Can't shake these Trojans [RESOLVED]
Started by joshcohn20, Jul 10 2005 05:03 PM
#16
Posted 18 July 2005 - 07:48 PM
Mcafee is still detecting C:\WINDOWS\SYSTEM32\RDSNDIN.EXE everytime it starts up.
#17
Posted 19 July 2005 - 04:11 PM
Hmm... This is most puzzling, unless the system is actually hacked!
Do this for me please
Update Ewido and MWAV!
Have Remv3 ready for Safe Mode use!
Delete the old WinPfind and Download the new one from here
http://www.bleepingc...es/winpfind.php
Go into Safe Mode!
Scan with Remv3 first!
Scan with WinPFind next!
Scan with MWAV next!
Scan with Ewido Last!
Save all the Reports!
While in Safe Mode!
Look on the System for these files please!
C:\WINDOWS\SYSTEM32\drv2cltr.dll
C:\WINDOWS\SYSTEM32\RDSNDIN.EXE
C:\WINDOWS\system32\cisvvc.exe
C:\WINDOWS\system32\csmgf.exe
C:\WINDOWS\system32\hybsys32.dll
C:\WINDOWS\system32\loadctr.exe
C:\WINDOWS\system32\gpsresl32.exe
When you post back, please give me as much information as you can!
I don't care if you think it's insignificant, just give me as much info about what you find, what else the system is doing, and whether McAfee is flagging anything else!
Post the results of all 4 scans and I will ask for some extra eyes on this one!
Edited by Cretemonster, 19 July 2005 - 04:34 PM.
#18
Posted 20 July 2005 - 12:35 PM
Remv3:
The batch is run from -- C:\Documents and Settings\Joshua Cohn\Desktop\remv3
Files Found.................
----------------------------------------
Files Not deleted.................
----------------------------------------
Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------
Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
Volume in drive C has no label.
Volume Serial Number is 34EE-EBDB
Directory of C:\WINDOWS\SYSTEM32
msi.dll
Finished
Winpfind:
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.
If you see a message in the titlebar saying "not responding" you can ignore it. Windows is throwing this message up even though the program is still running. As long as the hard disk is working then the program is running.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
Checking %System% folder...
PEC2 8/29/2002 7:00:00 AM 41397 C:\WINDOWS\system32\DFRG.MSC
PEC2 2/14/1997 10:24:14 PM 197171 C:\WINDOWS\system32\Dwapilib.tlb
PECompact2 7/6/2005 10:21:30 PM 1366872 C:\WINDOWS\system32\MRT.exe
aspack 7/6/2005 10:21:30 PM 1366872 C:\WINDOWS\system32\MRT.exe
aspack 8/4/2004 3:56:36 AM 708096 C:\WINDOWS\system32\ntdll.dll
Umonitor 8/4/2004 3:56:44 AM 657920 C:\WINDOWS\system32\rasdlg.dll
winsync 8/29/2002 7:00:00 AM 1309184 C:\WINDOWS\system32\WBDBASE.DEU
Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 1:41:38 AM 1309184 C:\WINDOWS\system32\drivers\mtlstrm.sys
Checking the Windows folder for system and hidden files within the last 60 days...
7/7/2005 5:14:52 PM 0 oem33.inf
7/7/2005 5:17:24 PM 0 oem34.inf
7/9/2005 4:19:44 PM 286777 package_16.cab
7/17/2005 7:21:38 PM 5 AuxDrv32b_d.oxc
7/20/2005 11:42:02 AM 8192 DEFAULT.LOG
7/20/2005 11:42:26 AM 1024 SAM.LOG
7/20/2005 11:42:16 AM 16384 SECURITY.LOG
7/20/2005 11:42:28 AM 114688 SOFTWARE.LOG
7/20/2005 11:42:22 AM 884736 SYSTEM.LOG
7/14/2005 9:22:42 AM 1024 NTUSER.DAT.LOG
5/21/2005 9:14:10 PM 388 391ec4df-8d44-4633-ba0d-ba38caf0eb93
5/21/2005 9:14:10 PM 24 Preferred
7/20/2005 11:41:24 AM 6 SA.DAT
»»»»»»»»»»»»»»»»»»»»»»»» Checking Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
1/13/2005 2:13:04 AM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
2/1/2004 10:45:44 PM 831 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
2/1/2004 10:47:56 PM 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
Checking files in %ALLUSERSPROFILE%\Application Data folder...
Checking files in %USERPROFILE%\Startup folder...
Checking files in %USERPROFILE%\Application Data folder...
1/13/2005 2:10:16 AM 1214 C:\Documents and Settings\Joshua Cohn\Application Data\AdobeDLM.log
1/13/2005 2:10:16 AM 0 C:\Documents and Settings\Joshua Cohn\Application Data\dm.ini
7/11/2005 4:51:00 PM 60160 C:\Documents and Settings\Joshua Cohn\Application Data\GDIPFONTCACHEV1.DAT
12/22/2004 10:43:14 PM 4713 C:\Documents and Settings\Joshua Cohn\Application Data\wo.tmp
»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\SV1
SV1 =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\StuffIt Compress Menu
=
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\StuffIt Compress Menu
=
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IgfxTray C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds C:\WINDOWS\System32\hkcmd.exe
BCMSMMSG BCMSMMSG.exe
SynTPLpr C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
Dell QuickSet C:\Program Files\Dell\QuickSet\quickset.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
VSOCheckTask "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
MCAgentExe c:\PROGRA~1\mcafee.com\agent\mcagent.exe
MCUpdateExe C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
mmtask c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
MMTray C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
VirusScan Online "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
Microsoft Works Update Detection C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
Microsoft Works Update Detection C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
IMAIL
MAPI
MSFS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
DellSupport "C:\Program Files\Dell Support\DSAgnt.exe" /startup
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
E6TaskPanel "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F}
= C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{0DF44EAA-FF21-4412-828E-260A8728E7F1}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoBandCustomize 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit C:\WINDOWS\system32\userinit.exe,
Shell Explorer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder
{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn
{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apitrap.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cleanup.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divxdec.ax
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DJSMAR00.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRMINST.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncodeDivXExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncryptPatchVer.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fullsoft.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GBROWSER.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmarq.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmm.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ishscan.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ISSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\javai.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm_g.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\main123w.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msci_uno.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscoree.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvr.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorwks.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mso.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVOPTRF.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NeVideoFX.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPMLIC.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NSWSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PMSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppw32hlp.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Salwrap.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcore_ebook.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFDTCTT8.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udtapi.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ums.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vb40032.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbe6.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xlmlEN.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.0.0.15 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Mwav:
File C:\Documents and Settings\Joshua Cohn\Desktop\Nailfix\Process.exe tagged as not-a-virus:Tool.Win32.Processor.20. No Action Taken.
File C:\Documents and Settings\Joshua Cohn\Desktop\Nailfix.zip tagged as not-a-virus:Tool.Win32.Processor.20. No Action Taken.
File C:\Program Files\America Online 9.0\Jiti\Jiti_mm.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP257\A0032673.dll infected by "Trojan-PSW.Win32.Agent.am" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP257\A0032674.dll infected by "Trojan-PSW.Win32.Agent.am" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP257\A0032746.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP261\A0032913.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP261\A0033912.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP262\A0033932.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP262\A0033942.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP263\A0034008.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP263\A0034017.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP263\A0034021.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP263\A0035021.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP264\A0035037.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP264\A0035052.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP264\A0035061.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP264\A0035069.exe tagged as not-a-virus:AdWare.Msnagent.b. No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0035077.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0035081.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0035089.exe tagged as not-a-virus:AdWare.Msnagent.b. No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0035164.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0035168.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0035178.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0035180.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0035184.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0036184.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0036189.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0036199.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0036203.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0036213.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
Ewido:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 2:20:57 PM, 7/20/2005
+ Report-Checksum: F04434
+ Scan result:
C:\Documents and Settings\Joshua Cohn\Cookies\joshua cohn@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Joshua Cohn\Cookies\joshua [email protected][1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Joshua Cohn\Cookies\joshua cohn@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Joshua Cohn\Cookies\joshua cohn@centrport[2].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Joshua Cohn\Cookies\joshua [email protected][2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Joshua Cohn\Cookies\joshua cohn@overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Joshua Cohn\Cookies\joshua cohn@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Joshua Cohn\Cookies\joshua cohn@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Joshua Cohn\Cookies\joshua cohn@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Joshua Cohn\Cookies\joshua [email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP264\A0035069.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0035089.exe -> Spyware.Msnagent : Cleaned with backup
::Report End
I found and deleted C:\WINDOWS\system32\gpsresl32.exe in a search after all scans were run.
In addition, in the past few days, my system is having a difficult time booting up. It becomes unresponsive and I'm forced to restart my computer.
It does not appear as though my MS Word files are infected, and that's really all that I need on this computer. If I back those up, would you recommend reinstalling Windows to get rid of these Trojans, because they seem to be completely unshakeable?
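As an added triage aid (my own code, not the thread's and not WinPFind's), here is a small parser for the "Registry Entries Found" section of a WinPFind log like the one posted above. It pulls out the autostart entries and flags any that launch a file from the list Cretemonster asked about, or a Run-key entry that names a bare file with no directory. It assumes the line layout seen in the posted log, and the embedded SAMPLE includes one invented HKCU Run line (marked in a comment) so the positive case is exercised.

```python
"""Triage a WinPFind-style 'Registry Entries Found' listing.

Added example for this thread, not code from the thread, WinPFind or any other
tool named in it. Assumed layout (from the posted log): a line starting with
HKEY_ opens a key; each following line is one value, 'name data' or 'name = data'.
"""
import re

# File names the helper asked the poster to look for (from the thread).
SUSPECT_FILES = {
    "drv2cltr.dll", "rdsndin.exe", "cisvvc.exe", "csmgf.exe",
    "hybsys32.dll", "loadctr.exe", "gpsresl32.exe",
}
# Keys whose values launch programs at logon (compared lower-cased).
RUN_KEYS = (r"\currentversion\run", r"\currentversion\runonce",
            r"\currentversion\runonceex")
# Keys in the listing that launch or load code at boot or logon.
AUTOSTART_MARKERS = RUN_KEYS + (r"\winlogon", r"\shellserviceobjectdelayload",
                                r"\currentversion\windows")
# Where a path-like value starts: a quote, a drive letter, %VAR% or a backslash.
_PATH_START = re.compile(r'(?:^|\s)(?=["%\\]|[A-Za-z]:\\)')
# Program file name at the end of a path (not followed by more path).
_EXE_NAME = re.compile(r'[^\\/"]+\.(?:exe|dll|sys|ocx|ax|scr)(?=[\s",]|$)',
                       re.IGNORECASE)

def split_entry(line):
    """Split one value line into (name, data)."""
    if "=" in line:                       # '{GUID} = path', '= x.dll', 'SV1 ='
        name, _, data = line.partition("=")
        return name.strip(), data.strip()
    m = _PATH_START.search(line)          # 'name C:\path\prog.exe args'
    if m:
        return line[:m.start()].strip(), line[m.end():].strip()
    parts = line.rsplit(None, 1)          # 'name prog.exe' or a lone name
    return (parts[0], parts[1]) if len(parts) == 2 else (parts[0], "")

def parse_registry_section(text):
    """Return {key: [(name, data), ...]} for the registry part of a log."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("»"):   # blank line or section banner
            continue
        if line.startswith("HKEY_"):
            key = line
            entries.setdefault(key, [])
        elif key is not None:
            entries[key].append(split_entry(line))
    return entries

def exe_basename(data):
    """Lower-cased program file name referenced by a value, or ''."""
    m = _EXE_NAME.search(data)
    return m.group(0).lower() if m else ""

def is_bare(data):
    """True when the program is given without any directory, so it is found
    through the search path rather than at a known location."""
    d = data.lstrip('"')
    return not (d.startswith(("%", "\\")) or re.match(r"[A-Za-z]:\\", d))

def triage(entries):
    """Return (key, name, data, reason) tuples that deserve a closer look:
    a program named in the thread, or a bare file name in a Run key."""
    findings = []
    for key, values in entries.items():
        k = key.lower()
        if not any(marker in k for marker in AUTOSTART_MARKERS):
            continue
        for name, data in values:
            base = exe_basename(data)
            if base in SUSPECT_FILES:
                findings.append((key, name, data, "file named in the thread"))
            elif base and k.endswith(RUN_KEYS) and is_bare(data):
                findings.append((key, name, data, "bare file name, no directory"))
    return findings

# Constructed excerpt in the posted log's format. The 'Sound Driver' line under
# HKCU\...\Run is invented for the demonstration; it is not in the posted log.
SAMPLE = r"""
»»»»»»»» Registry Entries Found »»»»»»»»
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IgfxTray C:\WINDOWS\System32\igfxtray.exe
BCMSMMSG BCMSMMSG.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
Sound Driver C:\WINDOWS\SYSTEM32\RDSNDIN.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell Explorer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
"""

if __name__ == "__main__":
    for key, name, data, reason in triage(parse_registry_section(SAMPLE)):
        print(f"{reason}: [{key}] {name!r} -> {data}")
```

A bare-name hit such as BCMSMMSG.exe is not a verdict, only a prompt to confirm which file on the search path actually runs; the Winlogon Notify DLLs are given bare by design and are deliberately not flagged.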
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
IMAIL
MAPI
MSFS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
DellSupport "C:\Program Files\Dell Support\DSAgnt.exe" /startup
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
E6TaskPanel "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F}
= C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{0DF44EAA-FF21-4412-828E-260A8728E7F1}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoBandCustomize 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit C:\WINDOWS\system32\userinit.exe,
Shell Explorer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder
{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn
{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apitrap.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cleanup.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divxdec.ax
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DJSMAR00.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRMINST.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncodeDivXExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncryptPatchVer.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fullsoft.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GBROWSER.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmarq.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmm.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ishscan.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ISSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\javai.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm_g.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\main123w.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msci_uno.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscoree.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvr.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorwks.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mso.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVOPTRF.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NeVideoFX.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPMLIC.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NSWSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PMSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppw32hlp.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Salwrap.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcore_ebook.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFDTCTT8.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udtapi.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ums.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vb40032.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbe6.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xlmlEN.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.0.0.15 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Mwav:
File C:\Documents and Settings\Joshua Cohn\Desktop\Nailfix\Process.exe tagged as not-a-virus:Tool.Win32.Processor.20. No Action Taken.
File C:\Documents and Settings\Joshua Cohn\Desktop\Nailfix.zip tagged as not-a-virus:Tool.Win32.Processor.20. No Action Taken.
File C:\Program Files\America Online 9.0\Jiti\Jiti_mm.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP257\A0032673.dll infected by "Trojan-PSW.Win32.Agent.am" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP257\A0032674.dll infected by "Trojan-PSW.Win32.Agent.am" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP257\A0032746.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP261\A0032913.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP261\A0033912.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP262\A0033932.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP262\A0033942.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP263\A0034008.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP263\A0034017.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP263\A0034021.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP263\A0035021.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP264\A0035037.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP264\A0035052.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP264\A0035061.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP264\A0035069.exe tagged as not-a-virus:AdWare.Msnagent.b. No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0035077.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0035081.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0035089.exe tagged as not-a-virus:AdWare.Msnagent.b. No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0035164.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0035168.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0035178.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0035180.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0035184.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0036184.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0036189.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0036199.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0036203.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0036213.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
Ewido:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 2:20:57 PM, 7/20/2005
+ Report-Checksum: F04434
+ Scan result:
C:\Documents and Settings\Joshua Cohn\Cookies\joshua cohn@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Joshua Cohn\Cookies\joshua [email protected][1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Joshua Cohn\Cookies\joshua cohn@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Joshua Cohn\Cookies\joshua cohn@centrport[2].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Joshua Cohn\Cookies\joshua [email protected][2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Joshua Cohn\Cookies\joshua cohn@overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Joshua Cohn\Cookies\joshua cohn@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Joshua Cohn\Cookies\joshua cohn@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Joshua Cohn\Cookies\joshua cohn@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Joshua Cohn\Cookies\joshua [email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP264\A0035069.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0035089.exe -> Spyware.Msnagent : Cleaned with backup
::Report End
I found and deleted C:\WINDOWS\system32\gpsresl32.exe in a search after all scans were run.
In addition, in the past few days, my system is having a difficult time booting up. It becomes unresponsive and I'm forced to restart my computer.
It does not appear as though my MS Word files are infected and that's really all that I need on this computer. If I back those up, would you recommend reinstalling windows to get rid of these trojans because they seem to be completely unshakeable.
#19
Posted 20 July 2005 - 02:49 PM
Do you remember any instance of, or references to, the program WareOut?
That's exactly what the files are associated with!
Let's give this a try before throwing in the towel!
You are going to have to check both the Windows and McAfee firewalls for any exceptions like rk.exe or the like!
Check Add\Remove for WareOut and Relevant Knowledge.
Download Pocket KillBox from here:
http://www.bleepingc...les/killbox.php
There is a direct download and a description of what the program does inside this link.
Download the attached Zip file; I have enclosed a Registry file that should unlock some of this!
Locate the Registry file and double-click to execute -> allow it to merge into the Registry!
Copy & paste each entry below into Killbox and use the instructions that follow:
C:\WINDOWS\system32\cisvvc.exe
C:\WINDOWS\system32\csmgf.exe
C:\WINDOWS\system32\drv2cltr.dll
C:\WINDOWS\system32\hybsys32.dll
C:\WINDOWS\system32\loadctr.exe
C:\WINDOWS\system32\rdsndin.exe
Once each is pasted into Killbox, place a tick by "Delete on Reboot".
Click "Yes" to confirm.
Click "No" to reboot.
Once at the last file:
Click "Yes" to confirm.
Click "Yes" to reboot.
If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message, then just restart manually.
Restart normally and post back!
Here is where some of the information came from:
http://www.easydesks...news/news29.htm
Attached Files
Edited by Cretemonster, 20 July 2005 - 02:50 PM.
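What Killbox's "Delete on Reboot" actually does, shown as an added example written for this page (Python; it is not Killbox's code and not part of the original thread): each file is queued into the REG_MULTI_SZ value `PendingFileRenameOperations` under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager`, the same value `MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT)` writes, and the Session Manager deletes the files at the next boot before anything can lock them. The code builds that value for the six paths in the post, parses it back, and `missing_from_queue` is the condition behind the "Registry Data has been Removed by External Process" warning: the value read back no longer contains what was written, which is what happens when a running malware watchdog clears it. Everything works on bytes offline; nothing touches a live registry, and the function names are this example's own.

```python
r"""Delete-on-reboot queue: build and audit PendingFileRenameOperations.

Added example for this page (not Killbox's code). The value lives at
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
and is REG_MULTI_SZ holding (source, destination) pairs; an empty destination
means "delete at boot". This code handles only the byte format, offline.
"""

NT_PREFIX = "\\??\\"   # Win32 path -> NT object path, as MoveFileEx writes it


def encode_multi_sz(strings):
    """REG_MULTI_SZ: every string NUL-terminated, UTF-16LE, plus one extra NUL
    closing the list. Empty strings are kept because the delete entries below
    need them (they show up as doubled NULs in the raw data)."""
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def decode_multi_sz(blob):
    """Inverse of encode_multi_sz; raises on data that is not well-terminated."""
    text = blob.decode("utf-16-le")
    if not text.endswith("\0"):
        raise ValueError("REG_MULTI_SZ data lacks the list terminator")
    text = text[:-1]
    if not text:
        return []
    if not text.endswith("\0"):
        raise ValueError("last string is not NUL-terminated")
    return text[:-1].split("\0")


def build_pending_delete(paths):
    r"""Queue each Win32 path for deletion at next boot: pair (\??\path, "")."""
    entries = []
    for p in paths:
        entries.extend((NT_PREFIX + p, ""))
    return encode_multi_sz(entries)


def _strip_nt(p):
    return p[len(NT_PREFIX):] if p.startswith(NT_PREFIX) else p


def parse_pending(blob):
    """Return [(op, source, destination)], op in {delete, rename, replace}.
    An odd number of strings means the value was truncated or hand-edited."""
    items = decode_multi_sz(blob)
    if len(items) % 2:
        raise ValueError("unpaired entry in PendingFileRenameOperations: %r" % items[-1])
    ops = []
    for src, dst in zip(items[0::2], items[1::2]):
        if dst == "":
            ops.append(("delete", _strip_nt(src), None))
        elif dst.startswith("!"):        # '!' marks MOVEFILE_REPLACE_EXISTING
            ops.append(("replace", _strip_nt(src), _strip_nt(dst[1:])))
        else:
            ops.append(("rename", _strip_nt(src), _strip_nt(dst)))
    return ops


def missing_from_queue(expected_paths, blob):
    """Paths that should be queued for deletion but are not: the condition
    behind Killbox's "Registry Data has been Removed by External Process"
    warning, i.e. the value read back no longer holds what was written."""
    queued = {src.lower() for op, src, _ in parse_pending(blob) if op == "delete"}
    return [p for p in expected_paths if p.lower() not in queued]


if __name__ == "__main__":
    # The six files from the post above, queued the way "Delete on Reboot" would.
    files = [r"C:\WINDOWS\system32\cisvvc.exe", r"C:\WINDOWS\system32\csmgf.exe",
             r"C:\WINDOWS\system32\drv2cltr.dll", r"C:\WINDOWS\system32\hybsys32.dll",
             r"C:\WINDOWS\system32\loadctr.exe", r"C:\WINDOWS\system32\rdsndin.exe"]
    blob = build_pending_delete(files)
    for op in parse_pending(blob):
        print(op)
    # An emptied value (what a malware watchdog leaves behind) fails the check:
    print("missing:", missing_from_queue(files, encode_multi_sz([])))
```

Because a delete entry is an empty string, the value looks corrupt in regedit (consecutive NULs); that is normal, and a tool that rewrites REG_MULTI_SZ values "cleanly" will silently drop every delete from the queue.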
#20
Posted 20 July 2005 - 03:41 PM
Yes! A WareOut icon did appear on my computer about two weeks ago and I removed it (but apparently not all of it).
PendingFileRenameOperations Registry Data has been Removed by External Process did appear when I tried to Killbox the files you listed so I restarted manually.
I read the article your last post linked me to. Unbelievable. Should I run the program the author mentioned that removes WareOut and its agents, or have I done enough to get rid of it already?
#21
Posted 20 July 2005 - 03:55 PM
Did you merge the Registry File and try running the files through Killbox again?
I haven't had a chance to read the entire article, but from what I have read, it's worth looking into!
Why not have a further read and see what you think!
Is there any noticeable difference in the PC?
Let me know!
#22
Posted 20 July 2005 - 06:30 PM
I merged the registry and tried running through Killbox again. I also downloaded the trial version of the program the author of the article mentions. The scan did not come up with WareOut, so I'd assume we got it.
The computer seems to be running okay right now. I'll keep you posted.
#23
Posted 20 July 2005 - 07:01 PM
Let me ask you one more question. The PCsecure scan I ran says that my system is infected with the W32 Elitper Worm. The directions of how to clean the worm according to the Easy Desk Software website are as follows:
W32.Elitper:
This worm has changed your Registered User name and the name of your computer. Reset the value "RegisteredOwner" at the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion. Reset the value "ComputerName" at the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName and then reboot.
How do I go about resetting these values?
#24
Posted 21 July 2005 - 06:14 AM
Since you are the only one that knows what these names are supposed to be, you will have to navigate those paths in the registry and reset the names to reflect what you have named the computer!
Registrar Lite makes this much easier:
http://www.resplendence.com/downloads
Copy & paste the path below into the address bar of Reg Lite:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName
When you look at "Active Computer" and "Computer Name", they should show no more than the name you gave the PC when you bought it!
Remove any keys that show a different owner or computer name.
Copy & paste the path below into the address bar of Reg Lite:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
Locate the subkey "RegisteredOwner" and eliminate anything other than your name or the computer name!
#25
Posted 21 July 2005 - 08:48 AM
The program is now telling me that I must Reset the following Registry Key Values: AntiVirusDisableNotify at SOFTWARE\Microsoft\Security Center and FirewallDisableNotify at SOFTWARE\Microsoft\Security Center.
Using the Reg Lite program, I don't see any option of how to reset these values. What should I do?
#26
Posted 21 July 2005 - 09:17 PM
I also just ran an ewido scan. It's still picking up some trojans.
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 11:13:30 PM, 7/21/2005
+ Report-Checksum: 24EB5F7D
+ Scan result:
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0036218.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\WINDOWS\SYSTEM32\csfdt.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\WINDOWS\SYSTEM32\ntfsnlpa.exe -> Spyware.Msnagent : Cleaned with backup
::Report End
#27
Posted 22 July 2005 - 02:14 AM
I am attaching a Reg file for you to merge into the Registry!
Unzip it to the Desktop and Extract All!
Double-click to execute and allow it to merge into the registry!
Now click Start -> Control Panel -> Security Center -> Windows Firewall -> Advanced -> Restore Default!
Now, do you have the installation CD from McAfee?
If so, completely uninstall and reinstall McAfee!
Now run this online scan:
http://uk.trendmicro...call_launch.php
Make sure to select Auto Clean and delete all it finds!
Let's see if these changes don't make a difference!
Attached Files
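The kind of Reg file the helper attaches here, built as an added example written for this page (Python; it is not the helper's attachment and not from the thread). It generates a `.reg` merge file that resets `RegisteredOwner` (post #24), writes `ComputerName` under the `ComputerName\ComputerName` key (the `ActiveComputerName` key beside it is volatile and is rebuilt from that one at boot, so it is not written), and puts the two Security Center values from post #25 back to 0 (a value of 1 suppresses the "antivirus/firewall is off" balloon, which is the state malware leaves them in). The owner and computer name passed in are placeholders. `check_computer_name` refuses names that break the NetBIOS rules so a bad merge cannot leave the machine with an unusable name.

```python
r"""Generate the .reg file that resets the values discussed in this thread.

Added example for this page, not the helper's attached file. Owner and
computer name are placeholders supplied by the caller.
"""
import re

REG_HEADER = "Windows Registry Editor Version 5.00"
KEY_WINVER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
KEY_COMPNAME = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName"
KEY_SECCTR = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"


def _esc(s):
    """.reg string syntax escapes backslash and double quote."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def reg_sz(name, value):
    """One REG_SZ value line."""
    return '"%s"="%s"' % (_esc(name), _esc(value))


def reg_dword(name, value):
    """One REG_DWORD value line; regedit expects 8 hex digits."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("DWORD out of range: %r" % value)
    return '"%s"=dword:%08x' % (_esc(name), value)


def check_computer_name(name):
    r"""NetBIOS name rules: 1-15 characters, no spaces, none of \ / : * ? " < > |,
    and not made only of digits."""
    if not 1 <= len(name) <= 15 or name.isdigit() or re.search(r'[\\/:*?"<>| ]', name):
        raise ValueError("invalid computer name: %r" % name)
    return name


def build_reg(sections):
    """sections: list of (key_path, [value lines]) -> .reg text, CRLF line ends."""
    lines = [REG_HEADER, ""]
    for key, values in sections:
        lines.append("[%s]" % key)
        lines.extend(values)
        lines.append("")
    return "\r\n".join(lines)


def cleanup_reg(owner, computer_name):
    """Reset owner and computer name and re-enable Security Center's antivirus
    and firewall notifications (1 = notification disabled, 0 = normal)."""
    check_computer_name(computer_name)
    return build_reg([
        (KEY_WINVER, [reg_sz("RegisteredOwner", owner)]),
        (KEY_COMPNAME, [reg_sz("ComputerName", computer_name)]),
        (KEY_SECCTR, [reg_dword("AntiVirusDisableNotify", 0),
                      reg_dword("FirewallDisableNotify", 0)]),
    ])


if __name__ == "__main__":
    # Placeholder owner and name; save the output as fix.reg and merge it.
    print(cleanup_reg("Owner Name", "MYPC"))
```

The same key holds a third switch, `UpdatesDisableNotify`, that malware often sets alongside these two; add `reg_dword("UpdatesDisableNotify", 0)` to the Security Center section if the scanner reports it as well.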
#28
Posted 22 July 2005 - 09:05 PM
I merged the file into the registry and ran the online scan which came back clean but when I ran Ewido in safe mode right after, it came up with the following spyware and Trojan.
Looking back on the other scans, it seems like the TrojanDropper.Vidro in the C:\System Volume Information\_restore is just jumping from file to file each time I restart. Any thoughts on how to outsmart this sucker?
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 10:51:47 PM, 7/22/2005
+ Report-Checksum: CCE8C99D
+ Scan result:
C:\Documents and Settings\Joshua Cohn\Cookies\joshua cohn@247realmedia[1].txt -> Spyware.Cookie.247realmedia : Cleaned with backup
C:\Documents and Settings\Joshua Cohn\Cookies\joshua [email protected][2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Joshua Cohn\Cookies\joshua cohn@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP267\A0036425.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP267\A0036426.exe -> Spyware.Msnagent : Cleaned with backup
::Report End
#29
Posted 23 July 2005 - 03:51 AM
Now this we can deal with!
Disable System Restore:
http://service1.syma...src=sec_doc_nam
Restart the PC and download these two programs:
SpywareBlaster:
http://www.javacools...areblaster.html
Update immediately!
CCleaner:
http://www.filehippo...d_ccleaner.html
Open CCleaner and click "Run Cleaner".
It will do the rest; don't use any of the other functions!
Now re-enable System Restore, restart in Safe Mode and scan again with Ewido!
Let's see if that scan doesn't look better!
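Why the restore-point hits in the two posts above are not a reinfection, as an added example written for this page (Python; not from the thread). System Restore on XP keeps a copy of every monitored file (exe, dll and the like) that gets deleted or changed, stored under `System Volume Information\_restore{...}\RPnnn\A00xxxxx.exe`, so each removal of Vidro.p from system32 is archived into the newest restore point and the next scan flags it again under a new RP number. The code parses the two report formats pasted in this thread (MWAV's "File ... infected by ... Action Taken" and "tagged as ... No Action Taken" lines, and ewido's "path -> name : action" lines) and sorts each hit into live files, restore-point copies, cookies and the scanner's own not-a-virus tags; only the live list means something is still on disk where it can run. The sample lines are constructed for the example with the user name replaced; the regexes and function names are this example's own.

```python
r"""Triage scanner report lines: live file vs. restore-point copy vs. cookie.

Added example for this page; the report lines below are constructed to match
the MWAV and ewido formats seen in the thread, not copied from a real scan.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

EWIDO_RE = re.compile(r"^(?P<path>.+?) -> (?P<name>.+?) : (?P<action>.+)$")
MWAV_INFECTED_RE = re.compile(
    r'^File (?P<path>.+?) infected by "(?P<name>[^"]+)" Virus\. Action Taken: (?P<action>.+?)\.?$')
MWAV_TAGGED_RE = re.compile(
    r"^File (?P<path>.+?) tagged as (?P<name>\S+?)\. No Action Taken\.$")
# A00xxxxx files under an RPnnn folder are System Restore's archived copies.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[^}]+\}\\RP\d+\\", re.I)

SAMPLE_REPORT = r"""
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0036213.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\User\Desktop\Nailfix\Process.exe tagged as not-a-virus:Tool.Win32.Processor.20. No Action Taken.
C:\Documents and Settings\User\Cookies\user@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP267\A0036425.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\WINDOWS\SYSTEM32\csfdt.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\WINDOWS\SYSTEM32\ntfsnlpa.exe -> Spyware.Msnagent : Cleaned with backup
"""


@dataclass
class Detection:
    path: str
    name: str
    action: str
    source: str   # "mwav" or "ewido"


def parse_line(line):
    """Parse one report line in either format; None for headers and chatter."""
    m = MWAV_INFECTED_RE.match(line)
    if m:
        return Detection(m["path"], m["name"], m["action"], "mwav")
    m = MWAV_TAGGED_RE.match(line)
    if m:
        return Detection(m["path"], m["name"], "No Action Taken", "mwav")
    m = EWIDO_RE.match(line)
    if m:
        return Detection(m["path"], m["name"], m["action"], "ewido")
    return None


def parse_report(text):
    return [d for d in (parse_line(l.rstrip()) for l in text.splitlines()) if d]


def classify(d):
    if d.name.lower().startswith("not-a-virus:"):
        return "not_a_virus"      # scanner's riskware tag, e.g. a process-killer tool
    if RESTORE_RE.search(d.path):
        return "restore_point"    # archived by System Restore; purged by disabling SR
    if "\\cookies\\" in d.path.lower():
        return "cookie"           # tracking cookie, not executable
    return "live"                 # on disk where it can run: the real infection


def triage(detections):
    groups = defaultdict(list)
    for d in detections:
        groups[classify(d)].append(d)
    return dict(groups)


def live_paths(report_text):
    """Only these paths mean the machine still carries the malware."""
    return [d.path for d in triage(parse_report(report_text)).get("live", [])]


if __name__ == "__main__":
    for kind, hits in triage(parse_report(SAMPLE_REPORT)).items():
        print(kind)
        for d in hits:
            print("   ", d.name, "<-", d.path)
```

Run against the 7/21 ewido report above, the live list is csfdt.exe and ntfsnlpa.exe; against the 7/22 report it is empty, which is the signal that the restore-point purge is all that is left to do.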
#30
Posted 25 July 2005 - 06:59 AM
The scans are coming back clean. I think we got it. Thank you so much!