Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Home page changed about:blank [RESOLVED]

Started by hesnotthemessiah , Aug 06 2005 01:43 PM

This topic is locked

#16
hesnotthemessiah

Posted 07 August 2005 - 07:32 PM

Member

Topic Starter
Member
24 posts

Only me .......

Did as advised with HJT and rebooted in safe mode.

When I got to the logon screen I chose the administrator icon (rather than my own name icon as I thought this might limit my authority to do certain tasks).

Did start>run>cmdsc stop edd392f81bfsvr but a message came back "[SC] Control service FAILED 1053. The service did not respond to the start or control request in a timely fasion. The service edd392f81bfsvr is enabled and/or running. Disable it first, using HijackThis itself (from the scan results) or the Services.msc window." I didn't do either of these things.

I then repeated the above but with delete edd392f81bfsvr but a message came back "The specified service does not exist as an installed service."

Latest log:-

Logfile of HijackThis v1.99.1
Scan saved at 02:27:22, on 08/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\PDesk\PDesk.exe
C:\WINDOWS\System32\edd392f81bf.exe
C:\VIRUS\Kaspersky Anti-Hacker\KAVPF.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\mgabg.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\edd392f81bf.exe
C:\VIRUS\SpywareBlaster\spywareblaster.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Documents and Settings\Neville Tubb\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [KAVPersonal50] "C:\VIRUS\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [edd392f81bf] C:\WINDOWS\System32\edd392f81bf.exe
O4 - HKCU\..\Run: [edd392f81bf] C:\WINDOWS\System32\edd392f81bf.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\VIRUS\Kaspersky Anti-Hacker\KAVPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for ¸æ" : C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...2335/model.html
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\VIRUS\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\System32\mgabg.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

:tazz:

#17
ukbiker

Posted 07 August 2005 - 07:41 PM

Rest in Peace, ukbiker

Retired Staff
2,014 posts

Hi again

This is getting bizarre, tell me, first ensure that you can view all hidden and system files, then can you find this file using windows explorer? You will have to be logged on as admin probably

C:\WINDOWS\System32\edd392f81bf.exe

UKBiker

Edited by ukbiker, 07 August 2005 - 07:42 PM.

#18
ukbiker

Posted 07 August 2005 - 07:46 PM

Rest in Peace, ukbiker

Retired Staff
2,014 posts

Hi yet again

Please go to Jotti's malware scan
Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
- C:\WINDOWS\System32\edd392f81bf.exe
Click on the submit button
Please post the results in your next reply.

UKBiker

#19
hesnotthemessiah

Posted 07 August 2005 - 09:42 PM

Member

Topic Starter
Member
24 posts

File: edd392f81bf.exe Status:
INFECTED/MALWARE MD5 07655a73cbb43d14f616dce91c053f41 :
Packers detected PE_PATCH, MEWBUNDLE, MEW
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Generic.JS
BitDefender Found nothing
ClamAV Found Worm.Mytob.GH
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found Win32/HacDef
Norman Virus Control Found W32/Suspicious_M.gen
UNA Found nothing
VBA32 Found nothing

It looks like I didn't select search hidden files and folders - Just did a double check on my windows search with system folders and hidden files and folders. Two edd392f81bf files (one application and the other configuration settings) are in C:\windows plus EDD392F818F.EXE-159778F9.pf and EDD392F818F.EXE-1724BA43.pf (prefetch files) are in C:\windows\Prefetch

Sorry about that - I was so sure I had searched hidden files aswell! :tazz:

I await your commands

#20
hesnotthemessiah

Posted 08 August 2005 - 06:11 AM

Member

Topic Starter
Member
24 posts

Hi ukbiker. Just to let you know, I will be off to work this evening and back again at about 5AM in the morning, so won't be able to use the internet until then. I usually go on the internet about then, depending on how knackered I am! I might just go straight to bed, in which case I will be up again about 1PM Tuesday afternoon.

Have a good day now!

Thanks again for all your help. :tazz:

#21
Metallica

Posted 10 August 2005 - 01:49 PM

Spyware Veteran

GeekU Moderator
33,101 posts

Hi hesnotthemessiah,

When you get back can you open edd392f81bf.ini (the configuration settings) by rightclicking it and then choose Open with .... Notepad

Post what you find inside please.

Regards,

#22
hesnotthemessiah

Posted 10 August 2005 - 10:06 PM

Member

Topic Starter
Member
24 posts

Hi Metallica. Thanks for looking into this. Here is the config file as requested:-

[Hidden Table]
edd392f81bf*

[Root Processes]
edd392f81bf*
rundll*
wdmaud*

[Hidden Services]
edd392f81bf*

[Hidden RegKeys]
edd392f81bf*
legacy_edd392f81bf*
edd392f81bfdrv*
legacy_edd392f81bfdrv*

[Hidden RegValues]

[Startup Run]

[Free Space]

[Hidden Ports]

[Settings]
Password=Vw+RsN$I8D
BackdoorShell=1.exe
FileMappingName=edd392f81bfppp
ServiceName=edd392f81bfsvr
ServiceDisplayName=WindowInstallSystem
ServiceDescription=Critical system service
DriverName=edd392f81bfdrv
DriverFileName=edd392f81bfdrv.sys

[Comments]

I have 2 instances of edd392f81bf.exe running in the background at the moment, as indicated by my task manager - (I think yesterday there were 3). If I select End Process for them, then I am able to use the internet with no problems, rather than being constantly told that a page is not available and then having to hit the back button to actually go to it.

The message:-
Your personal data succesfully tracked!
CLICK HERE TO CLEAN ALL TRACKS NOW!
which appeared at the top of every internet page, no longer appears either.

Thanks again. :tazz:

#23
Metallica

Posted 11 August 2005 - 12:46 AM

Spyware Veteran

GeekU Moderator
33,101 posts

Good job. I need you to look up the full path to a few files for me.

First in the .ini file make the following changes.

[Hidden Table]
mgabg*

[Root Processes]
mgabg*
rundll*
wdmaud*

[Hidden Services]
mgabg*

[Hidden RegKeys]
mgabg*
legacy_mgabg*
mgabg*
legacy_mgabg*

[Hidden RegValues]

[Startup Run]

[Free Space]

[Hidden Ports]

[Settings]
Password=Vw+RsN$I8D
BackdoorShell=explorer.exe
FileMappingName=edd392f81bfppp
ServiceName=edd392f81bfsvr
ServiceDisplayName=WindowInstallSystem
ServiceDescription=Critical system service
DriverName=edd392f81bfdrv
DriverFileName=edd392f81bfdrv.sys

Then find and post if and where you find these files:
edd392f81bfdrv.sys
1.exe

Regards,

Edited by Metallica, 11 August 2005 - 12:47 AM.

#24
hesnotthemessiah

Posted 11 August 2005 - 05:13 AM

Member

Topic Starter
Member
24 posts

Good morning (or is that afternoon?) Metallica. Just got out of bed (I do nights). Thanks for having a go at this. You probably realise this, but I thought I had better make sure - I had previously been asked to look for certain files and to make sure that, when I searched for them, to inlcude hidden and system files. I realised I had not been including hidden and system files and advised ukbiker of this in the post dated Aug 8 2005, 04:42 AM. Not sure if this might affect things. :tazz:

Can't find either edd392f81bfdrv.sys or 1.exe

Cheers

Nev.

#25
Metallica

Posted 11 August 2005 - 05:26 AM

Spyware Veteran

GeekU Moderator
33,101 posts

Ok. But you did include them in your search now, right?

These files are probably not hidden by windows anyway but by the driver.

Let's have a try.

Reboot (after the changes we made to the .ini file and saving it)

*Click here and download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\System32\edd392f81bf.exe
C:\WINDOWS\System32\edd392f81bfdrv.sys
C:\WINDOWS\System32\1.exe

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Let the computer reboot and post a new HijackThis log.

Download WinPFind

Right Click the Zip Folder and Select "Extract All"
Extract it somewhere you will remember like the Desktop

Doubleclick WinPFind.exe

Click "Start Scan"
It will scan the entire System, so please be patient!
Once the Scan is Complete[list=1]
Go to the WinPFind folder
Locate WinPFind.txt
Place those results in the next post as well

Regards,

Edited by Metallica, 11 August 2005 - 05:26 AM.

#26
ukbiker

Posted 12 August 2005 - 05:55 PM

Rest in Peace, ukbiker

Retired Staff
2,014 posts

Hi there

My apologies for not being available, and many thanks to you Pieter for stepping in :tazz:

Could you please send one of my colleagues this file?

Download sfp and unzip it to your desktop.

Double click sfp.exe thats on your desktop
In step one, please past in the following files(s):
- C:\WINDOWS\System32\edd392f81bf.exe
Click "Continue"
sfp will create a cab file on your desktop called requested-files (and the date)
please email that file to [email protected]

Thanks

UKBiker

#27
hesnotthemessiah

Posted 13 August 2005 - 02:17 PM

Member

Topic Starter
Member
24 posts

Hi Metallica. Sorry for not getting back sooner.

I did as requested with Killbox and have posted the latest HijackThis log:-

Logfile of HijackThis v1.99.1
Scan saved at 21:11:51, on 13/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\PDesk\PDesk.exe
C:\VIRUS\Kaspersky Anti-Hacker\KAVPF.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\mgabg.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Documents and Settings\Neville Tubb\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [KAVPersonal50] "C:\VIRUS\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [edd392f81bf] C:\WINDOWS\System32\edd392f81bf.exe
O4 - HKCU\..\Run: [edd392f81bf] C:\WINDOWS\System32\edd392f81bf.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\VIRUS\Kaspersky Anti-Hacker\KAVPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for ¸æ" : C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...2335/model.html
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\VIRUS\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\System32\mgabg.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

I will now download WinPFind and post the results.

Thanks again. :tazz:

Nev.

#28
hesnotthemessiah

Posted 13 August 2005 - 02:36 PM

Member

Topic Starter
Member
24 posts

Here's the WinPFind.txt file:-

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 14/11/2004 00:00:44 65536 C:\WINDOWS\IFinst27.exe

Checking %System% folder...
PEC2 31/03/2003 13:00:00 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
Umonitor 31/03/2003 13:00:00 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 31/03/2003 13:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 13/04/2004 11:35:28 322068 C:\WINDOWS\SYSTEM32\drivers\Dakota.sys

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
S 13/08/2005 21:08:06 2048 C:\WINDOWS\bootstat.dat
H 17/07/2005 18:16:18 0 C:\WINDOWS\LastGood\INF\q831167.inf
H 17/07/2005 18:16:18 0 C:\WINDOWS\LastGood\INF\q831167.PNF
H 13/08/2005 21:12:56 1024 C:\WINDOWS\system32\config\default.LOG
H 13/08/2005 21:08:10 1024 C:\WINDOWS\system32\config\SAM.LOG
H 13/08/2005 21:18:18 1024 C:\WINDOWS\system32\config\SECURITY.LOG
H 13/08/2005 21:19:26 1024 C:\WINDOWS\system32\config\software.LOG
H 13/08/2005 21:19:38 1024 C:\WINDOWS\system32\config\system.LOG
H 13/08/2005 21:08:12 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 31/03/2003 13:00:00 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 30/05/2003 17:17:20 579584 C:\WINDOWS\SYSTEM32\appwiz.cpl
Frontier Design Group, LLC 30/08/2003 17:58:10 266240 C:\WINDOWS\SYSTEM32\DakPanel.cpl
Microsoft Corporation 31/03/2003 13:00:00 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 31/03/2003 13:00:00 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 31/03/2003 13:00:00 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 31/03/2003 13:00:00 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 31/03/2003 13:00:00 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 31/03/2003 13:00:00 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 31/03/2003 13:00:00 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 31/03/2003 13:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 31/03/2003 13:00:00 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 31/03/2003 13:00:00 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 31/03/2003 13:00:00 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Intel® Corporation 11/03/2003 17:15:56 77824 C:\WINDOWS\SYSTEM32\PRApplet.cpl
Apple Computer, Inc. 14/12/2003 10:20:50 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 31/03/2003 13:00:00 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 31/03/2003 13:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 31/03/2003 13:00:00 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 31/03/2003 13:00:00 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 30/05/2003 17:17:20 579584 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 31/03/2003 13:00:00 129024 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 31/03/2003 13:00:00 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 31/03/2003 13:00:00 292352 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 31/03/2003 13:00:00 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 31/03/2003 13:00:00 65536 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 31/03/2003 13:00:00 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 31/03/2003 13:00:00 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 31/03/2003 13:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 31/03/2003 13:00:00 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 31/03/2003 13:00:00 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 31/03/2003 13:00:00 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 31/03/2003 13:00:00 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 31/03/2003 13:00:00 268288 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 31/03/2003 13:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 31/03/2003 13:00:00 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
23/05/2005 16:54:50 1578 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kaspersky Anti-Hacker.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Kaspersky Anti-Virus
{dd230880-495a-11d1-b064-008048ec2fc5} = C:\VIRUS\Kaspersky Anti-Virus Personal\shellex.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Kaspersky Anti-Virus
{dd230880-495a-11d1-b064-008048ec2fc5} = C:\VIRUS\Kaspersky Anti-Virus Personal\shellex.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{014DA6CE-189F-421A-88CD-07CFE51CFF10}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{EB740041-E2A0-4346-A4DF-F2AFF42AB23D} = : tlde1fjhn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CoolSwitch C:\WINDOWS\System32\taskswitch.exe
LogonStudio "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
KAVPersonal50 "C:\VIRUS\Kaspersky Anti-Virus Personal\kav.exe" /minimize
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
ViewMgr C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
Matrox Powerdesk C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
edd392f81bf C:\WINDOWS\System32\edd392f81bf.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
edd392f81bf C:\WINDOWS\System32\edd392f81bf.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoLowDiskSpaceChecks 0
ForceActiveDesktopOn 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 13/08/2005 21:22:36

I will now download sfp and send the data to [email protected] as requested by ukbiker.

Cheers.

Nev.

#29
hesnotthemessiah

Posted 13 August 2005 - 02:54 PM

Member

Topic Starter
Member
24 posts

sfp data set to [email protected] as advised by ukbiker.

Hope you are having a good weekend. Due to goto Newbury races Sunday, leaving early morning, well 10AM is early for a Sunday! Due back late evening or when we are all skint/paraletic (which ever comes first!). Will hopefully be in a fit state to check my emails then - do I really mean that?

Thanks for your help. :tazz:

Nev.

#30
Metallica

Posted 14 August 2005 - 03:56 AM

Spyware Veteran

GeekU Moderator
33,101 posts

What you can do while we wait for Atribune's analysis:

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [edd392f81bf] C:\WINDOWS\System32\edd392f81bf.exe
O4 - HKCU\..\Run: [edd392f81bf] C:\WINDOWS\System32\edd392f81bf.exe

Then reboot and check if they stay away.

Regards,