Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

http://www.security2k.net/ Problem [CLOSED]

Started by Frankie D. , Sep 18 2005 11:16 AM

This topic is locked

#16
Frankie D.

Posted 19 September 2005 - 08:39 AM

Member

Topic Starter
Member
30 posts

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:38:41 AM, 19/09/2005
+ Report-Checksum: F8FA5068

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{3646C2BD-3554-49CA-8125-44DEEFB881DE} -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{16097036-894C-4C00-A61F-93CA0D49A70E} -> Spyware.TOPicks : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F} -> Spyware.CommonName : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{2ED5AF98-9258-45BA-B79B-06625C92F662} -> Spyware.TOPicks : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{700DC0DD-F409-42E0-9DE5-21EE1A2BA9FD} -> Spyware.TOPicks : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C91E8926-D4BE-4685-99F4-0D996B96BAC0} -> Spyware.P2PNetworking : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{D273D427-57C6-4B12-860F-BBB8195F6E2A} -> Spyware.TOPicks : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{FD42F6D3-7AB1-470C-979B-7996EDC99099} -> Spyware.TOPicks : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F} -> Spyware.CommonName : Cleaned with backup
[452] C:\WINDOWS\q262156_disk.dll -> TrojanDownloader.Delf.h : Cleaned with backup
[280] C:\WINDOWS\q262156_disk.dll -> TrojanDownloader.Delf.h : Error during cleaning
[544] C:\WINDOWS\System32\intmon.exe -> Trojan.Puper.az : Cleaned with backup
C:\!Submit\q262156_disk.dll -> TrojanDownloader.Delf.h : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.101:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Application Data\Mozilla\Firefox\Profiles\8d8tih67.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Cookies\owner@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Cookies\[email protected][2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Cookies\owner@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Cookies\owner@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Cookies\[email protected][1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Local Settings\Temporary Internet Files\Content.IE5\8FVBEK51\popcaploader_v6[1].cab/PopCapLoader.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
C:\WINDOWS\q262156_disk.dll -> TrojanDownloader.Delf.h : Cleaned with backup
C:\WINDOWS\SYSTEM32\hhk.dll -> Trojan.Puper.az : Cleaned with backup
C:\WINDOWS\SYSTEM32\hp569B.tmp -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\hp5B20.tmp -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\intmon.exe -> Trojan.Puper.az : Cleaned with backup

::Report End

#17
Frankie D.

Posted 19 September 2005 - 08:40 AM

Member

Topic Starter
Member
30 posts

Logfile of HijackThis v1.99.1
Scan saved at 10:40:11 AM, on 19/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\System32\intmon.exe
C:\WINDOWS\System32\intmon.exe
C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.security2...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.security2k.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.security2...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.security2...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.security2...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.security2...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.security2k.net/
O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp569B.tmp
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{041D713B-E005-431F-A0C1-625FD47E0998}: NameServer = 130.63.237.99 130.63.168.21
O17 - HKLM\System\CS1\Services\Tcpip\..\{041D713B-E005-431F-A0C1-625FD47E0998}: NameServer = 130.63.237.99 130.63.168.21
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: style32 - C:\WINDOWS\q262156_disk.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

#18
Frankie D.

Posted 19 September 2005 - 08:42 AM

Member

Topic Starter
Member
30 posts

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"paint.exe" = "shnlog.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MCUpdateExe" = "C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" ["McAfee, Inc"]
"MCAgentExe" = "c:\PROGRA~1\mcafee.com\agent\McAgent.exe" ["McAfee, Inc"]
"McRegWiz" = "c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}\(Default) = "HP Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hp569B.tmp" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Sonic\RecordNow!\shlext.dll" [null data]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Windows Messaging\mlshext.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\program files\microsoft office\windows 97\Office\olkfstub.dll" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Explode"
-> {CLSID}\InProcServer32\(Default) = "C:\program files\microsoft office\windows 97\Office\UNBIND.DLL" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{B212D577-05B7-4963-911E-4A8588160DFA}" = "style 2"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\q262156_disk.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! style32\DLLName = "C:\WINDOWS\q262156_disk.dll" [file not found]
INFECTION WARNING! wzcnotif\DLLName = "wzcdlg.dll" [MS]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Owner.DEFRAN-A5N4D52C\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\System32\mclsp.dll ["Networks Associates Technology, Inc"], 01 - 19, 39
%SystemRoot%\system32\mswsock.dll [MS], 20 - 22, 25 - 38
%SystemRoot%\system32\rsvpsp.dll [MS], 23 - 24

HOSTS file
----------

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\
HIJACK WARNING! "DataBasePath" = "%SystemRoot%\System32\drivers\etc"

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
McAfee Personal Firewall Service, MpfService, "C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe" ["McAfee Corporation"]
McAfee Task Scheduler, McTskshd.exe, "c:\PROGRA~1\mcafee.com\agent\mctskshd.exe" ["McAfee, Inc"]
McAfee WSC Integration, McDetect.exe, "c:\program files\mcafee.com\agent\mcdetect.exe" ["McAfee, Inc"]
McAfee.com McShield, McShield, "c:\PROGRA~1\mcafee.com\vso\mcshield.exe" ["McAfee Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 63 seconds, including 16 seconds for message boxes)

#19
don77

Posted 19 September 2005 - 06:50 PM

Malware Expert

Retired Staff
18,526 posts

Lets get a look at another log here please.
Download winpfind

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe. When the program is open, click on the Start Scan button to scart scanning your computer. Be patient as this scan may take a while. When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.

#20
Frankie D.

Posted 20 September 2005 - 12:22 PM

Member

Topic Starter
Member
30 posts

Don, everytime I run winpfind program in the safe mode and press scan, the program does not seem to respond.

Yes, I have read that if it says not responding to leave it alone, if the green light is flashing. The first time I did not notice it said to leave it alone, however, I redid the process and it was stuck on one file called hiberfil.sys for about a hour, it scanned 3 files before that, then it went onto this file and the green light was not flashing. Do you suppose that I should wait longer then an hour for it to check?

Thank You
Frankie D.

#21
don77

Posted 20 September 2005 - 07:36 PM

Malware Expert

Retired Staff
18,526 posts

OK lets run a different route, Some of this might be a bit repeatitive but follow the following instructions

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.

Now scan with HJT and place a checkmark next to each of the following items:
===================================================
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = <http://www.security2...arch.php?qq=%1>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = <http://www.security2k.net/bar.html>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <http://www.security2...arch.php?qq=%1>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = <http://www.security2...arch.php?qq=%1>
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = <http://www.security2...arch.php?qq=%1>
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = <http://www.security2...arch.php?qq=%1>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = <http://www.security2k.net/>
O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp569B.tmp
O20 - Winlogon Notify: style32 - C:\WINDOWS\q262156_disk.dll (file missing)

===================================================
Make sure all open windows are closed and click on " Fixe Checked"

Next,
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.
You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.
When the scan is finished, click the Save report button at the bottom of the screen.
Save the report to your desktop

Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.

#22
Frankie D.

Posted 21 September 2005 - 07:07 AM

Member

Topic Starter
Member
30 posts

Don, I have some bad news, before I could even do what you have requested, it will not let me download Panda ActiveScan and Ad-Ware Setup. When I click the Panda ActiveScan site the page keeps returning to the about blank and when I use Mozilla FireFox it says that I need Internet Explorer however, I can't view the page because of the redirection of the site to about blank. The Ad-Ware setup just simply will not let me download it, it stops before it can even be done downloading.

Now, I have just finished downloading Mozilla FireFox, I was wondering is it possible if I delete my Internet Explorer and all of its files, would that remove it? Simply because on Mozilla FireFox my internet seems to working perfectly.

#23
don77

Posted 21 September 2005 - 05:55 PM

Malware Expert

Retired Staff
18,526 posts

OK this will take a bit of work but lets see if we can get through it,
Click Here Download Ad-aware, Once the program is set up check for updates and close out the program,

Follow the rest of my earlier instructions starting with rebooting to safe mode,
Fix the entries with HJT,
Then run the smitrem,
Then scan with Ad-aware after it has finished scanning your system fix all it finds, Go to the Critical objects tab, right click anywhere on that window and choose select all and then click the Next button,
Close out Ad-aware
Scan with Ewido please

Reboot to normal mode and post back a fresh HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log please

#24
don77

Posted 09 October 2005 - 11:05 AM

Malware Expert

Retired Staff
18,526 posts

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.