Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Win32.p2p I can't get rid of it!


  • Please log in to reply

#1
Sidivan

Sidivan

    Member

  • Member
  • PipPip
  • 14 posts
Ok, so I've been fighting with this thing for a lot of hours... I'm usually pretty adept at this sort of thing, but I keep getting a weird error message. I've followed all the steps in the forums I can find. I've thrown everything I have at this thing. My comp comes up clean as a whistle on every Ad-aware, Ewido, Trend-micro housecall, and every other scan I can come up with. The problem is I get an error on bootup that says "Failure to connect to driver 2". I used to get the whole "Can't install on NT based system" stuff, so I removed Limewire and now it's this new error. Oh, I'm using Windows XP x64 Edition btw. Here's my HJT log:

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknigh...ad.htm#programs

***Security Programs Detected***


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 7:17:50 PM, on 8/29/2005
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\Program Files (x86)\Asus\Asus Probe V2.64.03\AsusProb.exe
C:\Program Files (x86)\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files (x86)\ewido\security suite\ewidoctrl.exe
C:\Program Files (x86)\ewido\security suite\ewidoguard.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe

F2 - REG:system.ini: UserInit=userinit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files (x86)\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [ASUS Probe] "C:\Program Files (x86)\Asus\Asus Probe V2.64.03\AsusProb.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.5.0_04\bin\jusched.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~2\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files (x86)\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus....ek_sys_ctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123119426656
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: EFS - C:\WINDOWS\SYSTEM32\sclgntfy.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files (x86)\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files (x86)\ewido\security suite\ewidoguard.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)


End of KRC HijackThis Analyzer Log.
====================================================================

Edited by Sidivan, 29 August 2005 - 06:28 PM.

  • 0

Advertisements


#2
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
Download Brute Force Uninstaller.
Unzip it to it’s own folder (c:\BFU)

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover. Save it in the folder you made earlier (c:\BFU)

Start the Brute Force Uninstaller by doubleclicking BFU.exe

In the scriptline to execute copy and paste c:\bfu\p2pnetwork.bfu
Press execute and let it do it’s job.

Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.
Reboot and post back to this topic using the add reply button with a fresh HijackThis log.
Please include the header and running processes.

Regards,
  • 0

#3
Sidivan

Sidivan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
I'm still getting the error.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknigh...ad.htm#programs

***Security Programs Detected***


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 12:38:26 PM, on 9/5/2005
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\Program Files (x86)\Asus\Asus Probe V2.64.03\AsusProb.exe
C:\Program Files (x86)\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files (x86)\ewido\security suite\ewidoctrl.exe
C:\Program Files (x86)\ewido\security suite\ewidoguard.exe

F2 - REG:system.ini: UserInit=userinit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files (x86)\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [ASUS Probe] "C:\Program Files (x86)\Asus\Asus Probe V2.64.03\AsusProb.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.5.0_04\bin\jusched.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~2\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files (x86)\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus....ek_sys_ctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123119426656
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: EFS - C:\WINDOWS\SYSTEM32\sclgntfy.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files (x86)\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files (x86)\ewido\security suite\ewidoguard.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)


End of KRC HijackThis Analyzer Log.
====================================================================
  • 0

#4
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
Click Start > Run > and copy this command in the box:
sfc /scannow
and click OK.

Windows will scan for missing, corrupted or outdated system files and prompt you for the Windows CD if it comes across one that needs to be replaced.

Regards,
  • 0

#5
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
Better yet.
Copy the part in green below into notepad and save it as unhide.bfu
Set Filetype to "All files" and save it in the c:\bfu folder you made.


FileSetAttributes C:\WINDOWS\System32\dmadmin.exe|A
FileSetAttributes C:\WINDOWS\system32\services.exe|A
FileSetAttributes C:\WINDOWS\System32\lsass.exe|A
FileSetAttributes C:\WINDOWS\system32\imapi.exe|A
FileSetAttributes C:\WINDOWS\system32\msdtc.exe|A
FileSetAttributes C:\WINDOWS\system32\sessmgr.exe|A
FileSetAttributes C:\WINDOWS\System32\vds.exe|A
FileSetAttributes C:\WINDOWS\System32\vssvc.exe|A
FileSetAttributes C:\WINDOWS\system32\wbem\wmiapsrv.exe|A


Start the Brute Force Uninstaller by doubleclicking BFU.exe

In the scriptline to execute copy and paste c:\bfu\unhide.bfu
Press execute and let it do it’s job.

Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.
Reboot and post back to this topic using the add reply button with a fresh HijackThis log.

Regards,
  • 0

#6
Sidivan

Sidivan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Did. Still getting the error and It still says I'm missing the files.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknigh...ad.htm#programs

***Security Programs Detected***


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 8:34:00 PM, on 9/5/2005
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\Program Files (x86)\ewido\security suite\ewidoctrl.exe
C:\Program Files (x86)\ewido\security suite\ewidoguard.exe
C:\Program Files (x86)\Asus\Asus Probe V2.64.03\AsusProb.exe
C:\Program Files (x86)\Java\jre1.5.0_04\bin\jusched.exe

F2 - REG:system.ini: UserInit=userinit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files (x86)\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [ASUS Probe] "C:\Program Files (x86)\Asus\Asus Probe V2.64.03\AsusProb.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.5.0_04\bin\jusched.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~2\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files (x86)\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus....ek_sys_ctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123119426656
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: EFS - C:\WINDOWS\SYSTEM32\sclgntfy.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files (x86)\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files (x86)\ewido\security suite\ewidoguard.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)


End of KRC HijackThis Analyzer Log.
====================================================================
  • 0

#7
Sidivan

Sidivan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
I ran the sfc /scannow and it didn't find anything because it just ran with the windows disk in. I ran HJT again and it's still the same thing.

Edited by Sidivan, 05 September 2005 - 08:13 PM.

  • 0

#8
Sidivan

Sidivan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
I think I've messed something up. I ran bfu again, but had a little typo... When I ran it, I didn't put the full path in. I just typed "unhide.bfu" in the excecution line. Now, when my comp tries to boot up, I get the windows XP load screen, then it goes black. I can boot up in safemode and everything seems fine, but not normal mode. :tazz:
  • 0

#9
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
Are there any other files called unhide BFU anywhere on your computer?

If not, that could not have caused the error in safe mode.

Click Start > Run > and copy this command in the box:
EXPLORER.EXE /n,/e,/select, C:\WINDOWS\System32\lsass.exe
> then click OK

Let me know what happens.

Regards,
  • 0

#10
Sidivan

Sidivan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
I'm at work right now, but I'll try that when I get home. I can only boot up in Safe mode though, so will that work? BTW, I don't have any other unhide.bfu on my comp. I was smart enough to check the log on that execution and all it said was "Complete". I just can't figure out why that would affect my bootup. I'll give you a report in about 8 hours.
  • 0

Advertisements


#11
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
BFU does not report any error if the file you are trying to execute does not exist, but it doesn't do anything either, so that's why it could not have caused the problem.

The command works for normal XP versions and opens the System32 folder with lsass.exe selected.

I think HijackThis can not find or look in your system32 folder
So I am testing if Windows can by letting you test that command.

I think the 64 bit version works a bit different.
  • 0

#12
Sidivan

Sidivan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
See, that's what I figured too. I'm trying to run in my head everything I did before that reboot. The only thing I can think of is possibly the sfc /scannow did something. The way 64-Bit works is you run that and it automatically asks for the windows CD. It ran and didn't say anything when it was done. The only other thing I can think of is the first time I ran it I just typed "sfc" without the /scannow and it flashed a window that looked like the command prompt window for a split second. That may have done something.

I'll run that command you gave me when I get home (about 90 mins from now). I'm not sure what it does or it's supposed to do though. It looks like it should just open up the window with the lsass.exe file highlighted.

I'm ready to just backup and reformat...

Oh, BTW, Metallica is my favorite band :tazz:
  • 0

#13
Sidivan

Sidivan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Yes. That command works.

I got all booted up and running now too :tazz:
  • 0

#14
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
I think the following program may be more suitable for troubleshooting your computer.

Download Silentrunners.zip from here and unzip the program to a new folder on your desktop.
Run the SilentRunners.vbs file. If your antivirus has a script blocker, you will get a warning asking if you want to allow SilentRunners.vbs to run. This script is not malicious so please allow it.
When it's finished (a few minutes later) it will produce a Startup Programs text file which appears in the folder.
Copy and paste the contents of that text file in your next reply.

Regards,
  • 0

#15
Sidivan

Sidivan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Heh, that's not formatted very well... kinda hard to read. Looks like it found something though!



"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows Server 2003 (interpreted as Windows XP)
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"AsioThk32Reg" = "C:\WINDOWS\SYSWOW64\REGSVR32.EXE /S C:\WINDOWS\SYSWOW64\CTASIO.DLL" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! dimsntfy\DLLName = "dimsntfy.dll" [MS]


Default executables:
--------------------

.HTA: HKLM\SOFTWARE\Classes\htafile\shell\open\command\
INFECTION WARNING! "Default" = "C:\WINDOWS\syswow64\mshta.exe "%1" %*" [MS]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
%SystemRoot%\system32\mswsock.dll [MS], 1 - 5


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Application Experience Lookup Service, AeLookupSvc, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\aelupsvc.dll" [MS]}
ewido security suite control, ewido security suite control, "C:\Program Files (x86)\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files (x86)\ewido\security suite\ewidoguard.exe" ["ewido networks"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 17 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 4 seconds.
---------- (total run time: 46 seconds)
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP