Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

HijackThis Log

Started by eaglet , Sep 01 2005 02:40 AM

  • Please log in to reply

#1
eaglet
Posted 01 September 2005 - 02:40 AM

eaglet

    Member

  • Member
  • PipPip
  • 55 posts
I seem to have HClean and Rdsdin viruses on my computer as well as a number of others such as A0004350.exe, A0004602.exe and a few others with similar numbers in my 'systemvolumeinformation' folder. I have been through all the cleaning procedures laid down in your guide but to no avail. Please help!! :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 09:29:19, on 01/09/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOW\System32\smss.exe
C:\WINDOW\system32\csrss.exe
C:\WINDOW\system32\winlogon.exe
C:\WINDOW\system32\services.exe
C:\WINDOW\system32\lsass.exe
C:\WINDOW\system32\svchost.exe
C:\WINDOW\System32\svchost.exe
C:\WINDOW\System32\svchost.exe
C:\WINDOW\System32\svchost.exe
C:\WINDOW\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOW\System32\ScsiAccess.EXE
C:\WINDOW\System32\wdfmgr.exe
C:\WINDOW\Explorer.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOW\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cpfc.prem...uk/page/Welcome
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOW\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NavRegReminder] "C:\WINDOW\temp\NavBrowser.exe" /r /i "C:\WINDOW\temp\NavLoad.ini"
O4 - HKLM\..\Run: [srvprc] C:\WINDOW\System32/srvprc.exe /i
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOW\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - https://mysupport.na...pdatePortal.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125476817452
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125476791795
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...566/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{540466FE-396D-4FAC-9EC3-A2617F8B5EFA}: NameServer = 195.95.218.18,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{82FEEA85-2356-4BBB-BA15-CE11D19C9845}: NameServer = 195.95.218.18,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{83EC49F0-5351-488B-8B75-494AFA746BF6}: NameServer = 195.95.218.18 85.255.112.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{540466FE-396D-4FAC-9EC3-A2617F8B5EFA}: NameServer = 195.95.218.18,85.255.112.11
O17 - HKLM\System\CS2\Services\Tcpip\..\{540466FE-396D-4FAC-9EC3-A2617F8B5EFA}: NameServer = 195.95.218.18,85.255.112.11
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOW\System32\ScsiAccess.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOW\system32\ZONELABS\vsmon.exe
  • 0

Advertisements

#2
bricat
Posted 01 September 2005 - 08:01 AM

bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
Hi eaglet and welcome to Geeks to Go. :tazz:

You have a few problems there I see but to receive help on Geeks to Go you have to have the latest Service Packs installed (or can show the ability to install them).

At the moment you have no Service Packs which can often point towards an unlicensed copy of Windows. Any fix we provide in such circumstances would only be temporary if unlicensed.

Please click HERE to download and install Service Pack 1a.

Then post a fresh log in THIS thread after rebooting.
  • 0

#3
eaglet
Posted 02 September 2005 - 08:41 AM

eaglet

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
Hi bricat

I do have a registered copy of WinXP. When I went to the MS Download site it told me that SP1 would be installed automatically so I chose express installation. Seems it installed a lot of Security patches but no Service Pack. This time I chose Custom Installation and declined SP2 but installed SP1. :tazz:

Here's the revised log

Logfile of HijackThis v1.99.1
Scan saved at 15:39:34, on 02/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOW\System32\smss.exe
C:\WINDOW\system32\csrss.exe
C:\WINDOW\system32\winlogon.exe
C:\WINDOW\system32\services.exe
C:\WINDOW\system32\lsass.exe
C:\WINDOW\system32\svchost.exe
C:\WINDOW\System32\svchost.exe
C:\WINDOW\System32\svchost.exe
C:\WINDOW\System32\svchost.exe
C:\WINDOW\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOW\System32\ScsiAccess.EXE
C:\WINDOW\System32\wdfmgr.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOW\Explorer.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOW\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\ScanSoft\PaperPort\Config\Ereg\REMIND32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe
C:\DOCUME~1\DADDY\LOCALS~1\TEMP\zauninst.exe
C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe
C:\DOCUME~1\DADDY\LOCALS~1\TEMP\zauninst.exe
C:\WINDOW\System32\wuauclt.exe
C:\WINDOW\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cpfc.prem...uk/page/Welcome
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOW\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NavRegReminder] "C:\WINDOW\temp\NavBrowser.exe" /r /i "C:\WINDOW\temp\NavLoad.ini"
O4 - HKLM\..\Run: [srvprc] C:\WINDOW\System32/srvprc.exe /i
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOW\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - https://mysupport.na...pdatePortal.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125476817452
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125476791795
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...566/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{540466FE-396D-4FAC-9EC3-A2617F8B5EFA}: NameServer = 195.95.218.18,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{82FEEA85-2356-4BBB-BA15-CE11D19C9845}: NameServer = 195.95.218.18,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{83EC49F0-5351-488B-8B75-494AFA746BF6}: NameServer = 195.95.218.18 85.255.112.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{540466FE-396D-4FAC-9EC3-A2617F8B5EFA}: NameServer = 195.95.218.18,85.255.112.11
O17 - HKLM\System\CS3\Services\Tcpip\..\{540466FE-396D-4FAC-9EC3-A2617F8B5EFA}: NameServer = 195.95.218.18,85.255.112.11
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOW\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOW\System32\ScsiAccess.EXE
  • 0

#4
bricat
Posted 02 September 2005 - 11:07 AM

bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
there's not a lot in your HJT log, is system volume the only place on your computer that these trojans are showing up.


Download WINPFIND.ZIP and extract it to your C:\ folder. This will create a folder called WinPFind
in the C:\ folder. Inside c:\WinPFind is a file called WinPFind.exe.
Double-click on this file to launch the program. Once it is launched,
click on the Start Scan button and wait for it to finish.
This program will scan large amounts of files on your computer
for known patterns so please be patient while it works as it can
take a while.
When it is done, it will show the results of the scan.
Click on the Copy to Clipboard button and then paste the contents of the log in your next post.
  • 0

#5
eaglet
Posted 03 September 2005 - 07:31 AM

eaglet

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
According to my McAfee, the Hclean32 path is: C:\window\system32\hclean32.exe and the rdsndin path C:\Window\system32\rdsndin.exe\rdsndin.exe. However i can't find either of these files.

Here's the WPFind extract:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 31/08/2005 07:20:24 15707121 C:\WINDOW\VPTNFILE.809
qoologic 31/08/2005 07:20:24 15707121 C:\WINDOW\VPTNFILE.809
SAHAgent 31/08/2005 07:20:24 15707121 C:\WINDOW\VPTNFILE.809
UPX! 31/08/2005 07:20:26 1044560 C:\WINDOW\vsapi32.dll
aspack 31/08/2005 07:20:26 1044560 C:\WINDOW\vsapi32.dll
UPX! 31/08/2005 07:20:28 170053 C:\WINDOW\tsc.exe
PECompact2 31/08/2005 07:20:24 15707121 C:\WINDOW\LPT$VPN.809
qoologic 31/08/2005 07:20:24 15707121 C:\WINDOW\LPT$VPN.809
SAHAgent 31/08/2005 07:20:24 15707121 C:\WINDOW\LPT$VPN.809

Checking %System% folder...
PEC2 18/08/2001 12:00:00 41397 C:\WINDOW\SYSTEM32\dfrg.msc
winsync 18/08/2001 12:00:00 1309184 C:\WINDOW\SYSTEM32\wbdbase.deu
PTech 03/08/2005 10:33:42 520456 C:\WINDOW\SYSTEM32\LegitCheckControl.DLL
PECompact2 04/08/2005 10:01:54 1449304 C:\WINDOW\SYSTEM32\MRT.exe
aspack 04/08/2005 10:01:54 1449304 C:\WINDOW\SYSTEM32\MRT.exe
Umonitor 29/08/2002 11:41:10 631808 C:\WINDOW\SYSTEM32\rasdlg.dll

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOW\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
24/08/2005 15:26:14 RH 749 C:\WINDOW\WindowsShell.Manifest
03/09/2005 11:55:52 S 2048 C:\WINDOW\bootstat.dat
24/08/2005 15:26:14 RH 749 C:\WINDOW\system32\ncpa.cpl.manifest
24/08/2005 15:26:14 RH 749 C:\WINDOW\system32\nwc.cpl.manifest
24/08/2005 15:26:14 RH 749 C:\WINDOW\system32\sapi.cpl.manifest
24/08/2005 15:26:14 RH 749 C:\WINDOW\system32\wuaucpl.cpl.manifest
24/08/2005 15:26:14 RH 749 C:\WINDOW\system32\cdplayer.exe.manifest
24/08/2005 15:26:28 RH 488 C:\WINDOW\system32\logonui.exe.manifest
24/08/2005 15:26:28 RH 488 C:\WINDOW\system32\WindowsLogon.manifest
24/08/2005 17:37:18 H 4212 C:\WINDOW\system32\zllictbl.dat
03/09/2005 12:00:38 H 1024 C:\WINDOW\system32\config\system.LOG
03/09/2005 12:13:02 H 1024 C:\WINDOW\system32\config\software.LOG
03/09/2005 11:57:24 H 1024 C:\WINDOW\system32\config\default.LOG
24/08/2005 14:53:52 H 1024 C:\WINDOW\system32\config\userdiff.LOG
24/08/2005 14:53:50 H 1024 C:\WINDOW\system32\config\TempKey.LOG
03/09/2005 11:56:08 H 1024 C:\WINDOW\system32\config\SAM.LOG
03/09/2005 12:06:12 H 1024 C:\WINDOW\system32\config\SECURITY.LOG
31/08/2005 17:37:04 H 1024 C:\WINDOW\system32\config\systemprofile\ntuser.dat.LOG
24/08/2005 14:55:36 HS 62 C:\WINDOW\system32\config\systemprofile\Local Settings\desktop.ini
24/08/2005 15:27:14 HS 113 C:\WINDOW\system32\config\systemprofile\Local Settings\History\desktop.ini
24/08/2005 15:27:14 HS 113 C:\WINDOW\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini
24/08/2005 15:27:14 HS 67 C:\WINDOW\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
24/08/2005 15:27:14 HS 67 C:\WINDOW\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
31/08/2005 09:31:04 HS 67 C:\WINDOW\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\NW7ULK0S\desktop.ini
31/08/2005 09:31:04 HS 67 C:\WINDOW\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\EMK2V8GT\desktop.ini
31/08/2005 09:31:04 HS 67 C:\WINDOW\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\71MN7CE5\desktop.ini
31/08/2005 09:31:04 HS 67 C:\WINDOW\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\G8VUX12F\desktop.ini
24/08/2005 14:55:36 HS 62 C:\WINDOW\system32\config\systemprofile\Start Menu\desktop.ini
24/08/2005 15:29:06 HS 205 C:\WINDOW\system32\config\systemprofile\Start Menu\Programs\desktop.ini
24/08/2005 15:29:06 HS 482 C:\WINDOW\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini
24/08/2005 15:29:06 HS 84 C:\WINDOW\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini
24/08/2005 15:29:06 HS 348 C:\WINDOW\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini
24/08/2005 15:29:06 HS 84 C:\WINDOW\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
24/08/2005 15:26:32 HS 181 C:\WINDOW\system32\config\systemprofile\SendTo\desktop.ini
24/08/2005 14:55:36 HS 62 C:\WINDOW\system32\config\systemprofile\Application Data\desktop.ini
27/08/2005 11:58:34 HS 388 C:\WINDOW\system32\Microsoft\Protect\S-1-5-18\cf81c631-793c-4f64-8a21-ed442f8e4119
27/08/2005 11:58:34 HS 24 C:\WINDOW\system32\Microsoft\Protect\S-1-5-18\Preferred
02/09/2005 12:56:30 HS 388 C:\WINDOW\system32\Microsoft\Protect\S-1-5-18\User\83d06362-c076-44ea-8294-3311c520a179
02/09/2005 12:56:30 HS 24 C:\WINDOW\system32\Microsoft\Protect\S-1-5-18\User\Preferred
24/08/2005 15:29:12 H 237568 C:\WINDOW\repair\ntuser.dat
31/08/2005 09:27:54 H 0 C:\WINDOW\inf\oem6.inf
01/09/2005 13:09:04 H 0 C:\WINDOW\inf\oem7.inf
24/08/2005 15:27:58 HS 67 C:\WINDOW\Fonts\desktop.ini
03/09/2005 11:56:00 H 6 C:\WINDOW\Tasks\SA.DAT
24/08/2005 15:27:10 RHS 242478 C:\WINDOW\PCHEALTH\HELPCTR\PackageStore\package_1.cab
24/08/2005 15:27:10 RHS 19959 C:\WINDOW\PCHEALTH\HELPCTR\PackageStore\package_2.cab
24/08/2005 15:27:10 RHS 727 C:\WINDOW\PCHEALTH\HELPCTR\PackageStore\package_3.cab
02/09/2005 11:30:46 RHS 70111 C:\WINDOW\PCHEALTH\HELPCTR\PackageStore\package_5.cab
24/08/2005 15:26:30 H 65 C:\WINDOW\Downloaded Program Files\desktop.ini
24/08/2005 15:26:30 H 65 C:\WINDOW\Offline Web Pages\desktop.ini

Checking for CPL files...
Microsoft Corporation 29/08/2002 11:41:28 121856 C:\WINDOW\SYSTEM32\intl.cpl
Microsoft Corporation 29/08/2002 11:41:28 578560 C:\WINDOW\SYSTEM32\appwiz.cpl
Microsoft Corporation 18/08/2001 12:00:00 150016 C:\WINDOW\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 29/08/2002 11:41:28 292352 C:\WINDOW\SYSTEM32\inetcpl.cpl
Microsoft Corporation 29/08/2002 11:41:28 65536 C:\WINDOW\SYSTEM32\joy.cpl
Microsoft Corporation 18/08/2001 12:00:00 187904 C:\WINDOW\SYSTEM32\main.cpl
Microsoft Corporation 18/08/2001 12:00:00 559616 C:\WINDOW\SYSTEM32\mmsys.cpl
Microsoft Corporation 18/08/2001 12:00:00 35840 C:\WINDOW\SYSTEM32\ncpa.cpl
Microsoft Corporation 18/08/2001 12:00:00 256000 C:\WINDOW\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 18/08/2001 12:00:00 36864 C:\WINDOW\SYSTEM32\odbccp32.cpl
Microsoft Corporation 18/08/2001 12:00:00 109056 C:\WINDOW\SYSTEM32\powercfg.cpl
Microsoft Corporation 18/08/2001 12:00:00 28160 C:\WINDOW\SYSTEM32\telephon.cpl
Microsoft Corporation 18/08/2001 12:00:00 90112 C:\WINDOW\SYSTEM32\timedate.cpl
Microsoft Corporation 18/08/2001 13:00:00 66048 C:\WINDOW\SYSTEM32\access.cpl
Apple Computer, Inc. 23/09/2004 18:57:40 323072 C:\WINDOW\SYSTEM32\QuickTime.cpl
Microsoft Corporation 26/05/2005 04:16:30 174360 C:\WINDOW\SYSTEM32\wuaucpl.cpl
Sun Microsystems, Inc. 03/06/2005 03:52:54 49265 C:\WINDOW\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 29/08/2002 11:41:28 268288 C:\WINDOW\SYSTEM32\sysdm.cpl
Microsoft Corporation 29/08/2002 11:41:28 129024 C:\WINDOW\SYSTEM32\desk.cpl
Microsoft Corporation 18/08/2001 12:00:00 36864 C:\WINDOW\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 18/08/2001 13:00:00 66048 C:\WINDOW\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 18/08/2001 12:00:00 150016 C:\WINDOW\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 18/08/2001 12:00:00 187904 C:\WINDOW\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 18/08/2001 12:00:00 35840 C:\WINDOW\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 18/08/2001 12:00:00 559616 C:\WINDOW\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 18/08/2001 12:00:00 256000 C:\WINDOW\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 18/08/2001 12:00:00 109056 C:\WINDOW\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 18/08/2001 12:00:00 28160 C:\WINDOW\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 18/08/2001 12:00:00 90112 C:\WINDOW\SYSTEM32\dllcache\timedate.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
24/08/2005 15:29:06 HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
24/08/2005 14:55:36 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
24/08/2005 15:29:06 HS 84 C:\Documents and Settings\Daddy\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
24/08/2005 14:55:36 HS 62 C:\Documents and Settings\Daddy\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{97F51F2B-E87A-4349-84B1-2D91CB2C0C1B}
= C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{97F51F2B-E87A-4349-84B1-2D91CB2C0C1B}
= C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOW\System32\msdxm.ocx
{ACB1E670-3217-45C4-A021-6B829A8A27CB} = McAfee VirusScan : C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{08BEC6AA-49FC-4379-3587-4B21E286C19E} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{08BEC6AA-49FC-4379-3587-4B21E286C19E} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SpeedTouch USB Diagnostics "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
NavRegReminder "C:\WINDOW\temp\NavBrowser.exe" /r /i "C:\WINDOW\temp\NavLoad.ini"
srvprc C:\WINDOW\System32/srvprc.exe /i
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
THGuard "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
OneTouch Monitor C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINDOW\System32\ctfmon.exe
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
McAfee.InstantUpdate.Monitor "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
PPWebCap C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoBandCustomize 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOW\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOW\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.5 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 03/09/2005 12:16:20
  • 0

#6
bricat
Posted 03 September 2005 - 02:56 PM

bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
Download Killbox from here.

Double-click killbox.exe on your desktop.
Select the option "Delete on reboot".
Now highlight and 'copy' the entire list of filepaths below:


C:\window\system32\hclean32.exe
C:\Window\system32\rdsndin.exe


Open 'file' in the killbox menu at the top and choose 'Paste from clipboard'

Now you will see, this is pasted in the "Full Path of File to Delete"-field.
There's a little arrow (dropdown-arrow) next to that field.
If you expand it, these lines should be there together!

Then press the red button with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot.
Click YES

When it asks if you would like to Reboot now, click YES
If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.


DISABLE SYSTEM RESTORE run your anti virus, when you get the all clear
restart your system restore.(same page).then create a new restore point :-

click START\ALL PROGRAMS\ACCESSORIES\SYSTEM TOOLS\SYSTEM RESTORE. click on "create new restore point"
click on NEXT and follow the prompts.

this is to ensure that if you have to do a system restore in the future that you don't get all the nasties reinstalled again.

Then


Download CCLEANER


then run the scan under the windows tab.


then DEFRAG your C:\ drive.

to help speed up your system.

then let us know how the computer is running and if you are still getting alerts.
  • 0

#7
eaglet
Posted 05 September 2005 - 01:35 AM

eaglet

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
Hi bricat

Well I thought that had done the trick but, although the hclean32 alert has not reappeared, the RDSNDIN has. The path that is being shown for this is:

C:\WINDOW\SYSTEM32\rdsndin.exe\RDSNDIN.EXE

Should I try using this path in Killbox?

Also, despite constant deleting, files keep regenerating in my 'systemvolumeinformation' folder. Latest ones: A0014737.exe, A0014746.exe and another 4 or 5. Is this a separate or related problem?
  • 0

#8
bricat
Posted 05 September 2005 - 03:31 AM

bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
can you run killbox and enter these 2 files for delete on reboot.

C:\WINDOW\System32/srvprc.exe
C:\WINDOW\SYSTEM32\rdsndin.exe

let your computer reboot.


then :-


please run PANDA ACTIVESCAN

do a full system scan.

Save the scan log and post it back here.
  • 0

#9
eaglet
Posted 05 September 2005 - 02:47 PM

eaglet

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
Okay here's the result of the Panda scan:


Incident Status Location

Adware:adware/sbsoft No disinfected C:\WINDOW\rdt.ini
Possible Virus. No disinfected C:\Program Files\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe
Virus:W32/Sdbot.EVY.worm Disinfected C:\WINDOW\system32\wooxx.exe
Virus:Trj/Agent.AJZ Disinfected C:\WINDOW\system32\trapi12.exe
Virus:W32/Sdbot.EVY.worm Disinfected C:\System Volume Information\_restore{28D0AC64-3704-4FC9-8C88-C698CCEBD023}\RP45\A0015963.exe
Virus:Trj/Agent.AJZ Disinfected C:\System Volume Information\_restore{28D0AC64-3704-4FC9-8C88-C698CCEBD023}\RP45\A0015964.exe

I don't know whether it's relevant but during the scan I was getting pop-ups from my virus program, McAfee Virus Alert saying 'Access to file was denied', quoting C:\window\system 32\hclean32.exe and c:\window\system32\rdsndin.exe\rdsndin.exe. It said it was unable to clean them and suggested deleting, but when I hit delete button it said access to file denied. Same when I tried quarantine button, so I had to exclude them.
  • 0

#10
bricat
Posted 05 September 2005 - 04:35 PM

bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
Download and Save blacklite to your desktop.
F-Secure Blacklight: http://www.f-secure....light/try.shtml
Double-click BLbeta.exe then accept the agreement.
leave [X]scan through windows explorer checked,
click > scan then > next,
If any items show, have blacklite rename them except for "wbemtest.exe"
Do not rename "wbemtest.exe" its a windows file!!
The tool will ask if you want to reboot (restart) choose yes.

After you have rebooted :-


Copy the bold text below to NOTEPAD.

call it fix.REG

save it to your desktop.

on your desktop double click on fix.REG and allow it to merge with the registry when it asks.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""


Download Find T.zip to root (C:\ )
http://forums.net-in...=post&id=156424
Extract the files inside also to root (C:\).
Read here how to unzip/extract properly:
http://metallica.gee...xplanation.html
Open the "Find T" folder and doubleclick runthis.bat

It really needs to be extracted on your root (C:\) or it might not work!!

Post back with the log Backlite created, it will be on your desktop also,
named fsbl.xxxxxxx.log (the xxxxxxx stand for numbers) + post the log Find T created and a new hijackthislog.
  • 0

Advertisements

#11
eaglet
Posted 06 September 2005 - 02:00 AM

eaglet

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
The link for the Find T.zip file appears not to work. I'm getting a HTTP 404 - File not found response.
  • 0

#12
bricat
Posted 06 September 2005 - 02:23 AM

bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
sorry about that.

instead :-

Download WINPFIND.ZIP and extract it to your C:\ folder. This will create a folder called WinPFind
in the C:\ folder. Inside c:\WinPFind is a file called WinPFind.exe.
Double-click on this file to launch the program. Once it is launched,
click on the Start Scan button and wait for it to finish.
This program will scan large amounts of files on your computer
for known patterns so please be patient while it works as it can
take a while.
When it is done, it will show the results of the scan.
Click on the Copy to Clipboard button and then paste the contents of the log in your next post.
  • 0

#13
eaglet
Posted 06 September 2005 - 03:36 AM

eaglet

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
Whilst WinPfind was unning I got two alerts, one for a file nemed CSXAO.exe.ren and one for RDSNDIN.exe.ren

Here are the various logs:

Blacklight:

09/06/05 08:43:06 [Info]: BlackLight Engine 1.0.23 initialized
09/06/05 08:43:06 [Info]: OS: 5.1 build 2600 (Service Pack 1)
09/06/05 08:43:06 [Note]: 4019 0
09/06/05 08:43:06 [Note]: 4019 1
09/06/05 08:43:07 [Note]: 4019 2
09/06/05 08:43:07 [Note]: 4019 3
09/06/05 08:43:07 [Note]: 4019 4
09/06/05 08:43:07 [Note]: 4005 0
09/06/05 08:43:22 [Note]: 4006 0
09/06/05 08:43:22 [Note]: 4011 1356
09/06/05 08:43:23 [Note]: 4018 1344
09/06/05 08:43:23 [Info]: Hidden process: C:\WINDOW\System32\rdsndin.exe
09/06/05 08:43:23 [Note]: 4018 3968
09/06/05 08:43:23 [Info]: Hidden process: C:\WINDOW\System32\ntfsnlpa.exe
09/06/05 08:43:24 [Note]: FSRAW library version 1.7.1011
09/06/05 08:43:28 [Info]: Hidden file: C:\WINDOW\SYSTEM32\WBEM\WBEMTEST.EXE
09/06/05 08:43:29 [Info]: Hidden file: C:\WINDOW\SYSTEM32\HCLEAN32.EXE
09/06/05 08:43:30 [Note]: 4002 5
09/06/05 08:43:30 [Note]: 4003 1
09/06/05 08:43:30 [Info]: Hidden file: C:\WINDOW\System32\rdsndin.exe
09/06/05 08:43:30 [Note]: 4002 5
09/06/05 08:43:30 [Note]: 4003 1
09/06/05 08:43:30 [Info]: Hidden file: C:\WINDOW\System32\ntfsnlpa.exe
09/06/05 08:43:30 [Info]: Hidden file: C:\WINDOW\SYSTEM32\CSXAO.EXE
09/06/05 08:43:30 [Note]: 4002 32
09/06/05 08:43:30 [Note]: 4003 1
09/06/05 08:43:32 [Info]: Hidden file: C:\WINDOW\SYSTEM32\LOADCT~1.EXE
09/06/05 08:47:08 [Note]: 4007 0

WinPfind:

»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 31/08/2005 07:20:24 15707121 C:\WINDOW\VPTNFILE.809
qoologic 31/08/2005 07:20:24 15707121 C:\WINDOW\VPTNFILE.809
SAHAgent 31/08/2005 07:20:24 15707121 C:\WINDOW\VPTNFILE.809
UPX! 31/08/2005 07:20:26 1044560 C:\WINDOW\vsapi32.dll
aspack 31/08/2005 07:20:26 1044560 C:\WINDOW\vsapi32.dll
UPX! 31/08/2005 07:20:28 170053 C:\WINDOW\tsc.exe
PECompact2 31/08/2005 07:20:24 15707121 C:\WINDOW\LPT$VPN.809
qoologic 31/08/2005 07:20:24 15707121 C:\WINDOW\LPT$VPN.809
SAHAgent 31/08/2005 07:20:24 15707121 C:\WINDOW\LPT$VPN.809

Checking %System% folder...
UPX! 06/09/2005 08:36:56 45568 C:\WINDOW\SYSTEM32\ntfsnlpa.exe.ren
PEC2 18/08/2001 12:00:00 41397 C:\WINDOW\SYSTEM32\dfrg.msc
winsync 18/08/2001 12:00:00 1309184 C:\WINDOW\SYSTEM32\wbdbase.deu
PTech 03/08/2005 10:33:42 520456 C:\WINDOW\SYSTEM32\LegitCheckControl.DLL
PECompact2 04/08/2005 10:01:54 1449304 C:\WINDOW\SYSTEM32\MRT.exe
aspack 04/08/2005 10:01:54 1449304 C:\WINDOW\SYSTEM32\MRT.exe
Umonitor 29/08/2002 11:41:10 631808 C:\WINDOW\SYSTEM32\rasdlg.dll

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOW\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
04/09/2005 19:59:14 H 54156 C:\WINDOW\QTFont.qfn
24/08/2005 15:26:14 RH 749 C:\WINDOW\WindowsShell.Manifest
06/09/2005 08:48:52 S 2048 C:\WINDOW\bootstat.dat
24/08/2005 15:26:14 RH 749 C:\WINDOW\system32\ncpa.cpl.manifest
24/08/2005 15:26:14 RH 749 C:\WINDOW\system32\nwc.cpl.manifest
24/08/2005 15:26:14 RH 749 C:\WINDOW\system32\sapi.cpl.manifest
24/08/2005 15:26:14 RH 749 C:\WINDOW\system32\wuaucpl.cpl.manifest
24/08/2005 15:26:14 RH 749 C:\WINDOW\system32\cdplayer.exe.manifest
24/08/2005 15:26:28 RH 488 C:\WINDOW\system32\logonui.exe.manifest
24/08/2005 15:26:28 RH 488 C:\WINDOW\system32\WindowsLogon.manifest
24/08/2005 17:37:18 H 4212 C:\WINDOW\system32\zllictbl.dat
06/09/2005 08:51:42 H 1024 C:\WINDOW\system32\config\system.LOG
06/09/2005 09:34:20 H 1024 C:\WINDOW\system32\config\software.LOG
06/09/2005 08:51:08 H 1024 C:\WINDOW\system32\config\default.LOG
24/08/2005 14:53:52 H 1024 C:\WINDOW\system32\config\userdiff.LOG
24/08/2005 14:53:50 H 1024 C:\WINDOW\system32\config\TempKey.LOG
06/09/2005 08:49:36 H 1024 C:\WINDOW\system32\config\SAM.LOG
06/09/2005 08:59:02 H 1024 C:\WINDOW\system32\config\SECURITY.LOG
31/08/2005 17:37:04 H 1024 C:\WINDOW\system32\config\systemprofile\ntuser.dat.LOG
24/08/2005 14:55:36 HS 62 C:\WINDOW\system32\config\systemprofile\Local Settings\desktop.ini
24/08/2005 15:27:14 HS 113 C:\WINDOW\system32\config\systemprofile\Local Settings\History\desktop.ini
24/08/2005 15:27:14 HS 113 C:\WINDOW\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini
24/08/2005 15:27:14 HS 67 C:\WINDOW\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
24/08/2005 15:27:14 HS 67 C:\WINDOW\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
31/08/2005 09:31:04 HS 67 C:\WINDOW\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\NW7ULK0S\desktop.ini
31/08/2005 09:31:04 HS 67 C:\WINDOW\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\EMK2V8GT\desktop.ini
31/08/2005 09:31:04 HS 67 C:\WINDOW\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\71MN7CE5\desktop.ini
31/08/2005 09:31:04 HS 67 C:\WINDOW\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\G8VUX12F\desktop.ini
24/08/2005 14:55:36 HS 62 C:\WINDOW\system32\config\systemprofile\Start Menu\desktop.ini
24/08/2005 15:29:06 HS 205 C:\WINDOW\system32\config\systemprofile\Start Menu\Programs\desktop.ini
24/08/2005 15:29:06 HS 482 C:\WINDOW\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini
24/08/2005 15:29:06 HS 84 C:\WINDOW\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini
24/08/2005 15:29:06 HS 348 C:\WINDOW\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini
24/08/2005 15:29:06 HS 84 C:\WINDOW\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
24/08/2005 15:26:32 HS 181 C:\WINDOW\system32\config\systemprofile\SendTo\desktop.ini
24/08/2005 14:55:36 HS 62 C:\WINDOW\system32\config\systemprofile\Application Data\desktop.ini
27/08/2005 11:58:34 HS 388 C:\WINDOW\system32\Microsoft\Protect\S-1-5-18\cf81c631-793c-4f64-8a21-ed442f8e4119
27/08/2005 11:58:34 HS 24 C:\WINDOW\system32\Microsoft\Protect\S-1-5-18\Preferred
02/09/2005 12:56:30 HS 388 C:\WINDOW\system32\Microsoft\Protect\S-1-5-18\User\83d06362-c076-44ea-8294-3311c520a179
02/09/2005 12:56:30 HS 24 C:\WINDOW\system32\Microsoft\Protect\S-1-5-18\User\Preferred
24/08/2005 15:29:12 H 237568 C:\WINDOW\repair\ntuser.dat
31/08/2005 09:27:54 H 0 C:\WINDOW\inf\oem6.inf
01/09/2005 13:09:04 H 0 C:\WINDOW\inf\oem7.inf
24/08/2005 15:27:58 HS 67 C:\WINDOW\Fonts\desktop.ini
06/09/2005 08:48:54 H 6 C:\WINDOW\Tasks\SA.DAT
24/08/2005 15:27:10 RHS 242478 C:\WINDOW\PCHEALTH\HELPCTR\PackageStore\package_1.cab
24/08/2005 15:27:10 RHS 19959 C:\WINDOW\PCHEALTH\HELPCTR\PackageStore\package_2.cab
24/08/2005 15:27:10 RHS 727 C:\WINDOW\PCHEALTH\HELPCTR\PackageStore\package_3.cab
02/09/2005 11:30:46 RHS 70111 C:\WINDOW\PCHEALTH\HELPCTR\PackageStore\package_5.cab
24/08/2005 15:26:30 H 65 C:\WINDOW\Downloaded Program Files\desktop.ini
24/08/2005 15:26:30 H 65 C:\WINDOW\Offline Web Pages\desktop.ini

Checking for CPL files...
Microsoft Corporation 29/08/2002 11:41:28 121856 C:\WINDOW\SYSTEM32\intl.cpl
Microsoft Corporation 29/08/2002 11:41:28 578560 C:\WINDOW\SYSTEM32\appwiz.cpl
Microsoft Corporation 18/08/2001 12:00:00 150016 C:\WINDOW\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 29/08/2002 11:41:28 292352 C:\WINDOW\SYSTEM32\inetcpl.cpl
Microsoft Corporation 29/08/2002 11:41:28 65536 C:\WINDOW\SYSTEM32\joy.cpl
Microsoft Corporation 18/08/2001 12:00:00 187904 C:\WINDOW\SYSTEM32\main.cpl
Microsoft Corporation 18/08/2001 12:00:00 559616 C:\WINDOW\SYSTEM32\mmsys.cpl
Microsoft Corporation 18/08/2001 12:00:00 35840 C:\WINDOW\SYSTEM32\ncpa.cpl
Microsoft Corporation 18/08/2001 12:00:00 256000 C:\WINDOW\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 18/08/2001 12:00:00 36864 C:\WINDOW\SYSTEM32\odbccp32.cpl
Microsoft Corporation 18/08/2001 12:00:00 109056 C:\WINDOW\SYSTEM32\powercfg.cpl
Microsoft Corporation 18/08/2001 12:00:00 28160 C:\WINDOW\SYSTEM32\telephon.cpl
Microsoft Corporation 18/08/2001 12:00:00 90112 C:\WINDOW\SYSTEM32\timedate.cpl
Microsoft Corporation 18/08/2001 13:00:00 66048 C:\WINDOW\SYSTEM32\access.cpl
Apple Computer, Inc. 23/09/2004 18:57:40 323072 C:\WINDOW\SYSTEM32\QuickTime.cpl
Microsoft Corporation 26/05/2005 04:16:30 174360 C:\WINDOW\SYSTEM32\wuaucpl.cpl
Sun Microsystems, Inc. 03/06/2005 03:52:54 49265 C:\WINDOW\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 29/08/2002 11:41:28 268288 C:\WINDOW\SYSTEM32\sysdm.cpl
Microsoft Corporation 29/08/2002 11:41:28 129024 C:\WINDOW\SYSTEM32\desk.cpl
Microsoft Corporation 18/08/2001 12:00:00 36864 C:\WINDOW\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 18/08/2001 13:00:00 66048 C:\WINDOW\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 18/08/2001 12:00:00 150016 C:\WINDOW\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 18/08/2001 12:00:00 187904 C:\WINDOW\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 18/08/2001 12:00:00 35840 C:\WINDOW\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 18/08/2001 12:00:00 559616 C:\WINDOW\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 18/08/2001 12:00:00 256000 C:\WINDOW\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 18/08/2001 12:00:00 109056 C:\WINDOW\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 18/08/2001 12:00:00 28160 C:\WINDOW\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 18/08/2001 12:00:00 90112 C:\WINDOW\SYSTEM32\dllcache\timedate.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
24/08/2005 15:29:06 HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
24/08/2005 14:55:36 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
24/08/2005 15:29:06 HS 84 C:\Documents and Settings\Daddy\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
24/08/2005 14:55:36 HS 62 C:\Documents and Settings\Daddy\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{97F51F2B-E87A-4349-84B1-2D91CB2C0C1B}
= C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{97F51F2B-E87A-4349-84B1-2D91CB2C0C1B}
= C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOW\System32\msdxm.ocx
{ACB1E670-3217-45C4-A021-6B829A8A27CB} = McAfee VirusScan : C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{08BEC6AA-49FC-4379-3587-4B21E286C19E} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{08BEC6AA-49FC-4379-3587-4B21E286C19E} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SpeedTouch USB Diagnostics "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
NavRegReminder "C:\WINDOW\temp\NavBrowser.exe" /r /i "C:\WINDOW\temp\NavLoad.ini"
srvprc C:\WINDOW\System32/srvprc.exe /i
dmfvt.exe C:\WINDOW\System32\dmfvt.exe
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
hclean32.exe C:\WINDOW\System32\hclean32.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINDOW\System32\ctfmon.exe
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
McAfee.InstantUpdate.Monitor "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
PPWebCap C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoBandCustomize 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOW\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOW\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

HiJack This:

Logfile of HijackThis v1.99.1
Scan saved at 10:28:28, on 06/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOW\System32\smss.exe
C:\WINDOW\system32\winlogon.exe
C:\WINDOW\system32\services.exe
C:\WINDOW\system32\lsass.exe
C:\WINDOW\system32\svchost.exe
C:\WINDOW\System32\svchost.exe
C:\WINDOW\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOW\Explorer.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOW\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WinPFind\WinPFind.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cpfc.prem...uk/page/Welcome
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOW\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NavRegReminder] "C:\WINDOW\temp\NavBrowser.exe" /r /i "C:\WINDOW\temp\NavLoad.ini"
O4 - HKLM\..\Run: [srvprc] C:\WINDOW\System32/srvprc.exe /i
O4 - HKLM\..\Run: [dmfvt.exe] C:\WINDOW\System32\dmfvt.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [hclean32.exe] C:\WINDOW\System32\hclean32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOW\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - https://mysupport.na...pdatePortal.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125476817452
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125476791795
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...566/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{540466FE-396D-4FAC-9EC3-A2617F8B5EFA}: NameServer = 195.95.218.18,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{82FEEA85-2356-4BBB-BA15-CE11D19C9845}: NameServer = 195.95.218.18,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{83EC49F0-5351-488B-8B75-494AFA746BF6}: NameServer = 195.95.218.18 85.255.112.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{540466FE-396D-4FAC-9EC3-A2617F8B5EFA}: NameServer = 195.95.218.18,85.255.112.11
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOW\system32\drivers\KodakCCS.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
  • 0

#14
bricat
Posted 06 September 2005 - 04:14 AM

bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
Download Killbox from here.

Double-click killbox.exe on your desktop.
Select the option "Delete on reboot".
Now highlight and 'copy' the entire list of filepaths below:

C:\WINDOW\System32/srvprc.exe
C:\WINDOW\System32\dmfvt.exe
C:\WINDOW\System32\hclean32.exe
C:\WINDOW\SYSTEM32\CSXAO.EXE
C:\WINDOW\SYSTEM32\LOADCT~1.EXE



Open 'file' in the killbox menu at the top and choose 'Paste from clipboard'

Now you will see, this is pasted in the "Full Path of File to Delete"-field.
There's a little arrow (dropdown-arrow) next to that field.
If you expand it, these lines should be there together!

Then press the red button with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot.
Click YES

When it asks if you would like to Reboot now, click YES
If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.


Rerun HJT,and put a checkmark beside these :-


O4 - HKLM\..\Run: [srvprc] C:\WINDOW\System32/srvprc.exe /i
O4 - HKLM\..\Run: [dmfvt.exe] C:\WINDOW\System32\dmfvt.exe
O4 - HKLM\..\Run: [hclean32.exe] C:\WINDOW\System32\hclean32.exe


now close all windows and browsers and click FIX CHECKED


then reboot and post a fresh Hijackthis log. let me know if there are any more alerts.
  • 0

#15
eaglet
Posted 06 September 2005 - 05:15 AM

eaglet

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
Killbox doesn't seem to be working. When I use the paste from clipboard option, all that is being pasted is:

C:\WINDOW\System32/
C:\WINDOW\System32/

Yet the entire list of filepaths you provided are on my clipboard as i can paste them into notepad without problem.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP