Scanner Twain problems


#121 Ardent (Member, Topic Starter, 153 posts)
here is the rootkitrevealer log

HKLM\SOFTWARE\Classes\Installer\Products\B3D5AC652003B7E409EF70D1F8FD8341\ProductName 1/1/2005 5:30 PM 26 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\CsijFA26cg4m 11/23/2005 12:11 PM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{56CA5D3B-3002-4E7B-90FE-071D8FDF3814}\DisplayName 1/1/2005 5:30 PM 26 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_WAC1394 11/17/2005 6:54 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\d346prt\Cfg\0Jf40 8/19/2005 10:45 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\WAC1394 1/20/2006 4:39 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Aaron\Local Settings\Temp\Temporary Internet Files\Content.IE5\C1WXGN67\Type=click&FlightID=4302&AdID=6817&TargetID=37&Segments=3,7,21,26,36,42,43,45,260,309,336,337,437,438,594&Targets=4,458,602,718,816,157,24,1182,12,32,37&Valu 1/16/2006 4:23 PM 36 bytes Hidden from Windows API.
C:\Documents and Settings\Aaron\Local Settings\Temp\Temporary Internet Files\Content.IE5\KZGRM5UL\Type=click&FlightID=4302&AdID=6817&TargetID=37&Segments=3,7,21,26,36,42,43,45,260,309,336,337,437,438,594&Targets=4,458,602,718,816,157,24,1182,12,32,37&Valu 1/16/2006 4:23 PM 36 bytes Hidden from Windows API.
C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\C9IVWX6N\lclDocs[2].xml 1/20/2006 4:43 PM 2.48 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\UHPMRMD0\lclDocs[1].xml 1/20/2006 4:50 PM 2.48 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiCL0001.000:KAVICHS 1/16/2006 4:12 PM 36 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiP10000.000:KAVICHS 1/16/2006 4:12 PM 36 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiP20000.000:KAVICHS 1/16/2006 4:12 PM 36 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiPT0000.000:KAVICHS 1/16/2006 4:12 PM 36 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiSL0001.000:KAVICHS 1/16/2006 4:12 PM 36 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiSP0000.000:KAVICHS 1/16/2006 4:12 PM 36 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiST0000.000:KAVICHS 1/16/2006 4:12 PM 36 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiVP0000.000:KAVICHS 1/16/2006 4:12 PM 36 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\INDEX.000:KAVICHS 1/16/2006 4:12 PM 36 bytes Hidden from Windows API.
C:\WINDOWS\SYSTEM32\DRIVERS\penarrow.sys 11/17/2005 6:54 PM 12.00 KB Hidden from Windows API.
C:\WINDOWS\SYSTEM32\wpwacmgr.exe 11/17/2005 6:54 PM 488.00 KB Hidden from Windows API.
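RootkitRevealer reports every place where the Windows API's view of the registry or file system differs from the raw hive and NTFS metadata, so a log like the one above mixes real hiding with benign discrepancies. The script below is an added example by the editor, not code from the thread: it parses eight of the lines posted above (copied verbatim) and buckets them so that the cluster that matters here, a hidden `.sys` under `drivers`, a hidden `Services` key and a hidden `.exe` in `system32`, stands apart from the noise. The `KAVICHS` streams are the Kaspersky Anti-Virus data streams that the RootkitRevealer documentation describes as an expected discrepancy; the remaining bucketing rules are the editor's own heuristics, not a published signature.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: eight of the RootkitRevealer lines posted above, verbatim.
# Each line is "<path> <date> <time> <size> <description>".
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Classes\Installer\Products\B3D5AC652003B7E409EF70D1F8FD8341\ProductName 1/1/2005 5:30 PM 26 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\CsijFA26cg4m 11/23/2005 12:11 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_WAC1394 11/17/2005 6:54 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\WAC1394 1/20/2006 4:39 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\C9IVWX6N\lclDocs[2].xml 1/20/2006 4:43 PM 2.48 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\INDEX.000:KAVICHS 1/16/2006 4:12 PM 36 bytes Hidden from Windows API.
C:\WINDOWS\SYSTEM32\DRIVERS\penarrow.sys 11/17/2005 6:54 PM 12.00 KB Hidden from Windows API.
C:\WINDOWS\SYSTEM32\wpwacmgr.exe 11/17/2005 6:54 PM 488.00 KB Hidden from Windows API.
"""

# Path is non-greedy; the date/time/size columns are distinctive enough to anchor on.
_LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<size>\d+(?:\.\d+)? (?:bytes|KB|MB|GB))\s+(?P<desc>.+?)\s*$"
)
_HIVES = {"HKLM", "HKCU", "HKU", "HKCR", "HKCC"}


@dataclass
class Finding:
    path: str
    size: str
    desc: str

    @property
    def is_registry(self) -> bool:
        return self.path.split("\\", 1)[0].upper() in _HIVES

    @property
    def is_hidden(self) -> bool:
        return self.desc.startswith("Hidden from Windows API")

    @property
    def stream(self) -> str:
        # NTFS alternate data stream name ("file:stream"), or "" when there is none
        tail = self.path.rpartition("\\")[2]
        return tail.split(":", 1)[1] if ":" in tail else ""


def parse_log(text: str) -> list:
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed RootkitRevealer line: {line!r}")
        findings.append(Finding(m["path"], m["size"], m["desc"]))
    return findings


def triage(findings: list) -> dict:
    """Bucket discrepancies so a hidden driver, hidden service key and hidden executable
    stand out from documented benign noise such as antivirus data streams."""
    buckets = defaultdict(list)
    for f in findings:
        low = f.path.lower()
        if f.stream.upper() == "KAVICHS":
            buckets["av_stream"].append(f.path)        # Kaspersky scan-cache stream, documented benign
        elif not f.is_registry and f.is_hidden and low.endswith(".sys"):
            buckets["hidden_driver"].append(f.path)
        elif not f.is_registry and f.is_hidden and low.endswith((".exe", ".dll")):
            buckets["hidden_executable"].append(f.path)
        elif f.is_registry and f.is_hidden and "\\services\\" in low:
            buckets["hidden_service_key"].append(f.path)
        elif f.is_registry and f.is_hidden:
            buckets["hidden_registry_key"].append(f.path)
        elif f.desc.startswith("Data mismatch"):
            buckets["hive_mismatch"].append(f.path)
        else:
            buckets["other"].append(f.path)
    return dict(buckets)


if __name__ == "__main__":
    for bucket, paths in triage(parse_log(SAMPLE_LOG)).items():
        print(bucket)
        for p in paths:
            print("   ", p)
```

Anything that lands in `hidden_registry_key`, `hive_mismatch` or `other` still needs a human: the key names here (`CsijFA26cg4m`, `LEGACY_WAC1394`) only become meaningful once they are tied to the driver and service, which is what the exports in the following posts do.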

#122 Ardent (Member, Topic Starter, 153 posts)
OK, here are the 3 saved text files from regedit, adchannel and contextplus.

The item I found under HKEY_LOCAL_MACHINE\Software didn't have 16-20 letters, but I did find one called CsijFA26cg4m. I saved it as aproposreg.reg. I can't attach it, don't know why. Let me know what I should do with it. When I click on it, it asks if I want to save it in my registry.

REGEDIT4

; Registry Search by Bobbi Flekman © 2005
; Version: 1.0.2.4

; Results at 1/20/2006 10:31:25 PM for strings:
; 'contextplus'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\CsijFA26cg4m\AU2]
"SU"="http://au.contextplu...vices/AUServer"

; End Of The Log...


Another log
REGEDIT4

; Registry Search by Bobbi Flekman © 2005
; Version: 1.0.2.4

; Results at 1/20/2006 10:26:03 PM for strings:
; 'adchannel'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...

#123 Swandog46 (Malware Expert, MVP, 1,026 posts)
Perfect! It's exactly what I thought it was. You're a saint --- a live case, too! If you don't mind, I am going to harvest just a little more information from you before we remove this, so that I can update my removal tool to help others with this.

1) The key called HKEY_LOCAL_MACHINE\Software\CsijFA26cg4m is exactly the one I want. If you exported the whole HKEY_LOCAL_MACHINE\Software\CsijFA26cg4m key last time then you don't need to do it again. Right-click on the .reg file you saved (aproposreg.reg I think you said) and choose "Edit". It will open in Notepad. Then you can copy and paste it into this thread.

2) Then please reboot back into Safe Mode. Run regedit again, and navigate to each of the following registry keys in turn:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\B3D5AC652003B7E409EF70D1F8FD8341
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{56CA5D3B-3002-4E7B-90FE-071D8FDF3814}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WAC1394
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\d346prt

For each of these keys, please highlight the key in the left-hand panel, right-click on it and choose Export. Save it to the desktop like you did before, and I'll ask you at the end please to post them all for me.


3) Now let's remove this monster. Navigate to the following keys:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WAC1394
HKEY_LOCAL_MACHINE\SOFTWARE\CsijFA26cg4m

and for each one, right-click on it, and choose Delete. Then check to see if there is a registry key here:

HKEY_CURRENT_USER\SOFTWARE\CsijFA26cg4m

and if it exists, delete it too. (Please let me know whether you found this key.)

Then close regedit.

Open My Computer, and navigate to C:\WINDOWS\System32\drivers. Delete the file penarrow.sys.
Then back up and navigate to C:\WINDOWS\System32. Delete the file wpwacmgr.exe.
(If you can't find these files, you may need to enable showing of hidden files as follows:)
1) Click on the "Tools" menu
2) Click "Folder options"
3) Select the "View" tab
4) Make sure "Show hidden files and folders" is selected
5) Make sure "Hide extensions for known file types" is unchecked
6) Make sure "Hide protected operating system files (recommended)" is unchecked


We'll re-hide the hidden files once this is all done. :tazz:


Then please reboot back into normal mode, and post the contents of all those exported registry keys for me. For each file, right-click on it, choose Edit, it will open in Notepad, and copy and paste it here for me.

Thank you so much --- I have been looking for a live case of this for some time. :)

Edited by Swandog46, 21 January 2006 - 10:45 AM.


#124 Ardent (Member, Topic Starter, 153 posts)
here is the reg file you wanted

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\CsijFA26cg4m]
@="tXZOQWRJKKJKKLK5Axff \\JKKJZMKtfkaltpKBHBC\\5QPK A1E\\ABK8\\6xAA7FLBHB"
"Device"="\\\\.\\mraIIde"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\penarrow.sys"
"DriverName"="WAC1394"
"UninstallerParams"="/CTUN"
"PageFiltering"=dword:00000001
"CrMnTmt"=dword:0036ee80
"AutoUpdater"="C:\\WINDOWS\\system32\\wpwacmgr.exe"
"Version"="2.0.128"
"NxRestTm"="2005:11:21-17:03:23:741"
"LastAURestoreMsgTS"="2005:11:21-16:03:23:928"

[HKEY_LOCAL_MACHINE\SOFTWARE\CsijFA26cg4m\AU2]
"AP"="/DVNM=\"\\\\.\\mraIIde\" /INSC=\"AU\""
"SU"="http://au.contextplu...vices/AUServer"
"NPT"="2006:01:21-08:46:38:717"
@="2006:01:21-02:46:38:717"
"TO"=dword:01499700
"NxRestTm"="2005:11:20-23:47:00:482"
"LastCLRestoreMsgTS"="2005:11:20-22:47:00:498"

[HKEY_LOCAL_MACHINE\SOFTWARE\CsijFA26cg4m\AU2\RGR]

[HKEY_LOCAL_MACHINE\SOFTWARE\CsijFA26cg4m\AU2\RGR\Messages]

[HKEY_LOCAL_MACHINE\SOFTWARE\CsijFA26cg4m\AU2\RGR\Properties]
"CP.cv"=hex:43,50,2e,63,76,00,32,2e,30,2e,31,32,38,00,31,36,30,31,3a,30,31,3a,\
30,31,2d,30,30,3a,30,30,3a,30,30,3a,30,30,30,00,00
"CP.id"=hex:43,50,2e,69,64,00,7b,58,32,62,32,35,30,39,65,2d,37,61,30,61,2d,37,\
37,31,64,2d,66,63,33,36,2d,62,62,35,38,34,35,64,30,32,63,31,65,7d,00,31,36,\
30,31,3a,30,31,3a,30,31,2d,30,30,3a,30,30,3a,30,30,3a,30,30,30,00,00
"CP.pc"=hex:43,50,2e,70,63,00,43,50,2e,49,53,54,32,00,31,36,30,31,3a,30,31,3a,\
30,31,2d,30,30,3a,30,30,3a,30,30,3a,30,30,30,00,00
"CP.st"=hex:43,50,2e,73,74,00,49,00,31,36,30,31,3a,30,31,3a,30,31,2d,30,30,3a,\
30,30,3a,30,30,3a,30,30,30,00,00
"CP.is"=hex:43,50,2e,69,73,00,4c,52,00,31,36,30,31,3a,30,31,3a,30,31,2d,30,30,\
3a,30,30,3a,30,30,3a,30,30,30,00,00
"CP.it"=hex:43,50,2e,69,74,00,32,30,30,35,31,31,31,38,30,32,35,35,31,30,00,31,\
36,30,31,3a,30,31,3a,30,31,2d,30,30,3a,30,30,3a,30,30,3a,30,30,30,00,00
"CP.os"=hex:43,50,2e,6f,73,00,5b,32,5d,20,35,2e,31,2e,32,36,30,30,20,22,53,65,\
72,76,69,63,65,20,50,61,63,6b,20,32,22,00,31,36,30,31,3a,30,31,3a,30,31,2d,\
30,30,3a,30,30,3a,30,30,3a,30,30,30,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\CsijFA26cg4m\AU2\TDH]

#125 Ardent (Member, Topic Starter, 153 posts)
I am glad I can be of some help to you...also deleting those files was strangely satisfying.
here are the contents of those 4 exported files

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\B3D5AC652003B7E409EF70D1F8FD8341]
"ProductName"=" "
"PackageCode"="C445CA572F2C1F5499F1A86CFC867767"
"Language"=dword:00000409
"Version"=dword:032e0000
"Assignment"=dword:00000001
"AdvertiseFlags"=dword:00000184
"ProductIcon"="C:\\WINDOWS\\Installer\\{56CA5D3B-3002-4E7B-90FE-071D8FDF3814}\\_daemoncp.exe"
"InstanceType"=dword:00000000
"AuthorizedLUAApp"=dword:00000000
"Clients"=hex(7):3a,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\B3D5AC652003B7E409EF70D1F8FD8341\SourceList]
"PackageName"="daemon.msi"
"LastUsedSource"=hex(2):6e,00,3b,00,31,00,3b,00,43,00,3a,00,5c,00,44,00,6f,00,\
63,00,75,00,6d,00,65,00,6e,00,74,00,73,00,20,00,61,00,6e,00,64,00,20,00,53,\
00,65,00,74,00,74,00,69,00,6e,00,67,00,73,00,5c,00,41,00,6c,00,6c,00,20,00,\
55,00,73,00,65,00,72,00,73,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,\
00,74,00,73,00,5c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\B3D5AC652003B7E409EF70D1F8FD8341\SourceList\Media]
"1"=";"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\B3D5AC652003B7E409EF70D1F8FD8341\SourceList\Net]
"1"=hex(2):43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,00,\
73,00,20,00,61,00,6e,00,64,00,20,00,53,00,65,00,74,00,74,00,69,00,6e,00,67,\
00,73,00,5c,00,41,00,6c,00,6c,00,20,00,55,00,73,00,65,00,72,00,73,00,5c,00,\
44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,00,73,00,5c,00,00,00


next

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{56CA5D3B-3002-4E7B-90FE-071D8FDF3814}]
"AuthorizedCDFPrefix"=""
"Comments"=""
"Contact"="DAEMON'S HOME"
"DisplayVersion"="3.46.0"
"HelpLink"=hex(2):73,00,75,00,70,00,70,00,6f,00,72,00,74,00,40,00,64,00,61,00,\
65,00,6d,00,6f,00,6e,00,2d,00,74,00,6f,00,6f,00,6c,00,73,00,2e,00,63,00,63,\
00,00,00
"HelpTelephone"=""
"InstallDate"="20050101"
"InstallLocation"=""
"InstallSource"="C:\\Documents and Settings\\All Users\\Documents\\"
"ModifyPath"=hex(2):4d,00,73,00,69,00,45,00,78,00,65,00,63,00,2e,00,65,00,78,\
00,65,00,20,00,2f,00,49,00,7b,00,35,00,36,00,43,00,41,00,35,00,44,00,33,00,\
42,00,2d,00,33,00,30,00,30,00,32,00,2d,00,34,00,45,00,37,00,42,00,2d,00,39,\
00,30,00,46,00,45,00,2d,00,30,00,37,00,31,00,44,00,38,00,46,00,44,00,46,00,\
33,00,38,00,31,00,34,00,7d,00,00,00
"Publisher"="DAEMON'S HOME"
"Readme"=""
"Size"=""
"EstimatedSize"=dword:0000025d
"UninstallString"=hex(2):4d,00,73,00,69,00,45,00,78,00,65,00,63,00,2e,00,65,00,\
78,00,65,00,20,00,2f,00,49,00,7b,00,35,00,36,00,43,00,41,00,35,00,44,00,33,\
00,42,00,2d,00,33,00,30,00,30,00,32,00,2d,00,34,00,45,00,37,00,42,00,2d,00,\
39,00,30,00,46,00,45,00,2d,00,30,00,37,00,31,00,44,00,38,00,46,00,44,00,46,\
00,33,00,38,00,31,00,34,00,7d,00,00,00
"URLInfoAbout"="http://www.daemon-tools.cc"
"URLUpdateInfo"=""
"VersionMajor"=dword:00000003
"VersionMinor"=dword:0000002e
"WindowsInstaller"=dword:00000001
"Version"=dword:032e0000
"Language"=dword:00000409
"DisplayName"=" "

Third

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WAC1394]
"Device"=hex:6d,00,72,00,61,00,49,00,49,00,64,00,65,00,00,00
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,70,00,65,00,6e,00,\
61,00,72,00,72,00,6f,00,77,00,2e,00,73,00,79,00,73,00,00,00
"Debg"=hex:02,00,00,00,43,00,4f,00,4e,00,57,00,45,00,58,00,45,00,43,00,2e,00,\
45,00,58,00,45,00,00,00,57,00,50,00,57,00,41,00,43,00,4d,00,47,00,52,00,2e,\
00,45,00,58,00,45,00,00,00
"File"=hex:02,00,00,00,5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,44,00,4f,00,\
43,00,55,00,4d,00,45,00,7e,00,31,00,5c,00,4d,00,61,00,72,00,6b,00,5c,00,4c,\
00,4f,00,43,00,41,00,4c,00,53,00,7e,00,31,00,5c,00,54,00,65,00,6d,00,70,00,\
5c,00,43,00,50,00,54,00,46,00,00,00,5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,\
00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,\
65,00,6d,00,33,00,32,00,5c,00,77,00,70,00,77,00,61,00,63,00,6d,00,67,00,72,\
00,2e,00,65,00,78,00,65,00,00,00
"Keys"=hex:02,00,00,00,5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,00,\
5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,74,\
00,77,00,61,00,72,00,65,00,5c,00,43,00,73,00,69,00,6a,00,46,00,41,00,32,00,\
36,00,63,00,67,00,34,00,6d,00,00,00,5c,00,52,00,65,00,67,00,69,00,73,00,74,\
00,72,00,79,00,5c,00,55,00,73,00,65,00,72,00,5c,00,53,00,2d,00,31,00,2d,00,\
35,00,2d,00,32,00,31,00,2d,00,36,00,33,00,38,00,32,00,38,00,31,00,35,00,35,\
00,2d,00,32,00,35,00,35,00,38,00,37,00,37,00,34,00,30,00,37,00,32,00,2d,00,\
33,00,35,00,30,00,33,00,38,00,36,00,39,00,30,00,34,00,33,00,2d,00,31,00,30,\
00,30,00,36,00,5c,00,53,00,6f,00,66,00,74,00,77,00,61,00,72,00,65,00,5c,00,\
43,00,73,00,69,00,6a,00,46,00,41,00,32,00,36,00,63,00,67,00,34,00,6d,00,00,\
00,98,6d,66,00
"Auto"=hex:01,00,00,00,5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,\
4e,00,44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,\
00,32,00,5c,00,77,00,70,00,77,00,61,00,63,00,6d,00,67,00,72,00,2e,00,65,00,\
78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WAC1394\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WAC1394\Enum]
"0"="Root\\LEGACY_WAC1394\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

Last

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\d346prt]
"Type"=dword:00000001
"Start"=dword:00000000
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,64,00,33,00,34,00,36,00,70,00,72,\
00,74,00,2e,00,73,00,79,00,73,00,00,00
"Group"="SCSI miniport"
"Tag"=dword:00000043

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\d346prt\Cfg]
"khjeh"=hex:90,01,00,00,db,cf,66,3b,44,a7,39,a4,a6,38,b4,12,90,72,cb,a4,91,ac,\
48,63,43,2e,7a,d8,3a,cb,ba,9f,05,84,5f,50,84,57,9a,d0,d0,da,ed,33,8c,20,cf,\
fa,cd,05,fb,c9,6a,19,32,6e,5b,d8,9a,ce,d2,97,55,db,7c,a7,56,aa,ad,f4,b6,ff,\
0f,13,36,6e,36,b9,58,b2,61,9d,95,58,b0,10,e5,89,54,98,b2,12,f8,8b,e5,0c,11,\
89,44,7f,c6,9b,f7,29,87,69,d7,4d,6e,48,a5,d4,d8,56,de,c7,39,84,43,e9,0b,85,\
7d,14,42,4d,ae,4b,8d,58,9b,d0,ec,0d,6c,9c,98,de,4f,84,f4,54,6b,cf,f5,a6,4d,\
f3,d2,b5,87,4f,03,d0,7c,14,3a,9e,15,dd,e4,ba,78,a6,d5,43,fe,fd,77,c8,81,f7,\
de,02,bd,57,69,cb,13,d5,18,e2,e1,1e,9c,d3,ab,f9,a0,77,15,75,99,bb,f5,90,ae,\
9b,fc,25,cf,f7,be,53,36,96,af,98,c0,67,d3,f7,a1,6e,9d,f0,f3,1f,1f,27,ea,4d,\
29,1d,35,b0,9a,0c,f4,1a,39,c6,40,57,5e,64,dc,71,59,94,fd,ee,d7,49,3a,b1,14,\
57,cb,ab,76,5f,82,03,63,46,6c,f9,2a,70,fd,19,3f,34,bf,57,16,5c,e6,22,dc,d2,\
11,94,aa,97,e0,e2,36,6e,c4,0f,1c,5f,08,f8,6e,78,01,61,d2,23,96,a4,a8,b6,f7,\
a8,0f,be,1e,8b,08,fe,c8,8d,d0,45,49,c0,98,99,bb,1c,26,7d,32,75,e6,ab,bd,a2,\
b1,d1,dc,36,46,72,08,21,33,9b,04,fa,2d,6e,e5,9d,fa,fb,a2,af,06,f8,73,ca,21,\
c2,ea,b8,84,89,94,46,b9,09,e5,f6,83,8d,e7,ca,c9,e6,8e,b9,fd,e5,19,f8,84,ff,\
48,b2,e3,c2,0c,2f,07,dd,f0,9b,5c,cc,89,85,25,12,7e,86,36,15,3f,bc,a0,2b,e6,\
27,78,cf

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\d346prt\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\d346prt\Parameters\PnpInterface]
"0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\d346prt\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\d346prt\Enum]
"0"="PCI\\d346prt\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
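The exports above carry the evidence, but the values that matter in the `WAC1394` service key (`ImagePath`, `Debg`, `File`, `Keys`, `Auto`) are hex dumps. The following Python script is an added example, not code from the thread or from Swandog46's removal tool: it parses a regedit export (`REG_SZ`, `dword:`, `hex:`, `hex(2):`, `hex(7):`), decodes the UTF-16LE strings, and unpacks the count-prefixed string lists the service stores. The sample is a verbatim excerpt of the two exports posted above. The `<count><string>\0<string>\0` layout is an assumption inferred from the bytes; the thread does not document what the driver does with those lists, so the field names in the result are descriptive only.

```python
import re

APROPOS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\CsijFA26cg4m"
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WAC1394"

# Constructed sample: verbatim excerpts of the two exports posted above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\CsijFA26cg4m]
"Device"="\\\\.\\mraIIde"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\penarrow.sys"
"DriverName"="WAC1394"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WAC1394]
"Device"=hex:6d,00,72,00,61,00,49,00,49,00,64,00,65,00,00,00
"Start"=dword:00000001
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,70,00,65,00,6e,00,\
61,00,72,00,72,00,6f,00,77,00,2e,00,73,00,79,00,73,00,00,00
"Debg"=hex:02,00,00,00,43,00,4f,00,4e,00,57,00,45,00,58,00,45,00,43,00,2e,00,\
45,00,58,00,45,00,00,00,57,00,50,00,57,00,41,00,43,00,4d,00,47,00,52,00,2e,\
00,45,00,58,00,45,00,00,00
"""


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)   # .reg quoting: a backslash escapes the next character


def _logical_lines(text: str):
    # Wrapped hex values end each physical line with a backslash; rejoin them.
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
        else:
            yield buf + line
            buf = ""


def _decode(raw: str):
    if raw.startswith('"') and raw.endswith('"'):          # REG_SZ
        return _unescape(raw[1:-1])
    if raw.startswith("dword:"):                           # REG_DWORD (hex digits)
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m is None:
        raise ValueError(f"unsupported value syntax: {raw!r}")
    type_id = int(m.group(1) or 3)                         # bare "hex:" is REG_BINARY (3)
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    if type_id in (1, 2):                                  # REG_SZ / REG_EXPAND_SZ: UTF-16LE + NUL
        return data.decode("utf-16-le").rstrip("\x00")
    if type_id == 7:                                       # REG_MULTI_SZ: NUL-separated strings
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return data                                            # REG_BINARY and anything else


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: decoded_value}} for a regedit export."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if not line or line[0] == ";" or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m is None or current is None:
            raise ValueError(f"unexpected line: {line!r}")
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        keys[current][name] = _decode(m.group(2))
    return keys


def counted_utf16_strings(data: bytes) -> list:
    # ASSUMPTION: "<u32 count><str>\0<str>\0..." layout, inferred from the exported
    # Debg/File/Keys/Auto bytes; nothing in the thread documents it.
    count = int.from_bytes(data[:4], "little")
    out, pos = [], 4
    for _ in range(count):
        end = pos
        while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
            end += 2
        out.append(data[pos:end].decode("utf-16-le"))
        pos = end + 2
    return out


def describe_driver_service(keys: dict, service_key: str) -> dict:
    """Turn the hidden service's opaque values into facts an analyst can act on."""
    vals = keys[service_key]
    return {
        "image_path": vals["ImagePath"],
        "start": vals["Start"],                        # 1 = SERVICE_SYSTEM_START
        "device": vals["Device"].decode("utf-16-le").rstrip("\x00"),
        "Debg": counted_utf16_strings(vals["Debg"]),   # process names embedded in the value
    }


if __name__ == "__main__":
    for name, value in describe_driver_service(parse_reg(SAMPLE_REG), SERVICE_KEY).items():
        print(f"{name}: {value}")
```

Two things fall out immediately: the service's `Device` (`mraIIde`) is the same `\\.\mraIIde` device the Apropos key opens, tying the two keys to one driver, and `Debg` names `CONWEXEC.EXE` and `WPWACMGR.EXE`, the latter being the hidden `wpwacmgr.exe`. Run over the full export, the same helper turns `Keys` into `\Registry\Machine\Software\CsijFA26cg4m` plus the same path under `\Registry\User\<user SID>\Software\CsijFA26cg4m`, which is why the per-user `HKEY_CURRENT_USER\SOFTWARE\CsijFA26cg4m` key was worth checking during removal.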

#126 Swandog46 (Malware Expert, MVP, 1,026 posts)
Yes, that is definitely a help -- thank you. I think we cleaned up everything, too! Did your device manager come back? How does it seem to be running?

It would be a good idea to update your antivirus definitions and run a full scan, and make sure everything comes up clean.

#127 Ardent (Member, Topic Starter, 153 posts)
Glory be I have a device manager again! Thanks
I will run a scan again, but here is the question. I have had Norton Corporate Edition Antivirus and I am very good about updating my dat files and I run a scan every day, and it didn't catch it. I am currently using a program called AVG Free Edition, but I want to find something that will really do the job. Do you have any suggestions? I have heard NOD? is good; any advice would be appreciated.

#128 Swandog46 (Malware Expert, MVP, 1,026 posts)
I am always cautious about recommending specific antivirus products because there is so much variation even among experts in what really amounts to personal preference. I use Symantec Corporate Edition and have no problems with it. However, a lot of people do not like it (it is bloated, a slow and bulky piece of software, although I personally think if you keep it updated religiously and watch what you download, etc., it does the job well). AVG is the best-known of the free antiviruses, if you want to elect that route, but it doesn't have the same detection as some of the subscription services (for obvious reasons). I have never used NOD32 but everyone I know who has *loves* it --- it is supposed to be one of the best (if not THE best). Kaspersky is excellent too, but also a little on the bloated side.

So a lot of it is personal preference.

And an antivirus alone no longer protects sufficiently against all threats! Many AVs do not catch all of the spyware that is out there. If you are looking for recommendations for other sorts of products too, I'll give you a whole list of prevention recommendations, although I usually recommend free products since most users prefer that. If you are looking for not-free products, I can recommend some of those too. :tazz:


EDIT: can I see one more HijackThis log to confirm you are fully clean? And also the results of the antivirus scan please. :)

Edited by Swandog46, 21 January 2006 - 12:29 PM.


#129 Ardent (Member, Topic Starter, 153 posts)
here's the hijack log

Logfile of HijackThis v1.99.1
Scan saved at 10:32:03 AM, on 1/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\GE\97769 Dual Scroll Optical Mouse\Amoumain.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\System32\DSentry.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\DynDNS.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijakthis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dimension4] C:\Program Files\D4\D4.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [DynDNS Updater] "C:\WINDOWS\DynDNS.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: Yahoo! Hearts - http://download.game...nts/y/ht1_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab40641.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab27571.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com...tiveXWebCam.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...lim/install.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla...ller/dwnldr.cab
O16 - DPF: {CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: JYCG - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Mark\LOCALS~1\Temp\JYCG.exe
O23 - Service: NKPDXYW - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Mark\LOCALS~1\Temp\NKPDXYW.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: UFDP - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Mark\LOCALS~1\Temp\UFDP.exe

#130 Swandog46 (Malware Expert, MVP, 1,026 posts)
Looks great to me --- any results from the antivirus scan? :tazz: How is it running?

#131 Ardent (Member, Topic Starter, 153 posts)
Its running great! THANKS!!
Also, I am on a small LAN in my home office; my son and wife have the other 2 PCs. What is the likelihood that the virus infested them? And is there a quick way to find out?

The scan was negative

#132 Swandog46 (Malware Expert, MVP, 1,026 posts)
What is the likelihood --- hard to say. I've never investigated what this does on a network. I would check, if I were you...

Here's how you would check: Run the pcs in Safe Mode, and run regedit, and look for a key like the one you found on the other machine. It should be under HKEY_LOCAL_MACHINE\Software, start with a 'C' and then a lot of other random letters. (the other one was HKEY_LOCAL_MACHINE\SOFTWARE\CsijFA26cg4m). If you find it, export it, and post it here for me.

Let me know! :tazz:

Edited by Swandog46, 21 January 2006 - 02:45 PM.


#133 Ardent (Member, Topic Starter, 153 posts)
My wife's machine seemed clear and my son's did too, except for HKEY_CURRENT_USER\SOFTWARE\co7ft5y
That was the only thing that caught my eye. I tried to export it, but for some reason when I saved it, it didn't show up. Is it worth doing regedit again and trying to show you the file?
Also, my wife's machine is experiencing some problems too. Slow, quirky things happening in Outlook. Her device manager is OK, unlike mine.

Otherwise all seems to be fine. I was actually able to solve the original problem of my scanner, which now works! Thanks to all of your help.

I appreciate your advice on the antivirus software. I know there is not one perfect product out there; I just like to hear what the pros think. I'll shop around and be sure to keep my AVG dat files up to date, or do you think it's better to run Norton Corporate Edition instead?

#134 Swandog46 (Malware Expert, MVP, 1,026 posts)
Strange as it may look, this one:
HKEY_CURRENT_USER\SOFTWARE\co7ft5y

is a legitimate Windows key. Feel free to post a HijackThis log from the other machine and I'll take a look at it, even if the problem is not Apropos. :tazz:

If you have an updated subscription to Norton, that's fine, but if (it sounds like from the way you phrased it) you do not, then stick with AVG and make sure you keep it up-to-date!

#135 Jack123 (Trusted Tech, Retired Staff, 944 posts)
Scanner Twain Problem-[PMW-#7]
21st Jan 2006

Swandog46 did a superb surgical procedure on your PC –

Glory be I have a device manager again! Thanks


Let's get this scanner functional again – now that the PC seems to be purged of malware –
__________________________________________________________________

1st – Let's verify some facts -

Let's check on [Device Manager] – You seemed hesitant about this Process – on Non Present Devices

1-Right Click [My Computer]
2-Open [Properties Page]
3- Click on [Advanced Tab] @ top of Page
4-Click on [Environment Variables Tab] @ Middle of Page
5-Scan/browse down [System Variables] @ Bottom for this Entry – devmgr_show_nonpresent_devices
6-Click on that entry to highlight
7-Click [Edit Tab]
8-Now Verify or Correct this – [Variable Name Entry] – devmgr_show_nonpresent_devices
9- And Verify or Correct this – [Variable Value Entry] – 1
10-When both [Entries are Correct] then Click [OK] to exit the [Edit Window]
11-Click [OK] on [Variable Windows Page] to exit
12- Click [OK] to Exit Properties Page to exit

These following steps must be followed – You need to open [Device Manager] via [Command Window] in order to [Set] the [Environmental Variable] Entry – devmgr_show_nonpresent_devices -

Open [Device Manager] via Command Window

13 – Click on [START] Button > Then click on [RUN] –
14 – Type – devmgmt.msc – and then Click [OK] – This will open [DEVICE MANAGER] via [Command Window] –

15– Click [VIEW] on Menu > Click [Show Hidden Devices] on Pop Down Menu –


16 – Now you should be able to - View [Hidden Devices] – Indicated by Faded Gray Print – (Close when completed) –

17 – Restart Computer – (To ensure that the [Environmental Variable Entry] has been [Entered] -
______________________________________________________________________

Now whenever you open [Device Manager] – the Normal Way – Usually –
1- Right Click [My Computer]
2- Open [Properties Page]
3- Click [Hardware Tab] @ top of Page
4- Click [Device Manager Tab]

[Device Manager] should Open - Now to View Non Present Devices –
1- Click on [View Tab]
2- Check [Show Hidden Devices] – [This step – must be checked each time]
3- Do not concern yourself with – [Non PnP Devices] – now – Just Minimize that folder by Clicking on [–] Sign
4- Now expand [Imaging Devices] - [Other/Unknown Devices] – All USB Folders
5- Open all Folders & Sub Folders by either Double Clicking or Right Clicking on all Entries and [+] Signs

You should now be able to see all the Non Present Instances of all Installed Devices – whether Present or Non Present –
_____________________________________________________________________

Now don’t really do anything as of now – until you read the rest of this Post -

Just report back all that you see in [Device Manager] – Some of the [Non Present Devices] are – Legit – Some are preventing you from Reinstalling Scanner – and some may be causing – the Scanner Busy Issue –

Now that [Device Manager] is working again – this should be possible to clear up –
__________________________________________________________________

2nd – General USB Notes -

Factors that may have some bearing –
1- Other USB Devices including HUBS -
2- All Imaging Devices
3- Wireless Network Devices
4- [??]
5- Other Peripheral Cards installed
6- Which slots they are connected – [Determines PC Resources used]

Normally this is USB Scanner Installation Process – but not always -
1- [Load] Software & Drivers from Installation CD 1st [Without Device Connected]
2- Reboot PC to [Install] Software & Drivers – Note difference between – [Load] & [Install]
3- Connect Scanner & Turn – [ON]

Now – [PnP] should – [Find new Hardware] & Install -

Now your USB Chipset on Motherboard is VIA – [Per Everest Report] – which has – Documented Anomalies – which may depend on the above mentioned – [Factors] – and the Order of Installation – plus – these [Hardware Conditions]
1- Inrush Current
2- Current Spikes
3- EMI
4- Propagation Delay
5- [???]

Sometimes the only way around these problems/issues is to just add a – Internal PCI Peripheral USB Card – and/or change the Installation Order of USB Devices – and/or matching/changing USB Ports –

The Rear USB Ports are Physically Hard Wired directly with Connector to Motherboard – They have less problems – while the Front Jacks are Convenient – they have wiring problems – noise/grounding problems – depends what devices are connected & the order that Windows connects when [Installing during boot up]

Ideally you should be able to connect up to 127 USB Devices – But finding the – [Correct Combination] has probably worse odds than winning the lottery – The older the Computer – The harder it is – USB is relatively new – So the Anomalies are still being worked out - ?? –
_________________________________________________________________

The Plan is to Uninstall all Scanner Instances – using [Device Manager] – by Uninstalling Driver –for each of these instances – and then – do a new Scanner Installation – And then determine which device is conflicting with Scanner – and Uninstalling that device via [Device Manager] by Uninstalling that driver – And then you may have to go back & update the Scanner Driver –
_______________________________________________________________

Sometimes – The only way – that works – is to have Scanner Disconnected from PC – Then Turn PC – [ON] and then when after Windows is up & running – You connect the Scanner – And it is Ready to go – It is just that the Port has to be installed & settled down before the scanner is connected – Then when PC is shut down – Disconnect Scanner from PC – So PC can be turned – [ON] – without Scanner Connected -
_______________________________________________________________

You can read & digest this – and then Post back your questions/issues plus what [Device Manager] is displaying – regarding scanner - and I can give guidelines – There is no finite method – to correct this – just experience –
________________________________________________________________

I just knew you had a larger problem that had to be taken care of 1st – and that you were in the wrong area – Now I don’t know how long this problem existed – Only you can determine that – but I do know – that you can help – Swandog46 – out immensely – if you could Post him – More detailed report of Internet Activities and some details regarding the Malware issues – so he could apply his experience to this info – in order to help and/or prevent others from having to experience this problem –

Now we have had an audience of over 1600 viewers – Keep us posted – I may not have the answer – but will be able to locate someone that does – The key to help – is disclosure of information –

Keep in mind when looking for [Anti Spyware/Antivirus Programs] – that there are a lot of [Malware versions] out there – see this Post – about [Look Alikes] -
http://www.geekstogo...ams-t17776.html

Have a Good Day & keep us Posted
Jack123
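The same "show non-present devices" check that Jack123 walks through above (steps 1-17), done from a PowerShell prompt instead of the System Properties dialog. This is an added example, not code from the forum post. It assumes Windows 8 or later for the Get-PnpDevice cmdlet (the PnpDevice module); the environment-variable part is the same devmgr_show_nonpresent_devices setting the post describes and works on XP as well. The class names Image, USB and USBDevice are the PnP setup classes behind the "Imaging Devices" and USB folders named in the post; devices with no assigned class ("Other/Unknown Devices") are not matched by the -Class filter and still need to be read off Device Manager by hand.

```powershell
# Added example (not from the original post): surface non-present ("ghost")
# device instances the way the devmgr_show_nonpresent_devices procedure does.

# 1. Session-scoped setting: affects only Device Manager instances launched
#    from this prompt, so nothing persists unless you want it to.
$env:devmgr_show_nonpresent_devices = '1'

# Persistent, machine-wide equivalent of the System Properties steps in the
# post (requires an elevated prompt); left commented so the script is
# side-effect free by default:
# [Environment]::SetEnvironmentVariable('devmgr_show_nonpresent_devices', '1', 'Machine')

# Launch Device Manager from this environment; View > Show hidden devices
# now lists the greyed-out non-present instances.
Start-Process -FilePath 'devmgmt.msc'

# 2. Enumerate the same non-present instances without clicking through the
#    tree, limited to the classes the post says to inspect. Get-PnpDevice
#    returns Win32_PnPEntity objects; Present is $false and Status is
#    'Unknown' for a device that is registered but not currently attached.
$classes = 'Image', 'USB', 'USBDevice'

$ghosts = Get-PnpDevice -Class $classes -ErrorAction SilentlyContinue |
    Where-Object { -not $_.Present } |
    Select-Object Class, FriendlyName, InstanceId, Status |
    Sort-Object Class, FriendlyName

# Report: duplicate FriendlyName entries in the Image class are the stale
# scanner instances the post plans to uninstall before a clean reinstall.
$ghosts | Format-Table -AutoSize

$dupes = $ghosts | Group-Object Class, FriendlyName | Where-Object { $_.Count -gt 1 }
foreach ($g in $dupes) {
    Write-Host ("{0} non-present instances of: {1}" -f $g.Count, $g.Name)
}
```

Run it from a prompt with the scanner disconnected, so that every scanner entry listed is by definition a non-present instance; an entry that still shows Present = $true with the device unplugged is worth a second look. The listing is read-only; removing an instance is still done through Device Manager (Uninstall) as the post describes.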