File not found)) [Disabled - Stopped - Kernel driver]
Site Server Content Deployment (CRS) - C:\Microsoft Site Server\Bin\crssrv.exe (File not found)) [Automatic - Stopped - Win32, running in it's own process]
dac960nt (dac960nt) - (File not found)) [Disabled - Stopped - Kernel driver]
dce376nt (dce376nt) - (File not found)) [Disabled - Stopped - Kernel driver]
Delldsa (Delldsa) - (File not found)) [Disabled - Stopped - Kernel driver]
Dell_DGX (Dell_DGX) - (File not found)) [Disabled - Stopped - Kernel driver]
DHCP Client (DHCP) - D:\WINNT\System32\services.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Disk (Disk) - (File not found)) [ - Running - Kernel driver]
Diskperf (Diskperf) - (File not found)) [Disabled - Stopped - Kernel driver]
Microsoft DNS Server (DNS) - D:\WINNT\System32\dns.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in it's own process]
dptdisk (dptdisk) - \SystemRoot\system32\drivers\dptdisk.sys (Distributed Processing Technology Corp. ) [ - Stopped - Kernel driver]
dpti2o (dpti2o) - \SystemRoot\system32\drivers\dpti2o.sys (Distributed Processing Technology Corp. ) [ - Running - Kernel driver]
DptScsi (DptScsi) - (File not found)) [Disabled - Stopped - Kernel driver]
DPTSRV (DPTSRV) - D:\Dptmgr\DPTSERV.EXE ( ) [Automatic - Running - Win32, running in it's own process]
dtc329x (dtc329x) - (File not found)) [Disabled - Stopped - Kernel driver]
Intel® PRO NDIS Driver (E100B) - \SystemRoot\System32\drivers\E100BNT.SYS (Intel Corporation ) [Automatic - Running - Kernel driver]
et4000 (et4000) - (File not found)) [Disabled - Stopped - Kernel driver]
EventLog (EventLog) - D:\WINNT\system32\services.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
COM+ Event System (EventSystem) - D:\WINNT\System32\esserver.exe (Microsoft Corporation ) [On Demand - Running - Win32, running in it's own process]
Fastfat (Fastfat) - (File not found)) [Disabled - Running - Filesystem driver]
Fd16_700 (Fd16_700) - (File not found)) [Disabled - Stopped - Kernel driver]
Fd7000ex (Fd7000ex) - (File not found)) [Disabled - Stopped - Kernel driver]
Fd8xx (Fd8xx) - (File not found)) [Disabled - Stopped - Kernel driver]
flashpnt (flashpnt) - (File not found)) [Disabled - Stopped - Kernel driver]
Floppy (Floppy) - (File not found)) [ - Running - Kernel driver]
Ftdisk (Ftdisk) - (File not found)) [ - Running - Kernel driver]
Site Server Gatherer (gthrsvc) - C:\Microsoft Site Server\bin\gthrsvc.exe (File not found)) [On Demand - Stopped - Win32, running in it's own process]
i8042 Keyboard and PS/2 Mouse Port Driver (i8042prt) - System32\DRIVERS\i8042prt.sys (Microsoft Corporation ) [ - Running - Kernel driver]
IIS Admin Service (IISADMIN) - D:\WINNT\System32\inetsrv\inetinfo.exe (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
imbdrv (imbdrv) - System32\DRIVERS\imbdrv.sys ( ) [Automatic - Running - Kernel driver]
Inport (Inport) - (File not found)) [Disabled - Stopped - Kernel driver]
IntelNic LAN Service (IntelNicService) - D:\WINNT\System32\ni_nic.exe (Intel® Corporation ) [Automatic - Running - Win32, running in it's own process]
intlfxsr (intlfxsr) - (File not found)) [ - Running - Kernel driver]
Jazzg300 (Jazzg300) - (File not found)) [Disabled - Stopped - Kernel driver]
Jazzg364 (Jazzg364) - (File not found)) [Disabled - Stopped - Kernel driver]
Jzvxl484 (Jzvxl484) - (File not found)) [Disabled - Stopped - Kernel driver]
Keyboard Class Driver (Kbdclass) - System32\DRIVERS\kbdclass.sys (Microsoft Corporation ) [ - Running - Kernel driver]
KSecDD (KSecDD) - (File not found)) [ - Running - Kernel driver]
Server (LanmanServer) - D:\WINNT\System32\services.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Workstation (LanmanWorkstation) - D:\WINNT\System32\services.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Site Server LDAP Service (LDAPSVC) - D:\WINNT\System32\inetsrv\inetinfo.exe (Microsoft Corporation ) [Disabled - Stopped - Win32, running in a shared process]
License Logging Service (LicenseService) - D:\WINNT\System32\llssrv.exe (Microsoft Corporation ) [Disabled - Stopped - Win32, running in it's own process]
TCP/IP NetBIOS Helper (LmHosts) - D:\WINNT\System32\services.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Intel Local Response Agent (lra) - d:\program files\intel\servercontrol\bin\lra.exe ( ) [Automatic - Running - Win32, running in it's own process]
M4CX Adapter Driver (M4CX) - \SystemRoot\System32\drivers\M4CXNT4.SYS (D-Link Corporation ) [Automatic - Running - Kernel driver]
Messenger (Messenger) - D:\WINNT\System32\services.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
mga (mga) - (File not found)) [Disabled - Stopped - Kernel driver]
mga_mil (mga_mil) - (File not found)) [Disabled - Stopped - Kernel driver]
mitsumi (mitsumi) - (File not found)) [Disabled - Stopped - Kernel driver]
mkecr5xx (mkecr5xx) - (File not found)) [Disabled - Stopped - Kernel driver]
Modem (Modem) - (File not found)) [On Demand - Stopped - Kernel driver]
Mouse Class Driver (Mouclass) - System32\DRIVERS\mouclass.sys (Microsoft Corporation ) [ - Running - Kernel driver]
MSDTC (MSDTC) - D:\WINNT\System32\msdtc.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in it's own process]
Msfs (Msfs) - (File not found)) [ - Running - Filesystem driver]
FTP Publishing Service (MSFTPSVC) - D:\WINNT\System32\inetsrv\inetinfo.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in a shared process]
Site Server Message Builder Service (msgbldsvc) - C:\Microsoft Site Server\bin\P&M\TMMsgBld.exe (File not found)) [Disabled - Stopped - Win32, running in it's own process]
Windows Installer (MSIServer) - D:\WINNT\System32\MsiExec.exe /V (Microsoft Corporation ) [On Demand - Stopped - Win32, running in a shared process]
MSSQLServer (MSSQLServer) - C:\MSSQL7\binn\sqlservr.exe (File not found)) [On Demand - Stopped - Win32, running in it's own process]
Mup (Mup) - \SystemRoot\System32\drivers\mup.sys (Microsoft Corporation ) [On Demand - Running - Filesystem driver]
Ncr53c9x (Ncr53c9x) - (File not found)) [Disabled - Stopped - Kernel driver]
ncr77c22 (ncr77c22) - (File not found)) [Disabled - Stopped - Kernel driver]
Ncrc700 (Ncrc700) - (File not found)) [Disabled - Stopped - Kernel driver]
Ncrc710 (Ncrc710) - (File not found)) [Disabled - Stopped - Kernel driver]
Microsoft NDIS System Driver (NDIS) - (File not found)) [ - Running - Kernel driver]
NetBIOS Interface (NetBIOS) - \SystemRoot\System32\drivers\netbios.sys (Microsoft Corporation ) [On Demand - Running - Filesystem driver]
WINS Client(TCP/IP) (NetBT) - \SystemRoot\System32\drivers\netbt.sys (Microsoft Corporation ) [Automatic - Running - Kernel driver]
Network DDE (NetDDE) - D:\WINNT\system32\netdde.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in a shared process]
Network DDE DSDM (NetDDEdsdm) - D:\WINNT\system32\netdde.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in a shared process]
NetDetect (NetDetect) - \SystemRoot\system32\drivers\netdtect.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
Net Logon (Netlogon) - D:\WINNT\System32\lsass.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in a shared process]
Npfs (Npfs) - (File not found)) [ - Running - Filesystem driver]
NT4dds (NT4dds) - System32\DRIVERS\NT4dds.sys (Microsoft Corporation ) [ - Running - Kernel driver]
Ntfs (Ntfs) - (File not found)) [Disabled - Running - Filesystem driver]
NT LM Security Support Provider (NtLmSsp) - D:\WINNT\System32\SERVICES.EXE (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
Null (Null) - (File not found)) [ - Running - Kernel driver]
Oliscsi (Oliscsi) - (File not found)) [Disabled - Stopped - Kernel driver]
Parallel (Parallel) - (File not found)) [Automatic - Running - Kernel driver]
Parport (Parport) - (File not found)) [Automatic - Running - Kernel driver]
ParVdm (ParVdm) - (File not found)) [Automatic - Running - Kernel driver]
PCIDump (PCIDump) - (File not found)) [ - Stopped - Kernel driver]
Pcmcia (Pcmcia) - (File not found)) [Disabled - Stopped - Kernel driver]
Plug and Play (PlugPlay) - D:\WINNT\system32\services.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
PnP ISA Enabler Driver (pnpisa) - (File not found)) [ - Stopped - Kernel driver]
Protector Plus Driver (UnRegistered) (PPDrv) - \??\D:\Program Files\Protector Plus\PPDrv.sys ( ) [Disabled - Stopped - Kernel driver]
Protected Storage (ProtectedStorage) - d:\winnt\system32\pstores.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in it's own process]
Protector Plus Service (UnRegistered) (ProtectorPlusService) - D:\Program Files\Protector Plus\PPServ.exe ( ) [Disabled - Stopped - Win32, running in it's own process]
psidisp (psidisp) - (File not found)) [Disabled - Stopped - Kernel driver]
qic117 (qic117) - \??\D:\WINNT\System32\drivers\qic117.sys (Microsoft Corporation ) [Disabled - Stopped - Kernel driver]
Ql10wnt (Ql10wnt) - (File not found)) [Disabled - Stopped - Kernel driver]
qv (qv) - (File not found)) [Disabled - Stopped - Kernel driver]
Rdr (Rdr) - \SystemRoot\System32\drivers\rdr.sys (Microsoft Corporation ) [On Demand - Running - Filesystem driver]
Directory Replicator (Replicator) - D:\WINNT\System32\lmrepl.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in it's own process]
Remote Procedure Call (RPC) Locator (RPCLOCATOR) - D:\WINNT\System32\LOCATOR.EXE (Microsoft Corporation ) [On Demand - Stopped - Win32, running in it's own process]
Remote Procedure Call (RPC) Service (RpcSs) - D:\WINNT\system32\RpcSs.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in it's own process]
s3 (s3) - (File not found)) [Disabled - Stopped - Kernel driver]
Task Scheduler (Schedule) - D:\WINNT\system32\MSTask.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Scsiprnt (Scsiprnt) - (File not found)) [Automatic - Stopped - Kernel driver]
Scsiscan (Scsiscan) - (File not found)) [ - Stopped - Kernel driver]
SDdriver (SDdriver) - \??\D:\WINNT\System32\Drivers\sddriver.sys (Symantec ) [On Demand - Stopped - Kernel driver]
System Event Notification (SENS) - D:\WINNT\System32\SENS.EXE (Microsoft Corporation ) [Automatic - Running - Win32, running in it's own process]
Serial (Serial) - (File not found)) [Automatic - Running - Kernel driver]
Sermouse (Sermouse) - (File not found)) [Disabled - Stopped - Kernel driver]
Sfloppy (Sfloppy) - (File not found)) [ - Stopped - Kernel driver]
Intel Server Health Agent (sha) - d:\program files\intel\servercontrol\bin\sha.exe ( ) [Automatic - Running - Win32, running in it's own process]
Simbad (Simbad) - (File not found)) [Disabled - Stopped - Kernel driver]
slcd32 (slcd32) - (File not found)) [Disabled - Stopped - Kernel driver]
SMBIOS (smbios) - \SystemRoot\SYSTEM32\DRIVERS\smbios.sys (Microsoft Corporation ) [Automatic - Running - Kernel driver]
Microsoft SMTP Service (SMTPSVC) - D:\WINNT\System32\inetsrv\inetinfo.exe (Microsoft Corporation ) [Automatic - Stopped - Win32, running in a shared process]
Sparrow (Sparrow) - (File not found)) [Disabled - Stopped - Kernel driver]
Speed Disk service (Speed Disk service) - D:\Program Files\Norton Speed Disk\nopdb.exe (Symantec Corporation ) [Automatic - Running - Win32, running in it's own process]
Spock (Spock) - (File not found)) [Disabled - Stopped - Kernel driver]
Spooler (Spooler) - D:\WINNT\system32\spoolss.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in it's own process]
SharePoint Timer Service (SPTimer) - D:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\50\bin\OWSTIMER.EXE (Microsoft Corporation ) [Automatic - Running - Win32, running in it's own process]
Special Purpose Utility Driver (SPUD) - \SystemRoot\System32\drivers\spud.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
sql-smss (sql-smss) - "D:\WINNT\sql-smss.exe" (File not found)) [Disabled - Stopped - Win32, running in it's own process]
SQLServerAgent (SQLServerAgent) - C:\MSSQL7\binn\sqlagent.exe (File not found)) [On Demand - Stopped - Win32, running in it's own process]
Srv (Srv) - \SystemRoot\System32\drivers\srv.sys (Microsoft Corporation ) [On Demand - Running - Filesystem driver]
Site Server Search (SSSEARCH) - C:\Microsoft Site Server\bin\sssearch.exe (File not found)) [Automatic - Stopped - Win32, running in it's own process]
symc810 (symc810) - (File not found)) [Disabled - Stopped - Kernel driver]
T128 (T128) - (File not found)) [Disabled - Stopped - Kernel driver]
T13B (T13B) - (File not found)) [Disabled - Stopped - Kernel driver]
Telephony Service (TapiSrv) - D:\WINNT\system32\tapisrv.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in it's own process]
TCP/IP Service (Tcpip) - \SystemRoot\System32\drivers\tcpip.sys (Microsoft Corporation ) [Automatic - Running - Kernel driver]
tga (tga) - (File not found)) [Disabled - Stopped - Kernel driver]
Site Server List Builder Service (tmlbsvc) - C:\Microsoft Site Server\bin\P&M\TMLBSvc.exe (File not found)) [Automatic - Stopped - Win32, running in it's own process]
tmv1 (tmv1) - (File not found)) [Disabled - Stopped - Kernel driver]
TOKENMON (TOKENMON) - \??\D:\WINNT\system32\drivers\TOKENM.SYS (File not found)) [On Demand - Stopped - Kernel driver]
Ultra124 (Ultra124) - (File not found)) [Disabled - Stopped - Kernel driver]
Ultra14f (Ultra14f) - (File not found)) [Disabled - Stopped - Kernel driver]
Ultra24f (Ultra24f) - (File not found)) [Disabled - Stopped - Kernel driver]
update (update) - (File not found)) [ - Stopped - Kernel driver]
UPS (UPS) - D:\WINNT\System32\ups.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in it's own process]
v7vram (v7vram) - (File not found)) [Disabled - Stopped - Kernel driver]
VgaSave (VgaSave) - \SystemRoot\System32\drivers\vga.sys (Microsoft Corporation ) [ - Stopped - Kernel driver]
VgaStart (VgaStart) - \SystemRoot\System32\drivers\vga.sys (Microsoft Corporation ) [ - Stopped - Kernel driver]
World Wide Web Publishing Service (w3svc) - D:\WINNT\System32\inetsrv\inetinfo.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Wd33c93 (Wd33c93) - (File not found)) [Disabled - Stopped - Kernel driver]
wd90c24a (wd90c24a) - (File not found)) [Disabled - Stopped - Kernel driver]
wdvga (wdvga) - (File not found)) [Disabled - Stopped - Kernel driver]
weitekp9 (weitekp9) - (File not found)) [Disabled - Stopped - Kernel driver]
Win32sl (win32sl) - d:\program files\intel\servercontrol\bin\win32sl.exe (Intel ) [Automatic - Running - Win32, running in it's own process]
Windows Management (WinMgmt) - D:\WINNT\System32\WBEM\winmgmt.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in it's own process]
Xga (Xga) - (File not found)) [Disabled - Stopped - Kernel driver]

< Files >

%SystemDrive%

%ProgramFilesDir%

%WinDir%

%System%
D:\WINNT\SYSTEM32\NHLOADER.EXE - WinShutDown (Microsoft Corporation [Ver = 4.04.0037 | Size = 225280 bytes | Date = 11/18/1999 12:04 | Attr = ])
D:\WINNT\SYSTEM32\wbdbase.deu - winsync ( [Ver = | Size = 1309184 bytes | Date = 02/24/1998 13:01 | Attr = ])

%System%\Drivers folder and sub-folders

%windir% + sub-dirs for System or Hidden files less than 60 days old
D:\WINNT\ShellIconCache - ( [Ver = | Size = 1009024 bytes | Date = 08/31/2006 16:05 | Attr = H ])
D:\WINNT\Profiles\Administrator\Application Data\Lavasoft\Ad-Aware\settings.awc - ( [Ver = | Size = 1451 bytes | Date = 09/05/2006 14:03 | Attr = RH ])
D:\WINNT\Profiles\Administrator\Application Data\Microsoft\Internet Explorer\Desktop.htt - ( [Ver = | Size = 1694 bytes | Date = 08/29/2006 09:52 | Attr = HS])
D:\WINNT\Profiles\Administrator\Temporary Internet Files\Content.IE5\desktop.ini - ( [Ver = | Size = 67 bytes | Date = 09/17/2006 19:19 | Attr = HS])
D:\WINNT\Profiles\Administrator\Temporary Internet Files\Content.IE5\8ZQEF0E5\desktop.ini - ( [Ver = | Size = 67 bytes | Date = 09/17/2006 19:19 | Attr = HS])
D:\WINNT\Profiles\Administrator\Temporary Internet Files\Content.IE5\96KHMJBL\desktop.ini - ( [Ver = | Size = 67 bytes | Date = 09/17/2006 19:19 | Attr = HS])
D:\WINNT\Profiles\Administrator\Temporary Internet Files\Content.IE5\HVO6TBIC\desktop.ini - ( [Ver = | Size = 67 bytes | Date = 09/17/2006 19:19 | Attr = HS])
D:\WINNT\Profiles\Administrator\Temporary Internet Files\Content.IE5\JAA3XHSU\desktop.ini - ( [Ver = | Size = 67 bytes | Date = 09/17/2006 19:19 | Attr = HS])
D:\WINNT\system32\eventvwr.GID - ( [Ver = | Size = 10856 bytes | Date = 08/28/2006 12:40 | Attr = H ])
D:\WINNT\system32\rdisk.GID - ( [Ver = | Size = 9793 bytes | Date = 08/30/2006 15:34 | Attr = H ])
D:\WINNT\system32\WINDOWS.GID - ( [Ver = | Size = 381234 bytes | Date = 09/13/2006 10:47 | Attr = H ])
D:\WINNT\system32\__MMtmp_ - ( [Ver = | Size = 4096 bytes | Date = 09/17/2006 20:27 | Attr = H ])
D:\WINNT\Tasks\SA.DAT - ( [Ver = | Size = 6 bytes | Date = 09/17/2006 20:27 | Attr = H ])
CPL files -
D:\WINNT\SYSTEM32\access.cpl - (Microsoft Corporation [Ver = 4.00 | Size = 61712 bytes | Date = 10/14/1996 01:38 | Attr = ])
D:\WINNT\SYSTEM32\appwiz.cpl - (Microsoft Corporation [Ver = 4.00 | Size = 78608 bytes | Date = 10/13/1996 18:38 | Attr = ])
D:\WINNT\SYSTEM32\console.cpl - (Microsoft Corporation [Ver = 4.00 | Size = 48400 bytes | Date = 10/13/1996 18:38 | Attr = ])
D:\WINNT\SYSTEM32\DESK.CPL - (Microsoft Corporation [Ver = 4.72.3110.0 | Size = 163888 bytes | Date = 03/16/1999 04:49 | Attr = ])
D:\WINNT\SYSTEM32\DEVAPPS.CPL - (Microsoft Corporation [Ver = 4.00 | Size = 305936 bytes | Date = 11/18/1999 12:04 | Attr = ])
D:\WINNT\SYSTEM32\dtccfg.cpl - (Microsoft Corporation [Ver = 1999.6.854.0 | Size = 28432 bytes | Date = 07/14/1999 17:35 | Attr = ])
D:\WINNT\SYSTEM32\FINDFAST.CPL - (Microsoft Corporation [Ver = 9.0.2610 | Size = 40960 bytes | Date = 02/10/1999 04:48 | Attr = ])
D:\WINNT\SYSTEM32\inetcpl.cpl - (Microsoft Corporation [Ver = 6.00.2800.1106 | Size = 292352 bytes | Date = 08/29/2002 01:00 | Attr = ])
D:\WINNT\SYSTEM32\INTL.CPL - (Microsoft Corporation [Ver = 4.00 | Size = 74000 bytes | Date = 11/18/1999 12:04 | Attr = ])
D:\WINNT\SYSTEM32\joy.cpl - (Microsoft Corporation [Ver = 4.00 | Size = 60176 bytes | Date = 10/13/1996 18:38 | Attr = ])
D:\WINNT\SYSTEM32\jpicpl32.cpl - (Sun Microsystems, Inc. [Ver = 1.5.0.0 | Size = 49262 bytes | Date = 09/11/2006 09:08 | Attr = ])
D:\WINNT\SYSTEM32\LICCPA.CPL - (Microsoft Corporation [Ver = 4.00 | Size = 95504 bytes | Date = 11/18/1999 12:04 | Attr = ])
D:\WINNT\SYSTEM32\main.cpl - (Microsoft Corporation [Ver = 4.00 | Size = 74512 bytes | Date = 10/13/1996 18:38 | Attr = ])
D:\WINNT\SYSTEM32\mlcfg32.cpl - (Microsoft Corporation [Ver = 4.00.835.1377 | Size = 48400 bytes | Date = 10/14/1996 01:38 | Attr = ])
D:\WINNT\SYSTEM32\MMSYS.CPL - (Microsoft Corporation [Ver = 4.00 | Size = 214288 bytes | Date = 11/18/1999 12:04 | Attr = ])
D:\WINNT\SYSTEM32\MODEM.CPL - (Microsoft Corporation [Ver = 4.00 | Size = 96016 bytes | Date = 11/18/1999 12:04 | Attr = ])
D:\WINNT\SYSTEM32\ncpa.cpl - (Microsoft Corporation [Ver = 4.00 | Size = 138512 bytes | Date = 10/13/1996 18:38 | Attr = ])
D:\WINNT\SYSTEM32\odbccp32.cpl - (Microsoft Corporation [Ver = 3.520.6526.0 | Size = 41232 bytes | Date = 07/26/2000 08:37 | Attr = ])
D:\WINNT\SYSTEM32\PORTS.CPL - (Microsoft Corporation [Ver = 4.00 | Size = 35600 bytes | Date = 11/18/1999 12:04 | Attr = ])
D:\WINNT\SYSTEM32\prefscpl.cpl - (RealNetworks, Inc. [Ver = 6.0.8.115 | Size = 24064 bytes | Date = 07/05/2000 23:10 | Attr = ])
D:\WINNT\SYSTEM32\PROSetp.cpl - (Intel Corporation [Ver = 3.48 | Size = 567808 bytes | Date = 01/12/1999 15:20 | Attr = ])
D:\WINNT\SYSTEM32\srvmgr.cpl - (Microsoft Corporation [Ver = 4.00 | Size = 156432 bytes | Date = 10/13/1996 18:38 | Attr = ])
D:\WINNT\SYSTEM32\SYSDM.CPL - (Microsoft Corporation [Ver = 4.00 | Size = 93456 bytes | Date = 11/18/1999 12:04 | Attr = ])
D:\WINNT\SYSTEM32\telephon.cpl - (Microsoft Corporation [Ver = 4.00 | Size = 8976 bytes | Date = 10/13/1996 18:38 | Attr = ])
D:\WINNT\SYSTEM32\TIMEDATE.CPL - (Microsoft Corporation [Ver = 4.00 | Size = 53008 bytes | Date = 11/18/1999 12:04 | Attr = ])
D:\WINNT\SYSTEM32\ups.cpl - (Microsoft Corporation [Ver = 4.00 | Size = 36624 bytes | Date = 10/13/1996 18:38 | Attr = ])

Auto-Start Folders

HKLM->Explorer\Shell Folders\\Common Startup = D:\WINNT\Profiles\All Users\Start Menu\Programs\Startup

HKLM->Explorer\User Shell Folders\\Common Startup = %SystemRoot%\Profiles\All Users\Start Menu\Programs\Startup

HKLM->Explorer\Shell Folders\\Startup = D:\WINNT\Profiles\Administrator\Start Menu\Programs\Startup

HKCU->Explorer\User Shell Folders\\Startup = %USERPROFILE%\Start Menu\Programs\Startup

Miscellaneous Auto-Start Files
System.ini->[Boot]\\Shell - explorer.exe
Config.nt: Line 1 - REM Windows NT MS-DOS Startup File
Config.nt: Line 2 - REM
Config.nt: Line 3 - REM CONFIG.SYS vs CONFIG.NT
Config.nt: Line 4 - REM CONFIG.SYS is not used to initialize the MS-DOS environment.
Config.nt: Line 5 - REM CONFIG.NT is used to initialize the MS-DOS environment unless a
Config.nt: Line 6 - REM different startup file is specified in an application's PIF.
Config.nt: Line 7 - REM
Config.nt: Line 8 - REM ECHOCONFIG
Config.nt: Line 9 - REM By default, no information is displayed when the MS-DOS environment
Config.nt: Line 10 - REM is initialized. To display CONFIG.NT/AUTOEXEC.NT information, add
Config.nt: Line 11 - REM the command echoconfig to CONFIG.NT or other startup file.
Config.nt: Line 12 - REM
Config.nt: Line 13 - REM NTCMDPROMPT
Config.nt: Line 14 - REM When you return to the command prompt from a TSR or while running an
Config.nt: Line 15 - REM MS-DOS-based application, Windows NT runs COMMAND.COM. This allows the
Config.nt: Line 16 - REM TSR to remain active. To run CMD.EXE, the Windows NT command prompt,
Config.nt: Line 17 - REM rather than COMMAND.COM, add the command ntcmdprompt to CONFIG.NT or
Config.nt: Line 18 - REM other startup file.
Config.nt: Line 19 - REM
Config.nt: Line 20 - REM DOSONLY
Config.nt: Line 21 - REM By default, you can start any type of application when running
Config.nt: Line 22 - REM COMMAND.COM. If you start an application other than an MS-DOS-based
Config.nt: Line 23 - REM application, any running TSR may be disrupted. To ensure that only
Config.nt: Line 24 - REM MS-DOS-based applications can be started, add the command dosonly to
Config.nt: Line 25 - REM CONFIG.NT or other startup file.
Config.nt: Line 26 - REM
Config.nt: Line 27 - REM EMM
Config.nt: Line 28 - REM You can use EMM command line to configure EMM(Expanded Memory Manager).
Config.nt: Line 29 - REM The syntax is:
Config.nt: Line 30 - REM
Config.nt: Line 31 - REM EMM = [A=AltRegSets] [B=BaseSegment] [RAM]
Config.nt: Line 32 - REM
Config.nt: Line 33 - REM AltRegSets
Config.nt: Line 34 - REM specifies the total Alternative Mapping Register Sets you
Config.nt: Line 35 - REM want the system to support. 1 <= AltRegSets <= 255. The
Config.nt: Line 36 - REM default value is 8.
Config.nt: Line 37 - REM BaseSegment
Config.nt: Line 38 - REM specifies the starting segment address in the Dos conventional
Config.nt: Line 39 - REM memory you want the system to allocate for EMM page frames.
Config.nt: Line 40 - REM The value must be given in Hexdecimal.
Config.nt: Line 41 - REM 0x1000 <= BaseSegment <= 0x4000. The value is rounded down to
Config.nt: Line 42 - REM 16KB boundary. The default value is 0x4000
Config.nt: Line 43 - REM RAM
Config.nt: Line 44 - REM specifies that the system should only allocate 64Kb address
Config.nt: Line 45 - REM space from the Upper Memory Block(UMB) area for EMM page frames
Config.nt: Line 46 - REM and leave the rests(if available) to be used by DOS to support
Config.nt: Line 47 - REM loadhigh and devicehigh commands. The system, by default, would
Config.nt: Line 48 - REM allocate all possible and available UMB for page frames.
Config.nt: Line 49 - REM
Config.nt: Line 50 - REM The EMM size is determined by pif file(either the one associated
Config.nt: Line 51 - REM with your application or _default.pif). If the size from PIF file
Config.nt: Line 52 - REM is zero, EMM will be disabled and the EMM line will be ignored.
Config.nt: Line 53 - REM
Config.nt: Line 54 - dos=high, umb
Config.nt: Line 55 - device=%SystemRoot%\system32\himem.sys
Config.nt: Line 56 - files=20
AutoExec.nt: Line 1 - @echo off
AutoExec.nt: Line 3 - REM AUTOEXEC.BAT is not used to initialize the MS-DOS environment.
AutoExec.nt: Line 4 - REM AUTOEXEC.NT is used to initialize the MS-DOS environment unless a
AutoExec.nt: Line 5 - REM different startup file is specified in an application's PIF.
AutoExec.nt: Line 7 - REM Install CD ROM extensions
AutoExec.nt: Line 8 - lh %SystemRoot%\system32\mscdexnt.exe
AutoExec.nt: Line 10 - REM Install network redirector (load before dosx.exe)
AutoExec.nt: Line 11 - lh %SystemRoot%\system32\redir
AutoExec.nt: Line 13 - REM Install DPMI support
AutoExec.nt: Line 14 - lh %SystemRoot%\system32\dosx

Miscellaneous Folders

AllUsers ApplicationData Folder

CurrentUser ApplicationData Folder

Program Files Folder
D:\Program Files\LASTSEL.DAT - ( [Ver = | Size = 16 bytes | Date = 09/17/2006 20:28 | Attr = ])

Common Files Folder
D:\Program Files\Common Files\MSCREATE.DIR - ( [Ver = | Size = 0 bytes | Date = 07/03/2000 10:28 | Attr = RH ])

DPF files
{0C568603-D79D-11D2-87A7-00C04FF158BB} - BrowseFolderPopup Class - CodeBase = http://download.mcaf...ed/MGBrwFld.cab
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - CKAVWebScan Object - CodeBase = http://www.kaspersky...can_unicode.cab
{36C417C6-13C6-448B-9784-DD73A93B0582} - McAfee.com Download+Installer Class - CodeBase = http://bin.mcafee.co...32/mcinsctl.cab
{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - McAfee.com Operating System Class - CodeBase = http://bin.mcafee.co...55/mcinsctl.cab
{597C45C2-2D39-11D5-8D53-0050048383FE} - OPUCatalog Class - CodeBase = http://office.micros...ontent/opuc.cab
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - BDSCANONLINE Control - CodeBase = http://download.bitd...can8/oscan8.cab
{82774781-8F4E-11D1-AB1C-0000F8773BF0} - DLC Class - CodeBase = https://msdn.one.mic...ransferCtrl.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.5.0 - CodeBase = http://java.sun.com/...indows-i586.cab
{BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - a-squared Scanner - CodeBase = http://ax.emsisoft.com/asquared.cab
{C78AC153-1FB9-4198-986D-3613E49B152E} - ScanMe Class - CodeBase = http://download.micr...mssecuredll.cab
{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - Java Plug-in 1.5.0 - CodeBase = http://java.sun.com/...indows-i586.cab
{CEBC955E-58AF-11D2-A30A-00A0C903492B} - CV3 Class - CodeBase = http://windowsupdate...en/actsetup.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - - CodeBase = http://fpdownload.ma...ash/swflash.cab
{E36C5562-C4E0-4220-BCB2-1C671E3A5916} - Seagate SeaTools English Online - CodeBase = http://www.seagate.c.../npseatools.cab
{EC23BDB6-E01A-11D2-AA93-006008A6A0E5} - Trend HouseCall for Exchange Control - CodeBase = http://housecall.ant...all/xscanex.cab
{EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - McFreeScan Class - CodeBase = http://download.mcaf...836/mcfscan.cab
DirectAnimation Java Classes - - CodeBase = file://D:\WINNT\dajava.cab
Internet Explorer Classes for Java - - CodeBase = file://D:\WINNT\System32\iejava.cab
Microsoft XML Parser for Java - - CodeBase = file://D:\WINNT\Java\classes\xmldso4.cab

Hosts file = 737 bytes. Reading all entries. D:\WINNT\System32\drivers\etc\Hosts
# Copyright © 1993-1995 Microsoft Corp. -
# -
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows NT. -
# -
# This file contains the mappings of IP addresses to host names. Each -
# entry should be kept on an individual line. The IP address should -
# be placed in the first column followed by the corresponding host name. -
# The IP address and the host name should be separated by at least one -
# space. -
# -
# Additionally, comments (such as these) may be inserted on individual -
# lines or following the machine name denoted by a '#' symbol. -
# -
# For example: -
# -
# 102.54.94.97 rhino.acme.com # source server -
# 38.25.63.10 x.acme.com # x client host -
-
127.0.0.1 localhost -

< Add On's >

>>>>Output for AddOn file HKCU_IEDesktop.def<<<<

KEY - HKCU\Software\Microsoft\Internet Explorer\Desktop - Include SUBKEYS
HKCU\Software\Microsoft\Internet Explorer\Desktop -
Desktop\\ChannelSize - 12
Desktop\\OEMSize - 0
Desktop\Components -
Desktop\Components\\DeskHtmlVersion - 271
Desktop\Components\\DeskHtmlMinorVersion - 1
Desktop\Components\\Settings - 1
Desktop\Components\\GeneralFlags - 0
Desktop\Components\AutorunsDisabled -
Desktop\Components\AutorunsDisabled\0 -
Desktop\Components\AutorunsDisabled\0\\Source - 131A6951-7F78-11D0-A979-00C04FD705A2
Desktop\Components\AutorunsDisabled\0\\SubscribedURL - 131A6951-7F78-11D0-A979-00C04FD705A2
Desktop\Components\AutorunsDisabled\0\\FriendlyName - Internet Explorer Channel Bar
Desktop\Components\AutorunsDisabled\0\\Flags - 3
Desktop\Components\AutorunsDisabled\0\\Position - 2C 00 00 00 9C 02 00 00 0F 00 00 00 54 00 00 00 AA 01 00 00 FF FF FF 3F 01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
Desktop\Components\AutorunsDisabled\0\\CurrentState - 60
Desktop\Components\AutorunsDisabled\0\\OriginalStateInfo - 00 00 00 00 04 01 00 00 F8 EB FD 7F 1E 00 00 00 00 00 00 00 00 00 00 00
Desktop\Components\AutorunsDisabled\0\\RestoredStateInfo - 00 04 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 04 00 00 01 00 00 00
Desktop\General -
Desktop\General\\BackupWallpaper -
Desktop\General\\WallpaperFileTime - 00 00 00 00 00 00 00 00
Desktop\General\\TileWallpaper - 0
Desktop\General\\Wallpaper - D:\WINNT\Web\Wallpaper\Wallpapr.htm
Desktop\Old WorkAreas -
Desktop\Old WorkAreas\\NoOfOldWorkAreas - 1
Desktop\Old WorkAreas\\OldWorkAreaRects - 00 00 00 00 00 00 00 00 20 03 00 00 3C 02 00 00
Desktop\SafeMode -
Desktop\SafeMode\Components -
Desktop\SafeMode\Components\\DeskHtmlVersion - 271
Desktop\SafeMode\Components\\DeskHtmlMinorVersion - 1
Desktop\SafeMode\Components\\Settings - 1
Desktop\SafeMode\General -
Desktop\SafeMode\General\\Wallpaper - D:\WINNT\Web\SafeMode.htt
Desktop\SafeMode\General\\VisitGallery - 0
Desktop\Scheme -
Desktop\Scheme\\Edit -
Desktop\Scheme\\Display -

>>>>Output for AddOn file Policies.def<<<<

KEY - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies -
policies\Ratings -

KEY - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies -
policies\Explorer -
policies\Explorer\\NoDriveTypeAutoRun - 149

>>>>Output for AddOn file SID_Run_Policies.def<<<<

KEY - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run - No SUBKEYS
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run not found. -

KEY - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run - No SUBKEYS
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run not found. -

KEY - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies - Include SUBKEYS
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies -
Policies\Explorer -
Policies\Explorer\\NoDriveTypeAutoRun - 149

KEY - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies - Include SUBKEYS
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies not found. -

< End of report >
  • 0

#4
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
A few questions. I'm not used to handling servers, so I'd rather ask than junk something you need.

Is this file temporarily created by something you are running:

D:\TEMP\setup.exe

And do you know what this is for:

Msfs (Msfs) - (File not found)) [ - Running - Filesystem driver]


Then I'd like to have a look at another part of your registry.
To do so click Start > Run > Copy the command below into the window
regedit.exe /e D:\lanmanserver.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions"

If done successfully this will create the file D:\lanmanserver.txt
Find that file and post the content please.

Regards,
  • 0

#5
Ericy

Ericy

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hi

d:\temp\Setup.exe is AVG by Grisoft's setup

MSFS - not sure
Note: This server's raid array - Drive C: - is not booting up due to a new hardware problem in the last couple of days.

The requested file log: (looks like there are possible intruders). Those setup_xxxx files are part of the recurring infection. They usually want to make a file called "i" that has connection instructions. The file keeps coming back so I edited the connection instructions and made it read only. Only the "i" file is present at this time.

EricY

-----------------------------------------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions]
"OIJHT"="D:\\WINNT\\system32\\setup_81411.exe"
"Netmelt"="D:\\WINNT\\system32\\setup_26066.exe"
"MeltMe"="D:\\WINNT\\system32\\eraseme_41551.exe"
"COM+ MELT"="D:\\WINNT\\system32\\last.exe"
"DGMMELT"="D:\\WINNT\\system32\\setup_04734.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="Security Page"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{3AD1E410-AAB9-11d0-89D7-00C04FC9E26E}"="Name Space Control Band"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"
"{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{7D688A77-C613-11D0-999B-00C04FD655E1}"="SlowFile Icon Overlay"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{5a61f7a0-cde1-11cf-9113-00aa00425c62}"="IIS Shell Extention"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{BDEADF00-C265-11d0-BCED-00A0C90AB50F}"="Web Folders"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{8DE56A0D-E58B-41FE-9F80-3563CDCB2C22}"="Default Image Extrator for Properties"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="&People..."
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"="TrojanHunter Menu Shell Extension"
"{23170F69-40C1-278A-1000-000100020000}"="7-Zip Shell Extension"
  • 0

#6
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
As far as I can tell all those "melt" entries are viruses.

The only one I'm not 100% sure about is "COM+ MELT"

Can you upload last.exe at http://www.kaspersky.com/virusscanner
Use the file scanner on:
D:\WINNT\system32\setup_81411.exe
D:\WINNT\system32\setup_26066.exe
D:\WINNT\system32\eraseme_41551.exe
D:\WINNT\system32\setup_04734.exe
D:\WINNT\system32\last.exe

I'm pretty sure the first four will be viral. Let me know if the last (LOL) one belongs to the same family.

Regards,
  • 0

#7
Ericy

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hi,

The files:
D:\WINNT\system32\setup_81411.exe
D:\WINNT\system32\setup_26066.exe
D:\WINNT\system32\eraseme_41551.exe
D:\WINNT\system32\setup_04734.exe
D:\WINNT\system32\last.exe

Have all been removed in the past few days based off of AVG, Kaspersky Online scans or just spotting suspicious new files. Some of the files are collected in a zip file. The zip was just uploaded to Kaspersky and the results are:

Scanned file: viruszip.zip - Infected

viruszip.zip/setup_04734-i-virus.exe - infected by Backdoor.Win32.Aimbot.eu
viruszip.zip/i-virus - infected by Trojan-Downloader.BAT.Ftp.ab
viruszip.zip/sql-smss.exe - infected by Backdoor.Win32.Aimbot.eu
viruszip.zip/i - infected by Trojan-Downloader.BAT.Ftp.ab
viruszip.zip/eraseme_52233.exe - infected by Backdoor.Win32.SdBot.anp
viruszip.zip/csrsc.exe - infected by Backdoor.Win32.SdBot.anp
viruszip.zip/eraseme_41551.exe - infected by Backdoor.Win32.SdBot.anp


"i" is the only file left, but the instructions were changed and it was made read only. The file content seems to stay static now.

Thanks - EricY
  • 0

#8
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
First, we need to backup your registry:
Please go to Start > Run
Paste in the following line: regedit /e c:\registrybackup.reg
Click OK.
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.

Then copy the part in bold below into notepad and save it as Appid.reg
Set Filetype to "all files"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions]
"OIJHT"=-
"Netmelt"=-
"MeltMe"=-
"COM+ MELT"=-
"DGMMELT"=-


Doubleclick that file and confirm you want to merge it with the registry.

Then there is one more I'd like to look at:
To do so click Start > Run > Copy the command below into the window
regedit.exe /e D:\lanmanparams.txt "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanworkstation\parameters"

If done successfully this will create the file D:\lanmanparams.txt
Find that file and post the content please.

Regards,
  • 0
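
An added example, not code from the thread or its participants: a small Python parser for the REGEDIT4 exports posted in this thread (the Shell Extensions dump and lanmanparams.txt) together with a generator for the kind of "name"=- deletion file described in the post above. The key paths and the five value names are the ones quoted in the thread; the sample data for the melt entries is a constructed placeholder, and nothing here touches a real registry.

```python
import re
# Key paths and value names are the ones quoted in this thread.
SHELLEXT_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions"
LANMAN_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanworkstation\parameters"
MELT_NAMES = ["OIJHT", "Netmelt", "MeltMe", "COM+ MELT", "DGMMELT"]
SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
_unescape = lambda s: re.sub(r"\\(.)", r"\1", s)  # .reg escapes \ and " with a backslash

def parse_regedit4(text):
    """REGEDIT4 text -> {key: {name: value}}; dword -> int, "name"=- (deletion) -> None."""
    if not text.lstrip().startswith("REGEDIT4"):
        raise ValueError("not a REGEDIT4 export")
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1)
            keys.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if not val or current is None:
            continue  # header, blank lines, comments
        name, data = _unescape(val.group(1)), val.group(2)
        if data == "-":
            keys[current][name] = None
        elif data.lower().startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            keys[current][name] = _unescape(data[1:-1])
        else:
            keys[current][name] = data  # hex:/expand strings kept raw
    return keys

def suspicious_values(parsed, key=SHELLEXT_KEY):
    """Heuristic from this thread's dump: legitimate entries were all {CLSID}-named, so any other name is flagged."""
    return sorted(n for n in parsed.get(key, {}) if not CLSID_RE.match(n))

def deletion_reg(names, key=SHELLEXT_KEY):
    """Build the Appid.reg-style file that removes the named values with "name"=-."""
    esc = lambda n: n.replace("\\", "\\\\").replace('"', '\\"')
    return "\r\n".join(["REGEDIT4", "", f"[{key}]"] + [f'"{esc(n)}"=-' for n in names] + [""])

# Constructed samples in the shape of the exports posted above (melt data is a placeholder).
SAMPLE_SHELLEXT = "\r\n".join(
    ["REGEDIT4", "", f"[{SHELLEXT_KEY}]",
     '"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"']
    + [f'"{n}"="constructed-placeholder"' for n in MELT_NAMES] + [""])
SAMPLE_LANMAN = f'REGEDIT4\r\n\r\n[{LANMAN_KEY}]\r\n"MaxThreads"=dword:000000ff\r\n'
```

Running suspicious_values over a real export of that key before writing the deletion file is the check step; the output of deletion_reg is what gets saved with "all files" as the file type and merged.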

#9
Ericy

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hi,

Ran the regbackup
Created the appid.reg file
Merged into Registry

Lanmanparams.txt:

REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanworkstation\parameters]
"MaxThreads"=dword:000000ff

Ran CA's eTrust online scanner and got these hits:
PPSERV.EXE Win32/Babylonia infected, no cure D:\Program Files\Protector Plus\
viruszip.zip>setup_04734-i-virus.exe Win32/Petribot.XF infected D:\sysinternals\
viruszip.zip>sql-smss.exe Win32/Petribot.XF infected D:\sysinternals\
viruszip.zip>i BAT/FTPDownloader infected D:\sysinternals\
viruszip.zip>eraseme_52233.exe Win32/Petribot.XO infected D:\sysinternals\
viruszip.zip>csrsc.exe Win32/Petribot.XO infected D:\sysinternals\
viruszip.zip>eraseme_41551.exe Win32/Petribot.XO infected D:\sysinternals\

The first one "ppserv.exe" is new. Protector Plus was an antivirus from way back that would not uninstall correctly. It seems someone may be using it for cover?

Thanks,

EricY
  • 0

#10
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
It could be a false positive, but if you uninstalled it anyway, remove it just to be on the safe side.

As far as I could find any information about this virus we have covered the places where to look.

Is it too early to know if we were successful?
Or are you still getting alerts?
  • 0

#11
Ericy

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hi,

If we are done cleaning-updating should I reboot the system?
It seems to be running OK. If the rpc server gets bogged down the virus has probably returned.

Thanks for the help
  • 0

#12
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Try at will.

Let me know how it behaves. I'll read it tomorrow.

I'm going to turn in.


You're welcome. :whistling:
  • 0
