Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Fake Security Center popup [RESOLVED]


  • This topic is locked This topic is locked

#1
baneman

baneman

    New Member

  • Member
  • Pip
  • 6 posts
Hi there
I hope you can help me with removing this unbelievably irritating malware popup.

It randomly ( yet regularly ) pops up. Clicking on the Yes button opens a browser window pointing to a so-called anti-spyware site. Clicking No merely puts off for a random amount of time the reoccurrence of the popup.

I have discovered that the beast responsible for this is rdsndin.exe - which I found when trying to close the so-called Windows Security Center via Task Manager.

This also seems to be associated with a taskbar creature that pops up a "baloon" purporting to have identified my firewall/anti-virus software as "being bad". The one always appears around the time of the other.

None of the usual Anti-spyware tools have found or identified this and I eventually reinstalled Windows XP - but a day later it was back ( my reinstall was leaving my old settings ).

Thanks in advance
B
  • 0

Advertisements


#2
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi baneman and welcome to GeeksToGo!


If you are having malware issues, please got to the following site and follow all the instructions carefully.


You Must Read This Before Posting A Hijackthis Log

this will help you clean up to 70 percent of all problems by yourself. If at the end of the process you are still having difficulty--and you may not be-- then post a hijackthis log in THIS Thread.

Thanks,

:tazz:

Excal
  • 0

#3
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

#4
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Topic is reopened :)

:tazz:

Excal
  • 0

#5
baneman

baneman

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Thanks very much.

HijackThis log follows :

Logfile of HijackThis v1.99.1
Scan saved at 01:33:38, on 25/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Symantec Shared\ccProxy.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\WINDOWS\system32\CTsvcCDA.exe
F:\Program Files\Norton Personal Firewall\ISSVC.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\CTHELPER.EXE
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\Nikon\NkView6\NkvMon.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Messenger\msmsgs.exe
F:\dwnlds\Utils\Antispyware\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ipp.co.za/blog
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Class - {A818BD85-2B41-49E4-B9F9-80D9FBF83E60} - F:\WINDOWS\mfcyw32.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] F:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - Global Startup: NkvMon.exe.lnk = F:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....012/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15012/CTPID.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - F:\Program Files\Norton Personal Firewall\ISSVC.exe
O23 - Service: svchost.exe (moto) - Unknown owner - F:\WINDOWS\svchost.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - F:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - F:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

I know for sure that the process doing the Security Centre popup is called rdsndin.exe as that is the program that "isn't responding" when I close Security Centre with Task Manager. The bottom right hand "baloon" icon I have no idea.

Thanks a lot for helping
B
  • 0

#6
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Download WinPFind and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.
don't do anything with it yet.

boot into safe mode


Inside c:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.

reboot

Please post the winpfind log

Silent Runners:
  • Please click this link to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
  • You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
  • Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

  • NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
    For some time it will look like nothing is happening. Just keep waiting.
  • Once it's done it will create a log. A window will come up telling you when it's saved. Please post that log here

  • 0

#7
baneman

baneman

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Cheers, ok here goes :

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
qoologic 28/09/2005 17:58:00 202953 F:\WinPFind.zip

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 04/08/2004 13:00:00 41397 F:\WINDOWS\SYSTEM32\dfrg.msc
FSG! 01/07/2005 20:24:08 705 F:\WINDOWS\SYSTEM32\msexnpbi.exe
FSG! 30/06/2005 20:15:36 705 F:\WINDOWS\SYSTEM32\msexnpfi.exe
aspack 04/08/2004 13:00:00 708096 F:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 04/08/2004 13:00:00 657920 F:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 04/08/2004 13:00:00 1309184 F:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in F:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
28/09/2005 18:03:12 S 2048 F:\WINDOWS\bootstat.dat
24/09/2005 13:09:12 H 54156 F:\WINDOWS\QTFont.qfn
14/08/2005 17:16:28 RH 749 F:\WINDOWS\WindowsShell.Manifest
14/08/2005 17:16:36 H 65 F:\WINDOWS\Downloaded Program Files\desktop.ini
14/08/2005 17:17:10 HS 67 F:\WINDOWS\Fonts\desktop.ini
14/08/2005 17:16:36 H 65 F:\WINDOWS\Offline Web Pages\desktop.ini
14/08/2005 17:17:52 H 262144 F:\WINDOWS\repair\ntuser.dat
14/08/2005 17:16:28 RH 749 F:\WINDOWS\system32\cdplayer.exe.manifest
14/08/2005 17:16:36 RH 488 F:\WINDOWS\system32\logonui.exe.manifest
14/08/2005 17:16:28 RH 749 F:\WINDOWS\system32\ncpa.cpl.manifest
14/08/2005 17:16:28 RH 749 F:\WINDOWS\system32\nwc.cpl.manifest
14/08/2005 17:16:28 RH 749 F:\WINDOWS\system32\sapi.cpl.manifest
14/08/2005 17:16:36 RH 488 F:\WINDOWS\system32\WindowsLogon.manifest
14/08/2005 17:16:28 RH 749 F:\WINDOWS\system32\wuaucpl.cpl.manifest
28/09/2005 18:03:02 H 8192 F:\WINDOWS\system32\config\default.LOG
14/08/2005 18:05:04 H 0 F:\WINDOWS\system32\config\default.tmp.LOG
28/09/2005 18:03:50 H 1024 F:\WINDOWS\system32\config\SAM.LOG
28/09/2005 18:03:14 H 12288 F:\WINDOWS\system32\config\SECURITY.LOG
28/09/2005 18:03:52 H 69632 F:\WINDOWS\system32\config\software.LOG
14/08/2005 18:05:02 H 0 F:\WINDOWS\system32\config\software.tmp.LOG
28/09/2005 18:03:18 H 851968 F:\WINDOWS\system32\config\system.LOG
14/08/2005 18:04:48 H 0 F:\WINDOWS\system32\config\system.tmp.LOG
14/08/2005 18:04:44 H 1024 F:\WINDOWS\system32\config\TempKey.LOG
14/08/2005 18:05:04 H 1024 F:\WINDOWS\system32\config\userdiff.LOG
14/08/2005 17:17:56 H 1024 F:\WINDOWS\system32\config\userdifr.LOG
26/08/2005 01:26:02 HS 388 F:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\1d2c1689-5dee-4dd3-8b02-4daea46d876f
26/08/2005 01:26:02 HS 24 F:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
28/09/2005 18:02:14 H 6 F:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 04/08/2004 13:00:00 68608 F:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 04/08/2004 13:00:00 549888 F:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 04/08/2004 13:00:00 110592 F:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 04/08/2004 13:00:00 135168 F:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 04/08/2004 13:00:00 80384 F:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 04/08/2004 13:00:00 155136 F:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 04/08/2004 13:00:00 358400 F:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 04/08/2004 13:00:00 129536 F:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 04/08/2004 13:00:00 380416 F:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 04/08/2004 13:00:00 68608 F:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 03/06/2005 03:52:54 49265 F:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 04/08/2004 13:00:00 187904 F:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 04/08/2004 13:00:00 618496 F:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 04/08/2004 13:00:00 35840 F:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 04/08/2004 13:00:00 25600 F:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 04/08/2004 13:00:00 257024 F:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 01/04/2005 16:16:00 73728 F:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 04/08/2004 13:00:00 32768 F:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 04/08/2004 13:00:00 114688 F:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 27/09/2001 20:41:50 287232 F:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 04/08/2004 13:00:00 298496 F:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 04/08/2004 13:00:00 28160 F:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 04/08/2004 13:00:00 94208 F:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 04/08/2004 13:00:00 148480 F:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 04/08/2004 13:00:00 162304 F:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 04/08/2004 13:00:00 68608 F:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 04/08/2004 13:00:00 549888 F:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 04/08/2004 13:00:00 135168 F:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 04/08/2004 13:00:00 80384 F:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 04/08/2004 13:00:00 155136 F:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 04/08/2004 13:00:00 358400 F:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 04/08/2004 13:00:00 129536 F:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 04/08/2004 13:00:00 68608 F:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 04/08/2004 13:00:00 187904 F:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 04/08/2004 13:00:00 618496 F:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 04/08/2004 13:00:00 35840 F:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 04/08/2004 13:00:00 25600 F:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 04/08/2004 13:00:00 257024 F:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 04/08/2004 13:00:00 32768 F:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 04/08/2004 13:00:00 114688 F:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 04/08/2004 13:00:00 155648 F:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 04/08/2004 13:00:00 298496 F:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 04/08/2004 13:00:00 28160 F:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 04/08/2004 13:00:00 94208 F:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 04/08/2004 13:00:00 148480 F:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 04/08/2004 13:00:00 162304 F:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
14/08/2005 17:17:50 HS 84 F:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
04/09/2005 10:10:32 1567 F:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
14/08/2005 17:07:04 HS 62 F:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
27/05/2005 22:21:08 HS 84 F:\Documents and Settings\Ian\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
27/05/2005 23:05:30 HS 62 F:\Documents and Settings\Ian\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = F:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TDS-3
{E8ADA3E1-CE9B-44A0-A165-997304EF4E18} = F:\WINDOWS\system32\tds3shl.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = F:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = F:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = F:\Program Files\WinAce\arcext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = F:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = F:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = F:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TDS-3
{E8ADA3E1-CE9B-44A0-A165-997304EF4E18} = F:\WINDOWS\system32\tds3shl.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = F:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = F:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = F:\Program Files\WinAce\arcext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A818BD85-2B41-49E4-B9F9-80D9FBF83E60}
Class = F:\WINDOWS\mfcyw32.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = F:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : F:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : F:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NeroFilterCheck F:\WINDOWS\system32\NeroCheck.exe
Symantec NetDriver Monitor F:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
NvCplDaemon RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
CTHelper CTHELPER.EXE
ccApp "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
THGuard "F:\Program Files\TrojanHunter 4.2\THGuard.exe"
nwiz nwiz.exe /install
NvMediaCenter RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
TkBellExe "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
SunJavaUpdateSched F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = F:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoChangingWallpaper 0
NoComponents 0
NoAddingComponents 0
NoDeletingComponents 0
NoEditingComponents 0
NoHTMLWallPaper 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoActiveDesktop 0
ClassicShell 0
ForceActiveDesktopOn 0
NoBandCustomize 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableTaskMgr 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = F:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = F:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 28/09/2005 18:12:04


AND the Silent Runner :

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NeroFilterCheck" = "F:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"Symantec NetDriver Monitor" = "F:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"CTHelper" = "CTHELPER.EXE" ["Creative Technology Ltd"]
"ccApp" = ""F:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"THGuard" = ""F:\Program Files\TrojanHunter 4.2\THGuard.exe"" ["Mischel Internet Security"]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"TkBellExe" = ""F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"SunJavaUpdateSched" = "F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{A818BD85-2B41-49E4-B9F9-80D9FBF83E60}\(Default) = "Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "F:\WINDOWS\mfcyw32.dll" [file not found]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "F:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "F:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "F:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}" = "TrojanHunter Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "F:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
"{32A9D769-5B55-4a25-9A62-86B5683FE50A}" = "NikonView Drop Extension"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Nikon\NkView6\NkvDropExt.dll" ["Nikon Corporation"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csjdp.exe" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
TDS-3\(Default) = "{E8ADA3E1-CE9B-44A0-A165-997304EF4E18}"
-> {CLSID}\InProcServer32\(Default) = "F:\WINDOWS\system32\tds3shl.dll" [empty string]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "F:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
TDS-3\(Default) = "{E8ADA3E1-CE9B-44A0-A165-997304EF4E18}"
-> {CLSID}\InProcServer32\(Default) = "F:\WINDOWS\system32\tds3shl.dll" [empty string]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "F:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "F:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "F:\Documents and Settings\Ian\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "Ian" & "All Users" startup folders:
-----------------------------------------------------

F:\Documents and Settings\All Users\Start Menu\Programs\Startup
"NkvMon.exe" -> shortcut to: "F:\Program Files\Nikon\NkView6\NkvMon.exe" ["Nikon Corporation"]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer - Ian" -> launches: "F:\PROGRA~1\NORTON~1\Navw32.exe /task:"F:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "F:\Program Files\Messenger\msmsgs.exe" [MS]


HOSTS file
----------

F:\WINDOWS\System32\drivers\etc\HOSTS

maps: 1 domain name to an IP address,
1 of the IP addresses is *not* localhost!


All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------

Application Management, AppMgmt, "F:\WINDOWS\system32\svchost.exe -k netsvcs" {"F:\WINDOWS\System32\appmgmts.dll" [file not found]}
Creative Service for CDROM Access, Creative Service for CDROM Access, "F:\WINDOWS\system32\CTsvcCDA.exe" ["Creative Technology Ltd"]
HTTP SSL, HTTPFilter, "F:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"F:\WINDOWS\System32\w3ssl.dll" [MS]}
ISSvc, ISSVC, ""F:\Program Files\Norton Personal Firewall\ISSVC.exe"" ["Symantec Corporation"]
Logical Disk Manager Administrative Service, dmadmin, "F:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]
Network Provisioning Service, xmlprov, "F:\WINDOWS\System32\svchost.exe -k netsvcs" {"F:\WINDOWS\System32\xmlprov.dll" [MS]}
Norton AntiVirus Auto-Protect Service, navapsvc, ""F:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton AntiVirus Firewall Monitor Service, NPFMntor, ""F:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe"" ["Symantec Corporation"]
NVIDIA Display Driver Service, NVSvc, "F:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Portable Media Serial Number Service, WmdmPmSN, "F:\WINDOWS\System32\svchost.exe -k netsvcs" {"F:\WINDOWS\system32\mspmsnsv.dll" [MS]}
SAVScan, SAVScan, ""F:\Program Files\Norton AntiVirus\SAVScan.exe"" ["Symantec Corporation"]
ScriptBlocking Service, SBService, "F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe" ["Symantec Corporation"]
svchost.exe, moto, "F:\WINDOWS\svchost.exe" [file not found]
Symantec Core LC, Symantec Core LC, "F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""F:\Program Files\Common Files\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec Password Validation, ccPwdSvc, ""F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, ""F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]
WMI Performance Adapter, WmiApSrv, "F:\WINDOWS\system32\wbem\wmiapsrv.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 209 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 16 seconds.
---------- (total run time: 266 seconds)

Thanks
B
  • 0

#8
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg (make sure that Save as Type is set at "All Files") on your Desktop. Ensure there is no space at or above REGEDIT 4.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""



Locate fixme.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer "Yes" and wait for a message to appear similar to "Merged Successfully".


If you use Windows XP, Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also.
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "Delete File on Reboot"
  • Navigate to this file - F:\WINDOWS\SYSTEM32\msexnpfi.exe
  • Double click on that file.
  • HJT asks you if you want to reboot, now. Click "no".

    Do that for the following files also, until you get to the last one, then click "yes" when HJT asks you to reboot.
F:\WINDOWS\SYSTEM32\msexnpbi.exe

Post back when you finish and tell me how your computer is running :tazz:
  • 0

#9
baneman

baneman

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Excellent ! :)

It's looking good, although it has gone through periods of inactivity before ( it kept its head down for a couple of days after I reinstalled Windows ), so I will keep a weather eye out in case it has another go.

But initial indications are that you've nailed it :tazz:

Many thanks

I'll post back in a few days to confirm.
Cheers
B
  • 0

#10
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
I am pretty confident its gone :tazz:

Great job, it appears your computer is clean :)

Ensure you rehide your “hidden files and folders” back to the way they were.

Now that your system is Malware Free, it is important to reset your system Restore. Click Here to learn how to.

I recommend that you Defrag your computer before setting your Restore points:

Go to start>all programs>accessories>system tools>Disk Defragmentor Make sure it set to the proper drive (default should be your main driver) and click on defragment


Might I suggest the following Free Spyware programs, if you don't already have them, for added security, you can download them at the following links. These programs work great for detection:

Ad-aware SE
Spybot S&D
Microsoft Anti-Spyware


If you are unhappy with your current antivirus and want to replace it or if you dont already have one, I suggest one of these free programs:
*Note - do not use more than one anti-virus program as it will more than likely cause conflict.

AVG
Avast
AntiVir


The following free programs are great for prevention:

SpywareBlaster 3.4
Spywareguard
IE/Spyad

A Firewall is a must! Here are 3 good free versions:
(do not have more than one firewall running on your system)

Sygate
Kerio
ZoneLabs

There are other options other than Internet Explorer for a browser, which some say have better security. Two of them are:

Firefox
Opera

If you decide to keep Internet Explorer, This site is a great source for tightening up security on It's settings.

Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month.

Be sure and give the Temp folders a cleaning out now and then as well, Make sure after you clean your Temp files to empty out your Recycle bin as well.
For ease use the following program:

Cleanup
Run "Cleanup" and when it has finished, Reboot

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided. Also read How I got Infected
  • 0

#11
baneman

baneman

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Confirming that my PC has not seen any recurrence of this horrible popup.


Many thanks again. :) :tazz: :)
  • 0

#12
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP