
Uh... help?



#1
Nike

    Member

  • Member
  • 36 posts
I posted about a week ago and I've been waiting patiently since then, so you can imagine my surprise when I come here and cannot find my topic at all... Was it deleted for some reason? Did I do something incorrectly? Luckily, I saved the message to a notepad, so here it is again:

I guess I'm gonna have to go through this again. Since my last topic, I have done the repair installation of XP and now, not only does my audio still not work, but I believe I'm compromised again and after about 20 minutes my computer starts to s l o w d o w n and I lose my connection. All those programs I've downloaded aren't doing much to help me. I need to speak to someone who can help me resolve whatever malware I have now, get SP2 installed again without incident and get my sound working again. If there's a better place to take these difficulties, please, please let me know. I've searched all over and I can't figure out where to go with this. If all I can do is get back to where I was when my last topic closed, that's better than my current situation, but keep in mind that I very, very much want to repair this audio problem, too. That way I won't do something stupid trying to fix it later and have to come back here all over again.

Thank you very much for being here <3



Logfile of HijackThis v1.99.1
Scan saved at 5:55:25 PM, on 11/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Apple Computer\DVD@ccess\DVDAccess.exe
C:\Palm\HOTSYNC.EXE
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\notepad.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: [email protected] = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...canner37350.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...566/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{66D2BCDA-A19F-48DF-97E8-A214D301484E}: NameServer = 207.236.176.26 206.47.244.89
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0


#2
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
I closed the other thread.

Which was here: http://www.geekstogo...showtopic=72351

Your HijackThis log looks OK, but that doesn't automatically mean your computer is clean.

Let's have a closer look.
Download WinPFind.zip and unzip the contents to the C:\ folder.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete, reboot normally and post the WinPFind.txt file (located in the WinPFind folder).

Regards,
  • 0

#3
Nike

    Member

  • Topic Starter
  • Member
  • 36 posts
I'm very sorry that I double posted... My subscription was gone, the search didn't turn up my post and I went through every single page :tazz:

Anyway, here's the scan results:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
SAHAgent 10/10/2005 6:48:38 PM 12767 C:\WINDOWS\KB842773.log
SAHAgent 10/10/2005 6:49:22 PM 17022 C:\WINDOWS\KB893803v2.log
SAHAgent 8/16/2005 4:24:32 PM 9661 C:\WINDOWS\KB898461.log
PECompact2 10/15/2005 8:20:14 PM 16050847 C:\WINDOWS\LPT$VPN.893
qoologic 10/15/2005 8:20:14 PM 16050847 C:\WINDOWS\LPT$VPN.893
SAHAgent 10/15/2005 8:20:14 PM 16050847 C:\WINDOWS\LPT$VPN.893
UPX! 10/15/2005 8:20:14 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 10/15/2005 8:20:14 PM 16050847 C:\WINDOWS\VPTNFILE.893
qoologic 10/15/2005 8:20:14 PM 16050847 C:\WINDOWS\VPTNFILE.893
SAHAgent 10/15/2005 8:20:14 PM 16050847 C:\WINDOWS\VPTNFILE.893
UPX! 10/15/2005 8:57:48 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 10/15/2005 8:57:48 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
SAHAgent 8/21/2005 3:01:14 PM 3608 C:\WINDOWS\SYSTEM32\1b9b01f2.ini
SAHAgent 8/16/2005 4:07:42 PM 35 C:\WINDOWS\SYSTEM32\31r07ta1.ini
SAHAgent 8/21/2005 7:10:42 PM 1401 C:\WINDOWS\SYSTEM32\5960j8bg.ini
SAHAgent 8/16/2005 4:07:42 PM 35 C:\WINDOWS\SYSTEM32\7slk93ot.ini
SAHAgent 9/14/2005 4:32:16 PM 35 C:\WINDOWS\SYSTEM32\cni121c9.ini
PEC2 3/31/2003 7:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
SAHAgent 8/28/2005 2:42:04 PM 35 C:\WINDOWS\SYSTEM32\l8dg31ig.ini
PTech 8/3/2005 9:33:42 AM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 9/8/2005 10:08:28 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 9/8/2005 10:08:28 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
SAHAgent 9/14/2005 4:32:16 PM 35 C:\WINDOWS\SYSTEM32\nauda3k0.ini
SAHAgent 9/14/2005 4:32:38 PM 3166 C:\WINDOWS\SYSTEM32\ps9ir65l.ini
Umonitor 3/31/2003 7:00:00 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
SAHAgent 8/21/2005 7:10:40 PM 35 C:\WINDOWS\SYSTEM32\s9ootguk.ini
aspack 10/18/2005 1:56:06 PM RHS 103424 C:\WINDOWS\SYSTEM32\System.exe
SAHAgent 8/28/2005 2:42:08 PM 1347 C:\WINDOWS\SYSTEM32\u0b5jcb0.ini
winsync 3/31/2003 7:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
UPX! 8/25/2005 9:58:24 PM 374924 C:\WINDOWS\SYSTEM32\wngua.exe

Checking %System%\Drivers folder and sub-folders...
UPX! 10/23/2005 8:28:38 AM 726592 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 10/23/2005 8:28:38 AM 726592 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 10/23/2005 8:28:38 AM 726592 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 10/23/2005 8:28:38 AM 726592 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech 8/4/2004 12:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
11/13/2005 3:54:10 PM S 2048 C:\WINDOWS\bootstat.dat
11/13/2005 3:42:24 PM H 54156 C:\WINDOWS\QTFont.qfn
10/11/2005 12:20:32 PM RH 749 C:\WINDOWS\WindowsShell.Manifest
10/11/2005 12:20:42 PM H 65 C:\WINDOWS\Downloaded Program Files\desktop.ini
10/11/2005 12:21:36 PM HS 67 C:\WINDOWS\Fonts\desktop.ini
10/21/2005 12:19:18 PM H 10820 C:\WINDOWS\Help\nocontnt.GID
10/11/2005 9:02:46 AM H 0 C:\WINDOWS\inf\oem10.inf
10/11/2005 9:02:46 AM H 0 C:\WINDOWS\inf\oem10.PNF
10/11/2005 9:10:00 AM H 0 C:\WINDOWS\inf\oem11.inf
10/11/2005 9:10:00 AM H 0 C:\WINDOWS\inf\oem11.PNF
10/9/2005 9:39:48 PM H 0 C:\WINDOWS\inf\oem8.inf
10/11/2005 9:16:42 AM H 0 C:\WINDOWS\inf\oem9.inf
10/11/2005 9:16:42 AM H 0 C:\WINDOWS\inf\oem9.PNF
10/11/2005 12:20:42 PM H 65 C:\WINDOWS\Offline Web Pages\desktop.ini
9/29/2005 11:40:06 PM RHS 286777 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_53.cab
10/11/2005 12:22:30 PM H 544768 C:\WINDOWS\repair\ntuser.dat
10/11/2005 12:20:32 PM RH 749 C:\WINDOWS\system32\cdplayer.exe.manifest
10/11/2005 12:20:42 PM RH 488 C:\WINDOWS\system32\logonui.exe.manifest
10/11/2005 12:20:32 PM RH 749 C:\WINDOWS\system32\ncpa.cpl.manifest
10/11/2005 12:20:32 PM RH 749 C:\WINDOWS\system32\nwc.cpl.manifest
10/11/2005 12:20:32 PM RH 749 C:\WINDOWS\system32\sapi.cpl.manifest
10/18/2005 1:56:06 PM RHS 103424 C:\WINDOWS\system32\System.exe
11/13/2005 3:27:34 PM H 31767 C:\WINDOWS\system32\vsconfig.xml
10/11/2005 12:20:42 PM RH 488 C:\WINDOWS\system32\WindowsLogon.manifest
10/11/2005 12:20:32 PM RH 749 C:\WINDOWS\system32\wuaucpl.cpl.manifest
10/21/2005 1:13:34 PM H 4212 C:\WINDOWS\system32\zllictbl.dat
11/13/2005 3:54:02 PM H 8192 C:\WINDOWS\system32\config\default.LOG
10/9/2005 4:27:24 PM H 0 C:\WINDOWS\system32\config\default.tmp.LOG
11/13/2005 3:55:54 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
11/13/2005 3:54:12 PM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
11/13/2005 3:56:44 PM H 69632 C:\WINDOWS\system32\config\software.LOG
10/9/2005 4:27:22 PM H 0 C:\WINDOWS\system32\config\software.tmp.LOG
11/13/2005 3:55:38 PM H 786432 C:\WINDOWS\system32\config\system.LOG
10/9/2005 4:27:02 PM H 0 C:\WINDOWS\system32\config\system.tmp.LOG
10/11/2005 8:04:20 AM H 1024 C:\WINDOWS\system32\config\TempKey.LOG
10/11/2005 12:22:32 PM H 1024 C:\WINDOWS\system32\config\userdiff.LOG
10/11/2005 12:22:32 PM H 1024 C:\WINDOWS\system32\config\userdifr.LOG
9/30/2005 12:24:40 AM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
10/10/2005 6:41:38 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\51ZZ6HFL\desktop.ini
10/10/2005 6:41:38 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\L8BZHPXA\desktop.ini
10/10/2005 6:41:38 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OSPNXOCK\desktop.ini
10/10/2005 6:41:38 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QT2E0UIE\desktop.ini
10/11/2005 12:55:10 PM RHS 13698 C:\WINDOWS\system32\Restore\filelist.xml
11/13/2005 3:53:22 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 3/31/2003 7:00:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 3/18/2004 9:44:32 PM R 14250496 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 3/31/2003 7:00:00 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/29/2002 2:41:00 AM 208896 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 3/4/2005 2:36:44 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Wacom Technology, Corp. 12/4/2003 11:58:48 AM 958464 C:\WINDOWS\SYSTEM32\pentablet.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 9/23/2004 5:57:40 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 8/3/2004 1:03:24 PM 167704 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 578560 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 129024 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 292352 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/29/2002 2:41:00 AM 208896 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 268288 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
10/11/2005 12:22:28 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
6/30/2005 2:50:34 PM 585 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\[email protected]
6/20/2005 10:17:46 AM 1323 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
6/21/2005 6:20:58 PM 1628 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
10/11/2005 12:08:12 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
5/21/2005 12:01:10 AM HS 84 C:\Documents and Settings\Nicole\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
9/22/2005 11:36:30 AM 1066 C:\Documents and Settings\Nicole\Application Data\AdobeDLM.log
5/20/2005 7:50:14 PM HS 62 C:\Documents and Settings\Nicole\Application Data\desktop.ini
5/22/2005 10:10:14 AM 0 C:\Documents and Settings\Nicole\Application Data\dm.ini
7/8/2005 5:35:58 PM 20416 C:\Documents and Settings\Nicole\Application Data\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
acc=WeeD22MaN =
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\CuteFTP
{8f7261d0-d2b9-11d2-9909-00605205b24c} = C:\DOCUME~1\ALLUSE~1\APPLIC~1\GlobalSCAPE\CuteFTP\CuteShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\CuteFTP
{8f7261d0-d2b9-11d2-9909-00605205b24c} = C:\DOCUME~1\ALLUSE~1\APPLIC~1\GlobalSCAPE\CuteFTP\CuteShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SiSUSBRG C:\WINDOWS\SiSUSBrg.exe
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
THGuard "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
Creative WebCam Tray C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
SoundMan SOUNDMAN.EXE
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe C:\WINDOWS\System32\ctfmon.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Á³# L"h'þ9Óœð3rÅWC:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 11/13/2005 4:06:02 PM
  • 0

#4
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Definitely a ShopAtHome infection.

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\SYSTEM32\1b9b01f2.ini
C:\WINDOWS\SYSTEM32\31r07ta1.ini
C:\WINDOWS\SYSTEM32\5960j8bg.ini
C:\WINDOWS\SYSTEM32\7slk93ot.ini
C:\WINDOWS\SYSTEM32\cni121c9.ini
C:\WINDOWS\SYSTEM32\l8dg31ig.ini
C:\WINDOWS\SYSTEM32\nauda3k0.ini
C:\WINDOWS\SYSTEM32\ps9ir65l.ini
C:\WINDOWS\SYSTEM32\s9ootguk.ini
C:\WINDOWS\SYSTEM32\System.exe
C:\WINDOWS\SYSTEM32\u0b5jcb0.ini
C:\WINDOWS\SYSTEM32\wngua.exe

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If the computer does not reboot automatically now, then initiate it manually.

Let me know how the computer is behaving after the reboot.

Regards,
  • 0
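The WinPFind output in post #3 and the Killbox list in post #4 are two ends of one triage step: the helper read the signature column (SAHAgent, UPX!, aspack, PECompact2), the attribute column (RHS) and the folder, and turned the hits in SYSTEM32 into a list of paths to delete. The script below is an added example written for this thread; it is not part of WinPFind, Killbox, or the helper's own procedure. It parses the line layout seen in the log above and applies three rules scoped to the SYSTEM32 root: a SAHAgent hit inside a .ini file, an executable carrying the hidden attribute, and a packed executable that is not on an analyst allowlist. The allowlist (MRT.exe, Microsoft's Malicious Software Removal Tool, which the log also shows as packed) and the rules themselves are assumptions made for the example; the sample log is an excerpt copied from the post.

```python
import ntpath
import re

# One WinPFind file line, layout inferred from the log in this thread (added example):
#   [signature or vendor] M/D/YYYY H:MM:SS AM|PM [attributes] size path
LINE_RE = re.compile(
    r"^(?P<sig>.*?)\s*"
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)"
    r"(?: (?P<attrs>[RHSA]+))? (?P<size>\d+) (?P<path>.+)$"
)

# Packer signatures WinPFind prints in its first column.
PACKERS = {"UPX!", "aspack", "PECompact2", "PEC2", "FSG!"}
EXE_EXTS = {".exe", ".dll", ".sys", ".scr", ".com"}
# Analyst-maintained allowlist of packed binaries known to be legitimate.
# Constructed for this example; MRT.exe is Microsoft's Malicious Software Removal Tool.
KNOWN_PACKED_OK = {"mrt.exe"}
SYSTEM32 = r"c:\windows\system32"

# Excerpt of the WinPFind output posted above (lines copied from the thread).
SAMPLE_LOG = r"""
Checking %WinDir% folder...
SAHAgent 10/10/2005 6:48:38 PM 12767 C:\WINDOWS\KB842773.log
UPX! 10/15/2005 8:20:14 PM 170053 C:\WINDOWS\tsc.exe

Checking %System% folder...
SAHAgent 8/21/2005 3:01:14 PM 3608 C:\WINDOWS\SYSTEM32\1b9b01f2.ini
SAHAgent 8/16/2005 4:07:42 PM 35 C:\WINDOWS\SYSTEM32\31r07ta1.ini
SAHAgent 8/21/2005 7:10:42 PM 1401 C:\WINDOWS\SYSTEM32\5960j8bg.ini
SAHAgent 8/16/2005 4:07:42 PM 35 C:\WINDOWS\SYSTEM32\7slk93ot.ini
SAHAgent 9/14/2005 4:32:16 PM 35 C:\WINDOWS\SYSTEM32\cni121c9.ini
PEC2 3/31/2003 7:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
SAHAgent 8/28/2005 2:42:04 PM 35 C:\WINDOWS\SYSTEM32\l8dg31ig.ini
PTech 8/3/2005 9:33:42 AM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 9/8/2005 10:08:28 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 9/8/2005 10:08:28 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
SAHAgent 9/14/2005 4:32:16 PM 35 C:\WINDOWS\SYSTEM32\nauda3k0.ini
SAHAgent 9/14/2005 4:32:38 PM 3166 C:\WINDOWS\SYSTEM32\ps9ir65l.ini
SAHAgent 8/21/2005 7:10:40 PM 35 C:\WINDOWS\SYSTEM32\s9ootguk.ini
aspack 10/18/2005 1:56:06 PM RHS 103424 C:\WINDOWS\SYSTEM32\System.exe
SAHAgent 8/28/2005 2:42:08 PM 1347 C:\WINDOWS\SYSTEM32\u0b5jcb0.ini
UPX! 8/25/2005 9:58:24 PM 374924 C:\WINDOWS\SYSTEM32\wngua.exe

Checking %System%\Drivers folder and sub-folders...
UPX! 10/23/2005 8:28:38 AM 726592 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/11/2005 12:20:32 PM RH 749 C:\WINDOWS\system32\cdplayer.exe.manifest
10/18/2005 1:56:06 PM RHS 103424 C:\WINDOWS\system32\System.exe
11/13/2005 3:27:34 PM H 31767 C:\WINDOWS\system32\vsconfig.xml
"""


def parse(text):
    """Yield one dict per file line; section headers and blank lines do not match."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield {
                "sig": m.group("sig"),
                "attrs": m.group("attrs") or "",
                "size": int(m.group("size")),
                "path": m.group("path").strip(),
            }


def triage(text):
    """Return [(path, reason)] for SYSTEM32 files matching the ShopAtHome pattern."""
    findings = {}  # lower-cased path -> (path as logged, reason); dedupes repeat hits
    for entry in parse(text):
        path = entry["path"]
        low = path.lower()
        name = ntpath.basename(low)
        ext = ntpath.splitext(name)[1]
        if ntpath.dirname(low) != SYSTEM32:
            continue  # rules are scoped to the SYSTEM32 root, not drivers\ or dllcache\
        reason = None
        if entry["sig"] == "SAHAgent" and ext == ".ini":
            reason = "ShopAtHome (SAHAgent) marker inside a SYSTEM32 .ini file"
        elif ext in EXE_EXTS and "H" in entry["attrs"]:
            reason = "executable with hidden attribute in SYSTEM32 (%s)" % entry["attrs"]
        elif entry["sig"] in PACKERS and ext in EXE_EXTS and name not in KNOWN_PACKED_OK:
            reason = "packed executable (%s) in SYSTEM32 not on the allowlist" % entry["sig"]
        if reason and low not in findings:
            findings[low] = (path, reason)
    return list(findings.values())


def killbox_list(text):
    """One path per line, the shape pasted into Killbox in the reply above."""
    return "\n".join(path for path, _ in triage(text))


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print("%-45s %s" % (path, reason))
```

Run against the excerpt, `triage` returns exactly the twelve paths in the Killbox list above (ten SAHAgent .ini files, the hidden System.exe, and the UPX-packed wngua.exe) and nothing else. The scoping matters: the same SAHAgent string also fires on KB*.log files and on the Trend Micro pattern files under C:\WINDOWS in the full log, which the helper correctly left alone, so a signature hit on its own is not a verdict.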

#5
Nike

    Member

  • Topic Starter
  • Member
  • 36 posts
Ok, I followed your directions. The situation seems to be pretty much the same, though. Computer slows down to barely responding, can't get a connection shortly after that, ZoneAlarm says that TrueVector Internet Monitor has shut down (would I like to restart it) and Trojan Guard lets me know repeatedly that it can't get a snapshot of the running processes. Last time it seemed to start slowing down sooner and disconnecting later... But everything still happened eventually.
  • 0

#6
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
That doesn't sound too good.

Can you download and install RootkitRevealer from:
http://www.sysintern...itRevealer.html

Run it and post the log it makes.
I'd like to make sure there is nothing really evil hiding.

Regards,
  • 0

#7
Nike

    Member

  • Topic Starter
  • Member
  • 36 posts
I hate to say this, but I hope there's something in there...

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Á³# L"h'þ9Ó 8/18/2005 8:06 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\Dhcp\Parameters\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2} 11/17/2005 9:06 PM 220 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer 11/17/2005 9:06 PM 48 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpDomain 11/17/2005 9:06 PM 50 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}\DhcpServer 11/17/2005 9:06 PM 24 bytes Windows API length not consistent with raw hive data.
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}\Lease 11/17/2005 9:06 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}\LeaseObtainedTime 11/17/2005 9:06 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}\T1 11/17/2005 9:06 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}\T2 11/17/2005 9:06 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}\LeaseTerminatesTime 11/17/2005 9:06 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}\DhcpIPAddress 11/17/2005 9:06 PM 26 bytes Windows API length not consistent with raw hive data.
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}\DhcpSubnetMask 11/17/2005 9:06 PM 28 bytes Windows API length not consistent with raw hive data.
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}\DhcpNameServer 11/17/2005 9:06 PM 48 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}\DhcpDefaultGateway 11/17/2005 9:06 PM 26 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}\DhcpDomain 11/17/2005 9:06 PM 50 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}\DhcpSubnetMaskOpt 11/17/2005 9:06 PM 30 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}\Parameters\Tcpip\DhcpIPAddress 11/17/2005 9:06 PM 26 bytes Windows API length not consistent with raw hive data.
HKLM\SYSTEM\ControlSet001\Services\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}\Parameters\Tcpip\DhcpSubnetMask 11/17/2005 9:06 PM 28 bytes Windows API length not consistent with raw hive data.
HKLM\SYSTEM\ControlSet001\Services\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}\Parameters\Tcpip\DhcpServer 11/17/2005 9:06 PM 24 bytes Windows API length not consistent with raw hive data.
HKLM\SYSTEM\ControlSet001\Services\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}\Parameters\Tcpip\Lease 11/17/2005 9:06 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}\Parameters\Tcpip\LeaseObtainedTime 11/17/2005 9:06 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}\Parameters\Tcpip\T1 11/17/2005 9:06 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}\Parameters\Tcpip\T2 11/17/2005 9:06 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}\Parameters\Tcpip\LeaseTerminatesTime 11/17/2005 9:06 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}\Parameters\Tcpip\DhcpDefaultGateway 11/17/2005 9:06 PM 26 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}\Parameters\Tcpip\DhcpSubnetMaskOpt 11/17/2005 9:06 PM 30 bytes Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 11/17/2005 9:05 PM 64.00 KB Visible in Windows API, but not in MFT or directory index.
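An added example (not part of the thread, and not Sysinternals code) showing how a defender can triage a RootkitRevealer log like the one above by machine rather than by eye: it parses each discrepancy line, buckets the tool's wording into assumed severities, and sets aside entries under the DHCP lease keys, which the DHCP client rewrites whenever a lease renews and which therefore need corroboration before they are read as something hiding. The sample lines are taken from the log above; the severity table and the DHCP heuristic are this example's own assumptions.

```python
"""Triage helper for RootkitRevealer output.  Added example, not from the
thread or from Sysinternals.  Each RootkitRevealer line has the shape
    <path> <M/D/YYYY> <H:MM AM|PM> <size> <unit> <description>
SAMPLE_LOG is built from lines quoted in the thread; the severity buckets
and the DHCP-lease heuristic are this example's own assumptions."""
import re
from datetime import datetime

SAMPLE_LOG = r"""
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Á³# L"h'þ9Ó 8/18/2005 8:06 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\Dhcp\Parameters\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2} 11/17/2005 9:06 PM 220 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer 11/17/2005 9:06 PM 48 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}\Lease 11/17/2005 9:06 PM 4 bytes Data mismatch between Windows API and raw hive data.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 11/17/2005 9:05 PM 64.00 KB Visible in Windows API, but not in MFT or directory index.
"""

LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<stamp>\d{1,2}/\d{1,2}/\d{4}\s+\d{1,2}:\d{2}\s+[AP]M)\s+"
    r"(?P<size>\d+(?:\.\d+)?)\s+(?P<unit>bytes|KB|MB|GB)\s+"
    r"(?P<desc>.+?)\s*$"
)
UNIT_BYTES = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Assumed severity for the discrepancy wording RootkitRevealer uses.
SEVERITY = (
    ("embedded nulls", "high"),          # key the Win32 registry API cannot open
    ("hidden from windows api", "high"),
    ("data mismatch", "medium"),
    ("length not consistent", "medium"),
    ("not in mft", "low"),               # typically a file created or deleted mid-scan
)

# The DHCP client rewrites these values on every lease renewal.  A renewal
# that lands while the scan runs shows up as hidden/mismatched data, so such
# hits need corroboration before being read as hiding.  Heuristic only.
DHCP_VALUE_RE = re.compile(r"\\(Dhcp\w*|Lease\w*|T1|T2)$", re.IGNORECASE)


def classify(desc):
    """Map a discrepancy description to an assumed severity bucket."""
    low = desc.lower()
    for needle, severity in SEVERITY:
        if needle in low:
            return severity
    return "unknown"


def is_dhcp_lease_artifact(path):
    """True for registry paths the DHCP client legitimately churns."""
    return "\\Services\\Dhcp\\" in path or DHCP_VALUE_RE.search(path) is not None


def parse_rootkitrevealer(text):
    """Return one dict per parsable discrepancy line."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner, blank or truncated line
        entries.append({
            "path": m["path"],
            "when": datetime.strptime(m["stamp"], "%m/%d/%Y %I:%M %p"),
            "size": int(float(m["size"]) * UNIT_BYTES[m["unit"]]),
            "desc": m["desc"],
            "severity": classify(m["desc"]),
        })
    return entries


def summarize(entries):
    """Count entries per severity bucket."""
    counts = {}
    for e in entries:
        counts[e["severity"]] = counts.get(e["severity"], 0) + 1
    return counts


def needs_followup(entries):
    """High/medium findings the DHCP-lease heuristic does not explain."""
    return [e for e in entries
            if e["severity"] in ("high", "medium")
            and not is_dhcp_lease_artifact(e["path"])]


if __name__ == "__main__":
    found = parse_rootkitrevealer(SAMPLE_LOG)
    print("by severity:", summarize(found))
    for e in needs_followup(found):
        print("follow up:", e["path"], "->", e["desc"])
```

Run as a script it prints the per-severity counts and what is left after the DHCP heuristic; on the sample that is the single startupreg key with embedded nulls, which is the kind of entry worth examining with a tool that reads the hive directly rather than through the Win32 API.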

#8
Metallica (Spyware Veteran, GeekU Moderator)
It certainly deserves a closer look.
  • Download the Registry Search Tool.
  • Unzip the contents of RegSrch.zip to a convenient location.
  • Reboot into safe mode
  • Double-click on RegSrch.vbs.
  • If you have an anti-virus installed it might prompt you about a running script. Please ignore this warning and allow the script to run.
  • In the "Enter search string (case insensitive) and click OK..." box paste this string:
    • {6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}
  • Click "OK" to search the registry for that string.
  • Wait for a few minutes while it completes the search.
  • Click "OK" to open the results in WordPad.
  • Copy and paste the entire results into your next post.
Regards,

#9
Nike (Topic Starter, Member)
Ok!

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}" 11/18/2005 5:28:44 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General]
"InterfaceList"="\\DEVICE\\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\Interfaces\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\2]
"ServiceName"="{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001]
"NetCfgInstanceId"="{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}\##?#PCI#VEN_1039&DEV_0900&SUBSYS_0C4D105B&REV_91#3&61aaa01&0&20#{ad498944-762f-11d0-8dcb-00c04fc3358c}\#{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}\##?#PCI#VEN_1039&DEV_0900&SUBSYS_0C4D105B&REV_91#3&61aaa01&0&20#{ad498944-762f-11d0-8dcb-00c04fc3358c}\#{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}]
"SymbolicLink"="\\\\?\\PCI#VEN_1039&DEV_0900&SUBSYS_0C4D105B&REV_91#3&61aaa01&0&20#{ad498944-762f-11d0-8dcb-00c04fc3358c}\\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}\Connection]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dhcp\Configurations\Alternate_{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dhcp\Parameters]
"{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}"=hex:0c,00,00,00,00,00,00,00,07,00,00,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces\Tcpip_{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PSched\Parameters\Adapters\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\Interfaces\2]
"InterfaceName"="{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate]
"{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Adapters\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}\Parameters\Tcpip]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001]
"NetCfgInstanceId"="{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}\##?#PCI#VEN_1039&DEV_0900&SUBSYS_0C4D105B&REV_91#3&61aaa01&0&20#{ad498944-762f-11d0-8dcb-00c04fc3358c}\#{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}\##?#PCI#VEN_1039&DEV_0900&SUBSYS_0C4D105B&REV_91#3&61aaa01&0&20#{ad498944-762f-11d0-8dcb-00c04fc3358c}\#{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}]
"SymbolicLink"="\\\\?\\PCI#VEN_1039&DEV_0900&SUBSYS_0C4D105B&REV_91#3&61aaa01&0&20#{ad498944-762f-11d0-8dcb-00c04fc3358c}\\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}\Connection]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Dhcp\Configurations\Alternate_{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\NetBT\Parameters\Interfaces\Tcpip_{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\PSched\Parameters\Adapters\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\RemoteAccess\Interfaces\2]
"InterfaceName"="{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate]
"{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Adapters\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}\Parameters\Tcpip]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001]
"NetCfgInstanceId"="{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}\##?#PCI#VEN_1039&DEV_0900&SUBSYS_0C4D105B&REV_91#3&61aaa01&0&20#{ad498944-762f-11d0-8dcb-00c04fc3358c}\#{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}\##?#PCI#VEN_1039&DEV_0900&SUBSYS_0C4D105B&REV_91#3&61aaa01&0&20#{ad498944-762f-11d0-8dcb-00c04fc3358c}\#{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}]
"SymbolicLink"="\\\\?\\PCI#VEN_1039&DEV_0900&SUBSYS_0C4D105B&REV_91#3&61aaa01&0&20#{ad498944-762f-11d0-8dcb-00c04fc3358c}\\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}\Connection]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Configurations\Alternate_{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters]
"{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}"=hex:0c,00,00,00,00,00,00,00,07,00,00,\

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PSched\Parameters\Adapters\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Interfaces\2]
"InterfaceName"="{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate]
"{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}\Parameters\Tcpip]
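To read an export like the one above without eyeballing sixty keys, here is an added example (not RegSrch code and not from the thread) that parses the REGEDIT4 format RegSrch writes, folds ControlSet001, ControlSet004 and CurrentControlSet together, and labels each key that mentions the GUID with the Windows component it belongs to. The fact it surfaces is that the GUID is the NetCfgInstanceId under the network-adapter device class {4D36E972-E325-11CE-BFC1-08002BE10318}, so it is the network card's interface identifier, and the Dhcp, Tcpip, NetBT, PSched and SharedAccess keys are the standard per-interface settings for that card. The sample export is a constructed excerpt of the posted results (the truncated hex value is finished with made-up bytes to exercise continuation lines), and the component table is the example's own mapping.

```python
"""Identify what a GUID is from a REGEDIT4-style export such as RegSrch.vbs
writes.  Added example, not the tool's code.  SAMPLE_EXPORT is a constructed
excerpt modelled on the RegSrch results above (hex bytes after the
continuation are made up); COMPONENTS is this example's own mapping."""
import re

GUID = "{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}"
# Device-setup class GUID that Windows assigns to network adapters.
NET_CLASS = "{4D36E972-E325-11CE-BFC1-08002BE10318}"

SAMPLE_EXPORT = r"""REGEDIT4
; constructed excerpt

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\2]
"ServiceName"="{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001]
"NetCfgInstanceId"="{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dhcp\Parameters]
"{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}"=hex:0c,00,00,00,00,00,00,00,07,00,00,\
  00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate]
"{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001]
"NetCfgInstanceId"="{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{6CF45B0C-B7E5-4C7B-9C28-28387D4887B2}]
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')
CONTROLSET_RE = re.compile(r"\\(ControlSet\d{3}|CurrentControlSet)\\", re.IGNORECASE)

# Where a network interface GUID legitimately shows up (assumed mapping).
COMPONENTS = (
    (r"\\Control\\Class\\" + re.escape(NET_CLASS) + r"\\", "network adapter class instance"),
    (r"\\NetworkCards\\", "NetworkCards binding"),
    (r"\\Services\\Tcpip\\", "TCP/IP per-interface settings"),
    (r"\\Services\\NetBT\\", "NetBIOS over TCP/IP"),
    (r"\\Services\\Dhcp\\", "DHCP client"),
    (r"\\Services\\SharedAccess\\", "Windows Firewall / ICS"),
    (r"\\Services\\PSched\\", "QoS packet scheduler"),
    (r"\\Control\\Network\\", "network connection"),
)


def parse_regedit4(text):
    """Return {key_path: {value_name: raw_data}}; keys with no values map to {}."""
    keys, current = {}, None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line[0] == ";" or line.startswith(("REGEDIT", "Windows Registry Editor")):
            continue
        while line.endswith("\\") and not line.startswith("["):  # hex continuation
            line = line[:-1] + next(lines, "").strip()
        km = KEY_RE.match(line)
        if km:
            current = km["key"]
            keys.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            keys[current][vm["name"]] = vm["data"]
    return keys


def normalize(key):
    """Fold ControlSetNNN / CurrentControlSet into one label so hits dedupe."""
    return CONTROLSET_RE.sub(r"\\CCS\\", key)


def classify_hits(keys, guid):
    """Label each key that mentions guid (in its path, a value name or data)."""
    g, hits = guid.lower(), {}
    for key, values in keys.items():
        mentioned = g in key.lower() or any(
            g in (name + data).lower() for name, data in values.items())
        if not mentioned:
            continue
        label = "unrecognised location"
        for pattern, name in COMPONENTS:
            if re.search(pattern, key, re.IGNORECASE):
                label = name
                break
        hits[normalize(key)] = label
    return hits


def is_adapter_instance(keys, guid):
    """True when guid is the NetCfgInstanceId of a network-adapter class key."""
    pat = re.compile(r"\\Control\\Class\\" + re.escape(NET_CLASS) + r"\\\d{4}$", re.IGNORECASE)
    return any(pat.search(key) and values.get("NetCfgInstanceId", "").strip('"') == guid
               for key, values in keys.items())


if __name__ == "__main__":
    parsed = parse_regedit4(SAMPLE_EXPORT)
    print("adapter instance:", is_adapter_instance(parsed, GUID))
    for key, label in sorted(classify_hits(parsed, GUID).items()):
        print(f"{label:32} {key}")
```

Anything that comes back as "unrecognised location" is the part worth reading by hand; on the excerpt every hit maps to a known network-stack location.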

#10
Metallica (Spyware Veteran, GeekU Moderator)
Go to your control panel and open your network connections.
Select the first network adaptor listed.
Right Click on it, and select Properties.
On the "general" Tab, highlight Internet Protocol (TCP/IP)
Select "Properties"

See what is listed under "Use the following DNS server addresses" as the Preferred and Alternate DNS servers.

Post back the results.

Also Click the Advanced Tab
Then click on the DNS Tab
Look at DNS Server Addresses, in order of use.

Post the names of the DNS servers in the "DNS server addresses, in order of use" box.

Regards,

#11
Nike (Topic Starter, Member)
Well, my whole connection is a tad jury-rigged (I'm blaming the internet company for this whole fiasco in the first place). Under Network Connections I have a "broadband" titled Bell Sympatico, but it doesn't seem to have the things you are talking about (under the "general" tab it just says "Service Name:") so under the "LAN or High-Speed Internet" titled Local Area Connection it says:

"Obtain DNS server address automatically" is chosen instead of "Use the following DNS server addresses". So, nothing is listed under "DNS Server Addresses", either. :tazz:

#12
Metallica (Spyware Veteran, GeekU Moderator)
That's strange. Your HijackThis log shows:

O17 - HKLM\System\CCS\Services\Tcpip\..\{66D2BCDA-A19F-48DF-97E8-A214D301484E}: NameServer = 207.236.176.26 206.47.244.89

They resolve as:
Bell Canada BELLGLOBAL-2
Bell Canada WORLDLINX03

How many connections do you have listed?

Regards,
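An added example (not from HijackThis or the thread) of checking O17 entries mechanically: it parses the per-interface NameServer and Domain lines and marks each resolver as expected or unexpected against an allow-list, which is the check a defender wants when a machine keeps losing its connection. Worth noticing is that the O17 line quotes interface {66D2BCDA-A19F-48DF-97E8-A214D301484E}, a different GUID from the {6CF45B0C-B7E5-4C7B-9C28-28387D4887B2} interface RootkitRevealer flagged, so more than one interface is registered on the box, which is what the question about the number of connections gets at. The first O17 line is the one quoted above; the second line with an all-zero GUID and the 203.0.113.53 resolver (RFC 5737 documentation range) is constructed, and EXPECTED holds the two Bell addresses as exact /32 placeholders because the ISP's real resolver ranges are not on the page.

```python
"""Audit HijackThis O17 lines (per-interface NameServer / Domain settings)
against the resolvers you expect.  Added example, not from HijackThis or
the thread.  The first O17 line is the one quoted in the thread; the other
two lines, the all-zero interface GUID and the 203.0.113.53 resolver
(RFC 5737 TEST-NET-3) are constructed.  EXPECTED lists the thread's two
Bell Canada addresses as /32s because the ISP's real ranges are not on the
page; in practice fill it from the ISP's published ranges."""
import ipaddress
import re

O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): (?P<setting>\w+) = (?P<value>.*)$")

EXPECTED = [
    ipaddress.ip_network("207.236.176.26/32"),   # placeholder: exact match only
    ipaddress.ip_network("206.47.244.89/32"),
]

SAMPLE_O17 = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{66D2BCDA-A19F-48DF-97E8-A214D301484E}: NameServer = 207.236.176.26 206.47.244.89",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 203.0.113.53,207.236.176.26",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = example.net",
]


def parse_o17(line):
    """Split one O17 line into key, interface, setting and server list."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    servers = []
    if m["setting"].lower() == "nameserver":
        # HijackThis prints resolvers separated by spaces or commas.
        servers = [s for s in re.split(r"[\s,]+", m["value"]) if s]
    return {
        "key": m["key"],
        "iface": m["key"].rsplit("\\", 1)[-1],
        "setting": m["setting"],
        "value": m["value"].strip(),
        "servers": servers,
    }


def audit_nameservers(lines, expected=EXPECTED):
    """Return (interface, server, verdict) for every resolver in O17 lines.
    Verdicts: 'expected' (inside an allowed network), 'unexpected', 'invalid'."""
    verdicts = []
    for line in lines:
        entry = parse_o17(line)
        if entry is None:
            continue
        for server in entry["servers"]:
            try:
                ip = ipaddress.ip_address(server)
            except ValueError:
                verdicts.append((entry["iface"], server, "invalid"))
                continue
            ok = any(ip in net for net in expected)
            verdicts.append((entry["iface"], server, "expected" if ok else "unexpected"))
    return verdicts


def interfaces_seen(lines):
    """Distinct interface GUIDs that carry a NameServer setting."""
    return sorted({e["iface"] for e in map(parse_o17, lines) if e and e["servers"]})


if __name__ == "__main__":
    print("interfaces with resolvers:", interfaces_seen(SAMPLE_O17))
    for iface, server, verdict in audit_nameservers(SAMPLE_O17):
        print(f"{verdict:10} {server:16} {iface}")
```

An "unexpected" verdict is a prompt to confirm who owns the address (whois, as Metallica did) before deciding whether the entry is the ISP's or a planted resolver; the allow-list only answers "is this one of ours".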

#13
Nike (Topic Starter, Member)
Just the two... I'm pretty sure it's only supposed to be one, but... I don't really know :tazz:

#14
Metallica (Spyware Veteran, GeekU Moderator)
No problem. :tazz:

Locate the file C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\Rasphone.pbk

Open it with notepad and post the content.

Regards,

#15
Nike (Topic Starter, Member)
The places on your computer you didn't even know existed :tazz:

[Bell Sympatico]
Encoding=1
Type=5
AutoLogon=0
UseRasCredentials=1
DialParamsUID=4884042
Guid=1855FDDBF1A6E4439E9DB1A5D21CA6C5
BaseProtocol=1
VpnStrategy=0
ExcludedProtocols=3
LcpExtensions=1
DataEncryption=8
SwCompression=1
NegotiateMultilinkAlways=0
SkipNwcWarning=0
SkipDownLevelDialog=0
SkipDoubleDialDialog=0
DialMode=1
DialPercent=75
DialSeconds=120
HangUpPercent=10
HangUpSeconds=120
OverridePref=15
RedialAttempts=3
RedialSeconds=60
IdleDisconnectSeconds=0
RedialOnLinkFailure=1
CallbackMode=0
CustomDialDll=
CustomDialFunc=
CustomRasDialDll=
AuthenticateServer=0
ShareMsFilePrint=0
BindMsNetClient=0
SharedPhoneNumbers=0
GlobalDeviceSettings=0
PrerequisiteEntry=
PrerequisitePbk=
PreferredPort=
PreferredDevice=
PreferredBps=0
PreferredHwFlow=0
PreferredProtocol=0
PreferredCompression=0
PreferredSpeaker=0
PreferredMdmProtocol=0
PreviewUserPw=0
PreviewDomain=0
PreviewPhoneNumber=0
ShowDialingProgress=0
ShowMonitorIconInTaskBar=1
CustomAuthKey=-1
AuthRestrictions=632
TypicalAuth=1
IpPrioritizeRemote=1
IpHeaderCompression=0
IpAddress=0.0.0.0
IpDnsAddress=0.0.0.0
IpDns2Address=0.0.0.0
IpWinsAddress=0.0.0.0
IpWins2Address=0.0.0.0
IpAssign=1
IpNameAssign=1
IpFrameSize=1006
IpDnsFlags=0
IpNBTFlags=0
TcpWindowSize=0
UseFlags=1
IpSecFlags=0
IpDnsSuffix=

NETCOMPONENTS=
ms_server=0
ms_msclient=0
ms_psched=1

MEDIA=rastapi
Port=PPPoE6-0
Device=WAN Miniport (PPPOE)

DEVICE=PPPoE
PhoneNumber=
AreaCode=
CountryCode=1
CountryID=1
UseDialingRules=0
Comment=
LastSelectedPhone=0
PromoteAlternates=0
TryNextAlternateOnFail=1