Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

No clue what the problem is [RESOLVED]


  • This topic is locked This topic is locked

#1
princessss

princessss

    Member

  • Member
  • PipPip
  • 95 posts
Ok , My virus scanner (etrust and avg) say i have several viruses, when i try to cure or delete them they come back. I tried to go to trend.com but keep being redirected to msn, the same thing happens when i type any known anti virus site into the address bar.

I have tried to get to trend no such luck
I have run lavasoft adaware, however it removes the files and they come right back,i have se professional
tried clean up, still the same
ive run spybot s & d, it finds the same things that adaware did , not to mention adaware itself

ran ewido ........here are the logs

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:24:04 AM, 6/17/2005
+ Report-Checksum: 1E585C7E

+ Date of database: 6/17/2005
+ Version of scan engine: v3.0

+ Duration: 106 min
+ Scanned Files: 93677
+ Speed: 14.69 Files/Second
+ Infected files: 32
+ Removed files: 32
+ Files put in quarantine: 32
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
C:\Documents and Settings\All Users\Documents\ddfa.exe/dcsedsdu.exe -> Backdoor.IRCBot.bq -> Cleaned with backup
C:\Documents and Settings\All Users\Documents\wdss.exe/cdytwaq.exe -> Backdoor.IRCBot.bq -> Cleaned with backup
C:\Documents and Settings\home\Cookies\home@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\home\exbce.dat -> Backdoor.SpyBot -> Cleaned with backup
C:\Documents and Settings\home\sc.exe -> Trojan.LowZones.h -> Cleaned with backup
C:\Documents and Settings\home\sdf999sdf.exe -> Trojan.LowZones.h -> Cleaned with backup
C:\Documents and Settings\home\sdfsdf.exe -> Trojan.LowZones.h -> Cleaned with backup
C:\Documents and Settings\home\ss00df.exe -> Trojan.LowZones.h -> Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug.a -> Cleaned with backup
C:\RECYCLER\S-1-5-21-602162358-484763869-1060284298-1000\Dc783.exe/sosweet.exe -> Backdoor.IRCBot.bq -> Cleaned with backup
C:\RECYCLER\S-1-5-21-602162358-484763869-1060284298-1000\Dc784.exe/cdytwaq.exe -> Backdoor.IRCBot.bq -> Cleaned with backup
C:\WINNT\Downloaded Program Files\CONFLICT.1\HDPlugin1018.dll -> Spyware.Gator.1018 -> Cleaned with backup
C:\WINNT\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll -> Spyware.Gator.1019 -> Cleaned with backup
C:\WINNT\Downloaded Program Files\CONFLICT.1\HDPlugin1101.dll -> Spyware.Gator -> Cleaned with backup
C:\WINNT\Downloaded Program Files\CONFLICT.2\HDPlugin1019.dll -> Spyware.Gator.1019 -> Cleaned with backup
C:\WINNT\Downloaded Program Files\CONFLICT.3\HDPlugin1019.dll -> Spyware.Gator.1019 -> Cleaned with backup
C:\WINNT\Downloaded Program Files\CONFLICT.4\HDPlugin1019.dll -> Spyware.Gator.1019 -> Cleaned with backup
C:\WINNT\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.PornWare.PopCap.b -> Cleaned with backup
C:\WINNT\exbce.dat -> Backdoor.SpyBot -> Cleaned with backup
C:\WINNT\prelimhanse.exe -> Spyware.WebHancer -> Cleaned with backup
C:\WINNT\system32\ddfa.exe/dcsedsdu.exe -> Backdoor.IRCBot.bq -> Cleaned with backup
C:\WINNT\system32\exbce.dat -> Backdoor.SpyBot -> Cleaned with backup
C:\WINNT\system32\exbce.exe -> Backdoor.SpyBot -> Cleaned with backup
C:\WINNT\system32\nsp30.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINNT\system32\nsq35.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINNT\system32\nsq3C.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINNT\system32\regsync.exe -> Spyware.SafeSurfing -> Cleaned with backup
C:\WINNT\system32\sduxi.exe/sosweet.exe -> Backdoor.IRCBot.bq -> Cleaned with backup
C:\WINNT\system32\wdss.exe/cdytwaq.exe -> Backdoor.IRCBot.bq -> Cleaned with backup
C:\WINNT\system32\__delete_on_reboot__commcos2.dll -> Spyware.SafeSurfing -> Cleaned with backup
C:\WINNT\system32\__delete_on_reboot__vbrundll.dll -> Spyware.SafeSurfing -> Cleaned with backup
D:\exbce.exe -> Backdoor.SpyBot -> Cleaned with backup


::Report End

----------------------------------------------------------------

and then i ran hijack this and here is the log files here:

Logfile of HijackThis v1.99.1
Scan saved at 9:10:44 AM, on 6/17/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ctfmon.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\SYSTEM32\tobetwo.exe
C:\WINNT\system32\oxcellent.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\home\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.shaw.ca.../addons/search/
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O1 - Hosts: 213.199.154.54 www.symantec.com
O1 - Hosts: 213.199.154.54 www.sophos.com
O1 - Hosts: 213.199.154.54 www.mcafee.com
O1 - Hosts: 213.199.154.54 www.viruslist.com
O1 - Hosts: 213.199.154.54 www.f-secure.com
O1 - Hosts: 213.199.154.54 www.avp.com
O1 - Hosts: 213.199.154.54 www.kaspersky.com
O1 - Hosts: 213.199.154.54 www.networkassociates.com
O1 - Hosts: 213.199.154.54 www.ca.com
O1 - Hosts: 213.199.154.54 www.my-etrust.com
O1 - Hosts: 213.199.154.54 www.nai.com
O1 - Hosts: 213.199.154.54 www.trendmicro.com
O1 - Hosts: 213.199.154.54 securityresponse.symantec.com
O1 - Hosts: 213.199.154.54 sophos.com
O1 - Hosts: 213.199.154.54 mcafee.com
O1 - Hosts: 213.199.154.54 liveupdate.symantecliveupdate.com
O1 - Hosts: 213.199.154.54 viruslist.com
O1 - Hosts: 213.199.154.54 f-secure.com
O1 - Hosts: 213.199.154.54 kaspersky.com
O1 - Hosts: 213.199.154.54 kaspersky-labs.com
O1 - Hosts: 213.199.154.54 avp.com
O1 - Hosts: 213.199.154.54 networkassociates.com
O1 - Hosts: 213.199.154.54 ca.com
O1 - Hosts: 213.199.154.54 mast.mcafee.com
O1 - Hosts: 213.199.154.54 my-etrust.com
O1 - Hosts: 213.199.154.54 download.mcafee.com
O1 - Hosts: 213.199.154.54 dispatch.mcafee.com
O1 - Hosts: 213.199.154.54 secure.nai.com
O1 - Hosts: 213.199.154.54 nai.com
O1 - Hosts: 213.199.154.54 update.symantec.com
O1 - Hosts: 213.199.154.54 updates.symantec.com
O1 - Hosts: 213.199.154.54 us.mcafee.com
O1 - Hosts: 213.199.154.54 liveupdate.symantec.com
O1 - Hosts: 213.199.154.54 customer.symantec.com
O1 - Hosts: 213.199.154.54 rads.mcafee.com
O1 - Hosts: 213.199.154.54 trendmicro.com
O1 - Hosts: 213.199.154.54 sandbox.norman.no
O1 - Hosts: 213.199.154.54 www.pandasoftware.com
O1 - Hosts: 213.199.154.54 uk.trendmicro-europe.com
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 6\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINNT\system32\vbrundll.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 6\SnagItIEAddin.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Jermaine] C:\WINNT\SYSTEM32\tobetwo.exe
O4 - HKLM\..\Run: [InsideofYou] oxcellent.exe
O4 - HKLM\..\RunServices: [sdux] tiwqacf.exe
O4 - HKLM\..\RunServices: [InsideofYou] oxcellent.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: Yahoo! Bingo - http://download.game...nts/y/xt0_x.cab
O16 - DPF: Yahoo! Pool 2 -
O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://xxxtrayicon.com/xtrayinst.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaud...d/ccpm_0237.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by1fd.bay1.ho...es/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.sho...a/mamma1002.cab
O16 - DPF: {683DFF0F-331F-44D2-B69B-46D7BFB58F32} (VacPro.canada_ver3) - http://www.advnt01.c...canada_ver3.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla...ller/dwnldr.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) -
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.palt....x/regdload.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....12119/CTPID.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: fxSVC (fxScanner) - Unknown owner - C:\WINNT\fxsvc.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe


any help would be greatly appreciated as i am usually very good at getting rid of malware on my pc........until this

I should mention that this had happened to me once before and was tied into a file called msmpatch.exe that was distributed by msn through some clone virus that sent it self out through peoples im that however does not appear...instead i keep getting a skull.exe and a sxybab.exe or whatever it was...and a whole lot more
  • 0

Advertisements


#2
princessss

princessss

    Member

  • Topic Starter
  • Member
  • PipPip
  • 95 posts
should i post my processes ?
  • 0

#3
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Run HiJackThis. Place a check next to the following entries and click FIX CHECKED:

O1 - Hosts: 213.199.154.54 www.symantec.com
O1 - Hosts: 213.199.154.54 www.sophos.com
O1 - Hosts: 213.199.154.54 www.mcafee.com
O1 - Hosts: 213.199.154.54 www.viruslist.com
O1 - Hosts: 213.199.154.54 www.f-secure.com
O1 - Hosts: 213.199.154.54 www.avp.com
O1 - Hosts: 213.199.154.54 www.kaspersky.com
O1 - Hosts: 213.199.154.54 www.networkassociates.com
O1 - Hosts: 213.199.154.54 www.ca.com
O1 - Hosts: 213.199.154.54 www.my-etrust.com
O1 - Hosts: 213.199.154.54 www.nai.com
O1 - Hosts: 213.199.154.54 www.trendmicro.com
O1 - Hosts: 213.199.154.54 securityresponse.symantec.com
O1 - Hosts: 213.199.154.54 sophos.com
O1 - Hosts: 213.199.154.54 mcafee.com
O1 - Hosts: 213.199.154.54 liveupdate.symantecliveupdate.com
O1 - Hosts: 213.199.154.54 viruslist.com
O1 - Hosts: 213.199.154.54 f-secure.com
O1 - Hosts: 213.199.154.54 kaspersky.com
O1 - Hosts: 213.199.154.54 kaspersky-labs.com
O1 - Hosts: 213.199.154.54 avp.com
O1 - Hosts: 213.199.154.54 networkassociates.com
O1 - Hosts: 213.199.154.54 ca.com
O1 - Hosts: 213.199.154.54 mast.mcafee.com
O1 - Hosts: 213.199.154.54 my-etrust.com
O1 - Hosts: 213.199.154.54 download.mcafee.com
O1 - Hosts: 213.199.154.54 dispatch.mcafee.com
O1 - Hosts: 213.199.154.54 secure.nai.com
O1 - Hosts: 213.199.154.54 nai.com
O1 - Hosts: 213.199.154.54 update.symantec.com
O1 - Hosts: 213.199.154.54 updates.symantec.com
O1 - Hosts: 213.199.154.54 us.mcafee.com
O1 - Hosts: 213.199.154.54 liveupdate.symantec.com
O1 - Hosts: 213.199.154.54 customer.symantec.com
O1 - Hosts: 213.199.154.54 rads.mcafee.com
O1 - Hosts: 213.199.154.54 trendmicro.com
O1 - Hosts: 213.199.154.54 sandbox.norman.no
O1 - Hosts: 213.199.154.54 www.pandasoftware.com
O1 - Hosts: 213.199.154.54 uk.trendmicro-europe.com


Close HiJackThis. The above entries are the reason you can not do any online scans.

After those are fixed, reboot your computer, then run both of these virus scans:

TrendMicro's HouseCall - check "Auto Clean"
ActiveScan
*Save the results from ActiveScan.

Post the results from ActiveScan and a new HijackThis log into this topic.
  • 0

#4
princessss

princessss

    Member

  • Topic Starter
  • Member
  • PipPip
  • 95 posts
ok i did what you said......

i checked and fixed the problems in the hijack

then i went to the trendmicro site and got this when i started scanning

error 101 read generic pattern failed

i finished scanning and went to the active scan site

this is the results


Incident Status Location

Virus:W32/Sdbot.gen.worm Disinfected Operating system
Possible Virus. No disinfected C:\WINNT\SYSTEM32\hardrock.exe
Possible Virus. No disinfected C:\WINNT\system32\Saxcas.exe
Adware:Adware/SaveNow No disinfected C:\WINNT\Downloaded Program Files\WUInst.inf
Spyware:Spyware/BargainBuddy No disinfected C:\WINNT\system32\cache32_rtneg?
Adware:Adware/MyWay No disinfected Windows Registry
Adware:Adware/CWS No disinfected C:\Documents and Settings\home\Favorites\Fun & Games
Adware:Adware/FunWeb No disinfected Windows Registry
Adware:Adware/IPInsight No disinfected C:\WINNT\alchem.???
Adware:Adware/Adroar No disinfected C:\WINNT\artmmp.ini
Adware:Adware/WUpd No disinfected Windows Registry
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\home\Application Data\Sskknwrd.dll
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\home\Application Data\Sskuknwrd.dll
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\home\Local Settings\Application Data\IM\Identities\{FD51F97F-041D-44FB-B3B6-C9D2ED65296F}\Message Store\Inbox.imm[~001008.txt]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\home\Local Settings\Application Data\IM\Identities\{FD51F97F-041D-44FB-B3B6-C9D2ED65296F}\Message Store\Inbox.imm[message.scr]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\home\Local Settings\Application Data\IM\Identities\{FD51F97F-041D-44FB-B3B6-C9D2ED65296F}\Message Store\Inbox.imm[id43342.exe]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\home\Local Settings\Application Data\IM\Identities\{FD51F97F-041D-44FB-B3B6-C9D2ED65296F}\Message Store\Inbox.imm[~001267.txt]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\home\Local Settings\Application Data\IM\Identities\{FD51F97F-041D-44FB-B3B6-C9D2ED65296F}\Message Store\Inbox.imm[~001340.txt]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\home\Local Settings\Application Data\IM\Identities\{FD51F97F-041D-44FB-B3B6-C9D2ED65296F}\Message Store\Inbox.imm[~001428.txt]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\home\Local Settings\Application Data\IM\Identities\{FD51F97F-041D-44FB-B3B6-C9D2ED65296F}\Message Store\Inbox.imm[~001526.txt]
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\home\Local Settings\Temporary Internet Files\Ssk.log
Virus:W32/Sdbot.EAJ.worm Disinfected C:\Documents and Settings\home\paewinfile.dat
Virus:W32/Sdbot.DYU.worm Disinfected C:\Documents and Settings\home\pagefilesystem.dat
Adware:Adware/IPInsight No disinfected C:\WINNT\alchem.ini
Adware:Adware/Adroar No disinfected C:\WINNT\artmmp.ini
Adware:Adware/Gator No disinfected C:\WINNT\Downloaded Program Files\CONFLICT.4\HDPlugin1019.inf
Adware:Adware/PopCapLoader No disinfected C:\WINNT\Downloaded Program Files\popcaploader.inf
Adware:Adware/SaveNow No disinfected C:\WINNT\Downloaded Program Files\WUInst.inf
Virus:W32/Sdbot.DYU.worm Disinfected C:\WINNT\pagefilesystem.dat
Possible Virus. No disinfected C:\WINNT\system32\hallo.exe[rockhard.exe]
Possible Virus. No disinfected C:\WINNT\system32\hallo.exe[hardrock.exe]
Possible Virus. No disinfected C:\WINNT\system32\hardrock.exe
Possible Virus. No disinfected C:\WINNT\system32\noidea.exe[tobeone.exe]
Virus:W32/Sdbot.DYU.worm Disinfected C:\WINNT\system32\pagefilesystem.dat
Possible Virus. No disinfected C:\WINNT\system32\rockhard.exe
Possible Virus. No disinfected C:\WINNT\system32\Saxcas.exe
then i did the hijack this again and this is the results

Logfile of HijackThis v1.99.1
Scan saved at 5:03:14 PM, on 6/17/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\SYSTEM32\hardrock.exe
C:\WINNT\system32\Saxcas.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\home\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.shaw.ca.../addons/search/
F3 - REG:win.ini: load=8
F3 - REG:win.ini: run=8
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 6\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINNT\system32\vbrundll.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 6\SnagItIEAddin.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [InsideofYou] oxcellent.exe
O4 - HKLM\..\Run: [wnplayer] wnplayer.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TmNetDriver Monitor] exbce.exe
O4 - HKLM\..\Run: [sgabyqmvawlps] C:\WINNT\system32\fglkficb.exe
O4 - HKLM\..\Run: [sdux] tiwqacf.exe
O4 - HKLM\..\Run: [regsync] C:\WINNT\system32\regsync.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [Microsoft Services] InetDriver.exe
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [gqegqefq] dasdqc.exe
O4 - HKLM\..\Run: [fglkficb] c:\winnt\system32\fglkficb.exe
O4 - HKLM\..\Run: [Ekeniyoha] ssekeniyoha.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [qgqqft] C:\WINNT\SYSTEM32\hardrock.exe
O4 - HKLM\..\Run: [SoilSouth] Saxcas.exe
O4 - HKLM\..\RunServices: [sdux] tiwqacf.exe
O4 - HKLM\..\RunServices: [InsideofYou] oxcellent.exe
O4 - HKLM\..\RunServices: [SoilSouth] Saxcas.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: Yahoo! Bingo - http://download.game...nts/y/xt0_x.cab
O16 - DPF: Yahoo! Pool 2 -
O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://xxxtrayicon.com/xtrayinst.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaud...d/ccpm_0237.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by1fd.bay1.ho...es/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.sho...a/mamma1002.cab
O16 - DPF: {683DFF0F-331F-44D2-B69B-46D7BFB58F32} (VacPro.canada_ver3) - http://www.advnt01.c...canada_ver3.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla...ller/dwnldr.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) -
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.palt....x/regdload.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....12119/CTPID.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: fxSVC (fxScanner) - Unknown owner - C:\WINNT\fxsvc.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe


Thanks for the help so far....hopefully this goes away

the indexing service keeps activating itself too now....
  • 0

#5
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
You have got some serious issues with some nasty, nasty worms.

*Open HijackThis.
*Click on "Open Misc Tools Section"
*Make sure that both boxes beside "Generate StartupList Log" are checked:

List all minor sections(Full)

and

List Empty Sections(Complete)

Click "Generate StartupList Log".
Click "Yes" at the prompt

It will produce a NotePad Page. I need you to copy the entire contents of that page and paste it here.
  • 0

#6
princessss

princessss

    Member

  • Topic Starter
  • Member
  • PipPip
  • 95 posts
as instructed :tazz:



StartupList report, 6/17/2005, 5:32:37 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\home\Desktop\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\SYSTEM32\hardrock.exe
C:\WINNT\system32\Saxcas.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\SYSTEM32\somepn.exe
C:\WINNT\system32\dontyoux.exe
C:\Documents and Settings\home\Desktop\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\home\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\Userinit.exe

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
NvCplDaemon = RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
InsideofYou = oxcellent.exe
wnplayer = wnplayer.exe
WinampAgent = C:\Program Files\Winamp\winampa.exe
TmNetDriver Monitor = exbce.exe
sgabyqmvawlps = C:\WINNT\system32\fglkficb.exe
sdux = tiwqacf.exe
regsync = C:\WINNT\system32\regsync.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
nwiz = nwiz.exe /install
NvMediaCenter = RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
NeroCheck = C:\WINNT\system32\NeroCheck.exe
msnappau = "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
Microsoft Services = InetDriver.exe
Lexmark X6100 Series = "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
gqegqefq = dasdqc.exe
fglkficb = c:\winnt\system32\fglkficb.exe
Ekeniyoha = ssekeniyoha.exe
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
qgqqft = C:\WINNT\SYSTEM32\hardrock.exe
SoilSouth = Saxcas.exe
caxdy = C:\WINNT\SYSTEM32\somepn.exe
Wronglike = dontyoux.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

sdux = tiwqacf.exe
InsideofYou = oxcellent.exe
SoilSouth = Saxcas.exe
Wronglike = dontyoux.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = ctfmon.exe
AIM = C:\Program Files\AIM\aim.exe -cnetwait.odl

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINNT\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINNT\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigOE

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\System32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINNT\system32\Rundll32.exe C:\WINNT\system32\mscories.dll,Install

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINNT\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=8
HKCU\..\Windows NT\CurrentVersion\Windows: run=8
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINNT\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINNT\Explorer\Explorer.exe: not present
C:\WINNT\System\Explorer.exe: not present
C:\WINNT\System32\Explorer.exe: not present
C:\WINNT\Command\Explorer.exe: not present
C:\WINNT\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINNT
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\TechSmith\SnagIt 6\SnagItBHO.dll - {00C6482D-C502-44C8-8409-FCE54AD9C208}
(no name) - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\WINNT\system32\vbrundll.dll (file missing) - {197B8CA4-E215-46DD-8F33-E0544A80E5C4}
(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910}

--------------------------------------------------

Enumerating Task Scheduler jobs:

At1.job

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINNT\Java\classes\dajava.cab
OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

[Yahoo! Bingo]
CODEBASE = http://download.game...nts/y/xt0_x.cab
OSD = C:\WINNT\Downloaded Program Files\Yahoo! Bingo.osd

[Yahoo! Pool 2]
OSD = C:\WINNT\Downloaded Program Files\Yahoo! Pool 2.osd

[{00000000-0000-0000-0000-000020030000}]
CODEBASE = http://xxxtrayicon.com/xtrayinst.exe

[Checkers Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\msgrchkr.dll
CODEBASE = http://messenger.zon...kr.cab31267.cab

[Microsoft Office Template and Media Control]
InProcServer32 = C:\WINNT\Downloaded Program Files\IEAWSDC.DLL
CODEBASE = http://office.micros...tes/ieawsdc.cab

[HouseCall Control]
InProcServer32 = C:\WINNT\DOWNLO~1\xscan60.ocx
CODEBASE = http://housecall-bet...all/xscan60.cab

[Creative Software AutoUpdate]
InProcServer32 = C:\WINNT\DOWNLO~1\CTSUEng.ocx
CODEBASE = http://www.creative....119/CTSUEng.cab

[PCPitstop Utility]
InProcServer32 = C:\WINNT\Downloaded Program Files\PCPitstop.dll
CODEBASE = http://www.pcpitstop...p/PCPitStop.CAB

[MessengerStatsClient Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\MessengerStatsPAClient.dll
CODEBASE = http://messenger.zon...nt.cab31267.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINNT\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macr...director/sw.cab

[ChainCast VMR Client Proxy]
InProcServer32 = C:\WINNT\Downloaded Program Files\ccpm_0237.dll
CODEBASE = http://www.streamaud...d/ccpm_0237.cab

[MSN Photo Upload Tool]
InProcServer32 = C:\WINNT\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://by1fd.bay1.ho...es/MsnPUpld.cab

[RdxIE Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\RdxIE.dll
CODEBASE = http://software-dl.r...ip/RdxIE601.cab

[{5F3B3060-09E0-44C6-86F7-BC7B02B57BEE}]
CODEBASE = http://downloads.sho...a/mamma1002.cab

[VacPro.canada_ver3]
InProcServer32 = blank
CODEBASE = http://www.advnt01.c...canada_ver3.CAB

[HouseCall Control]
InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai...all/xscan53.cab

[AvxScanOnline Control]
InProcServer32 = C:\WINNT\AvxOScan\BITDEF~1.OCX
CODEBASE = http://www.bitdefend...bitdefender.cab

[Java Plug-in 1.4.2_04]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zon...nt.cab31267.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoft.../as5/asinst.cab

[Update Class]
InProcServer32 = C:\WINNT\system32\iuctl.dll
CODEBASE = http://v4.windowsupd...38120.739224537

[MsnMessengerSetupDownloadControl Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
CODEBASE = http://messenger.msn...pDownloader.cab

[ZoneIntro Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\ZIntro.ocx
CODEBASE = http://messenger.zon...ro.cab32846.cab

[{B9191F79-5613-4C76-AA2A-398534BB8999}]

[Downloader Class]
InProcServer32 = C:\WINNT\DOWNLO~1\dwnldr.dll
CODEBASE = http://www.stopzilla...ller/dwnldr.cab

[Java Plug-in 1.4.2_04]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Live365Player Class]
InProcServer32 = C:\WINNT\DOWNLO~1\Play365.dll
CODEBASE = http://www.live365.c...ers/play365.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

[iTunesDetector Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\ITDetector.ocx
CODEBASE = http://ax.phobos.app.../ITDetector.cab

[PopCapLoader Object]
InProcServer32 = C:\WINNT\Downloaded Program Files\popcaploader.dll

[IMDownloader Class]
CODEBASE = http://www2.incredim...er/imloader.cab

[CRegistryDownload Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\RegDload.dll
CODEBASE = http://download.palt....x/regdload.cab

[Creative Software AutoUpdate Support Package]
InProcServer32 = C:\WINNT\DOWNLO~1\CTPID.ocx
CODEBASE = http://www.creative....12119/CTPID.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINNT\System32\rnr20.dll
NameSpace #2: C:\WINNT\System32\winrnr.dll
Protocol #1: C:\WINNT\system32\msafd.dll
Protocol #2: C:\WINNT\system32\msafd.dll
Protocol #3: C:\WINNT\system32\msafd.dll
Protocol #4: C:\WINNT\system32\rsvpsp.dll
Protocol #5: C:\WINNT\system32\rsvpsp.dll
Protocol #6: C:\WINNT\system32\msafd.dll
Protocol #7: C:\WINNT\system32\msafd.dll
Protocol #8: C:\WINNT\system32\msafd.dll
Protocol #9: C:\WINNT\system32\msafd.dll
Protocol #10: C:\WINNT\system32\msafd.dll
Protocol #11: C:\WINNT\system32\msafd.dll
Protocol #12: C:\WINNT\system32\msafd.dll
Protocol #13: C:\WINNT\system32\msafd.dll
Protocol #14: C:\WINNT\system32\msafd.dll
Protocol #15: C:\WINNT\system32\msafd.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Alerter: %SystemRoot%\System32\services.exe (manual start)
Application Management: %SystemRoot%\system32\services.exe (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (autostart)
AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
AVG7 Resident Driver NT: \SystemRoot\System32\Drivers\avg7rsnt.sys (system)
AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k BITSgroup (manual start)
Computer Browser: %SystemRoot%\System32\services.exe (autostart)
Closed Caption Decoder: system32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (autostart)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
Coach Digital Camera on USB: system32\DRIVERS\CoachUsb.sys (manual start)
Coach Video Capture: system32\DRIVERS\CoachVc.sys (manual start)
Video Blaster WebCam 3/WebCam Plus (WDM): system32\DRIVERS\webc3vid.sys (manual start)
DHCP Client: %SystemRoot%\System32\services.exe (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\DRIVERS\dmio.sys (system)
Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart)
Microsoft DirectMusic SW Synth (WDM): system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\services.exe (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (manual start)
ewido security suite control: C:\Program Files\ewido\security suite\ewidoctrl.exe (autostart)
ewido security suite driver: \??\C:\Program Files\ewido\security suite\guard.sys (system)
ewido security suite guard: C:\Program Files\ewido\security suite\ewidoguard.exe (autostart)
Fax Service: %systemroot%\system32\faxsvc.exe (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
fxSVC: C:\WINNT\fxsvc.exe (autostart)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
HID Input Service: %SystemRoot%\system32\hidserv.exe (autostart)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (autostart)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (manual start)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: system32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\services.exe (autostart)
Workstation: %SystemRoot%\System32\services.exe (autostart)
LexBce Server: C:\WINNT\system32\LEXBCES.EXE (autostart)
TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart)
Macromedia Licensing Service: "C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe" (manual start)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
Messenger: %SystemRoot%\System32\services.exe (autostart)
NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
BDA MPE Filter: system32\DRIVERS\MPE.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINNT\System32\msdtc.exe (manual start)
Windows Installer: C:\WINNT\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)
Network Everywhere Fast Ethernet Adapter(NC100 v2): System32\DRIVERS\NC100A.sys (manual start)
Microsoft TV/Video Connection: system32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: system32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
Novell/Eagle NE2000 Adapter Driver: System32\DRIVERS\ne2000.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
CATC USB/Ethernet Link II device driver: system32\DRIVERS\netmate2.sys (manual start)
NetworkX: \SystemRoot\system32\ckldrv.sys (system)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
nv: system32\DRIVERS\nv4_mini.sys (manual start)
nv4: System32\DRIVERS\nv4.sys (manual start)
NVIDIA Display Driver Service: %SystemRoot%\system32\nvsvc32.exe (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Parallel class driver: System32\DRIVERS\parallel.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (system)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Protected Storage: %SystemRoot%\system32\services.exe (autostart)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: system32\DRIVERS\PxHelp20.sys (system)
RapFile: \??\C:\WINNT\system32\drivers\RapFile.sys (system)
RapNet: \??\C:\WINNT\system32\drivers\RapNet.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Microsoft Streaming Network Raw Channel Access: system32\drivers\RCA.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry Service: %SystemRoot%\system32\regsvc.exe (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe -s (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart)
RunAs Service: %SystemRoot%\system32\services.exe (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Sharing: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
Still Image Service: %systemroot%\system32\stisvc.exe (autostart)
BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
Microsoft System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Telnet: %SystemRoot%\system32\tlntsvr.exe (manual start)
Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (autostart)
Microsoft USB Universal Host Controller Driver: System32\DRIVERS\uhcd.sys (manual start)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Utility Manager: %SystemRoot%\System32\UtilMan.exe (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
VIA AC'97 Audio Controller (WDM): system32\drivers\viaudio.sys (manual start)
Windows Time: %SystemRoot%\System32\services.exe (manual start)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\system32\Services.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (autostart)
World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k wugroup (autostart)
Wireless Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
SysTray: stobject.dll
WebCheck: C:\WINNT\System32\webcheck.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 34,849 bytes
Report generated in 1.923 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
  • 0

#7
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
You definitely need to run another online scan.

Go here:

Kaspersky Web Scanner

Fill in the info, then click OK. Follow the instructions on the page to download the ActiveX control and run the scanner. When it's done it will list infected files, you need to delete ALL files that it finds. This scan will take a while to run particularly if you are on dial-up.
  • 0

#8
princessss

princessss

    Member

  • Topic Starter
  • Member
  • PipPip
  • 95 posts
it keeps telling me that the webscanner is damaged to restart and it does it every time i restart
  • 0

#9
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
I should have figured some malware would mess it up :tazz:

Please go here:

http://vil.nai.com/vil/stinger/

Download s-t-i-n-g-e-r.exe and follow the instructions on the page. Let me know if the removal tool finds anything.
  • 0

#10
princessss

princessss

    Member

  • Topic Starter
  • Member
  • PipPip
  • 95 posts
i cant seem to post the file by cut and paste so will do it by upload i hope this is ok


had to go into safe mode to do this as well

will be on trend while im waiting for reply

trying the scan again
  • 0

Advertisements


#11
princessss

princessss

    Member

  • Topic Starter
  • Member
  • PipPip
  • 95 posts
ok that doesnt work and cutting and pasting a file that large doesnt work so heres the tail end.......


C:\_arm_errors.log

Number of clean files: 134983

Number of infected files: 2

Number of files deleted: 2
  • 0

#12
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
It's been 3 days since your last HiJackThis log so I need you to post a new HiJackThis log for me please. I have no doubt that new stuff has shown up. :tazz:
  • 0

#13
princessss

princessss

    Member

  • Topic Starter
  • Member
  • PipPip
  • 95 posts
Logfile of HijackThis v1.99.1
Scan saved at 8:48:35 AM, on 6/21/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Grisoft\AVG Free\avgwb.dat
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\home\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.shaw.ca.../addons/search/
F3 - REG:win.ini: load=8
F3 - REG:win.ini: run=8
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 6\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINNT\system32\vbrundll.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 6\SnagItIEAddin.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [regsync] C:\WINNT\system32\regsync.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Microsoft Services] InetDriver.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Spoolsrv Service] spoolmsv.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\system32\msconfig.exe /auto
O4 - HKLM\..\RunServices: [sdux] tiwqacf.exe
O4 - HKLM\..\RunServices: [InsideofYou] oxcellent.exe
O4 - HKLM\..\RunServices: [SoilSouth] Saxcas.exe
O4 - HKLM\..\RunServices: [Wronglike] dontyoux.exe
O4 - HKLM\..\RunServices: [Windows Spoolsrv Service] spoolmsv.exe
O4 - HKLM\..\RunServices: [TmNetDriver Monitor] exbce.exe
O4 - HKLM\..\RunServices: [GSeries] boulze.exe
O4 - HKLM\..\RunOnce: [Windows Spoolvvv Service] spoolvvv.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: Yahoo! Bingo - http://download.game...nts/y/xt0_x.cab
O16 - DPF: Yahoo! Pool 2 -
O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://xxxtrayicon.com/xtrayinst.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaud...d/ccpm_0237.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by1fd.bay1.ho...es/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.sho...a/mamma1002.cab
O16 - DPF: {683DFF0F-331F-44D2-B69B-46D7BFB58F32} (VacPro.canada_ver3) - http://www.advnt01.c...canada_ver3.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla...ller/dwnldr.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) -
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.palt....x/regdload.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....12119/CTPID.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: fxSVC (fxScanner) - Unknown owner - C:\WINNT\fxsvc.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Smart Card Helper (SCardDrv) - Unknown owner - C:\WINNT\system32\scardsvr32.exe (file missing)
  • 0

#14
princessss

princessss

    Member

  • Topic Starter
  • Member
  • PipPip
  • 95 posts
result of trendmicro scan

Results:
We have detected 12 infected file(s) with 12 virus(es) on your computer. Only 0 out of 0 infected files are displayed.
Detected File Associated Virus Name
C:\WINNT\system32\boulze.exe Possible_Virus
C:\WINNT\system32\dontyoux.exe Possible_Virus
C:\WINNT\system32\exbce.dat WORM_RANDEX.AX
C:\WINNT\system32\exbce.exe WORM_RANDEX.AX
C:\WINNT\system32\ludal.exe Possible_Virus
C:\WINNT\system32\msprotecting.exe WORM_RBOT.GEN
C:\WINNT\system32\oxcellent.exe Possible_Virus
C:\WINNT\system32\rockhard.exe Possible_Virus
C:\WINNT\system32\Saxcas.exe Possible_Virus
C:\WINNT\system32\somecent.exe Possible_Virus
C:\WINNT\system32\tobeone.exe Possible_Virus
D:\exbce.exe WORM_RANDEX.AX

What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 1 Trojan horse program(s) and worm(s) on your computer. Only 0 out of 0 Trojan horse programs and worms are displayed.
Trojan/Worm Name Trojan/Worm Type
WORM_RBOT.ZC Worm


Virus Scan 0 virus cleaned, 11 viruses deleted


Results:
We have detected 12 infected file(s) with 12 virus(es) on your computer. Only 0 out of 0 infected files are displayed: - 0 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 11 virus(es) deleted, 0 virus(es) undeletable
- 1 virus(es) not found, 0 virus(es) unaccessible
Detected File Associated Virus Name Action Taken




Trojan/Worm Check 1 worm/Trojan horse deleted
Virus Scan 0 virus cleaned, 11 viruses deleted

--------------------------------------

result of avg scan

Results:
We have detected 12 infected file(s) with 12 virus(es) on your computer. Only 0 out of 0 infected files are displayed.
Detected File Associated Virus Name
C:\WINNT\system32\boulze.exe Possible_Virus
C:\WINNT\system32\dontyoux.exe Possible_Virus
C:\WINNT\system32\exbce.dat WORM_RANDEX.AX
C:\WINNT\system32\exbce.exe WORM_RANDEX.AX
C:\WINNT\system32\ludal.exe Possible_Virus
C:\WINNT\system32\msprotecting.exe WORM_RBOT.GEN
C:\WINNT\system32\oxcellent.exe Possible_Virus
C:\WINNT\system32\rockhard.exe Possible_Virus
C:\WINNT\system32\Saxcas.exe Possible_Virus
C:\WINNT\system32\somecent.exe Possible_Virus
C:\WINNT\system32\tobeone.exe Possible_Virus
D:\exbce.exe WORM_RANDEX.AX

What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 1 Trojan horse program(s) and worm(s) on your computer. Only 0 out of 0 Trojan horse programs and worms are displayed.
Trojan/Worm Name Trojan/Worm Type
WORM_RBOT.ZC Worm


Virus Scan 0 virus cleaned, 11 viruses deleted


Results:
We have detected 12 infected file(s) with 12 virus(es) on your computer. Only 0 out of 0 infected files are displayed: - 0 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 11 virus(es) deleted, 0 virus(es) undeletable
- 1 virus(es) not found, 0 virus(es) unaccessible
Detected File Associated Virus Name Action Taken




Trojan/Worm Check 1 worm/Trojan horse deleted
Virus Scan 0 virus cleaned, 11 viruses deleted
  • 0

#15
princessss

princessss

    Member

  • Topic Starter
  • Member
  • PipPip
  • 95 posts
I guess that almost everything is infected so burning the software and all my business stuff to disc would be idiocy at this point?

I am panic'd if I lose this pc I lose a lot.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP