spy axe hijacker [resolved]


  • This topic is locked

#1
hlee814

    Member

  • 24 posts
I had the same problem as this person here:

http://www.geekstogo...ST&f=37&t=77602


I did some steps from that link and right now my IE is back to normal, but the

" your computer is infected, windows has detected spyware infection
it is recommended to use special antispyware tools to prevent data loss"

bubble still pops up. I uninstall Spy Axe, and every time I restart it reinstalls itself...

Also, I installed ewido security suite, and every time I run the scan it shows me that I have

Downloader.Zlob.az at the windows\system32\id8fco.tmp file, which it can't remove; it says "error during cleanup".

I tried to locate the file manually and I can't find it..


Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:00:19 PM, on 11/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\ASUS\Wireless Console\wcourier.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ASUS\ASUS Probe\AsusProb.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
D:\Program Files\ewido\security suite\securitysuite.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uwaterloo.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.micr...pdate?clid=1033
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Wireless Console] C:\Program Files\ASUS\Wireless Console\wcourier.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\ASUS Probe\AsusProb.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0
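For a reader working through a log like the one above, here is a small triage script, added as an example for this thread and not a tool from the forum, from HijackThis or from its author. It parses the R*/O* entries and flags the shapes a log helper checks first: components whose file is missing, autostarts that name a bare executable instead of an absolute path, startup-folder shortcuts with an unresolved target, AppInit_DLLs and Winlogon Notify DLLs, and an autostart of a .tmp file under system32. The sample lines are copied from the log posted above; the one `[sample]` O4 line is constructed to show what an autostart of the `id8fco.tmp` file named in the post would look like, not something HijackThis actually reported.

```python
"""Triage of HijackThis v1.99-style log entries.

Added example for this thread; not a tool from the forum, from HijackThis or
from its author. parse_entries() pulls out the R*/O* lines and triage() flags
the shapes a log helper checks first.
"""
import re
from typing import Dict, List

# Sample input: lines copied from the log posted above, plus ONE constructed
# entry (the "[sample]" O4 line) showing what an autostart of the system32
# .tmp file named in the post would look like. HijackThis did not report it.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - HKLM\..\Run: [sample] C:\WINDOWS\system32\id8fco.tmp
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# O4 registry autostart: "<hive>: [<value name>] <command line>"
O4_RUN_RE = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')
SYSTEM32_TMP_RE = re.compile(r"\\system32\\[^\\\s]+\.tmp\b", re.IGNORECASE)


def parse_entries(log_text: str) -> List[Dict[str, str]]:
    """Return the R*/O* entries as {section, body, line}; other lines are ignored."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"section": m["section"], "body": m["body"], "line": line})
    return entries


def triage(log_text: str) -> List[Dict[str, str]]:
    """Flag entries worth a closer look. A flag is a reason to check the file's
    location and publisher, not a verdict that the entry is malicious."""
    findings = []
    for entry in parse_entries(log_text):
        section, body = entry["section"], entry["body"]
        reasons = []
        if "(file missing)" in body:
            reasons.append("registered component points at a file that no longer exists")
        if section == "O4":
            run = O4_RUN_RE.match(body)
            if run:
                cmd = run["cmd"]
                if SYSTEM32_TMP_RE.search(cmd):
                    reasons.append("autostart of a .tmp file under system32")
                elif not ABS_PATH_RE.match(cmd):
                    reasons.append("autostart without an absolute path (resolved via the search path)")
            elif body.endswith("= ?"):
                reasons.append("startup-folder shortcut whose target could not be resolved")
        elif section == "O20":
            if body.startswith("AppInit_DLLs:"):
                reasons.append("AppInit_DLLs entry: loaded into every process that loads user32.dll")
            elif body.startswith("Winlogon Notify:"):
                reasons.append("Winlogon Notify DLL: loaded by winlogon.exe at logon")
        for reason in reasons:
            findings.append({"section": section, "line": entry["line"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']}: {f['reason']}\n    {f['line']}")
```

Flags are starting points, not verdicts: in this log the bare SOUNDMAN.EXE and ALCMTR.EXE entries are Realtek audio components and the Winlogon Notify DLL is Intel's wireless client (the Silent Runners output later in the thread confirms both publishers), which is why a helper reads the publisher and file location rather than acting on the line alone.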

#2
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Welcome hlee814 to Geeks to Go!

Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!



Please download noahdfear's smitRem.exe©. Save the file to your desktop. Double click on the file to extract it to its own folder on the desktop.

***

Launch ewido, there should be an icon on your desktop double-click it.

The program will now go to the main screen
You will need to update ewido to the latest definition files. On the left hand side of the main screen click Update.
Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed, close Ewido for now.

***

If you have not already installed Ad-Aware SE 1.06, please download and install Ad-Aware SE 1.06.
Check Here on how to set up and use it - please make sure you update it first.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

***

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed.
Post the contents of the smitfiles.txt log when you post back.

***

Open Ad-aware and do a full scan. Remove all it finds.

***

Now open Ewido Security Suite:
* Click on Scanner
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop
Reboot your computer.

***

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

***

Reboot back into Windows
You will need to allow the popups for this site!

Run the free Panda ActiveScan.
  • Click on Scan your PC. A new browser window will open with Panda ActiveScan. If this is the first time you scan your PC, you'll have to download the ActiveX controls (8 MB).
  • A new window will open
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When the download is complete, click on my computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.
  • 0

#3
hlee814

    Member

  • Topic Starter
  • 24 posts
Thanks, here are the logs,

but each time I restart Windows I still get a Downloader.Zlob.az file in my windows\system32 folder.
The name of the file changes, but it's usually id8fa-something .tmp... When I click Clean it says error when cleaning... In Safe Mode, ewido does not detect this file...

The system tray "security" icon that tells me my computer is infected is still there.
Here are the logs:



smitRem © log file
version 2.7

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Sat 11/12/2005
The current time is: 12:26:05.71

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :tazz:




IN SAFE MODE
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:22:28 PM, 11/12/2005
+ Report-Checksum: 11FD4AD9

+ Scan result:

No infected objects found.


::Report End


The Panda scan didn't pick up anything either.


Logfile of HijackThis v1.99.1
Scan saved at 1:54:21 PM, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\ASUS\Wireless Console\wcourier.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\ASUS\ASUS Probe\AsusProb.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uwaterloo.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.micr...pdate?clid=1033
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Wireless Console] C:\Program Files\ASUS\Wireless Console\wcourier.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\ASUS Probe\AsusProb.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0
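The recurring complaint in this post is a file that comes back under a new random name after every reboot and cannot be found by hand. One defender-side way to pin such a file down is a before/after snapshot of the folder: record every file's name, size and hash before rebooting, then diff against a fresh listing afterwards. The script below is an added example for this thread, not a tool from the forum or its helpers; it runs the snapshot and diff against a constructed temporary stand-in rather than the real `C:\WINDOWS\system32`, and the `id8fa3c.tmp` name in it is made up to resemble the pattern the poster describes. `os.scandir` returns files regardless of the hidden and system attributes that Explorer hides by default, which is the usual reason a file "cannot be found"; a user-mode listing still trusts the kernel, so a rootkit that filters directory listings would hide the file from this script too.

```python
"""Before/after snapshot of a folder to catch a file that reappears under a new name.

Added example for this thread, not a tool from the forum. Point snapshot() at the
real folder (e.g. C:\\WINDOWS\\system32) before a reboot, save the result, and
diff against a fresh snapshot afterwards. demo() runs the same steps against a
constructed temporary folder so the script is runnable anywhere.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, Set, Tuple

Snapshot = Dict[str, Tuple[int, str]]  # file name -> (size in bytes, sha256 hex)


def snapshot(folder: Path) -> Snapshot:
    """Record every regular file in folder. os.scandir lists files regardless
    of the hidden/system attributes that Explorer hides by default."""
    snap: Snapshot = {}
    with os.scandir(folder) as entries:
        for entry in entries:
            if entry.is_file(follow_symlinks=False):
                digest = hashlib.sha256(Path(entry.path).read_bytes()).hexdigest()
                snap[entry.name.lower()] = (entry.stat().st_size, digest)
    return snap


def save_snapshot(snap: Snapshot, path: Path) -> None:
    """Persist the baseline so it survives the reboot between the two listings."""
    path.write_text(json.dumps(snap))


def load_snapshot(path: Path) -> Snapshot:
    return {name: tuple(meta) for name, meta in json.loads(path.read_text()).items()}


def diff_snapshots(before: Snapshot, after: Snapshot) -> Dict[str, Set[str]]:
    """Names that appeared, disappeared, or changed size/content between snapshots."""
    common = set(before) & set(after)
    return {
        "added": set(after) - set(before),
        "removed": set(before) - set(after),
        "changed": {name for name in common if before[name] != after[name]},
    }


def suspicious_temp_files(delta: Dict[str, Set[str]]) -> Set[str]:
    """The pattern from the post: a .tmp that is new or rewritten in a system folder."""
    return {name for name in delta["added"] | delta["changed"] if name.endswith(".tmp")}


def demo() -> Dict[str, Set[str]]:
    """Constructed stand-in for system32: baseline, 'reboot', second snapshot, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system32"
        root.mkdir()
        for name in ("kernel32.dll", "ntdll.dll", "notepad.exe"):
            (root / name).write_bytes(b"placeholder contents of " + name.encode())
        baseline_file = Path(tmp) / "baseline.json"
        save_snapshot(snapshot(root), baseline_file)  # taken before the reboot

        # What the poster sees after a restart: a new random-named .tmp (the name
        # is constructed) and, for illustration, one existing file rewritten.
        (root / "id8fa3c.tmp").write_bytes(b"constructed sample payload")
        (root / "notepad.exe").write_bytes(b"constructed modified contents")

        delta = diff_snapshots(load_snapshot(baseline_file), snapshot(root))
        delta["suspicious"] = suspicious_temp_files(delta)
        return delta


if __name__ == "__main__":
    for key, names in demo().items():
        print(f"{key}: {sorted(names)}")
```

In real use the two snapshots come from separate runs, one before and one after the reboot, with the baseline saved somewhere outside the folder being watched; the `changed` set is worth reading as carefully as `added`, since a dropper that overwrites an existing file leaves no new name to search for.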

#4
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
c:\windows\system32\id8fco.tmp

Please check to see if this is the correct file and path.

***

Please RIGHT-CLICK HERE to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
  • You will receive a prompt:
    • Do you want to skip supplementary searches?
      click NO
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

Edited by g2i2r4, 12 November 2005 - 01:26 PM.

  • 0

#5
hlee814

    Member

  • Topic Starter
  • 24 posts
Yes, I've had that before, but every time I start up it's a different file name.


I tried manually locating that file, but I haven't been able to find it...
  • 0

#6
hlee814

    Member

  • Topic Starter
  • 24 posts
Norton gave me the message "malicious ware detected" and prompted me to block it when I ran Silent Runners.
  • 0

#7
hlee814

    Member

  • Topic Starter
  • 24 posts
OK, I let it run and got the following logs:



"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"WebCamRT.exe" = (empty string)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"HControl" = "C:\WINDOWS\ATK0100\HControl.exe" [empty string]
"High Definition Audio Property Page Shortcut" = "HDAudPropShortcut.exe" ["Windows ® Server 2003 DDK provider"]
"Wireless Console" = "C:\Program Files\ASUS\Wireless Console\wcourier.exe" [empty string]
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"Power_Gear" = "C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1" ["ASUSTeK Computer Inc."]
"(Default)" = (empty string)
"IntelWireless" = "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless" ["Intel Corporation"]
"EOUApp" = "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" ["Intel Corporation"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"RemoteControl" = ""C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"" ["Cyberlink Corp."]
"MessengerPlus3" = ""C:\Program Files\MessengerPlus! 3\MsgPlus.exe"" ["Patchou"]
"iTunesHelper" = ""D:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]
"ASUS Probe" = "C:\Program Files\ASUS\ASUS Probe\AsusProb.exe" ["ASUSTeK Computer Inc"]
"LVCOMS" = "C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" ["Logitech Inc."]
"LogitechGalleryRepair" = "C:\Program Files\Logitech\ImageStudio\ISStart.exe" ["Logitech Inc."]
"LogitechImageStudioTray" = "C:\Program Files\Logitech\ImageStudio\LogiTray.exe" ["Logitech Inc."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" ["Sun Microsystems, Inc."]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"AlcWzrd" = "ALCWZRD.EXE" ["RealTek Semicoductor Corp."]
"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" [file not found]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{B446400D-0030-457b-8F64-422A19605186}" = "Logitech Gallery"
-> {CLSID}\InProcServer32\(Default) = "c:\program files\logitech\imagestudio\NameSpc.dll" ["Logitech Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "MsgPlusLoader.dll" ["Patchou"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
INFECTION WARNING! IntelWireless\DLLName = "C:\Program Files\Intel\Wireless\Bin\LgNotify.dll" ["Intel Corporation"]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" [file not found]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" [file not found]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Hugh_\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Startup items in "Hugh_" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Bluetooth Manager" -> shortcut to: "C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe" [null data]


Enabled Scheduled Tasks:
------------------------

"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
"Norton AntiVirus - Scan my computer - Hugh_" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 20
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" [file not found]

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
EvtEng, EvtEng, "C:\Program Files\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]
ewido security suite control, ewido security suite control, "D:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "D:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
iPod Service, iPodService, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."]
Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton AntiVirus Firewall Monitor Service, NPFMntor, ""C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe"" ["Symantec Corporation"]
OwnershipProtocol, OwnershipProtocol, "C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe" ["Intel Corporation"]
RegSrvc, RegSrvc, "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]
Spectrum24 Event Monitor, S24EventMonitor, "C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "]
Sygate Personal Firewall, SmcService, "C:\Program Files\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, ""C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]

#8 g2i2r4 (retired HiJack Helper, Retired Staff)
Is there more text in the log? Please post me that missing part if there is more.

Can you check the Norton log and post me the content?

#9 hlee814 (Member, Topic Starter)
"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"WebCamRT.exe" = (empty string)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"HControl" = "C:\WINDOWS\ATK0100\HControl.exe" [empty string]
"High Definition Audio Property Page Shortcut" = "HDAudPropShortcut.exe" ["Windows ® Server 2003 DDK provider"]
"Wireless Console" = "C:\Program Files\ASUS\Wireless Console\wcourier.exe" [empty string]
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"Power_Gear" = "C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1" ["ASUSTeK Computer Inc."]
"(Default)" = (empty string)
"IntelWireless" = "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless" ["Intel Corporation"]
"EOUApp" = "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" ["Intel Corporation"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"RemoteControl" = ""C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"" ["Cyberlink Corp."]
"MessengerPlus3" = ""C:\Program Files\MessengerPlus! 3\MsgPlus.exe"" ["Patchou"]
"iTunesHelper" = ""D:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]
"ASUS Probe" = "C:\Program Files\ASUS\ASUS Probe\AsusProb.exe" ["ASUSTeK Computer Inc"]
"LVCOMS" = "C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" ["Logitech Inc."]
"LogitechGalleryRepair" = "C:\Program Files\Logitech\ImageStudio\ISStart.exe" ["Logitech Inc."]
"LogitechImageStudioTray" = "C:\Program Files\Logitech\ImageStudio\LogiTray.exe" ["Logitech Inc."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" ["Sun Microsystems, Inc."]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"AlcWzrd" = "ALCWZRD.EXE" ["RealTek Semicoductor Corp."]
"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" [file not found]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{B446400D-0030-457b-8F64-422A19605186}" = "Logitech Gallery"
-> {CLSID}\InProcServer32\(Default) = "c:\program files\logitech\imagestudio\NameSpc.dll" ["Logitech Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "MsgPlusLoader.dll" ["Patchou"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
INFECTION WARNING! IntelWireless\DLLName = "C:\Program Files\Intel\Wireless\Bin\LgNotify.dll" ["Intel Corporation"]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" [file not found]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" [file not found]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Hugh_\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Startup items in "Hugh_" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Bluetooth Manager" -> shortcut to: "C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe" [null data]


Enabled Scheduled Tasks:
------------------------

"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
"Norton AntiVirus - Scan my computer - Hugh_" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 20
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" [file not found]

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
EvtEng, EvtEng, "C:\Program Files\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]
ewido security suite control, ewido security suite control, "D:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "D:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
iPod Service, iPodService, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."]
Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton AntiVirus Firewall Monitor Service, NPFMntor, ""C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe"" ["Symantec Corporation"]
OwnershipProtocol, OwnershipProtocol, "C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe" ["Intel Corporation"]
RegSrvc, RegSrvc, "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]
Spectrum24 Event Monitor, S24EventMonitor, "C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "]
Sygate Personal Firewall, SmcService, "C:\Program Files\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, ""C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
Toshiba Bluetooth Monitor\Driver = "tbtmon.dll" ["Toshiba America Business Solutions, Inc."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 18 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 4 seconds.
---------- (total run time: 61 seconds)




That's the complete one. Norton said the Silent Runners script is malware, but I just authorized it and let it run, and got this script above.
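Added example, not from the thread and not Silent Runners' own code: a Python triage pass over lines in the shape of the log above. Silent Runners prints "INFECTION WARNING!" in front of every non-default entry in the launch points malware most often uses (AppInit_DLLs, Winlogon\Notify, ShellExecuteHooks, the PROTOCOLS\Filter MIME handlers), so the prefix is a prompt to check the publisher and path, not a verdict; in this log each flagged entry resolves to a recognisable vendor (Messenger Plus!, ewido, ATI, Intel, Microsoft Office). The script pairs each entry with its "->" resolution line, then flags the warning entries plus anything marked [file not found], [null data] or [empty string], or whose company string is a build placeholder like the one on ewido's shellhook.dll. The sample lines are copied from the log; the reason labels and the Entry/Finding names are my own.

```python
# Triage helper for Silent Runners output. Added example: not from the thread
# and not Silent Runners' own code. Sample lines are copied from the log above.
import re
from collections import namedtuple
from dataclasses import dataclass

SAMPLE_LOG = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"HControl" = "C:\WINDOWS\ATK0100\HControl.exe" [empty string]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "MsgPlusLoader.dll" ["Patchou"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" [file not found]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"""

WARNING_PREFIX = "INFECTION WARNING! "
# Trailing [...] annotation: a quoted company, [MS], or a status like [file not found].
ANNOTATION_RE = re.compile(r'^(?P<value>.*?)\s*\[(?P<annot>[^\[\]]*)\]$')
# Triage meaning of each status annotation (labels are my own).
STATUS_REASONS = {
    "file not found": "handler DLL is missing (dangling entry)",
    "null data": "DLL has no version resource",
    "empty string": "version resource carries no company name",
}
Finding = namedtuple("Finding", "key name target reasons")

@dataclass
class Entry:
    key: str            # registry key the entry lives under
    name: str           # value name or subkey
    value: str          # raw value, or the CLSID it points at
    annotation: str     # company / status annotation on the entry line
    warning: bool       # entry carried the INFECTION WARNING! prefix
    dll: str = ""       # from the following "-> ..." resolution line
    dll_annotation: str = ""

def split_annotation(rhs):
    """'"x.dll" ["Vendor"]' -> ('x.dll', 'Vendor'); no annotation -> ''."""
    m = ANNOTATION_RE.match(rhs)
    if not m:
        return rhs.strip('"'), ""
    return m.group("value").strip('"'), m.group("annot").strip('"')

def parse_silent_runners(text):
    entries, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("-> "):          # CLSID resolution for the last entry
            if entries and " = " in line:
                _, rhs = line[3:].split(" = ", 1)
                entries[-1].dll, entries[-1].dll_annotation = split_annotation(rhs)
            continue
        if line.startswith(("HKLM", "HKCU", "HKU")) and " = " not in line:
            key = line                       # new registry key section
            continue
        warning = line.startswith(WARNING_PREFIX)
        if warning:
            line = line[len(WARNING_PREFIX):]
        if " = " not in line:
            continue                         # titles, underlines, free text
        name, rhs = line.split(" = ", 1)
        value, annot = split_annotation(rhs)
        entries.append(Entry(key, name.strip('"'), value, annot, warning))
    return entries

def triage(entries):
    """Flag entries worth a human look. A flag is a prompt, not a verdict."""
    findings = []
    for e in entries:
        reasons = []
        if e.warning:
            # Marked on every non-default entry in an abused launch point; check the publisher.
            reasons.append("sensitive launch point")
        for annot in (e.annotation, e.dll_annotation):
            if annot in STATUS_REASONS:
                reasons.append(STATUS_REASONS[annot])
            elif annot.startswith("TODO"):
                reasons.append("placeholder company name in version resource")
        if reasons:
            findings.append(Finding(e.key, e.name, e.dll or e.value, reasons))
    return findings

if __name__ == "__main__":
    for f in triage(parse_silent_runners(SAMPLE_LOG)):
        print(f"{f.key}\n  {f.name} -> {f.target}\n    {'; '.join(f.reasons)}")
```

Run it on a saved log with `parse_silent_runners(open(path).read())`. The flags are a reading order, not a removal list: a [file not found] handler points at a DLL that is no longer on disk, [null data] only says the DLL carries no version resource, and an entry under AppInit_DLLs or ShellExecuteHooks is cleared by confirming that its path and publisher match software the user knowingly installed.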

#10 g2i2r4 (retired HiJack Helper, Retired Staff)
Thanks.

Did you find the Norton log? Can you post me that one too?



#11 hlee814 (Member, Topic Starter)
Here is my "Threat alerts" log from Norton:


Category: Threat alerts
Date,Feature,Threat Name,Action Taken,Item Type,Target,Suspicious Action,Virus Definition Version,Product Version,User Name,Computer Name,Details
11/12/2005 2:33:05 PM,Script Blocking,Suspicious script,Authorized,Script,N/A,FileSystem Object : GetFile,Unknown,Unknown,Hugh_,HUGH,Source: C:\Documents and Settings\Hugh_\Desktop\Silent Runners.vbs
11/12/2005 2:32:58 PM,Script Blocking,Suspicious script,Activity allowed once,Script,N/A,FileSystem Object : GetFile,Unknown,Unknown,Hugh_,HUGH,Source: C:\Documents and Settings\Hugh_\Desktop\Silent Runners.vbs
11/12/2005 2:32:56 PM,Script Blocking,Suspicious script,Activity allowed once,Script,N/A,FileSystem Object : GetFile,Unknown,Unknown,Hugh_,HUGH,Source: C:\Documents and Settings\Hugh_\Desktop\Silent Runners.vbs
11/12/2005 2:32:54 PM,Script Blocking,Suspicious script,Activity allowed once,Script,N/A,FileSystem Object : CreateTextFile,Unknown,Unknown,Hugh_,HUGH,Source: C:\Documents and Settings\Hugh_\Desktop\Silent Runners.vbs
11/12/2005 2:32:38 PM,Script Blocking,Suspicious script,Activity allowed once,Script,N/A,FileSystem Object : GetSpecialFolder,Unknown,Unknown,Hugh_,HUGH,Source: C:\Documents and Settings\Hugh_\Desktop\Silent Runners.vbs
11/12/2005 2:32:30 PM,Script Blocking,Suspicious script,Activity allowed once,Script,N/A,FileSystem Object : GetSpecialFolder,Unknown,Unknown,Hugh_,HUGH,Source: C:\Documents and Settings\Hugh_\Desktop\Silent Runners.vbs
11/12/2005 2:29:29 PM,Script Blocking,Suspicious script,Blocked,Script,N/A,FileSystem Object : GetSpecialFolder,Unknown,Unknown,Hugh_,HUGH,Source: C:\Documents and Settings\Hugh_\Desktop\Silent Runners.vbs
11/10/2005 10:56:50 AM,Auto-Protect,Download.Trojan,Automatically deleted,File,N/A,N/A,200511090009,11.0.16.2,SYSTEM,HUGH,Source: C:\WINDOWS\system32\1024\ld5B40.tmp
8/16/2005 9:23:31 PM,Virus scanner,Spyware.e2give,Manually deleted,File,N/A,N/A,200508150041,11.0.11.4,Hugh_,HUGH,"Threat category: SpywareSource: C:\Documents and Settings\HUGH_\Local Settings\Temporary Internet Files\Content.IE5\E7EFAH6B\upi[1].js,Description: The file C:\Documents and Settings\HUGH_\Local Settings\Temporary Internet Files\Content.IE5\E7EFAH6B\upi[1].js is a Spyware threat."
8/14/2005 11:27:02 PM,Virus scanner,Spyware.e2give,Manually deleted,File,N/A,N/A,200508140017,11.0.11.4,Hugh_,HUGH,"Threat category: SpywareSource: C:\Documents and Settings\HUGH_\Local Settings\Temporary Internet Files\Content.IE5\KFXVYYZ1\upi[1].js,Description: The file C:\Documents and Settings\HUGH_\Local Settings\Temporary Internet Files\Content.IE5\KFXVYYZ1\upi[1].js is a Spyware threat."



Here is my "worm detection alerts" log:


Category: Alerts
Date,Message,Details
11/10/2005 2:28:57 PM,The user has created a rule to "block" communications.,"The user has created a rule to ""block"" communications. Inbound UDP packet. Local address,service is (0.0.0.0,1030). Remote address,service is (222.38.148.30,34419). Process name is ""C:\Program Files\Sygate\SPF\smc.exe""."
11/8/2005 11:03:28 AM,Rule "Default Block Phinneas Phucker Trojan horse" blocked communication.,"Rule ""Default Block Phinneas Phucker Trojan horse"" blocked communication. Local address: All local network adapters(2801). Process name is ""C:\Program Files\Java\jre1.5.0_04\bin\javaw.exe""."
11/8/2005 11:03:28 AM,Rule "Default Block Phinneas Phucker Trojan horse" blocked communication.,"Rule ""Default Block Phinneas Phucker Trojan horse"" blocked communication. Local address: All local network adapters(2801). Process name is ""C:\Program Files\Java\jre1.5.0_04\bin\javaw.exe""."
11/6/2005 11:40:04 PM,The user has created a rule to "permit" communications.,"The user has created a rule to ""permit"" communications. Inbound TCP connection. Local address,service is (HUGH(129.97.232.71),http(80)). Remote address,service is (129.97.128.230,46400). Process name is ""C:\Program Files\MSN Messenger\msnmsgr.exe""."
11/6/2005 11:30:54 PM,The new firewall rule does not affect this connection. Default action is to "block" communications.,"The new firewall rule does not affect this connection. Default action is to ""block"" communications. Inbound TCP connection. Local address,service is (HUGH(129.97.232.71),http(80)). Remote address,service is (129.97.128.230,56285). Process name is ""C:\Program Files\MSN Messenger\msnmsgr.exe""."
11/6/2005 11:30:46 PM,The new firewall rule does not affect this connection. Default action is to "block" communications.,"The new firewall rule does not affect this connection. Default action is to ""block"" communications. Inbound TCP connection. Local address,service is (HUGH(129.97.232.71),http(80)). Remote address,service is (129.97.128.230,56270). Process name is ""C:\Program Files\MSN Messenger\msnmsgr.exe""."
11/6/2005 11:30:39 PM,The new firewall rule does not affect this connection. Default action is to "block" communications.,"The new firewall rule does not affect this connection. Default action is to ""block"" communications. Inbound TCP connection. Local address,service is (HUGH(129.97.232.71),http(80)). Remote address,service is (129.97.128.230,56190). Process name is ""C:\Program Files\MSN Messenger\msnmsgr.exe""."
11/6/2005 11:26:49 PM,The new firewall rule does not affect this connection. Default action is to "block" communications.,"The new firewall rule does not affect this connection. Default action is to ""block"" communications. Inbound TCP connection. Local address,service is (HUGH(129.97.232.71),http(80)). Remote address,service is (129.97.128.230,39129). Process name is ""C:\Program Files\MSN Messenger\msnmsgr.exe""."
11/6/2005 11:26:44 PM,The new firewall rule does not affect this connection. Default action is to "block" communications.,"The new firewall rule does not affect this connection. Default action is to ""block"" communications. Inbound TCP connection. Local address,service is (HUGH(129.97.232.71),http(80)). Remote address,service is (129.97.128.230,39050). Process name is ""C:\Program Files\MSN Messenger\msnmsgr.exe""."
11/6/2005 11:20:07 PM,The new firewall rule does not affect this connection. Default action is to "block" communications.,"The new firewall rule does not affect this connection. Default action is to ""block"" communications. Inbound TCP connection. Local address,service is (HUGH(129.97.232.71),http(80)). Remote address,service is (129.97.128.230,59053). Process name is ""C:\Program Files\MSN Messenger\msnmsgr.exe""."
11/6/2005 11:19:59 PM,The new firewall rule does not affect this connection. Default action is to "block" communications.,"The new firewall rule does not affect this connection. Default action is to ""block"" communications. Inbound TCP connection. Local address,service is (HUGH(129.97.232.71),http(80)). Remote address,service is (129.97.128.230,58974). Process name is ""C:\Program Files\MSN Messenger\msnmsgr.exe""."
11/6/2005 11:17:02 PM,The new firewall rule does not affect this connection. Default action is to "block" communications.,"The new firewall rule does not affect this connection. Default action is to ""block"" communications. Inbound TCP connection. Local address,service is (HUGH(129.97.232.71),http(80)). Remote address,service is (129.97.128.230,41904). Process name is ""C:\Program Files\MSN Messenger\msnmsgr.exe""."
11/6/2005 11:16:59 PM,The new firewall rule does not affect this connection. Default action is to "block" communications.,"The new firewall rule does not affect this connection. Default action is to ""block"" communications. Inbound TCP connection. Local address,service is (HUGH(129.97.232.71),http(80)). Remote address,service is (129.97.128.230,41889). Process name is ""C:\Program Files\MSN Messenger\msnmsgr.exe""."
11/6/2005 11:16:55 PM,The new firewall rule does not affect this connection. Default action is to "block" communications.,"The new firewall rule does not affect this connection. Default action is to ""block"" communications. Inbound TCP connection. Local address,service is (HUGH(129.97.232.71),http(80)). Remote address,service is (129.97.128.230,41809). Process name is ""C:\Program Files\MSN Messenger\msnmsgr.exe""."
11/4/2005 12:52:14 AM,The new firewall rule does not affect this connection. Default action is to "block" communications.,"The new firewall rule does not affect this connection. Default action is to ""block"" communications. Inbound TCP connection. Local address,service is (HUGH(129.97.232.71),http(80)). Remote address,service is (129.97.128.230,41917). Process name is ""C:\Program Files\MSN Messenger\msnmsgr.exe""."
11/4/2005 12:52:11 AM,The new firewall rule does not affect this connection. Default action is to "block" communications.,"The new firewall rule does not affect this connection. Default action is to ""block"" communications. Inbound TCP connection. Local address,service is (HUGH(129.97.232.71),http(80)). Remote address,service is (129.97.128.230,41838). Process name is ""C:\Program Files\MSN Messenger\msnmsgr.exe""."
11/4/2005 12:47:21 AM,The new firewall rule does not affect this connection. Default action is to "block" communications.,"The new firewall rule does not affect this connection. Default action is to ""block"" communications. Inbound TCP connection. Local address,service is (HUGH(129.97.232.71),http(80)). Remote address,service is (129.97.128.230,53257). Process name is ""C:\Program Files\MSN Messenger\msnmsgr.exe""."
11/4/2005 12:47:19 AM,The new firewall rule does not affect this connection. Default action is to "block" communications.,"The new firewall rule does not affect this connection. Default action is to ""block"" communications. Inbound TCP connection. Local address,service is (HUGH(129.97.232.71),http(80)). Remote address,service is (129.97.128.230,53179). Process name is ""C:\Program Files\MSN Messenger\msnmsgr.exe""."
11/4/2005 12:41:55 AM,The new firewall rule does not affect this connection. Default action is to "block" communications.,"The new firewall rule does not affect this connection. Default action is to ""block"" communications. Inbound TCP connection. Local address,service is (HUGH(129.97.232.71),http(80)). Remote address,service is (129.97.128.230,49843). Process name is ""C:\Program Files\MSN Messenger\msnmsgr.exe""."
8/19/2005 3:11:16 PM,The new firewall rule does not affect this connection. Default action is to "block" communications.,"The new firewall rule does not affect this connection. Default action is to ""block"" communications. Inbound UDP packet. Local address,service is (0.0.0.0,7600). Remote address,service is (203.210.217.207,7700). Process name is ""C:\Program Files\MAIET\Gunz\Gunz.exe""."
8/19/2005 3:08:36 PM,The new firewall rule does not affect this connection. Default action is to "block" communications.,"The new firewall rule does not affect this connection. Default action is to ""block"" communications. Inbound UDP packet. Local address,service is (0.0.0.0,7600). Remote address,service is (68.228.68.235,7700). Process name is ""C:\Program Files\MAIET\Gunz\Gunz.exe""."
8/19/2005 3:07:36 PM,The new firewall rule does not affect this connection. Default action is to "block" communications.,"The new firewall rule does not affect this connection. Default action is to ""block"" communications. Inbound UDP packet. Local address,service is (0.0.0.0,7600). Remote address,service is (201.240.184.95,25619). Process name is ""C:\Program Files\MAIET\Gunz\Gunz.exe""."
8/19/2005 3:06:08 PM,The new firewall rule does not affect this connection. Default action is to "block" communications.,"The new firewall rule does not affect this connection. Default action is to ""block"" communications. Inbound UDP packet. Local address,service is (0.0.0.0,7600). Remote address,service is (24.127.23.222,7700). Process name is ""C:\Program Files\MAIET\Gunz\Gunz.exe""."
8/19/2005 1:35:11 PM,The user has created a rule to "permit" communications.,"The user has created a rule to ""permit"" communications. Inbound UDP packet. Local address,service is (0.0.0.0,8363). Remote address,service is (201.138.14.240,8363). Process name is ""D:\Program Files\softnyx\GunboundWC\GunBound.gme""."
8/15/2005 9:23:51 PM,The user has created a rule to "permit" communications.,"The user has created a rule to ""permit"" communications. Inbound TCP connection. Local address,service is (192.168.2.103,1165). Remote address,service is (24.156.55.231,1606). Process name is ""C:\Program Files\MSN Messenger\MsnMsgr.Exe""."
8/13/2005 6:40:52 PM,The user has created a rule to "permit" communications.,"The user has created a rule to ""permit"" communications. Inbound UDP packet. Local address,service is (0.0.0.0,7600). Remote address,service is (69.109.235.228,7700). Process name is ""C:\Program Files\MAIET\Gunz\Gunz.exe""."
8/12/2005 3:46:16 PM,Rule "Default Block Backdoor/SubSeven Trojan horse" blocked communication.,"Rule ""Default Block Backdoor/SubSeven Trojan horse"" blocked communication. Local address: All local network adapters(Backdoor-g-1(1243)). Process name is ""D:\Program Files\MAIET\Gunz\GunzLauncher.exe""."
7/19/2005 2:33:00 PM,Rule "Default Block Extreme Trojan horse" blocked communication.,"Rule ""Default Block Extreme Trojan horse"" blocked communication. Local address: All local network adapters(1090). Process name is ""D:\Program Files\MAIET\Gunz\GunzLauncher.exe""."
7/15/2005 10:53:51 PM,Rule "Default Block Extreme Trojan horse" blocked communication.,"Rule ""Default Block Extreme Trojan horse"" blocked communication. Local address: All local network adapters(1090). Process name is ""D:\Program Files\MAIET\Gunz\GunzLauncher.exe""."
7/14/2005 8:01:23 PM,Rule "Default Block Extreme Trojan horse" blocked communication.,"Rule ""Default Block Extreme Trojan horse"" blocked communication. Local address: All local network adapters(1090). Process name is ""D:\Program Files\MAIET\Gunz\GunzLauncher.exe""."
7/13/2005 11:01:22 PM,The user has created a rule to "permit" communications.,"The user has created a rule to ""permit"" communications. Inbound UDP packet. Local address,service is (0.0.0.0,7700). Remote address,service is (68.66.106.254,7700). Process name is ""D:\Program Files\MAIET\Gunz\Gunz.exe""."
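The firewall log in the post above is a CSV export with a timestamp, a summary and a quoted detail column (inner quotes doubled). As an added example, not part of the thread and not Norton's own tooling, here is a Python script that parses lines in that layout and tallies, per process, which named "Default Block ... Trojan horse" rules fired, which inbound packets were dropped by the default action, which ones the user explicitly permitted, and the local ports and remote peers involved. Four lines copied from the posted log are embedded as constructed sample input. One thing the per-process view makes visible: in this log each named rule always reports the same local port (1090 for "Extreme", 1243 for "Backdoor/SubSeven", 1981 for "ShockRave"), and the processes behind those hits are game launchers and Java, which is the first thing to separate from the Zlob download the poster is actually chasing.

```python
import csv
import re
from collections import Counter, defaultdict
from io import StringIO

# Constructed sample: four lines copied from the Norton firewall log posted above.
# Layout per line: timestamp, summary, detail (quoted, with doubled inner quotes).
SAMPLE_LOG = r'''9/22/2005 2:19:19 PM,Rule "Default Block ShockRave Trojan horse" blocked communication.,"Rule ""Default Block ShockRave Trojan horse"" blocked communication. Local address: All local network adapters(1981). Process name is ""C:\Program Files\Java\jre1.5.0_04\bin\javaw.exe""."
9/4/2005 1:46:36 PM,The new firewall rule does not affect this connection. Default action is to "block" communications.,"The new firewall rule does not affect this connection. Default action is to ""block"" communications. Inbound UDP packet. Local address,service is (0.0.0.0,1965). Remote address,service is (129.97.232.72,orasrv(1525)). Process name is ""D:\Program Files\softnyx\GunboundWC\GunBound.gme""."
8/15/2005 9:23:51 PM,The user has created a rule to "permit" communications.,"The user has created a rule to ""permit"" communications. Inbound TCP connection. Local address,service is (192.168.2.103,1165). Remote address,service is (24.156.55.231,1606). Process name is ""C:\Program Files\MSN Messenger\MsnMsgr.Exe""."
8/12/2005 3:46:16 PM,Rule "Default Block Backdoor/SubSeven Trojan horse" blocked communication.,"Rule ""Default Block Backdoor/SubSeven Trojan horse"" blocked communication. Local address: All local network adapters(Backdoor-g-1(1243)). Process name is ""D:\Program Files\MAIET\Gunz\GunzLauncher.exe""."
'''

RULE_RE = re.compile(r'^Rule "([^"]+)" blocked')
PROC_RE = re.compile(r'Process name is "([^"]+)"')
SIG_LOCAL_RE = re.compile(r'All local network adapters\((.+?)\)\.')      # "1981" or "Backdoor-g-1(1243)"
CONN_LOCAL_RE = re.compile(r'Local address,service is \(([^,]+),(.+?)\)\.')
REMOTE_RE = re.compile(r'Remote address,service is \(([^,]+),(.+?)\)\.')  # port may read "orasrv(1525)"


def last_number(text):
    """Return the last run of digits in text, e.g. '1243' from 'Backdoor-g-1(1243)'."""
    found = re.findall(r'\d+', text)
    return found[-1] if found else None


def classify(summary):
    """Bucket the summary column into what a defender cares about."""
    if summary.startswith('Rule "') and 'blocked communication' in summary:
        return 'signature-block'   # a named "Default Block ... Trojan horse" rule fired
    if 'Default action is to "block"' in summary:
        return 'default-block'     # no rule matched; unsolicited inbound packet dropped
    if 'rule to "permit"' in summary:
        return 'user-permit'       # the user clicked Allow and a permit rule was created
    return 'other'


def parse_log(text):
    """Parse the CSV export into one dict per event."""
    records = []
    for row in csv.reader(StringIO(text)):
        if len(row) < 3:
            continue
        when, summary, detail = row[0], row[1], row[2]
        rule = RULE_RE.match(summary)
        proc = PROC_RE.search(detail)
        sig_local = SIG_LOCAL_RE.search(detail)
        conn_local = CONN_LOCAL_RE.search(detail)
        remote = REMOTE_RE.search(detail)
        if sig_local:
            local_port = last_number(sig_local.group(1))
        elif conn_local:
            local_port = last_number(conn_local.group(2))
        else:
            local_port = None
        records.append({
            'time': when,
            'action': classify(summary),
            'rule': rule.group(1) if rule else None,
            'process': proc.group(1) if proc else None,
            'local_port': local_port,
            'remote': (remote.group(1), last_number(remote.group(2))) if remote else None,
        })
    return records


def summarize(records):
    """Per process: action counts, named rules that fired, local ports and remote peers seen."""
    per_proc = defaultdict(lambda: {'actions': Counter(), 'rules': set(),
                                    'ports': set(), 'remotes': set()})
    for rec in records:
        entry = per_proc[rec['process']]
        entry['actions'][rec['action']] += 1
        if rec['rule']:
            entry['rules'].add(rec['rule'])
        if rec['local_port']:
            entry['ports'].add(rec['local_port'])
        if rec['remote']:
            entry['remotes'].add(rec['remote'])
    return dict(per_proc)


if __name__ == '__main__':
    for process, info in summarize(parse_log(SAMPLE_LOG)).items():
        print(process)
        print('  actions:', dict(info['actions']))
        print('  rules:  ', sorted(info['rules']))
        print('  ports:  ', sorted(info['ports']))
        print('  remotes:', sorted(info['remotes']))
```

To run it over a full export, read the saved log file into a string and pass it to `parse_log`; the `summarize` output is what you would paste into a reply when asking what a given process was doing.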

#12
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Download Killbox version 2.0.0.473.
Unzip it to the desktop

Double-click Killbox.exe to run it.

Select "Delete on Reboot".
Place the following line (complete path) in bold in the "Full Path of File to Delete" box in Killbox:

C:\WINDOWS\system32\1024\ld5B40.tmp

Put a mark next to "Delete on Reboot"
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.

***

Download CleanUp!.
If that doesn’t work, use this link.
Here is a tutorial which describes its usage:
http://www.bleepingc...tutorial93.html

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options"
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Scan local drives for temporary files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

Once it's done, press Close. Reboot the system. This will remove files that were in use during the scan.

***

Let me see what's in there:
  • Open HijackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the list from Notepad into your post
***

Also, let me know what Norton thinks now.

#13
hlee814

hlee814

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
When I have the "Delete on Reboot" button selected, Killbox doesn't do anything when I click on the "Delete File" button. When I have it deselected, I tried to delete it and it says the file doesn't seem to exist.

#14
hlee814

hlee814

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
OK, never mind, now it lets me click the button, and when I click "Yes" it says "verifying registry entry, please wait", and then it shows an error message: "pendingrename operations, pending file rename operations registry data has been removed by external process".
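The error in the post above is the part of this thread worth understanding. Killbox's "Delete on Reboot" relies on the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, which is where Windows records files to be deleted or moved at the next boot; the message says that data was gone again when Killbox went back to verify it, so something else on the machine is clearing it. The script below is an added example, mine rather than Killbox's or the thread's code: it decodes that value, queues a delete through the Windows API that writes it (MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT), and reports whether the entry is still there after a short wait. The default target is the path from the helper's post; the queue-and-wait check assumes an elevated session on Windows, while the decoding functions are plain Python and run anywhere.

```python
import ctypes
import sys
import time

# Added example, not Killbox's code. Assumptions: Windows, and an elevated session for
# the queue-and-wait check (reading the value itself needs no elevation).
SESSION_MANAGER = r'SYSTEM\CurrentControlSet\Control\Session Manager'
VALUE_NAME = 'PendingFileRenameOperations'
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4      # MoveFileExW flag: perform the move/delete at next boot
NT_PREFIX = '\\??\\'                   # paths in the value carry this NT namespace prefix
DEFAULT_TARGET = r'C:\WINDOWS\system32\1024\ld5B40.tmp'   # the path named in the helper's post


def strip_nt_prefix(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def decode_pending_renames(entries):
    """Turn the raw REG_MULTI_SZ list into (source, target) pairs.

    The value is flat: source, target, source, target, ...  An empty target means
    "delete source at boot" (returned as None).  A target starting with '!' asks
    Windows to replace an existing file; the '!' is not part of the path.
    """
    ops = []
    for i in range(0, len(entries), 2):
        src = strip_nt_prefix(entries[i])
        dst = entries[i + 1] if i + 1 < len(entries) else ''
        ops.append((src, strip_nt_prefix(dst.lstrip('!')) if dst else None))
    return ops


def pending_delete(entries, path):
    """True if `path` is queued for deletion (Windows paths compare case-insensitively)."""
    return any(dst is None and src.lower() == path.lower()
               for src, dst in decode_pending_renames(entries))


def read_pending_renames():
    """Read the live value; returns [] when no operations are queued."""
    import winreg  # Windows-only module, imported lazily
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER) as key:
        try:
            value, _kind = winreg.QueryValueEx(key, VALUE_NAME)
        except FileNotFoundError:
            return []
    return list(value)


def request_delete_on_reboot(path):
    """Queue `path` for deletion at next boot, the same way a delete-on-reboot tool does."""
    ok = ctypes.windll.kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT)
    if not ok:
        raise ctypes.WinError()


def check_delete_survives(path, wait_seconds=10):
    """Queue the delete, confirm it landed in the registry, then see if it is still there."""
    request_delete_on_reboot(path)
    if not pending_delete(read_pending_renames(), path):
        return 'not queued'        # the API call succeeded but the entry never appeared
    time.sleep(wait_seconds)
    if pending_delete(read_pending_renames(), path):
        return 'queued'            # still there: a reboot should complete the delete
    return 'cleared'               # wiped within the wait: another process is clearing the value


if __name__ == '__main__':
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_TARGET
    print(target, '->', check_delete_survives(target))
```

A result of "cleared" matches what the poster is seeing: the delete-on-reboot request is being undone by a running process, so the thing doing the undoing has to be stopped (Safe Mode, or killing it first) before any delete-on-reboot tool can work.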

#15
hlee814

hlee814

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
I actually manually removed the 1024 folder, the nvctrl file and the hp18b8 temp file from my system32 drive a couple of days ago.

Inside the 1024 folder there's an id3D86 file and an id1165 file.