Persistent virus/hijacker [RESOLVED]

#61 MrSpkr (Topic Starter, Member, 63 posts)

Adaware found only negligible objects:

Ad-Aware SE Build 1.06r1
Logfile Created on:Sunday, September 25, 2005 5:24:22 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R67 20.09.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):10 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R67 20.09.2005
Internal build : 79
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 524443 Bytes
Total size : 1576182 Bytes
Signature data size : 1543004 Bytes
Reference data size : 32666 Bytes
Signatures total : 43850
CSI Fingerprints total : 1047
CSI data size : 37307 Bytes
Target categories : 15
Target families : 746


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:56 %
Total physical memory:523632 kb
Available physical memory:289164 kb
Total page file size:1279920 kb
Available on page file:1072404 kb
Total virtual memory:2097024 kb
Available virtual memory:2047964 kb
OS:Microsoft Windows XP Professional Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


9-25-2005 5:24:22 PM - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
    ModuleName        : \SystemRoot\System32\smss.exe
    Command Line      : n/a
    ProcessID          : 984
    ThreadCreationTime : 9-25-2005 10:22:21 PM
    BasePriority      : Normal


#:2 [csrss.exe]
    ModuleName        : \??\C:\WINDOWS\system32\csrss.exe
    Command Line      : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
    ProcessID          : 1100
    ThreadCreationTime : 9-25-2005 10:22:23 PM
    BasePriority      : Normal


#:3 [winlogon.exe]
    ModuleName        : \??\C:\WINDOWS\system32\winlogon.exe
    Command Line      : winlogon.exe
    ProcessID          : 1124
    ThreadCreationTime : 9-25-2005 10:22:26 PM
    BasePriority      : High


#:4 [services.exe]
    ModuleName        : C:\WINDOWS\system32\services.exe
    Command Line      : C:\WINDOWS\system32\services.exe
    ProcessID          : 1168
    ThreadCreationTime : 9-25-2005 10:22:26 PM
    BasePriority      : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion    : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Services and Controller app
    InternalName      : services.exe
    LegalCopyright    : © Microsoft Corporation. All rights reserved.
    OriginalFilename  : services.exe

#:5 [lsass.exe]
    ModuleName        : C:\WINDOWS\system32\lsass.exe
    Command Line      : C:\WINDOWS\system32\lsass.exe
    ProcessID          : 1180
    ThreadCreationTime : 9-25-2005 10:22:27 PM
    BasePriority      : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion    : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : LSA Shell (Export Version)
    InternalName      : lsass.exe
    LegalCopyright    : © Microsoft Corporation. All rights reserved.
    OriginalFilename  : lsass.exe

#:6 [svchost.exe]
    ModuleName        : C:\WINDOWS\system32\svchost.exe
    Command Line      : C:\WINDOWS\system32\svchost -k DcomLaunch
    ProcessID          : 1432
    ThreadCreationTime : 9-25-2005 10:22:28 PM
    BasePriority      : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion    : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName      : svchost.exe
    LegalCopyright    : © Microsoft Corporation. All rights reserved.
    OriginalFilename  : svchost.exe

#:7 [svchost.exe]
    ModuleName        : C:\WINDOWS\system32\svchost.exe
    Command Line      : C:\WINDOWS\system32\svchost -k rpcss
    ProcessID          : 1500
    ThreadCreationTime : 9-25-2005 10:22:28 PM
    BasePriority      : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion    : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName      : svchost.exe
    LegalCopyright    : © Microsoft Corporation. All rights reserved.
    OriginalFilename  : svchost.exe

#:8 [svchost.exe]
    ModuleName        : C:\WINDOWS\System32\svchost.exe
    Command Line      : C:\WINDOWS\System32\svchost.exe -k netsvcs
    ProcessID          : 1540
    ThreadCreationTime : 9-25-2005 10:22:28 PM
    BasePriority      : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion    : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName      : svchost.exe
    LegalCopyright    : © Microsoft Corporation. All rights reserved.
    OriginalFilename  : svchost.exe

#:9 [svchost.exe]
    ModuleName        : C:\WINDOWS\System32\svchost.exe
    Command Line      : C:\WINDOWS\System32\svchost.exe -k NetworkService
    ProcessID          : 1604
    ThreadCreationTime : 9-25-2005 10:22:29 PM
    BasePriority      : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion    : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName      : svchost.exe
    LegalCopyright    : © Microsoft Corporation. All rights reserved.
    OriginalFilename  : svchost.exe

#:10 [svchost.exe]
    ModuleName        : C:\WINDOWS\System32\svchost.exe
    Command Line      : C:\WINDOWS\System32\svchost.exe -k LocalService
    ProcessID          : 1716
    ThreadCreationTime : 9-25-2005 10:22:29 PM
    BasePriority      : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion    : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName      : svchost.exe
    LegalCopyright    : © Microsoft Corporation. All rights reserved.
    OriginalFilename  : svchost.exe

#:11 [spoolsv.exe]
    ModuleName        : C:\WINDOWS\system32\spoolsv.exe
    Command Line      : C:\WINDOWS\system32\spoolsv.exe
    ProcessID          : 2020
    ThreadCreationTime : 9-25-2005 10:22:30 PM
    BasePriority      : Normal
    FileVersion        : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
    ProductVersion    : 5.1.2600.2696
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Spooler SubSystem App
    InternalName      : spoolsv.exe
    LegalCopyright    : © Microsoft Corporation. All rights reserved.
    OriginalFilename  : spoolsv.exe

#:12 [scardsvr.exe]
    ModuleName        : C:\WINDOWS\System32\SCardSvr.exe
    Command Line      : C:\WINDOWS\System32\SCardSvr.exe
    ProcessID          : 176
    ThreadCreationTime : 9-25-2005 10:22:30 PM
    BasePriority      : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion    : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Smart Card Resource Management Server
    InternalName      : SCardSvr.exe
    LegalCopyright    : © Microsoft Corporation. All rights reserved.
    OriginalFilename  : SCardSvr.exe

#:13 [ccevtmgr.exe]
    ModuleName        : C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    Command Line      : "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    ProcessID          : 240
    ThreadCreationTime : 9-25-2005 10:22:30 PM
    BasePriority      : Normal
    FileVersion        : 1.03.4
    ProductVersion    : 1.03.4
    ProductName        : Event Manager
    CompanyName        : Symantec Corporation
    FileDescription    : Event Manager Service
    InternalName      : ccEvtMgr
    LegalCopyright    : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
    OriginalFilename  : ccEvtMgr.exe

#:14 [navapsvc.exe]
    ModuleName        : C:\Program Files\Norton AntiVirus\navapsvc.exe
    Command Line      : "C:\Program Files\Norton AntiVirus\navapsvc.exe"
    ProcessID          : 328
    ThreadCreationTime : 9-25-2005 10:22:30 PM
    BasePriority      : Normal
    FileVersion        : 8.07.17
    ProductVersion    : 8.07.17
    ProductName        : Norton AntiVirus
    CompanyName        : Symantec Corporation
    FileDescription    : Norton AntiVirus Auto-Protect Service
    InternalName      : NAVAPSVC
    LegalCopyright    : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
    OriginalFilename  : NAVAPSVC.EXE

#:15 [nisum.exe]
    ModuleName        : C:\Program Files\Norton Internet Security\NISUM.EXE
    Command Line      : "C:\Program Files\Norton Internet Security\NISUM.EXE"
    ProcessID          : 444
    ThreadCreationTime : 9-25-2005 10:22:30 PM
    BasePriority      : Normal
    FileVersion        : 6.02.2003
    ProductVersion    : 6.02.2003
    ProductName        : Norton Internet Security
    CompanyName        : Symantec Corporation
    FileDescription    : Norton Internet Security NISUM
    InternalName      : NISUM
    LegalCopyright    : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
    OriginalFilename  : NISUM.exe

#:16 [nvsvc32.exe]
    ModuleName        : C:\WINDOWS\System32\nvsvc32.exe
    Command Line      : C:\WINDOWS\System32\nvsvc32.exe
    ProcessID          : 580
    ThreadCreationTime : 9-25-2005 10:22:31 PM
    BasePriority      : Normal
    FileVersion        : 6.14.10.4422
    ProductVersion    : 6.14.10.4422
    ProductName        : NVIDIA Driver Helper Service, Version 44.22
    CompanyName        : NVIDIA Corporation
    FileDescription    : NVIDIA Driver Helper Service, Version 44.22
    InternalName      : NVSVC
    LegalCopyright    : © NVIDIA Corporation. All rights reserved.
    OriginalFilename  : nvsvc32.exe

#:17 [slserv.exe]
    ModuleName        : C:\WINDOWS\system32\slserv.exe
    Command Line      : slserv.exe
    ProcessID          : 660
    ThreadCreationTime : 9-25-2005 10:22:31 PM
    BasePriority      : Normal
    FileVersion        : 2.80.00(24Apr2000)
    ProductVersion    : 2.80.00
    ProductName        : Modem
    FileDescription    : User-Level Modem Service
    InternalName      : slserv
    LegalCopyright    : Copyright © 1999-2000
    OriginalFilename  : slserv.exe

#:18 [ccpxysvc.exe]
    ModuleName        : C:\Program Files\Norton Internet Security\ccPxySvc.exe
    Command Line      : "C:\Program Files\Norton Internet Security\ccPxySvc.exe"
    ProcessID          : 760
    ThreadCreationTime : 9-25-2005 10:22:31 PM
    BasePriority      : Normal
    FileVersion        : 6.02.2003
    ProductVersion    : 6.02.2003
    ProductName        : Norton Internet Security
    CompanyName        : Symantec Corporation
    FileDescription    : Norton Internet Security Proxy Service
    InternalName      : ccPxySvc
    LegalCopyright    : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
    OriginalFilename  : ccPxySvc.exe

#:19 [symwsc.exe]
    ModuleName        : C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    Command Line      : "C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe"
    ProcessID          : 780
    ThreadCreationTime : 9-25-2005 10:22:31 PM
    BasePriority      : Normal
    FileVersion        : 2005.1.2.20
    ProductVersion    : 2005.1
    ProductName        : Norton Security Center
    CompanyName        : Symantec Corporation
    FileDescription    : Norton Security Center Service
    InternalName      : SymWSC.exe
    LegalCopyright    : Copyright © 1997-2004 Symantec Corporation
    OriginalFilename  : SymWSC.exe

#:20 [alg.exe]
    ModuleName        : C:\WINDOWS\System32\alg.exe
    Command Line      : C:\WINDOWS\System32\alg.exe
    ProcessID          : 1272
    ThreadCreationTime : 9-25-2005 10:22:32 PM
    BasePriority      : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion    : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Application Layer Gateway Service
    InternalName      : ALG.exe
    LegalCopyright    : © Microsoft Corporation. All rights reserved.
    OriginalFilename  : ALG.exe

#:21 [wuauclt.exe]
    ModuleName        : C:\WINDOWS\system32\wuauclt.exe
    Command Line      : "C:\WINDOWS\system32\wuauclt.exe" /RunStoreAsComServer Local\[604]SUSDSc2f8f33fb69b45478b16d47d7034903f
    ProcessID          : 1776
    ThreadCreationTime : 9-25-2005 10:23:17 PM
    BasePriority      : Normal
    FileVersion        : 5.8.0.2469 built by: lab01_n(wmbla)
    ProductVersion    : 5.8.0.2469
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Automatic Updates
    InternalName      : wuauclt.exe
    LegalCopyright    : © Microsoft Corporation. All rights reserved.
    OriginalFilename  : wuauclt.exe

#:22 [explorer.exe]
    ModuleName        : C:\WINDOWS\Explorer.EXE
    Command Line      : C:\WINDOWS\Explorer.EXE
    ProcessID          : 1868
    ThreadCreationTime : 9-25-2005 10:23:19 PM
    BasePriority      : Normal
    FileVersion        : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion    : 6.00.2900.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows Explorer
    InternalName      : explorer
    LegalCopyright    : © Microsoft Corporation. All rights reserved.
    OriginalFilename  : EXPLORER.EXE

#:23 [incd.exe]
    ModuleName        : C:\Program Files\Ahead\InCD\InCD.exe
    Command Line      : "C:\Program Files\Ahead\InCD\InCD.exe"
    ProcessID          : 336
    ThreadCreationTime : 9-25-2005 10:23:22 PM
    BasePriority      : Normal


#:24 [point32.exe]
    ModuleName        : C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    Command Line      : "C:\Program Files\Microsoft Hardware\Mouse\point32.exe"
    ProcessID          : 900
    ThreadCreationTime : 9-25-2005 10:23:22 PM
    BasePriority      : Normal


#:25 [ccapp.exe]
    ModuleName        : C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    Command Line      : "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    ProcessID          : 908
    ThreadCreationTime : 9-25-2005 10:23:22 PM
    BasePriority      : Normal
    FileVersion        : 1.0.10.006
    ProductVersion    : 1.0.10.006
    ProductName        : Common Client
    CompanyName        : Symantec Corporation
    FileDescription    : Common Client CC App
    InternalName      : ccApp
    LegalCopyright    : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
    OriginalFilename  : ccApp.exe

#:26 [realsched.exe]
    ModuleName        : C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    Command Line      : "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
    ProcessID          : 892
    ThreadCreationTime : 9-25-2005 10:23:22 PM
    BasePriority      : Normal
    FileVersion        : 0.1.0.3275
    ProductVersion    : 0.1.0.3275
    ProductName        : RealPlayer (32-bit)
    CompanyName        : RealNetworks, Inc.
    FileDescription    : RealNetworks Scheduler
    InternalName      : schedapp
    LegalCopyright    : Copyright © RealNetworks, Inc. 1995-2004
    LegalTrademarks    : RealAudio™ is a trademark of RealNetworks, Inc.
    OriginalFilename  : realsched.exe

#:27 [navapw32.exe]
    ModuleName        : C:\PROGRA~1\NORTON~2\navapw32.exe
    Command Line      : "C:\PROGRA~1\NORTON~2\navapw32.exe"
    ProcessID          : 656
    ThreadCreationTime : 9-25-2005 10:23:23 PM
    BasePriority      : Normal
    FileVersion        : 8.07.17
    ProductVersion    : 8.07.17
    ProductName        : Norton AntiVirus
    CompanyName        : Symantec Corporation
    FileDescription    : Norton AntiVirus Agent
    InternalName      : NAVAPW32
    LegalCopyright    : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
    OriginalFilename  : NAVAPW32.EXE

#:28 [jusched.exe]
    ModuleName        : C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    Command Line      : "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
    ProcessID          : 1216
    ThreadCreationTime : 9-25-2005 10:23:23 PM
    BasePriority      : Normal


#:29 [ituneshelper.exe]
    ModuleName        : C:\Program Files\iTunes\iTunesHelper.exe
    Command Line      : "C:\Program Files\iTunes\iTunesHelper.exe"
    ProcessID          : 1172
    ThreadCreationTime : 9-25-2005 10:23:23 PM
    BasePriority      : Normal
    FileVersion        : 5.0.1.4
    ProductVersion    : 5.0.1.4
    ProductName        : iTunes
    CompanyName        : Apple Computer, Inc.
    FileDescription    : iTunesHelper Module
    InternalName      : iTunesHelper
    LegalCopyright    : © 2003-2005 Apple Computer, Inc. All Rights Reserved.
    OriginalFilename  : iTunesHelper.exe

#:30 [qttask.exe]
    ModuleName        : C:\Program Files\QuickTime\qttask.exe
    Command Line      : "C:\Program Files\QuickTime\qttask.exe" -atboottime
    ProcessID          : 1096
    ThreadCreationTime : 9-25-2005 10:23:23 PM
    BasePriority      : Normal
    FileVersion        : 7.0.2
    ProductVersion    : QuickTime 7.0.2
    ProductName        : QuickTime
    CompanyName        : Apple Computer, Inc.
    FileDescription    : QuickTime Task
    InternalName      : QuickTime Task
    LegalCopyright    : Copyright Apple Computer, Inc. 1989-2005
    OriginalFilename  : QTTask.exe

#:31 [msmsgs.exe]
    ModuleName        : C:\Program Files\Messenger\msmsgs.exe
    Command Line      : "C:\Program Files\Messenger\msmsgs.exe" /background
    ProcessID          : 1092
    ThreadCreationTime : 9-25-2005 10:23:23 PM
    BasePriority      : Normal
    FileVersion        : 4.7.3001
    ProductVersion    : Version 4.7.3001
    ProductName        : Messenger
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows Messenger
    InternalName      : msmsgs
    LegalCopyright    : Copyright © Microsoft Corporation 2004
    LegalTrademarks    : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
    OriginalFilename  : msmsgs.exe

#:32 [ipodservice.exe]
    ModuleName        : C:\Program Files\iPod\bin\iPodService.exe
    Command Line      : "C:\Program Files\iPod\bin\iPodService.exe"
    ProcessID          : 1104
    ThreadCreationTime : 9-25-2005 10:23:25 PM
    BasePriority      : Normal
    FileVersion        : 5.0.1.4
    ProductVersion    : 5.0.1.4
    ProductName        : iTunes
    CompanyName        : Apple Computer, Inc.
    FileDescription    : iPodService Module
    InternalName      : iPodService
    LegalCopyright    : © 2003-2005 Apple Computer, Inc. All Rights Reserved.
    OriginalFilename  : iPodService.exe

#:33 [odhost.exe]
    ModuleName        : C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
    Command Line      : "C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe"
    ProcessID          : 2460
    ThreadCreationTime : 9-25-2005 10:23:30 PM
    BasePriority      : Normal
    FileVersion        : 1, 0, 0, 1
    ProductVersion    : 1, 0, 0, 1
    FileDescription    : Odyssey COM Host
    InternalName      : OdHost
    LegalCopyright    : Copyright © 2003
    OriginalFilename  : Odhost.exe

#:34 [wpc54cfg.exe]
    ModuleName        : C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
    Command Line      : "C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe"
    ProcessID          : 2612
    ThreadCreationTime : 9-25-2005 10:23:31 PM
    BasePriority      : Normal
    FileVersion        : 2.0.2.21
    ProductVersion    : 1.3.0.1
    ProductName        : Linksys Instant WLAN Monitor
    CompanyName        : The Linksys Group, Inc.
    FileDescription    : Linksys Instant WLAN Monitor
    InternalName      : WLANMonitor.EXE
    LegalCopyright    : Copyright © 2003, Linksys
    LegalTrademarks    : Instant Wireless
    OriginalFilename  : WLANMonitor.EXE
    Comments          : Linksys Instant WLAN Monitor

#:35 [ad-aware.exe]
    ModuleName        : C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
    Command Line      : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
    ProcessID          : 2692
    ThreadCreationTime : 9-25-2005 10:23:56 PM
    BasePriority      : Normal
    FileVersion        : 6.2.0.236
    ProductVersion    : SE 106
    ProductName        : Lavasoft Ad-Aware SE
    CompanyName        : Lavasoft Sweden
    FileDescription    : Ad-Aware SE Core application
    InternalName      : Ad-Aware.exe
    LegalCopyright    : Copyright © Lavasoft AB Sweden
    OriginalFilename  : Ad-Aware.exe
    Comments          : All Rights Reserved

#:36 [wmiprvse.exe]
    ModuleName        : C:\WINDOWS\System32\wbem\wmiprvse.exe
    Command Line      : C:\WINDOWS\System32\wbem\wmiprvse.exe -Embedding
    ProcessID          : 3148
    ThreadCreationTime : 9-25-2005 10:23:59 PM
    BasePriority      : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion    : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : WMI
    InternalName      : Wmiprvse.exe
    LegalCopyright    : © Microsoft Corporation. All rights reserved.
    OriginalFilename  : Wmiprvse.exe

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

MRU List Object Recognized!
    Location:          : C:\Documents and Settings\Stephen Hines\recent
    Description        : list of recently opened documents


MRU List Object Recognized!
    Location:          : S-1-5-21-861567501-1715567821-1801674531-1003\software\google\navclient\1.1\history
    Description        : list of recently used search terms in the google toolbar


MRU List Object Recognized!
    Location:          : software\microsoft\directdraw\mostrecentapplication
    Description        : most recent application to use microsoft directdraw


MRU List Object Recognized!
    Location:          : S-1-5-21-861567501-1715567821-1801674531-1003\software\microsoft\internet explorer
    Description        : last download directory used in microsoft internet explorer


MRU List Object Recognized!
    Location:          : S-1-5-21-861567501-1715567821-1801674531-1003\software\microsoft\search assistant\acmru
    Description        : list of recent search terms used with the search assistant


MRU List Object Recognized!
    Location:          : S-1-5-21-861567501-1715567821-1801674531-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
    Description        : list of recent programs opened


MRU List Object Recognized!
    Location:          : S-1-5-21-861567501-1715567821-1801674531-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
    Description        : list of recently saved files, stored according to file extension


MRU List Object Recognized!
    Location:          : S-1-5-21-861567501-1715567821-1801674531-1003\software\microsoft\windows\currentversion\explorer\recentdocs
    Description        : list of recent documents opened


MRU List Object Recognized!
    Location:          : S-1-5-21-861567501-1715567821-1801674531-1003\software\nico mak computing\winzip\filemenu
    Description        : winzip recently used archives


MRU List Object Recognized!
    Location:          : S-1-5-21-861567501-1715567821-1801674531-1003\software\microsoft\windows media\wmsdk\general
    Description        : windows media sdk



Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 10



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 10


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 10




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 10

5:34:05 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:09:42.859
Objects scanned:117470
Objects identified:0
Objects ignored:0
New critical objects:0



Here is the HijackThis! logfile:

Logfile of HijackThis v1.99.1
Scan saved at 5:35:41 PM, on 9/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\NORTON~2\navapw32.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Stephen Hines\Desktop\Security Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dallasnews.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\navapw32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CorelCENTRAL 10.lnk = ?
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - https://a248.e.akama...qt/qtplugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124323643390
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.pho...hxStudent15.CAB
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) -  - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Also, the blacking out problem started up again.

Sigh.

Steve
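The O4 and O23 lines in the HijackThis log above are the autostart surface this thread keeps coming back to. As an added example, not something from the thread or from HijackThis itself, here is a small Python triage script that parses lines in that format and flags the patterns a responder checks first: Run values that are bare filenames (located through the PATH search order), unquoted paths with spaces, executables living in Temp or the user profile, core system binaries such as svchost.exe launched from a Run key, and services with no publisher string. The sample log is constructed: most lines are copied from the log above, while the [Service Host], [Updater] and [Helper] entries are made up to show what a hit looks like. A hit is a lead to verify by hash, signature and on-disk location, not a verdict; the blank-owner SmartLinkService entry, for instance, needs checking before it is judged.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Core Windows processes that are started by the kernel, winlogon or the service
# control manager, never from a Run key. A Run value launching one of these (or a
# same-named copy in another directory) is a classic hiding place.
SYSTEM_ONLY = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
               "services.exe", "smss.exe"}
# Directory fragments a limited user can write to; an autostart living there was
# dropped by something running as that user.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\")
EXE_EXT = re.compile(r"\.(exe|com|dll|scr|bat|cmd|pif)$", re.IGNORECASE)

RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.*?) - (?P<path>.+)$")

# Constructed sample log: real lines from the log above plus three made-up
# entries ([Service Host], [Updater], [Helper]) that show what a hit looks like.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\navapw32.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Updater] C:\DOCUME~1\STEVE\LOCALS~1\Temp\updater.exe
O4 - HKLM\..\Run: [Helper] C:\Program Files\Example\helper.exe /tray
O23 - Service: SmartLinkService (SLService) -  - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""


@dataclass
class Finding:
    entry: str   # the [name] of the Run value, or the service display name
    reason: str  # why it deserves a second look


def executable_of(cmd: str) -> Tuple[str, bool]:
    """Return (first token of a Run command line, whether it was quoted)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]), True
    return cmd.split(" ", 1)[0], False


def check_run(cmd: str) -> List[str]:
    """Heuristic reasons a Run-key command line deserves a closer look."""
    exe, quoted = executable_of(cmd)
    reasons: List[str] = []
    # An unquoted "C:\Program Files\x\y.exe" is cut at the first space, so the
    # first token has no extension; Windows would try C:\Program.exe first too.
    if not quoted and "\\" in exe and not EXE_EXT.search(exe):
        reasons.append("unquoted path that contains spaces")
    base = exe.rsplit("\\", 1)[-1].lower()
    if base == "rundll32.exe":
        # rundll32 is only a loader: judge the DLL it is told to load instead.
        parts = cmd.strip().split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
        exe = rest.split(",", 1)[0].strip().strip('"')
        base = exe.rsplit("\\", 1)[-1].lower()
    if "\\" not in exe:
        reasons.append("bare filename, located through the PATH search order")
    if base in SYSTEM_ONLY:
        reasons.append(f"{base} is never started from a Run key")
    if any(frag in exe.lower() for frag in USER_WRITABLE):
        reasons.append("executable lives in a user-writable profile directory")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Parse HijackThis O4/O23 lines and return the entries worth verifying."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line)
        if m:
            findings.extend(Finding(m["name"], r) for r in check_run(m["cmd"]))
            continue
        m = SVC_RE.match(line)
        if m and m["owner"].strip() in ("", "Unknown owner"):
            findings.append(Finding(m["name"], "service binary has no publisher string; check its signature and hash"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry:30} {f.reason}")
```

To run it over a saved log, pass the file's text to triage(); anything it lists still has to be confirmed against the binary on disk, since the heuristics deliberately err on the side of flagging.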



#62 tampabelle (Retired Staff, 6,363 posts)
Please visit Panda and do an online scan. Save the scan report and post it back here.

#63 MrSpkr (Topic Starter, 63 posts)
Panda scan found nothing. I thought I had cut a copy of the scan report, but it wouldn't paste here.

Steve

#64 MrSpkr (Topic Starter, 63 posts)
I just got an odd error -- I had three Internet Explorer windows open and clicked a link to open a fourth. The machine froze up for about two minutes, then dumped me into a 400x640 display with 16 colors. I got a message that the nv5_disp.dll driver had stopped working.

Here is the data from the error:

BCCode : ea    BCP1 : FFB72020    BCP2 : 820CC8A8    BCP3 : 821F4F58   
BCP4 : 00000001    OSVer : 5_1_2600    SP : 2_0    Product : 256_1   

C:\DOCUME~1\STEPHE~1\LOCALS~1\Temp\WERc3b2.dir00\Mini092505-01.dmp
C:\DOCUME~1\STEPHE~1\LOCALS~1\Temp\WERc3b2.dir00\sysdata.xml



Sigh.

Edited by MrSpkr, 25 September 2005 - 09:58 PM.


#65 tampabelle (Retired Staff, 6,363 posts)
This problem is symptomatic (mostly) of overheating in the PC. Chances are that your Video card is overheating.

(That must be the reason why you are having the blacking out of the screen).

Try - Open the PC case and point a fan at the mobo and the Video card.

If it doesn't work, then post a new topic in the Hardware section.

Edited by tampabelle, 26 September 2005 - 03:47 PM.


#66 MrSpkr (Topic Starter, 63 posts)
I disagree strongly. This is not a hardware problem.

The only time this error occurs is when I am hooked up to the internet and have Internet Explorer, MS Word, WordPerfect and/or Firefox open. I do not get it when running high-intensity graphics games like Half-Life II or Combat Mission: Afrika Korps. This is not a heating issue. I am running a medium-high end gaming laptop here.

I told you I removed SpybotSD. I started getting the blackouts again after I removed it. I reinstalled and the blackouts became markedly reduced in frequency. Additionally, the Spybot scan found Winfixer and a couple of other things when I ran it.

This is a very nasty trojan of some sort. I am strongly considering wiping my C: partition and reinstalling Windows XP. What I need to know is, can I safely save my favorites, my documents and export/import my Outlook? How can I keep the trojan from following that stuff? Also, how do I ensure it is not hidden on another portion of the partition?

Please advise if you think I am missing something here.

Steve

Edited by MrSpkr, 26 September 2005 - 10:02 PM.


#67 tampabelle (Retired Staff, 6,363 posts)
Wherever you can go (without use of a password), the infections can also travel. So whether you are saving files on another partition or creating backups on external drives, the risk exists.


Reinstalling Windows XP also may not give you a completely clean PC because the infection can survive it.

#68 MrSpkr (Topic Starter, 63 posts)
Would (a) reformatting that partition help? What of reformatting the entire hard drive and starting from scratch?

I am getting traces of WinFixer here, as well as the Backdoor.Greybird virus, the "Trojan.ByteVerify" trojan, Dealhelper and a svchost.exe.mdmp program. I now know that these issues started after someone in my family apparently tried finding a cheat or reg code for a game and downloaded and opened a program file they should not have.

Please advise. If I have to take a half a day to move most of my stuff to writable CD's, reformat my hard drive, reinstall all programs, then set up my antivirus to scan my backup CD's before restoring the information, then I need to get busy on it.

Steve
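The backup question in the last two posts (what rides along when files are copied to another partition or burned to CD) is a content problem, not a location problem: a "document" is only as safe as its real format. As an added example, not part of the thread, here is a Python script that walks a backup set and judges each file by its header rather than its name. It flags PE executables whatever their extension, Windows shortcuts (.lnk), OLE compound documents that may carry macros, script extensions, and double extensions such as photo.jpg.exe, which Explorer shows as photo.jpg with the default "hide extensions" setting. The backup set built in demo() is constructed in a temporary directory; its file names and contents are made up. This is a pre-restore triage pass to run alongside the antivirus scan of the backup CDs that Steve describes, not a replacement for it.

```python
import tempfile
from pathlib import Path
from typing import Dict, List

# Content signatures. A file is judged by its header, not by the name Explorer
# shows, because "Hide extensions for known file types" is on by default.
MZ = b"MZ"                                           # PE executable (.exe/.dll/.scr ...)
OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"             # OLE compound file (Office 97-2003)
LNK = (b"\x4c\x00\x00\x00"                           # HeaderSize 0x4C
       b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")  # LinkCLSID
EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".dll", ".bat", ".cmd", ".vbs",
            ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".lnk"}
DATA_EXT = {".doc", ".xls", ".ppt", ".txt", ".pdf", ".jpg", ".gif", ".mp3", ".htm", ".html"}


def classify(path: Path) -> List[str]:
    """Reasons this file should not be restored without inspection (empty = fine)."""
    reasons: List[str] = []
    suffixes = [s.lower() for s in path.suffixes]
    ext = suffixes[-1] if suffixes else ""
    with path.open("rb") as fh:
        head = fh.read(len(LNK))
    if head.startswith(MZ):
        if ext in (".exe", ".dll", ".scr", ".com", ".pif"):
            reasons.append("PE executable by header")
        else:
            reasons.append(f"PE executable by header despite the {ext or 'missing'} extension")
    if head.startswith(LNK):
        reasons.append("Windows shortcut: its target can be any command line")
    if head.startswith(OLE):
        reasons.append("OLE compound document: may carry VBA macros, scan before opening")
    if ext in EXEC_EXT:
        reasons.append(f"{ext} runs when opened")
    if len(suffixes) >= 2 and suffixes[-2] in DATA_EXT and ext in EXEC_EXT:
        reasons.append("double extension: Explorer shows only the harmless-looking part")
    return reasons


def vet_backup(root: Path) -> Dict[str, List[str]]:
    """Walk a backup set and map each risky file (relative path) to its reasons."""
    flagged: Dict[str, List[str]] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            reasons = classify(p)
            if reasons:
                flagged[p.relative_to(root).as_posix()] = reasons
    return flagged


def demo() -> Dict[str, List[str]]:
    """Build a constructed backup set in a temp dir and vet it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        samples = {
            "notes.txt": b"plain text, nothing to see",
            "photo.jpg.exe": MZ + b"\x90" * 62,          # exe hiding behind .jpg
            "invoice.pdf": MZ + b"\x90" * 62,            # exe renamed to .pdf
            "readme.lnk": LNK + b"\x00" * 44,            # shortcut
            "docs/memo.doc": OLE + b"\x00" * 504,        # Office 97-2003 container
            "setup.bat": b"@echo off\r\nstart helper.exe\r\n",
        }
        for name, data in samples.items():
            (root / name).write_bytes(data)
        return vet_backup(root)


if __name__ == "__main__":
    for name, why in demo().items():
        print(name, "->", "; ".join(why))
```

Point vet_backup() at the root of the copied files before burning or restoring; anything it lists gets opened on the rebuilt machine only after it has been scanned and its purpose is understood.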

#69 tampabelle (Retired Staff, 6,363 posts)
1) Click on Start ---> Settings ---> Control Panel.

Double click on Java.

Click on the General tab. Click on Delete Files. Check all three boxes and then click on OK.

Click on the Update tab. Click on "Update Now".


2) Please download SilentRunners from here:
http://www.silentrun...ent Runners.zip

Unzip it to the desktop and double-click on it.

If you get any kind of warning message about scripts, please choose to allow the script to run.

When the scan is finished, a message will pop up and a logfile will have been created on the desktop.

Please post the entire contents of this logfile for me to see.

3) Please download RootKitRevealer from here:
http://www.sysintern...kitrevealer.zip

Unzip it to the desktop, run it, and click Scan.

This will generate a log file; please post the entire contents of the log file here for me to see.

#70 MrSpkr (Topic Starter, 63 posts)
Silent Runners doesn't do anything when I double click on it. I have unzipped it to my desktop, but nothing happens.

I'll post the RootkitRevealer in a minute.

Steve



#71 MrSpkr (Topic Starter, 63 posts)
Here is the RootkitRevealer log:

C:\Program Files\Common Files\Symantec Shared\VirusDefs\20050928.007\vscanmsx.dat 10/2/2005 12:05 AM 2.02 KB Hidden from Windows API.



Steve

#72 MrSpkr (Topic Starter, 63 posts)
Got Silent Runners to work -- Norton had "Script Blocking" enabled, with "block all and do not warn me" turned on.

Here is the logfile:

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NeroCheck" = "C:\WINDOWS\System32\\NeroCheck.exe" ["Ahead Software Gmbh"]
"InCD" = "C:\Program Files\Ahead\InCD\InCD.exe" ["Nero AG"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"ccRegVfy" = ""C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot" ["RealNetworks, Inc."]
"NAV Agent" = "C:\PROGRA~1\NORTON~2\navapw32.exe" ["Symantec Corporation"]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" ["Sun Microsystems, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ahead\InCD\incdshx.dll" ["Nero AG"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Stephen Hines\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssmypics.scr" [MS]


Startup items in "Stephen Hines" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"CorelCENTRAL 10" -> shortcut to: "C:\WINDOWS\Installer\{A0B295C3-FD3C-11D4-A811-0090279106C3}\I_26dadCC.exe /startup" [null data]
"Wireless-G Notebook Adapter Utility" -> shortcut to: "C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe" [empty string]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~2\NAVW32.exe /task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~2\Tasks\mycomp.sca" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

"{40D41A8B-D79B-43D7-99A7-9EE0F344C385}" = "AIM Search" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AIM Toolbar\AIMBar.dll" ["America Online, Inc"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

InCD Helper (read only), InCDsrvR, "C:\Program Files\Ahead\InCD\InCDsrv.exe -r" ["Nero AG"]
Norton AntiVirus Auto Protect Service, navapsvc, "C:\Program Files\Norton AntiVirus\navapsvc.exe" ["Symantec Corporation"]
Norton Internet Security Accounts Manager, NISUM, ""C:\Program Files\Norton Internet Security\NISUM.EXE"" ["Symantec Corporation"]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
SmartLinkService, SLService, "slserv.exe" [" "]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Proxy Service, ccPxySvc, ""C:\Program Files\Norton Internet Security\ccPxySvc.exe"" ["Symantec Corporation"]
SymWMI Service, SymWSC, "C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe" ["Symantec Corporation"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
  use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 35 seconds, including 6 seconds for message boxes)



Steve

Edited by MrSpkr, 02 October 2005 - 07:44 PM.

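One section of the Silent Runners log above that is worth reading rather than skimming is the Winsock2 "Transport Service Providers" catalog (Protocol_Catalog9). Every DLL listed there sits in the path of all TCP/UDP traffic on the box, which is why layered service providers were a favorite spyware hook, and why deleting one carelessly breaks networking: the catalog entries are numbered, and a slot left empty after a removal is the classic cause of "no internet after cleanup" that LSPFix-style tools repair by renumbering. As an added example, not part of the thread or of Silent Runners, here is a Python check that parses that section, expands the "01 - 03, 06 - 15" ranges, and reports gaps, overlapping slots and non-Microsoft providers. The CLEAN sample is the section as printed above (complete, slots 1 to 15, all [MS]); the BROKEN sample is constructed, with slot 6 removed and a made-up third-party provider examplelsp.dll added.

```python
import re
from typing import Dict, List, Set, Tuple

SECTION = "Protocol_Catalog9"
# One provider line: DLL path, [vendor] annotation, then the slot ranges.
ENTRY_RE = re.compile(r"^(?P<dll>\S+\.dll) \[(?P<vendor>[^\]]*)\], (?P<slots>[\d\s,-]+)$",
                      re.IGNORECASE)

# Constructed samples in Silent Runners' own layout. CLEAN reproduces the section
# from the log above; BROKEN drops slot 6 and adds a fictitious third-party LSP.
CLEAN = r"""
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
"""
BROKEN = r"""
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 07 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
C:\WINDOWS\system32\examplelsp.dll ["Example Vendor"], 16 - 18

Toolbars, Explorer Bars, Extensions:
"""


def parse_slots(spec: str) -> Set[int]:
    """Expand '01 - 03, 06 - 15' into the set of catalog indexes it covers."""
    slots: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi.strip() else lo_i
        slots.update(range(lo_i, hi_i + 1))
    return slots


def lsp_entries(report: str) -> List[Tuple[str, str, Set[int]]]:
    """Return (dll, vendor, slots) for each transport provider in the report."""
    entries: List[Tuple[str, str, Set[int]]] = []
    in_section = False
    for raw in report.splitlines():
        line = raw.strip()
        if SECTION in line:
            in_section = True
            continue
        if not in_section:
            continue
        if not line:
            if entries:          # blank line after the entries ends the section
                break
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m["dll"], m["vendor"].strip('"'), parse_slots(m["slots"])))
    return entries


def audit_lsp(report: str) -> Dict[str, object]:
    """Check the catalog for holes, double-booked slots and non-Microsoft DLLs."""
    entries = lsp_entries(report)
    owner: Dict[int, List[str]] = {}
    for dll, _vendor, slots in entries:
        for s in slots:
            owner.setdefault(s, []).append(dll)
    top = max(owner) if owner else 0
    return {
        "slots": top,
        "gaps": [i for i in range(1, top + 1) if i not in owner],
        "overlaps": sorted(s for s, dlls in owner.items() if len(dlls) > 1),
        "third_party": sorted({dll for dll, vendor, _ in entries if vendor != "MS"}),
    }


if __name__ == "__main__":
    print("clean :", audit_lsp(CLEAN))
    print("broken:", audit_lsp(BROKEN))
```

A clean result is all three lists empty; a non-empty third_party list names DLLs that see every socket on the machine and must be identified, and a non-empty gaps list means the chain is already damaged and needs repairing before anything else is removed.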

#73 tampabelle (Retired Staff, 6,363 posts)
These logs don't reveal anything.



Please visit Panda and do an online scan. Save the scan report.

Run Hijack This and post a fresh HJT log along with Panda scan report.

#74 MrSpkr (Topic Starter, 63 posts)
I am scanning right now.

Of interest: Today I had this computer at the office. I ran it for six hours straight, running a gaming program that would tax both the processor and the video chip. It didn't lock up, not once.

I came home, turned it on, opened Outlook and Internet Explorer, and immediately the screen blanked for a full second.

The only difference between the two uses -- at work, the computer was not plugged into the internet, and I didn't use Internet Explorer or Outlook.

At home, I did.

Scan report coming now.

Steve

#75 MrSpkr (Topic Starter, 63 posts)
Here we go . . .

It keeps locking up when it gets to this file:
googletoolbar2.dll

I am going to uninstall google toolbar. Done.

Also of note -- I just got a warning message that my C: drive is dangerously low on space. It was a ten gigabyte HD partition -- and last time I checked, it had 2 GB open. Now it is down to 350 MB.

. . . . . . .

Okay . . . I did a disk cleanup and have 1.3 GB of space. Starting Pandascan again.

Hrm. Panda scan is locking up on something called hptcpmib.dll.

Okay, last night, the computer locked up again (BSOD -- Page Fault) in the middle of the scan. Will try again this evening.

Advice?

Steve

Edited by MrSpkr, 05 October 2005 - 08:02 AM.






