Need some help with hijacked protocols



#1
mko_san
Hello, I have been redirected here from the SpyWare BeWare forums, and decided not to give up and post here as I was told...

Ok first off - hello xD
Perhaps you can shed some light on this... I've been baffled with this for a while now. Something is messing with the protocols, but I can't pinpoint the culprit.

Here's a slimmed-down version of the hjt log [I have skipped some irrelevant items, like some 08s and 09s I installed a long time ago, and some 023s that are quite obvious. It improves the clarity of the log and helps find new stuff easily... just telling you that in case you find the log too short xD]

Logfile of HijackThis v1.99.1
Scan saved at 23:26:57, on 26/09/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
D:\WIN_2K3\System32\smss.exe
D:\WIN_2K3\system32\winlogon.exe
D:\WIN_2K3\system32\services.exe
D:\WIN_2K3\system32\lsass.exe
D:\WIN_2K3\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WIN_2K3\System32\svchost.exe
D:\WIN_2K3\system32\spoolsv.exe
D:\Program Files\MSI\Bluetooth Software\bin\btwdins.exe
D:\WIN_2K3\System32\svchost.exe
D:\WIN_2K3\system32\nvsvc32.exe
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
D:\WIN_2K3\System32\svchost.exe
D:\WIN_2K3\Explorer.EXE
D:\Program Files\D-Tools\daemon.exe
D:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\ClamWin\bin\ClamTray.exe
D:\WIN_2K3\system32\ctfmon.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Documents and Settings\Admin\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [RegKillElbyCheck] "D:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RegKillTray] "D:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WIN_2K3\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ClamWin] "D:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WIN_2K3\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] D:\WIN_2K3\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = D:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Zend Studio Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - D:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL
O9 - Extra 'Tools' menuitem: Zend Studio - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - D:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\MSI\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\MSI\Bluetooth Software\btsendto_ie.htm
O12 - Plugin for .wmv: D:\Program Files\Netscape\PLUGINS\npTrident.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O18 - Protocol hijack: file - FILE>{79PHCNMH-IHW9-H1MG-IT82H00MH0IHW{PHT}
O18 - Protocol hijack: ftp - >IT{PH9NMHBIH9-1HTMG8I82-H0NMH0IHW90H}
O18 - Protocol hijack: http - {7PHANMH5-HW{PH11GE-8{PH-00HAIH4{PH0M}
O18 - Protocol hijack: its - >IT14H2N1HBIH8-1HT0GAIT{-H000H8IH49PH}
O18 - Protocol hijack: lid - >IT13H1N0H9IH3-4HTMGAIT4-H4NMH7IHW8PH}
O18 - Protocol hijack: mk - {7IT{PHEN-HAIH-11HT-GCI2-0HAN0H4IH90P}
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol hijack: res - >I050H3NMH9IH5-1HTMGBI82-H0NMH0IHW{0H}
O18 - Protocol hijack: wia - >I3{3HANMH9IH7-4H0MGAI76-H2NMHAIHW{PH}
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

Of course I'm interested in those 018s that have the miraculous ability to respawn at random intervals. To make things more interesting, when I fix them with hjt the following entry takes their place:

O18 - Protocol hijack: file - FILE>{79 
C  
-

 9-
1 	-
 82
00 
0

   
 }


quite cool, eh? bet your pc can't do that xD

Anyhow, a little story behind it. If you are not into stories skip this part and read ahead xD

As with all great tragedies, it all happened by coincidence. I was looking at some silly video on the google video thingy that a friend sent me a link to, and then clicked the next one in the lineup that appears on the right. It was quite average, don't even remember what it was about. It however said it's from the website be-dumb.com or something like that. Not thinking much I followed along to that website, to see who the [bleep] has too much time on their hands. Big mistake, never follow suggestions that appear in urls xD The video I'd just seen was the first on the website, so I clicked the next one down. Guess I was bored. Well, that click was the worst choice of the month. A so-fake-[bleep]-gallery page opened and I immediately thought "crap, I'm on ie". Unfortunately it was too late already, as a script written by some genius that's obviously wasting his/her talents on crap was set in motion. MS AntiSpyware, oops, I mean it has now grown to the name 'windows defender' [whatever Bill...], that I usually rely on for day-to-day spyware protection [hey, it is quite good. Far from the best, but does the job most of the time. And isn't annoying.] Eghm... as I was saying, the MSWD [lol] started to go crazy with alerts. While I started to go along the long list it spat out, selecting block on everything I could, a 'shutting down in 20 seconds' box appeared. Quite impressive, considering I'm on W2k3 with all the patches installed. Unfortunately MSWD failed to block anything, and Windows got the message [the defender has fallen, abandon the castle] and shut off. Quite permanently too, I couldn't boot into safe mode, didn't dare to try regular.

Being prepared for such, I fired up the oh-so-precious winterminerals package and disabled the long and very weird list of startup items that seemed to be some of the MS files/services with very heavily overloaded attributes ~ Next a long fight with what seemed like the most endless amount of spyware I'd ever seen began. It didn't take a genius to figure out that a collection of spyware was being d/lded and run on my computer, and also it had a very flashy way of installing itself: after it downloaded it spat out a blue screen without any file/irq error, just a stop code, which I hadn't ever seen before.

The price for not keeping up with innovations in the spyware community was dire, and resulted in many hours of frustration and lost time. The problem there was of course the cursed rootkits, via which the da** thing was operating. It somehow attached itself under services.exe [judging by where the data was sent from, but no process under it seemed off, I even googled most of the dlls from this process or dependent processes, found out nothing >_>] and stayed in touch with what seemed to be half of the world xD After I finally got rid of that, things cooled down enough to remove all the unwanted stuff ~ And it seems I got rid of that neat spyware downloader for good, since the portscanner doesn't report any suspicious activity anymore. Anyhow, I need to give some credit to whoever wrote the da** things, it gave me quite a workout xD
-----------

Concluding, that protocol hijack thing is a leftover from that ingenious mass spyware attack. I can't seem to get rid of it, it keeps on respawning.
MSWD scans clean
SpyBot Scans clean
Ewido scans clean
NAV scans clean [though I only scanned from boot cd, recent version though]
ClamWin scans clean
AVG Anti-Rootkit scans clean.
AdAware scans clean
And some other utilities, nothing seems to catch on ~


Silent Runners looks quite clean as well, but take a look yourself, perhaps I missed something:
"Silent Runners.vbs", revision 48, http://www.silentrunners.org/
Operating System: Windows Server 2003 (interpreted as Windows XP)
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "D:\WIN_2K3\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"DAEMON Tools-1033" = ""D:\Program Files\D-Tools\daemon.exe"  -lang 1033" ["DAEMON'S HOME"]
"RegKillElbyCheck" = ""D:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill" ["Elaborate Bytes AG"]
"RegKillTray" = ""D:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"" ["Elaborate Bytes"]
"NvMediaCenter" = "RUNDLL32.EXE D:\WIN_2K3\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"SunJavaUpdateSched" = "D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"Windows Defender" = ""D:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]
"ClamWin" = ""D:\Program Files\ClamWin\bin\ClamTray.exe" --logon" ["alch"]
"NvCplDaemon" = "RUNDLL32.EXE D:\WIN_2K3\system32\NvCpl.dll,NvStartup" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
				   \InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{16664845-0E00-11D2-8059-000000000000}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "ClickCatcher MSIE handler"
				   \InProcServer32\(Default) = "D:\Program Files\Common Files\ReGet Shared\Catcher.dll" ["ReGet Software"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
				   \InProcServer32\(Default) = "D:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
				   \InProcServer32\(Default) = "D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{4648F940-EFE3-4BAB-9211-3BE45CD5029D}" = "VSSShellExt"
  -> {HKLM...CLSID} = "VSSShellExt Class"
				   \InProcServer32\(Default) = "D:\WIN_2K3\system32\vssui.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {HKLM...CLSID} = "Portable Media Devices"
				   \InProcServer32\(Default) = "D:\WIN_2K3\system32\audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM...CLSID} = "Portable Media Devices Menu"
				   \InProcServer32\(Default) = "D:\WIN_2K3\system32\audiodev.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
				   \InProcServer32\(Default) = "D:\WIN_2K3\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
				   \InProcServer32\(Default) = "D:\WIN_2K3\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
				   \InProcServer32\(Default) = "D:\WIN_2K3\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
				   \InProcServer32\(Default) = "D:\WIN_2K3\system32\nvshell.dll" ["NVIDIA Corporation"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
				   \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook File Icon Extension"
				   \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
				   \InProcServer32\(Default) = "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
				   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
"{19F500E0-9964-11cf-B63D-08002B317C03}" = "Desktop Icon Layout"
  -> {HKLM...CLSID} = "Desktop Icon Layout"
				   \InProcServer32\(Default) = "Layout.dll" ["Microsoft"]
"{fc181130-05a0-11d6-8140-000102e745a6}" = "My P910i"
  -> {HKLM...CLSID} = "My P910i"
				   \InProcServer32\(Default) = "D:\Program Files\Sony Ericsson\Mobile\auexpext.dll" ["Teleca Software Solutions AB"]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "Bluetooth Neighborhood"
  -> {HKLM...CLSID} = "My Bluetooth Places"
				   \InProcServer32\(Default) = "D:\WIN_2K3\system32\btneighborhood.dll" ["WIDCOMM, Inc."]
"{B73A057F-DC1B-4067-9D8E-B69A07A7C368}" = "Microsoft Visual SourceSafe"
  -> {HKLM...CLSID} = "Microsoft Visual SourceSafe"
				   \InProcServer32\(Default) = "D:\Program Files\Microsoft Visual SourceSafe\tdnamespaceextension.dll" [MS]
"{0f0a4d40-adf0-4e8f-98d8-7208b98be01e}" = "ImageShack QuickLoad Image Uploader"
  -> {HKCU...CLSID} = "QuickLoad.QuickLoadContextMenu"
				   \InProcServer32\(Default) = "D:\WIN_2K3\system32\mscoree.DLL" [MS]
"{68f32140-2ca3-11d0-acc1-444553540000}" = "PicaView"
  -> {HKLM...CLSID} = "PicaView Shell Extension"
				   \InProcServer32\(Default) = "D:\PROGRA~1\ACDSYS~1\PicaView\PicaView.dll" ["ACD Systems, Ltd."]
"{6DEA92E9-8682-4b6a-97DE-354772FE5727}" = "Autodesk DWF Preview"
  -> {HKLM...CLSID} = "ACDWFTHMBPRXY"
				   \InProcServer32\(Default) = "D:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll" ["Autodesk"]
"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk Drawing Preview"
  -> {HKLM...CLSID} = "ACTHUMBNAIL"
				   \InProcServer32\(Default) = "D:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk"]
"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "AutoCAD Digital Signatures Icon Overlay Handler"
  -> {HKLM...CLSID} = "AcSignIcon"
				   \InProcServer32\(Default) = "D:\WIN_2K3\system32\AcSignIcon.dll" ["Autodesk"]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
  -> {HKLM...CLSID} = "Shell Search Band"
				   \InProcServer32\(Default) = "D:\WIN_2K3\system32\browseui.dll" [MS]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
  -> {HKLM...CLSID} = "AlcoholShellEx"
				   \InProcServer32\(Default) = "D:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
				   \InProcServer32\(Default) = "D:\WIN_2K3\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
  -> {HKLM...CLSID} = "ShellLink for Application References"
				   \InProcServer32\(Default) = "D:\WIN_2K3\system32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
  -> {HKLM...CLSID} = "Shell Icon Handler for Application References"
				   \InProcServer32\(Default) = "D:\WIN_2K3\system32\dfshim.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
  -> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
				   \InProcServer32\(Default) = "D:\PROGRA~1\WINDOW~4\MpShHook.dll" [MS]
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
  -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
				   \InProcServer32\(Default) = "D:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
				   \InProcServer32\(Default) = "D:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
				   \InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ClamWin\(Default) = "{65713842-C410-4f44-8383-BFE01A398C90}"
  -> {HKLM...CLSID} = (no title provided)
				   \InProcServer32\(Default) = "D:\Program Files\ClamWin\bin\ExpShell.dll" ["alch"]
PicaView\(Default) = "{68f32140-2ca3-11d0-acc1-444553540000}"
  -> {HKLM...CLSID} = "PicaView Shell Extension"
				   \InProcServer32\(Default) = "D:\PROGRA~1\ACDSYS~1\PicaView\PicaView.dll" ["ACD Systems, Ltd."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
				   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
  -> {HKLM...CLSID} = "CContextScan Object"
				   \InProcServer32\(Default) = "D:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
				   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
ClamWin\(Default) = "{65713842-C410-4f44-8383-BFE01A398C90}"
  -> {HKLM...CLSID} = (no title provided)
				   \InProcServer32\(Default) = "D:\Program Files\ClamWin\bin\ExpShell.dll" ["alch"]
IconLayout\(Default) = "{19F500E0-9964-11cf-B63D-08002B317C03}"
  -> {HKLM...CLSID} = "Desktop Icon Layout"
				   \InProcServer32\(Default) = "Layout.dll" ["Microsoft"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
				   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]


Default executables:
--------------------

HKCU\Software\Classes\.scr\(Default) = "AutoCADScriptFile"
INFECTION WARNING! HKCU\Software\Classes\AutoCADScriptFile\shell\open\command\(Default) = ""D:\WIN_2K3\notepad.exe" "%1"" [MS]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "D:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "D:\WIN_2K3\system32\ACDSee.scr" ["ACD Systems"]


Startup items in "Admin" & "All Users" startup folders:
-------------------------------------------------------

D:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Adobe Reader Speed Launch" -> shortcut to: "D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"AutoCAD Startup Accelerator" -> shortcut to: "D:\Program Files\Common Files\Autodesk Shared\acstart16.exe" [null data]


Enabled Scheduled Tasks:
------------------------

"MP Scheduled Scan" -> launches: "D:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
D:\WIN_2K3\system32\dcsws2.dll ["DiamondCS"], 01 - 03
%SystemRoot%\system32\mswsock.dll [MS], 04 - 20


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{95188727-288F-4581-A48D-EAB3BD027314}" = (no title provided)
  -> {HKLM...CLSID} = "Zend Studio"
				   \InProcServer32\(Default) = "D:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL" [empty string]

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{16664849-0E00-11D2-8059-000000000000}\(Default) = "MSIE Spy"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "D:\Program Files\Common Files\ReGet Shared\Catcher.dll" ["ReGet Software"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in"
				   \InProcServer32\(Default) = "D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
				   \InProcServer32\(Default) = "D:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{A26ABCF0-1C8F-46E7-A67C-0489DC21B9CC}\
"ButtonText" = "Zend Studio Toolbar"
"MenuText" = "Zend Studio"

{CCA281CA-C863-46EF-9331-5C8D4460577F}\
"ButtonText" = "@btrez.dll,-4015"
"MenuText" = "@btrez.dll,-4017"
"Script" = "D:\Program Files\MSI\Bluetooth Software\btsendto_ie.htm" [null data]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Application Experience Lookup Service, AeLookupSvc, "D:\WIN_2K3\system32\svchost.exe -k netsvcs" {"D:\WIN_2K3\System32\aelupsvc.dll" [MS]}
Bluetooth Service, btwdins, "D:\Program Files\MSI\Bluetooth Software\bin\btwdins.exe" ["WIDCOMM, Inc."]
NVIDIA Display Driver Service, NVSvc, "D:\WIN_2K3\system32\nvsvc32.exe" ["NVIDIA Corporation"]
StarWind iSCSI Service, StarWindService, "D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]
Windows Defender Service, WinDefend, ""D:\Program Files\Windows Defender\MsMpEng.exe"" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Bluetooth Printer Port\Driver = "bthcrp.dll" ["WIDCOMM, Inc."]
hpzlnt10\Driver = "hpzlnt10.dll" ["HP"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
PDFCreator\Driver = "pdfcmnnt.dll" [null data]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 38 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
  took 16 seconds.
---------- (total run time: 75 seconds)


So yeah, if you got any ideas post them xD

PS
Sry about typos, I’m so tired >_< need to catch up on some sleep ~
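A small triage helper for the O18 lines quoted in the post above, added here as an example; it is not part of the original post or of HijackThis. It parses each O18 entry and checks whether the handler CLSID is even a syntactically valid GUID, which is what separates a damaged registry value (as in this log) from a handler that points at a real COM object; the all-zero GUID line is constructed for contrast.

```python
"""Triage of HijackThis O18 (protocol handler) lines.

Added example, not part of the original post or of HijackThis. It checks
whether each handler CLSID is a syntactically valid GUID; the hijack
entries in the log above fail that check, so no file can be resolved
from them at all.
"""
import re

# Lines copied verbatim from the HijackThis log in the post above, plus
# one constructed line (all-zero placeholder GUID) for the well-formed case.
SAMPLE_O18 = """\
O18 - Protocol hijack: file - FILE>{79PHCNMH-IHW9-H1MG-IT82H00MH0IHW{PHT}
O18 - Protocol hijack: ftp - >IT{PH9NMHBIH9-1HTMG8I82-H0NMH0IHW90H}
O18 - Protocol hijack: http - {7PHANMH5-HW{PH11GE-8{PH-00HAIH4{PH0M}
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: example - {00000000-0000-0000-0000-000000000000} - (no file)
"""

O18_RE = re.compile(
    r"^O18 - Protocol(?P<hijack> hijack)?: (?P<proto>\S+) - (?P<rest>.*)$"
)
# Registry GUID string: {8-4-4-4-12 hex digits}
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)


def classify_clsid(clsid: str) -> str:
    """'ok' for a valid GUID, 'missing' for HJT's '(no CLSID)', else 'malformed'."""
    if clsid == "(no CLSID)":
        return "missing"
    return "ok" if GUID_RE.match(clsid) else "malformed"


def parse_o18(line: str):
    """Parse one O18 line into a dict, or return None for non-O18 lines."""
    m = O18_RE.match(line.strip())
    if not m:
        return None
    # Non-hijack lines read "<CLSID> - <file>"; hijack lines carry only
    # the handler string HijackThis read from the registry.
    clsid, _, path = m.group("rest").partition(" - ")
    return {
        "protocol": m.group("proto"),
        "hijack": m.group("hijack") is not None,
        "clsid": clsid,
        "path": path or None,
        "status": classify_clsid(clsid),
    }


def triage(log_text: str) -> list:
    """Return parsed O18 entries, in log order."""
    entries = []
    for line in log_text.splitlines():
        parsed = parse_o18(line)
        if parsed:
            entries.append(parsed)
    return entries


def needs_attention(entries: list) -> list:
    """Protocols whose handler CLSID is not a GUID at all: the registry
    value itself is damaged, so there is no DLL to look up or scan."""
    return [e["protocol"] for e in entries if e["status"] == "malformed"]


if __name__ == "__main__":
    for e in triage(SAMPLE_O18):
        print(f"{e['protocol']:<8} {e['status']:<9} {e['clsid']}")
```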