Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

rundll32.exe & k9371937.dll errors

Started by Herspirit , Mar 23 2005 06:28 AM

  • Please log in to reply

#16
don77
Posted 04 April 2005 - 07:33 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi pinefarmer
This script requires WMI, which can be downloaded at: http://tinyurl.com/jbxe

Please download the WMI file and rerun Silent runners please.
Post back the log from it here please
  • 0

Advertisements

#17
pinefarmer
Posted 06 April 2005 - 01:17 PM

pinefarmer

    New Member

  • Member
  • Pip
  • 8 posts
Once again I hope we got what you were after. Here it is.



"Silent Runners.vbs", revision 33, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MoneyAgent" = ""C:\Program Files\Microsoft Money\System\Money Express.exe"" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"LoadQM" = "loadqm.exe" [MS]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMON.EXE" ["Symantec Corporation"]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [file not found]
"ScanRegistry" = "c:\windows\scanregw.exe /autorun" [MS]
"TaskMonitor" = "c:\windows\taskmon.exe" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"AVG7_CC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE" ["GRISOFT, s.r.o."]
"AVG7_AMSVR" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE" ["GRISOFT, s.r.o."]
"AtiPTA" = "Atiptaxx.exe" ["ATI Technologies, Inc."]
"POINTER" = "C:\PROGRA~1\MSHARD~1\point32.exe" [MS]
"VoyetraTray" = "C:\PROGRAM FILES\VOYETRA\AUDIOSTATION 32\VTRAY.EXE /s" ["Voyetra Technologies Inc."]
"NAV Agent" = "C:\PROGRA~1\NORTON~1\NAVAPW32.EXE" ["Symantec Corporation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"SchedulingAgent" = "c:\windows\SYSTEM\mstask.exe" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [file not found]
"KB891711" = "c:\windows\SYSTEM\KB891711\KB891711.EXE" [MS]
"ScriptBlocking" = ""C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX" ["("]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{992CFFA0-F557-101A-88EC-00DD010CCC48}" = "Dial-Up Networking"
-> {CLSID}\InProcServer32\(Default) = "rnaui.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is enabled.


WIN.INI & SYSTEM.INI launch points:
-----------------------------------

WIN.INI
[windows]
INFECTION WARNING! "load=C:\OPLIMIT\ocraware.exe" ["Caere Corporation"]

SYSTEM.INI
[boot]
"SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\TRAVEL.SCR" [MS]


Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"UMAX VistaAccess" -> shortcut to: "C:\VSTASCAN\vsaccess.exe" ["UMAX"]
"BJ Printer Status Monitor" -> shortcut to: "C:\WINDOWS\SYSTEM\CJSTSR.EXE ExecSM;BJ Printer Status Monitor.lnk;" ["CANON INC."]
"WinZip Quick Pick" -> shortcut to: "C:\Program Files\WinZip\WZQKPICK.EXE" ["WinZip Computing, Inc."]
"MarketBrowser" -> shortcut to: "C:\Program Files\MarketBrowser\lmt\mktbrws.exe -iconmode" [null data]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"Microsoft Works Calendar Reminders" -> shortcut to: "C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe" ["Microsoft® Corporation"]


Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]
"Symantec NetDetect" -> launches: "C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\NDETECT.EXE" ["Symantec Corporation"]
"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NAVW32.exe /task:C:\WINDOWS\ALLUSE~1\APPLIC~1\SYMANTEC\NORTON~1\TASKS\MYCOMP.SCA" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "c:\windows\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
c:\windows\SYSTEM\mswsosp.dll [MS], 1
c:\windows\SYSTEM\msafd.dll [MS], 2 - 4
c:\windows\SYSTEM\rsvpsp.dll [MS], 5 - 6


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
"Silent Runners.vbs", revision 33, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MoneyAgent" = ""C:\Program Files\Microsoft Money\System\Money Express.exe"" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"LoadQM" = "loadqm.exe" [MS]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMON.EXE" ["Symantec Corporation"]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [file not found]
"ScanRegistry" = "c:\windows\scanregw.exe /autorun" [MS]
"TaskMonitor" = "c:\windows\taskmon.exe" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"AVG7_CC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE" ["GRISOFT, s.r.o."]
"AVG7_AMSVR" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE" ["GRISOFT, s.r.o."]
"AtiPTA" = "Atiptaxx.exe" ["ATI Technologies, Inc."]
"POINTER" = "C:\PROGRA~1\MSHARD~1\point32.exe" [MS]
"VoyetraTray" = "C:\PROGRAM FILES\VOYETRA\AUDIOSTATION 32\VTRAY.EXE /s" ["Voyetra Technologies Inc."]
"NAV Agent" = "C:\PROGRA~1\NORTON~1\NAVAPW32.EXE" ["Symantec Corporation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"SchedulingAgent" = "c:\windows\SYSTEM\mstask.exe" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [file not found]
"KB891711" = "c:\windows\SYSTEM\KB891711\KB891711.EXE" [MS]
"ScriptBlocking" = ""C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX" ["("]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{992CFFA0-F557-101A-88EC-00DD010CCC48}" = "Dial-Up Networking"
-> {CLSID}\InProcServer32\(Default) = "rnaui.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is enabled.


WIN.INI & SYSTEM.INI launch points:
-----------------------------------

WIN.INI
[windows]
INFECTION WARNING! "load=C:\OPLIMIT\ocraware.exe" ["Caere Corporation"]

SYSTEM.INI
[boot]
"SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\TRAVEL.SCR" [MS]


Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"UMAX VistaAccess" -> shortcut to: "C:\VSTASCAN\vsaccess.exe" ["UMAX"]
"BJ Printer Status Monitor" -> shortcut to: "C:\WINDOWS\SYSTEM\CJSTSR.EXE ExecSM;BJ Printer Status Monitor.lnk;" ["CANON INC."]
"WinZip Quick Pick" -> shortcut to: "C:\Program Files\WinZip\WZQKPICK.EXE" ["WinZip Computing, Inc."]
"MarketBrowser" -> shortcut to: "C:\Program Files\MarketBrowser\lmt\mktbrws.exe -iconmode" [null data]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"Microsoft Works Calendar Reminders" -> shortcut to: "C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe" ["Microsoft® Corporation"]


Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]
"Symantec NetDetect" -> launches: "C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\NDETECT.EXE" ["Symantec Corporation"]
"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NAVW32.exe /task:C:\WINDOWS\ALLUSE~1\APPLIC~1\SYMANTEC\NORTON~1\TASKS\MYCOMP.SCA" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "c:\windows\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
c:\windows\SYSTEM\mswsosp.dll [MS], 1
c:\windows\SYSTEM\msafd.dll [MS], 2 - 4
c:\windows\SYSTEM\rsvpsp.dll [MS], 5 - 6


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
"Silent Runners.vbs", revision 33, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MoneyAgent" = ""C:\Program Files\Microsoft Money\System\Money Express.exe"" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"LoadQM" = "loadqm.exe" [MS]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMON.EXE" ["Symantec Corporation"]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [file not found]
"ScanRegistry" = "c:\windows\scanregw.exe /autorun" [MS]
"TaskMonitor" = "c:\windows\taskmon.exe" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"AVG7_CC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE" ["GRISOFT, s.r.o."]
"AVG7_AMSVR" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE" ["GRISOFT, s.r.o."]
"AtiPTA" = "Atiptaxx.exe" ["ATI Technologies, Inc."]
"POINTER" = "C:\PROGRA~1\MSHARD~1\point32.exe" [MS]
"VoyetraTray" = "C:\PROGRAM FILES\VOYETRA\AUDIOSTATION 32\VTRAY.EXE /s" ["Voyetra Technologies Inc."]
"NAV Agent" = "C:\PROGRA~1\NORTON~1\NAVAPW32.EXE" ["Symantec Corporation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"SchedulingAgent" = "c:\windows\SYSTEM\mstask.exe" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [file not found]
"KB891711" = "c:\windows\SYSTEM\KB891711\KB891711.EXE" [MS]
"ScriptBlocking" = ""C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX" ["("]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{992CFFA0-F557-101A-88EC-00DD010CCC48}" = "Dial-Up Networking"
-> {CLSID}\InProcServer32\(Default) = "rnaui.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is enabled.


WIN.INI & SYSTEM.INI launch points:
-----------------------------------

WIN.INI
[windows]
INFECTION WARNING! "load=C:\OPLIMIT\ocraware.exe" ["Caere Corporation"]

SYSTEM.INI
[boot]
"SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\TRAVEL.SCR" [MS]


Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"UMAX VistaAccess" -> shortcut to: "C:\VSTASCAN\vsaccess.exe" ["UMAX"]
"BJ Printer Status Monitor" -> shortcut to: "C:\WINDOWS\SYSTEM\CJSTSR.EXE ExecSM;BJ Printer Status Monitor.lnk;" ["CANON INC."]
"WinZip Quick Pick" -> shortcut to: "C:\Program Files\WinZip\WZQKPICK.EXE" ["WinZip Computing, Inc."]
"MarketBrowser" -> shortcut to: "C:\Program Files\MarketBrowser\lmt\mktbrws.exe -iconmode" [null data]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"Microsoft Works Calendar Reminders" -> shortcut to: "C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe" ["Microsoft® Corporation"]


Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]
"Symantec NetDetect" -> launches: "C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\NDETECT.EXE" ["Symantec Corporation"]
"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NAVW32.exe /task:C:\WINDOWS\ALLUSE~1\APPLIC~1\SYMANTEC\NORTON~1\TASKS\MYCOMP.SCA" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "c:\windows\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
c:\windows\SYSTEM\mswsosp.dll [MS], 1
c:\windows\SYSTEM\msafd.dll [MS], 2 - 4
c:\windows\SYSTEM\rsvpsp.dll [MS], 5 - 6


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
"Silent Runners.vbs", revision 33, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MoneyAgent" = ""C:\Program Files\Microsoft Money\System\Money Express.exe"" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"LoadQM" = "loadqm.exe" [MS]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMON.EXE" ["Symantec Corporation"]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [file not found]
"ScanRegistry" = "c:\windows\scanregw.exe /autorun" [MS]
"TaskMonitor" = "c:\windows\taskmon.exe" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"AVG7_CC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE" ["GRISOFT, s.r.o."]
"AVG7_AMSVR" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE" ["GRISOFT, s.r.o."]
"AtiPTA" = "Atiptaxx.exe" ["ATI Technologies, Inc."]
"POINTER" = "C:\PROGRA~1\MSHARD~1\point32.exe" [MS]
"VoyetraTray" = "C:\PROGRAM FILES\VOYETRA\AUDIOSTATION 32\VTRAY.EXE /s" ["Voyetra Technologies Inc."]
"NAV Agent" = "C:\PROGRA~1\NORTON~1\NAVAPW32.EXE" ["Symantec Corporation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"SchedulingAgent" = "c:\windows\SYSTEM\mstask.exe" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [file not found]
"KB891711" = "c:\windows\SYSTEM\KB891711\KB891711.EXE" [MS]
"ScriptBlocking" = ""C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX" ["("]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{992CFFA0-F557-101A-88EC-00DD010CCC48}" = "Dial-Up Networking"
-> {CLSID}\InProcServer32\(Default) = "rnaui.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is enabled.


WIN.INI & SYSTEM.INI launch points:
-----------------------------------

WIN.INI
[windows]
INFECTION WARNING! "load=C:\OPLIMIT\ocraware.exe" ["Caere Corporation"]

SYSTEM.INI
[boot]
"SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\TRAVEL.SCR" [MS]


Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"UMAX VistaAccess" -> shortcut to: "C:\VSTASCAN\vsaccess.exe" ["UMAX"]
"BJ Printer Status Monitor" -> shortcut to: "C:\WINDOWS\SYSTEM\CJSTSR.EXE ExecSM;BJ Printer Status Monitor.lnk;" ["CANON INC."]
"WinZip Quick Pick" -> shortcut to: "C:\Program Files\WinZip\WZQKPICK.EXE" ["WinZip Computing, Inc."]
"MarketBrowser" -> shortcut to: "C:\Program Files\MarketBrowser\lmt\mktbrws.exe -iconmode" [null data]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"Microsoft Works Calendar Reminders" -> shortcut to: "C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe" ["Microsoft® Corporation"]


Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]
"Symantec NetDetect" -> launches: "C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\NDETECT.EXE" ["Symantec Corporation"]
"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NAVW32.exe /task:C:\WINDOWS\ALLUSE~1\APPLIC~1\SYMANTEC\NORTON~1\TASKS\MYCOMP.SCA" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "c:\windows\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
c:\windows\SYSTEM\mswsosp.dll [MS], 1
c:\windows\SYSTEM\msafd.dll [MS], 2 - 4
c:\windows\SYSTEM\rsvpsp.dll [MS], 5 - 6


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
  • 0

#18
pinefarmer
Posted 11 April 2005 - 08:15 PM

pinefarmer

    New Member

  • Member
  • Pip
  • 8 posts
Don 77- I got word that you may have replied to my latest posting but there is no message here on the bulletin board. Could you please repeat? Thanks.
  • 0

#19
don77
Posted 11 April 2005 - 08:30 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Sorry pineframer, Let me run through right now and see if we have something,
  • 0

#20
don77
Posted 11 April 2005 - 08:50 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Again sorry for the late reply pinefarmer,
Running 2 anti Virus programs could be causing you some conflicts, Not a good idea to have 2 running I would recommend you remove 1 check the other for updates
Next
Lets see if this show us anything,
Click here: http://www.downloads...VX2Finder9x.exe and download the VX2Finder9x.exe tool. Click on the VX2Finder9x.exe and then click on the Click to Find VX2.Betterinternet button. It will display the files, and User Agent string. Now click the Make Log button. It will open the log in notepad. Copy and paste that log here in this thread.

Next click here: http://www.downloads.../DllCompare.exe to download DLLCompare.zip.

Save it to your desktop.

Now run DllCompare and click on the RunLocate.com button. It will scan for the hidden files. When it is finished, you will see in blue Completed the scan, Click Compare to Continue at which time you will click the Compare button.

It will sort through the files it found and determine which should be flagged as "No access" and display them in the lower box.

In a few minutes it will complete then you will see in blue Completed.
Click the Make a Log of what was Found button. It will ask if you want to view the logfile. Click Yes then copy and paste that log in your next reply.

Click here
to download FindIt9xME.zip. Unzip it to your desktop.

Doubleclick on the find.bat file and let it run. It may take as long as ten minutes to run. When it is finished it will produce an output.txt file. Copy and paste the contents of output.txt here please.
  • 0

#21
pinefarmer
Posted 15 April 2005 - 09:51 AM

pinefarmer

    New Member

  • Member
  • Pip
  • 8 posts
don77- pinefarmer,here. I'm sorry to report that Herspirit has been quite ill and unable to guide me. So I guess I'll have to take my computer to a repair place. Thank you very much for all you have done.
  • 0

#22
don77
Posted 15 April 2005 - 01:28 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
I m sorry to hear that pinefarmer,, I hope she will be fine,,,

Sorry we couldn't get this sorted out for you,

Good luck
Don
  • 0

#23
Herspirit
Posted 20 April 2005 - 08:56 AM

Herspirit

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Hi don,
I am doing much better. How can pinefarmer remove a virus program when he can't get to the "Remove Programs" option in the Control Panel? Should he just delete the files?

Herspirit
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP