"Silent Runners.vbs", revision 34,
http://www.silentrunners.org/Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"vptray" = "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" ["Symantec Corporation"]
"WinVNC" = ""C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper" ["RealVNC Ltd."]
"SO5 Integrator Pass Two" = "C:\WINNT\SOINTGR.EXE" [null data]
"KavSvc" = "C:\WINNT\system32\rprlna.exe" [null data]
HKLM\Software\Microsoft\Active Setup\Installed Components\
4911568c-8b89-464b-ba0f-c9a98d4150a3\(Default) = (no title provided)
\StubPath = "C:\WINNT\system32\cncqoxd.exe" [null data]
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express Access"
\StubPath = ""C:\WINNT\system32\shmgrate.exe" OCInstallUserConfigOE" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{0AA29C7D-2CCF-4838-B777-EAA058F34ADF}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\recss.dll" [null data]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! NavLogon\DLLName = "C:\WINNT\system32\NavLogon.dll" [null data]
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINNT\system32\ssbezier.scr" [MS]
Enabled Wallpaper and Active Desktop:
-------------------------------------
Active Desktop is enabled.
Startup items in "lopezs" & "All Users" startup folders:
--------------------------------------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"dkdc.exe" [null data]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
HOSTS file
----------
C:\WINNT\system32\Drivers\Etc\HOSTS
maps: 3 domain names to IP addresses,
2 of the IP addresses are *not* localhost!
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
DefWatch, DefWatch, "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe" ["Symantec Corporation"]
Symantec AntiVirus Client, Norton AntiVirus Server, "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe" ["Symantec Corporation"]
Time Service, TimeServ, "C:\WINNT\system32\timeserv.exe" [MS]
VNC Server, winvnc, ""C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service" ["RealVNC Ltd."]
----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
-----------------------------------------------------------------------------------------------
this is the other log.
Logfile of HijackThis v1.99.1
Scan saved at 11:14:29 PM, on 4/11/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\SOINTGR.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\rprlna.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.pcfcorp.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.pcfcorp.com/O1 - Hosts: 170.149.191.196 CTIPrimary
O1 - Hosts: 170.149.191.197 CTISecondary
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINNT\SOINTGR.EXE
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rprlna.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.pcfcorp.com/
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) -
http://files.ea.com/...h/v2/EARTPX.cabO16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai...all/xscan53.cabO16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
http://www.pandasoft.../as5/asinst.cabO16 - DPF: {BE21E3AA-5EC1-413A-B7D2-58FCF75F1EFB} (MSSR210Ctrl Class) -
http://pcf-op-file-0...der/MSSR210.OCXO17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C862CDC-F9AB-43A2-B138-C4CE5499C1B6}: Domain = pcf.nytimes.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pcf.nytimes.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)