Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Please check my HJ log... [CLOSED]


  • This topic is locked This topic is locked

#16
KingMartin

KingMartin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
I thought that you would say that Sam ;)

But I can't find the file in the folder, nor anywhere on my comp.

Maybe the file is disguised somehow??? This makes me crazy :tazz:

I'll re-run the mwaw once more this night...

???

martin

Edited by KingMartin, 04 August 2005 - 08:44 AM.

  • 0

Advertisements


#17
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Let's try it another way.

Download the Pocket Killbox.

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
  • Highlight the lines below and press the Ctrl key and the C key at the same time to copy them to the clipboard:

    • C:\WINNT\Downloaded Program Files\www.sexmission.cz.exe
      C:\WINNT\system32\dmznp.exe
      C:\WINNT\system32\dmkgm.exe
      C:\WINNT\TEMP\IZE3.EXE

  • Now go to the Killbox application and click on the File menu and then the Paste from Clipboard menu item. In the Full Path of File to Delete box you should see the first file. If you dropdown that box you should see the rest of them. Make sure that they are all there.
  • Click on the Delete on Reboot option and then click on the red circle with a white 'X' in to to delete the files. Killbox will tell you that all listed files will be deleted on next reboot, click YES. When it asks if you would like to Reboot now, click YES. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
Your system will reboot now.


Post a new Mwav log and a new hijackthis log.
  • 0

#18
KingMartin

KingMartin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hello Sam,

I did as you said.

here's the new mwaw:

Fri Aug 05 16:08:33 2005 => File C:\PROGRA~1\RealVNC\WinVNC\WinVNC.exe tagged as not-a-virus:RemoteAdmin.Win32.WinVNC-based.c. No Action Taken.
Fri Aug 05 16:08:33 2005 => File C:\PROGRA~1\RealVNC\WinVNC\VNCHooks.dll tagged as not-a-virus:RemoteAdmin.Win32.WinVNC-based.c. No Action Taken.
Fri Aug 05 16:08:33 2005 => File C:\PROGRA~1\RealVNC\WinVNC\othread2.dll tagged as not-a-virus:RemoteAdmin.Win32.WinVNC-based.c. No Action Taken.
Fri Aug 05 16:08:44 2005 => File C:\PROGRA~1\RealVNC\WinVNC\WinVNC.exe tagged as not-a-virus:RemoteAdmin.Win32.WinVNC-based.c. No Action Taken.
Fri Aug 05 16:13:25 2005 => File C:\Data\Access2000\Tips\hhousefree.exe tagged as "not-a-virus:AdWare.SaveNow.c". Action Taken: No Action Taken.
Fri Aug 05 16:37:35 2005 => File C:\Program Files\RealVNC\WinVNC\othread2.dll tagged as not-a-virus:RemoteAdmin.Win32.WinVNC-based.c. No Action Taken.
Fri Aug 05 16:37:35 2005 => File C:\Program Files\RealVNC\WinVNC\vnchooks.dll tagged as not-a-virus:RemoteAdmin.Win32.WinVNC-based.c. No Action Taken.
Fri Aug 05 16:55:42 2005 => File C:\Data\Access2000\Tips\hhousefree.exe tagged as "not-a-virus:AdWare.SaveNow.c". Action Taken: No Action Taken.
Fri Aug 05 17:20:31 2005 => File C:\Program Files\RealVNC\WinVNC\othread2.dll tagged as not-a-virus:RemoteAdmin.Win32.WinVNC-based.c. No Action Taken.
Fri Aug 05 17:20:31 2005 => File C:\Program Files\RealVNC\WinVNC\vnchooks.dll tagged as not-a-virus:RemoteAdmin.Win32.WinVNC-based.c. No Action Taken.

and here's the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 6:13:52 PM, on 05.08.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\RBA Direkt\ACCOCA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINNT\System32\drivers\trcboot.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\TEMP\YS81ED.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\AEIWLSTA.EXE
C:\WINNT\AGRSMMSG.exe
C:\WINNT\system32\ltmsg.exe
C:\WINNT\system32\ltcm000c.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\RBA Direkt\agquickp.exe
C:\Program Files\VIP.fastnet\AcceleNetClient.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\DrayTek\Vigor560\WLAN_manager.exe
C:\Program Files\VIP.fastnet\ClientSideProxy.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program Files\Wireless LAN Utility\SiWake.exe
C:\Program Files\Wireless LAN Utility\SiSCFG.exe
C:\Program Files\Vodafone\VodafoneMobileConnectCard\VodafoneMobileConnectCard.exe
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickPassword] C:\Program Files\RBA Direkt\\agquickp.exe
O4 - HKLM\..\Run: [AcceleNet Client Application] C:\Program Files\VIP.fastnet\AcceleNetClient.exe -startup
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [FLKPT] lpt.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: Vodafone Mobile Connect Card.lnk = C:\Program Files\Vodafone\VodafoneMobileConnectCard\VodafoneMobileConnectCard.exe
O4 - Global Startup: 802.11g WLAN Adapter Utility.lnk = C:\Program Files\DrayTek\Vigor560\WLAN_manager.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: EPSON SMART PANEL for Scanner.lnk = C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Phone Connection Monitor.lnk = C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
O4 - Global Startup: SiWake.lnk = C:\Program Files\Wireless LAN Utility\SiWake.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: View Original Image - C:\Program Files\VIP.fastnet\getoriginal.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.sml01
O15 - Trusted Zone: http://*.sml01 (HKLM)
O16 - DPF: {0006F063-0000-0000-C000-000000000046} (Microsoft Outlook View Control) - http://activex.micro...ce/outlctlx.cab
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://sms01/offices...ll/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - http://sms01/offices...ll/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://sms01/offices...stall/setup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - http://sms01/offices...html/AtxEnc.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://sms01/offices.../RemoveCtrl.cab
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://ssp01/Intrane...rces/msddsc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = poslovno.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = poslovno.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = poslovno.local
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\RBA Direkt\\ACCOCA.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - Unknown owner - C:\SQLLIB\bin\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - Unknown owner - C:\SQLLIB\bin\db2sec.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: TrcBoot - Unknown owner - C:\WINNT\System32\drivers\trcboot.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
  • 0

#19
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Let's try looking at another type of log.

Please RIGHT-CLICK HERE to download Silent Runner's.
  • Save it to the desktop.
  • Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
  • 0

#20
KingMartin

KingMartin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Here it is, Sam:
(thanks again for looking)

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"a-squared" = ""C:\Program Files\a2\a2guard.exe"" [null data]
"internat.exe" = "internat.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"TrackPointSrv" = "tp4serv.exe" ["IBM Corporation"]
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"AEIWLSTA.EXE" = "AEIWLSTA.EXE" ["Actiontec Electronics, Inc"]
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"LTWinModem1" = "ltmsg.exe 9" ["LUCENT TECHNOLOGIES"]
"IgfxTray" = "C:\WINNT\System32\igfxtray.exe" ["Intel Corporation"]
"XircWinModem4" = "ltcm000c.exe 9" ["LUCENT TECHNOLOGIES"]
"WinVNC" = ""C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper" ["RealVNC Ltd."]
"UpdateManager" = ""C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r" [file not found]
"NeroFilterCheck" = "C:\WINNT\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"(Default)" = (empty string)
"OfficeScanNT Monitor" = ""C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow" ["Trend Micro Inc."]
"QuickPassword" = "C:\Program Files\RBA Direkt\\agquickp.exe" ["ActivCard S.A."]
"AcceleNet Client Application" = "C:\Program Files\VIP.fastnet\AcceleNetClient.exe -startup" ["Intelligent Compression Technologies (ICT)"]
"Logitech Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech Inc."]
"Easy-PrintToolBox" = "C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon" ["CANON INC."]
"Sunkist2k" = "C:\Program Files\Multimedia Card Reader\shwicon2k.exe" ["Alcor Micro, Corp."]
"FLKPT" = "lpt.exe" [file not found]
"HotKeysCmds" = "C:\WINNT\System32\hkcmd.exe" ["Intel Corporation"]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = "AcroIEToolbarHelper Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\1033\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{DCED20BE-3645-11D4-BC95-00C04F0E0588}" = "InoShell"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\CA\eTrust\InoculateIT\InoShell.dll" [file not found]
"{AF4F7471-FCFB-11d0-80B6-0080C838D5F9}" = "OfficeScan NT"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Trend Micro\OfficeScan Client\tmdshell.dll" ["Trend Micro Inc."]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{fc181130-05a0-11d6-8140-000102e745a6}" = "My P910i"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile\auexpext.dll" ["Teleca Software Solutions AB"]
"{AB77609F-2178-4E6F-9C4B-44AC179D937A}" = "a* Context Menu Shell Extension" (unwriteable string)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\a2\A2CONT~1.DLL" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csziq.exe" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
INFECTION WARNING! ScCertProp\DLLName = "wlnotify.dll" [MS]

HKLM\Software\Policies\Microsoft\Windows\System\Scripts\
WARNING! Either "\\poslovno.local\SysVol\poslovno.local\Policies\{239D5A20-7C23-412C-86D1-E0C556262F1E}\Machine\Scripts\scripts.ini"
doesn't exist or there is insufficient permission to read it!

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
InoShell\(Default) = "{DCED20BE-3645-11D4-BC95-00C04F0E0588}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\CA\eTrust\InoculateIT\InoShell.dll" [file not found]
OfficeScan NT\(Default) = "{AF4F7471-FCFB-11d0-80B6-0080C838D5F9}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Trend Micro\OfficeScan Client\tmdshell.dll" ["Trend Micro Inc."]
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\PowerArchiver\PASHLEXT.DLL" ["eFront Media, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
InoShell\(Default) = "{DCED20BE-3645-11D4-BC95-00C04F0E0588}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\CA\eTrust\InoculateIT\InoShell.dll" [file not found]
OfficeScan NT\(Default) = "{AF4F7471-FCFB-11d0-80B6-0080C838D5F9}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Trend Micro\OfficeScan Client\tmdshell.dll" ["Trend Micro Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
a2ContMenu\(Default) = "{AB77609F-2178-4E6F-9C4B-44AC179D937A}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\a2\A2CONT~1.DLL" [null data]
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\PowerArchiver\PASHLEXT.DLL" ["eFront Media, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINNT\system32\logon.scr" [MS]


Startup items in "martink" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\martink\Start Menu\Programs\Startup
"Vodafone Mobile Connect Card" -> shortcut to: "C:\Program Files\Vodafone\VodafoneMobileConnectCard\VodafoneMobileConnectCard.exe" ["Vodafone"]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"802.11g WLAN Adapter Utility" -> shortcut to: "C:\Program Files\DrayTek\Vigor560\WLAN_manager.exe" ["DrayTek"]
"Acrobat Assistant" -> shortcut to: "C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe" ["Adobe Systems Inc."]
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Cisco Systems VPN Client" -> shortcut to: "C:\Program Files\Cisco Systems\VPN Client\vpngui.exe "-user_logon"" ["Cisco Systems, Inc."]
"EPSON SMART PANEL for Scanner" -> shortcut to: "C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe /h" ["NewSoft"]
"Logitech SetPoint" -> shortcut to: "C:\Program Files\Logitech\SetPoint\SetPoint.exe" ["Logitech Inc."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"Phone Connection Monitor" -> shortcut to: "C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe" ["Teleca Software Solutions AB"]
"SiWake" -> shortcut to: "C:\Program Files\Wireless LAN Utility\SiWake.exe" [empty string]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Program Files\VIP.fastnet\ICTLOAD.DLL ["Intelligent Compression Technologies (ICT)"], 01 - 03, 10
%SystemRoot%\system32\msafd.dll [MS], 04 - 07, 11 - 56
%SystemRoot%\system32\rsvpsp.dll [MS], 08 - 09


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = "Adobe PDF" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

"{327C2873-E90D-4C37-AA9D-10AC9BABA46C}" = "Easy-WebPrint"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Canon\Easy-WebPrint\Toolband.dll" [empty string]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\ = "Adobe PDF" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{03C1C47F-0538-4645-8372-D3109B9FC636}\ = "Easy-WebPrint"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Canon\Easy-WebPrint\Toolband.dll" [empty string]


HOSTS file
----------

C:\WINNT\System32\drivers\etc\HOSTS

maps: 1 domain name to an IP address,
1 of the IP addresses is *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ActivCard Gold service, Accoca, "C:\Program Files\RBA Direkt\\ACCOCA.EXE" ["ActivCard"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINNT\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
Cisco Systems, Inc. VPN Service, CVPND, ""C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"" ["Cisco Systems, Inc."]
HID Input Service, HidServ, "C:\WINNT\system32\hidserv.exe" [MS]
IBM PM Service, IBMPMSVC, "C:\WINNT\System32\ibmpmsvc.exe" [null data]
OfficeScanNT Listener, tmlisten, "C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe" ["Trend Micro Inc."]
OfficeScanNT Personal Firewall, OfcPfwSvc, "C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe" ["Trend Micro Inc."]
OfficeScanNT RealTime Scan, ntrtscan, "C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe" ["Trend Micro Inc."]
TrcBoot, TrcBoot, "C:\WINNT\System32\drivers\trcboot.exe" [null data]
VNC Server, winvnc, ""C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service" ["RealVNC Ltd."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 53 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 4 seconds.
---------- (total run time: 83 seconds)
  • 0

#21
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Nothing new there either.

Let's try this.
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    • C:\WINNT\TEMP\YS81ED.EXE <-- or whatever file is currently showing up in your processes.
  • Click on the submit button
  • Please post the results in your next reply.
How is your computer running? Are you having any problems?
  • 0

#22
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP