[JSntgRvr]

Hi, playsoldier3

Please go here:
The Spy Killer Forum

• Click on "New Topic"
• Put your name, e-mail address, and this as the title: "C:\WINDOWS\system32\inetinfo.exe "
• Put a link to this thread in the description box.
• Then next to the file box, at the bottom, click the browse button, then navigate to this file:
  
  • C:\WINDOWS\system32\inetinfo.exe
• Click Open.
• Click Post.

Let me see the Silent Runners log.

[Advertisements]

ok im running the thing now, i found the inetinfo, its an .exe file, is that bad?
could the hacker be remote control thing?
will the guys that you refered me to help me?

[playsoldier3]

ok im running the thing now, i found the inetinfo, its an .exe file, is that bad?
could the hacker be remote control thing?
will the guys that you refered me to help me?

[playsoldier3]

"Silent Runners.vbs", revision 48, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"EPSON Stylus CX4600 Series" = ""C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE" /P26 "EPSON Stylus CX4600 Series" /M "Stylus CX4600" /EF "HKCU"" ["SEIKO EPSON CORPORATION"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ehTray" = "C:\WINDOWS\ehome\ehtray.exe" [MS]
"AlwaysReady Power Message APP" = "ARPWRMSG.EXE" ["Microsoft"]
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"HPHUPD08" = ""c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"" ["Hewlett-Packard"]
"HPBootOp" = ""C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run" ["Hewlett-Packard Company"]
"LSBWatcher" = "c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" ["Hewlett-Packard Company"]
"HP Software Update" = ""C:\Program Files\HP\HP Software Update\HPwuSchd2.exe"" ["Hewlett-Packard Co."]
"EPSON Stylus CX4600 Series" = ""C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE" /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"" ["SEIKO EPSON CORPORATION"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay" [null data]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"DAEMON Tools" = ""C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]
"AGEIA PhysX SysTray" = ""C:\Program Files\AGEIA Technologies\TrayIcon.exe"" [null data]
"MSPY2002" = ""C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC" [null data]
"PHIME2002A" = ""C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName" [MS]
"PHIME2002ASync" = ""C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC" [MS]
"Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"inetinfo" = "C:\WINDOWS\system32\inetinfo.exe" [MS]
"SpySweeper" = ""C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray" ["Webroot Software, Inc."]
"ALUAlert" = "C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE" ["Symantec Corporation"]
"CdnCtr" = "C:\Program Files\CNNIC\Cdn\cdnup.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{A8F38D8D-E480-4D52-B7A2-731BB6995FDD}\(Default) = "NAV Helper"
-> {HKLM...CLSID} = "CNavExtBho Class"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{DBFB267C-334F-4F19-A304-63B7130C20C7}" = "MediaCenter Property Page"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "arpower.dll" ["Microsoft"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView"
-> {HKLM...CLSID} = "SampleView"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{8e9d6600-f84a-11ce-8daa-00aa004a5691}" = "Shell extensions for NetWare"
-> {HKLM...CLSID} = "NetWare Objects"
\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{e3f2bac0-099f-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"
-> {HKLM...CLSID} = "NetWare UNC Folder Menu"
\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{52c68510-09a0-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"
-> {HKLM...CLSID} = "NetWare Hood Verbs"
\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.6 Context Menu Shell Extension"
-> {HKLM...CLSID} = "WinAceContext Menu Extension"
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.6 DragDrop Shell Extension"
-> {HKLM...CLSID} = "WinAceDrag-Drop Extension"
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.6 Context Menu Shell Extension"
-> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.6 Property Sheet Shell Extension"
-> {HKLM...CLSID} = "WinAceProperty Sheet Extension"
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{1530F7EE-5128-43BD-9977-84A4B0FAD7DF}" = "PhotoToys"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\phototoys.dll" [MS]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{35786D3C-B075-49b9-88DD-029876E11C01}" = "Portable Devices"
-> {HKLM...CLSID} = "Portable Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\wpdshext.dll" [MS]
"{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8}" = "Portable Devices Menu"
-> {HKLM...CLSID} = "Portable Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\wpdshext.dll" [MS]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
"{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" = "TuneUp Shredder Shell Context Menu Extension"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension"
\InProcServer32\(Default) = ""C:\Program Files\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e SsiEfr.e" [file not found], [MS], [file not found], [file not found], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension"
\InProcServer32\(Default) = ""C:\Program Files\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension"
\InProcServer32\(Default) = ""C:\Program Files\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
NetWareUNCMenu\(Default) = "{e3f2bac0-099f-11cf-8daa-00aa004a5691}"
-> {HKLM...CLSID} = "NetWare UNC Folder Menu"
\InProcServer32\(Default) = "nwprovau.dll" [MS]
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Desktop Background.bmp"


DESKTOP.INI DLL launch in local fixed drive directories:
--------------------------------------------------------

D:\cmdcons\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\hp\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\I386\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\MiniNT\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\PRELOAD\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\SYSTEM.SAV\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\TOOLS\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]


Startup items in "HP_Administrator" & "All Users" startup folders:
------------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"1-Click Maintenance" -> launches: "C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]
"MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]
"Norton AntiVirus - Run Full System Scan - HP_Administrator" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /TASK:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"wrSpySweeper20060316203855" -> launches: "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /ScheduleSweep=wrSpySweeper20060316203855" ["Webroot Software, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 24
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{C4069E3A-68F1-403E-B40E-20066696354B}"
-> {HKLM...CLSID} = "Norton AntiVirus"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
"{C4069E3A-68F1-403E-B40E-20066696354B}"
-> {HKLM...CLSID} = "Norton AntiVirus"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{C4069E3A-68F1-403E-B40E-20066696354B}" = "Norton AntiVirus"
-> {HKLM...CLSID} = "Norton AntiVirus"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{E2D4D26B-0180-43A4-B05F-462D6D54C789}\
"ButtonText" = "Connection Help"
"MenuText" = "Connection Help"
"Script" = "C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm" [null data]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
HIJACK WARNING! "TuneUp" = "file://C|/Documents and Settings/All Users/Application Data/TuneUp Software/Common/base.css" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ARSVC, ARSVC, "C:\WINDOWS\arservice.exe" ["Microsoft"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, ""C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"" ["Symantec Corporation"]
ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\Program Files\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]
iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."]
LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
Media Center Receiver Service, ehRecvr, "C:\WINDOWS\eHome\ehRecvr.exe" [MS]
Media Center Scheduler Service, ehSched, "C:\WINDOWS\eHome\ehSched.exe" [MS]
Messenger Sharing USN Journal Reader service, usnsvc, "C:\WINDOWS\system32\svchost.exe -k usnsvc" {"C:\Program Files\MSN Messenger\usnsvc.dll" [MS]}
Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton AntiVirus Firewall Monitor Service, NPFMntor, ""C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe"" ["Symantec Corporation"]
Norton Protection Center Service, NSCService, ""C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE"" ["Symantec Corporation"]
SPBBCSvc, SPBBCSvc, ""C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]
Symantec AVScan, SAVScan, ""C:\Program Files\Norton AntiVirus\SAVScan.exe"" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, ""C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Webroot Spy Sweeper Engine, WebrootSpySweeperService, ""C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe"" ["Webroot Software, Inc."]
Windows Defender Service, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]
WinSSL, WinSSL, "C:\WINDOWS\system32\OpenSSL.exe" [MS]


Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = INFECTION WARNING! "arkbcfltr" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
EPSON Stylus CX4600 Series 2KMonitor5A\Driver = "E_FLM9AA.DLL" ["SEIKO EPSON CORPORATION"]
HP Standard TCP/IP Port\Driver = "HpTcpMon.dll" ["Hewlett Packard"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 136 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 71 seconds.
---------- (total run time: 311 seconds)

[JSntgRvr]

Hello, playsoldier3

ok im running the thing now, i found the inetinfo, its an .exe file, is that bad?
could the hacker be remote control thing?
will the guys that you refered me to help me?

Someone from the Spykiller forum will let us know if that file is a threat to your computer. The inetinfo file could be legit and could also be a trojan. That's the reason we need to check it first.

I will analize the Silent Runners log and let you know if something else is found.

[JSntgRvr]

Hi, playsoldier3

Nothing found in the log.

[playsoldier3]

ok , how you found any thing in the online scanner log i posted?

[JSntgRvr]

Hi, playsoldier3

All I found were files already in Quarantine by Norton, Spyweeper and backups of the Avenger and System Restore. You should Purge the Quarantine of these programs. To clean the the System Restore backup follow these steps:

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK..
Create a Restore point.

We will wait for someone from the Spykiller forun on the inetinfo file. Chances are that is legit.

[playsoldier3]

Hi, my windows suddenly problem today, it says windows explorer has encountered problem needs to close, i said dont send, and then my spyshield block access to "www.zto1.com" i think that was the website..or was it zt01.com....
just weird

[JSntgRvr]

Hi, playsoldier3

Lets see if we have remnants of CDN.

Please download FileFind from Atribune.
Unzip the file and save it to your desktop.

To run FileFind, please do the following:

• Click on FileFind.exe
• In the box labeled "Directory"
  • Enter: C:\
• In the box labeled "File"
  • Enter: cdn*.*
• Now click on the "Search" button
• Once the utility has found the files click on "Export"
• A Notepad will open up. Please copy the entire contents of the Notepad and paste them here.
• NOTE: The notepad is saved on your C:\ drive as "Export.txt"
• Make a copy of the file and save it in your desktop as cdnfiles.

Perform the Same Steps from 1 to 8, except that on line 3 indicate the following:

cns*.*

And on Line 8 save the report to your desktop as cnsfiles.

These Scans will take acosiderably amount of time, so be patient.

Post the contents of the two reports saved.

Edited by JSntgRvr, 04 October 2006 - 05:49 PM.

[playsoldier3]

oh ya hi, how do i become geek in training? if i want to help out here later on, do i need certain experience?

[JSntgRvr]

Hi, playsoldier3

oh ya hi, how do i become geek in training? if i want to help out here later on, do i need certain experience?

You can join the Geeks to go University

[playsoldier3]

it says the link is broken

[JSntgRvr]

Contact an Administrator and request Admission. See if the following link brings you to KAT's contact page.

http://www.geekstogo...?showuser=28023

Send a Private Message.

[playsoldier3]

Nothing came up for the first scan

This is from the second scan

C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\CNS-EUC-H - 11555 Bytes
C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\CNS-EUC-V - 12635 Bytes
C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\CNS1-H - 4667 Bytes
C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\CNS1-V - 1841 Bytes
C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\CNS2-H - 3254 Bytes
C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Cmaps\CNS2-V - 1578 Bytes

[JSntgRvr]

Hi, playsoldier3

I do not believe your computer is infected. You will always be under attack. What you have to do is tighten your Security Settings.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

• Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  
• AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
  
• SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  
• SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  
• IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  
• CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  
• Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  
• Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  
• Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

Concerning Explorer, I wish if you can run SFC /ScanNow. That will chech if Windows Protected Files are in their original Version. Having a HP Computer, you may not need the Installation CD. Usually, the installation files are in a i386 folder in the Windows folder. Check if this folder exists and run SCF /ScanNow. In the event you are prompted for the installation CD, redirect the wizard to the C:\Windows\i386 folder.

Use file search and search for Explorer.ex_, if found, the location of that file is the location of your installation files.

Keep me posted.