Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

MWAV e scan log / What does this log mean?

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

having problems

Unread postby cathdeb » October 19th, 2005, 2:16 am

Hello Dobhar,
I followed your directions and when I double clicked on silent runners I received this message Malicious script detected your computer is halted and needs to do something about this script
Activity: Get special folder
File C:\Documents...\silent runners .vbs I clicked to allow it to run and it did for about 30 sec and then nothing.I can't find a log for it.
I received error message:could not open C:\rkfiles zip probable cause file sharing or file permissions .My printer has been disable.I couldn't print out instructions.had to write it out.I am going to start over and download programs again.
ccleaner log
CLEANING COMPLETE - (2.256 secs)
------------------------------------------------------------------------------------------
12.2MB removed.


Details of files deleted
------------------------------------------------------------------------------------------
http://stb.msn.com/i/68/68E755F9F2D40A6 ... 1.jpg(&H41) 7.86KB
http://www.malwareremoval.com/forum/templat ... d.gif(&H41) 1.48KB
http://www.malwareremoval.com/forum/templat ... 2.jpg(&H41) 480 bytes
http://www.mts.net/~kbateman/tiny_nasties.htm(&H41) 19.44KB
http://www.phpbb.com/images/b_styles.gif(&H41) 1.30KB
http://www.malwareremoval.com/forum/login.p ... =30938(&H1) 17.78KB
http://www.malwareremoval.com/forum/templat ... 2.gif(&H41) 877 bytes
http://stb.msn.com/i/DC/DC3D1B62FBAA22A ... A.swf(&H41) 11.24KB
http://www.malwareremoval.com/chatroom.html(&H41) 7.27KB
http://www.phpbb.com/images/b_features.gif(&H41) 1.53KB
http://www.malwareremoval.com/picture_l ... r.gif(&H41) 47.84KB
http://www.malwareremoval.com/forum/groupcp.php?g=150(&H1) 51.67KB
http://www.malwareremoval.com/forum/viewtop ... =30938(&H1) 0.13MB
http://www.malwareremoval.com/forum/faq.php ... d95296(&H1) 54.02KB
http://global.msads.net/ads/4399/000000 ... SNREC(&H41) 13.72KB
http://www.malwareremoval.com/forum/templat ... q.gif(&H41) 219 bytes
http://www.malwareremoval.com/forum/templat ... w.gif(&H41) 733 bytes
http://www.malwareremoval.com/picture_l ... s.jpg(&H41) 12.04KB
http://www.malwareremoval.com/forum/groupcp.php?g=96(&H1) 55.96KB
http://www.malwareremoval.com/forum/viewtop ... =30688(&H1) 0.13MB
http://stj.msn.com/br/gbl/js/1/Gtracking.js(&H41) 4.92KB
http://www.phpbb.com/phpBB/templates/su ... IE.css(&H1) 354 bytes
http://www.malwareremoval.com/picture_l ... 1.gif(&H41) 42.82KB
http://www.malwareremoval.com/forum/login.p ... d95296(&H1) 17.75KB
http://stc.msn.com/br/ushp/css/1/Override.css(&H41) 6.36KB
http://www.pchell.com/images/tangled.gif(&H41) 6.35KB
http://www.phpbb.com/images/bg_top.gif(&H41) 353 bytes
http://www.malwareremoval.com/forum/images/ ... d.gif(&H41) 171 bytes
http://stc.msn.com/br/gbl/css/1/USHP.css(&H41) 9.61KB
http://stc.msn.com/br/ushp/css/1/Decora ... w.gif(&H41) 72 bytes
http://www.pchell.com/images/space.gif(&H41) 58 bytes
http://www.mts.net/~kbateman/gifs/canad ... e.gif(&H41) 9.05KB
http://www.pandasoftware.com/images/act ... en.gif(&H1) 21.43KB
http://www.malwareremoval.com/forum/templat ... B.gif(&H41) 12.91KB
http://www.malwareremoval.com/forum/templat ... E.css(&H41) 354 bytes
http://www.malwareremoval.com/forum/templat ... y.gif(&H41) 1.65KB
http://www.google.com/logos/Logo_25wht.gif(&H41) 1.57KB
http://www.malwareremoval.com/picture_l ... s.jpg(&H41) 12.78KB
hcp://system/panels/firstpage.htm(&H1) 714 bytes
http://www.malwareremoval.com/forum/templat ... g.gif(&H41) 677 bytes
http://www.pchell.com/images/moreinfo.gif(&H41) 1.01KB
http://www.phpbb.com/images/bgMiddle.gif(&H41) 115 bytes
http://www.phpbb.com/images/about.gif(&H41) 278 bytes
http://www.phpbb.com/images/b_comm.gif(&H41) 1.68KB
http://stc.msn.com/br/ushp/css/1/classic.css(&H41) 1.46KB
http://stj.msn.com/br/gbl/js/1/flash.js(&H41) 1.04KB
http://www.malwareremoval.com/forum/templat ... e.gif(&H41) 232 bytes
http://www.malwareremoval.com/forum/login.p ... =30666(&H1) 17.78KB
http://www.malwareremoval.com/forum/login.p ... t=4505(&H1) 17.78KB
http://stj.msn.com/br/ushp/js/1/Home.js(&H41) 4.38KB
http://www.malwareremoval.com/images/mvp-black.GIF(&H41) 2.22KB
http://www.mts.net/~kbateman/gifs/ciao.gif(&H41) 1.94KB
http://stb.msn.com/i/51/51D317D8DD276EA ... D.jpg(&H41) 2.20KB
http://www.malwareremoval.com/forum/templat ... r.gif(&H41) 43 bytes
http://www.malwareremoval.com/forum/templat ... t.gif(&H41) 1.15KB
http://www.pchell.com/banners/pwdrec.jpg(&H41) 5.27KB
http://www.mts.net/~kbateman/(&H41) 23.72KB
http://www.malwareremoval.com/forum/login.p ... =30959(&H1) 17.78KB
http://www.malwareremoval.com/forum/images/ ... e.gif(&H41) 590 bytes
http://www.pchell.com/images/wtbox.gif(&H41) 5.83KB
http://www.malwareremoval.com/forum/profile ... f7274b(&H1) 18.92KB
http://www.netstar.me.uk/pics/ASAPf.jpg(&H41) 17.88KB
http://img25.imageshack.us/img25/734/ki ... o.jpg(&H41) 65.03KB
http://www.malwareremoval.com/forum/images/ ... 0.jpg(&H41) 1.14KB
http://www.pchell.com/images/wttest.gif(&H41) 4.55KB
http://www.malwareremoval.com/forum/templat ... s.gif(&H41) 222 bytes
http://www.malwareremoval.com/forum/templat ... m.gif(&H41) 833 bytes
http://www.malwareremoval.com/myinfo.html(&H41) 7.68KB
http://www.mts.net/~kbateman/css/thome.css(&H41) 1.41KB
http://www.mts.net/~kbateman/gifs/spybutton2.gif(&H41) 2.26KB
http://www.phpbb.com/images/dot.gif(&H41) 138 bytes
hcp://system/css/Behaviors.css(&H1) 1.15KB
http://www.malwareremoval.com/recommended.html(&H41) 5.63KB
http://www.phpbb.com/phpBB/templates/su ... 1.gif(&H41) 246 bytes
http://www.malwareremoval.com/forum/login.p ... =30838(&H1) 17.78KB
http://hp.msn.com/global/c/lg/msft94.gif(&H41) 893 bytes
http://www.pchell.com/images/pestpatrol.jpg(&H41) 7.54KB
http://www.phpbb.com/phpBB/templates/su ... er.css(&H1) 7.91KB
http://www.malwareremoval.com/forum/login.p ... &u=134(&H1) 17.79KB
http://www.malwareremoval.com/forum/templat ... 3.gif(&H41) 874 bytes
hcp://system/panels/Context.htm(&H1) 8.96KB
http://stc.msn.com/br/ushp/css/1/slideshow.css(&H41) 853 bytes
http://www.malwareremoval.com/forum/templat ... w.gif(&H41) 459 bytes
http://www.pchell.com/support/safemode.shtml(&H41) 24.77KB
http://www.pandasoftware.com/cmspanda/i ... er.gif(&H1) 56 bytes
http://www.malwareremoval.com/forum/viewtop ... =30838(&H1) 0.13MB
http://global.msads.net/ads/1/000000000 ... 6.gif(&H41) 85 bytes
http://www.malwareremoval.com/forum/templat ... 3.gif(&H41) 257 bytes
http://www.malwareremoval.com/forum/images/ ... a.gif(&H41) 150 bytes
http://www.mts.net/~kbateman/scripts/parasite.js(&H41) 2.66KB
http://www.phpbb.com/images/b_demo.gif(&H41) 1.30KB
http://stb.msn.com/i/C4/C465EBF85DE97C2 ... 8.gif(&H41) 1.64KB
http://www.malwareremoval.com/forum/images/ ... b.jpg(&H41) 22.86KB
http://www.mts.net/~kbateman/gifs/canuk.gif(&H41) 565 bytes
http://www.pchell.com/images/wbbox.gif(&H41) 5.89KB
http://www.pchell.com/images/popupstopper.gif(&H41) 3.75KB
http://www.malwareremoval.com/forum/viewtop ... =30663(&H1) 0.13MB
http://www.cjwdavis.co.uk/images/mvp.gif(&H41) 6.48KB
http://www.pchell.com/images/errornuker.gif(&H41) 5.32KB
http://www.malwareremoval.com/a-sap.html(&H41) 10.47KB
http://www.malwareremoval.com/forum/viewtop ... f7274b(&H1) 91.04KB
http://www.mts.net/~kbateman/scripts/stm31.js(&H41) 45.25KB
http://www.malwareremoval.com/forum/viewtop ... =30710(&H1) 0.13MB
http://www.malwareremoval.com/forum/viewtop ... tart=0(&H1) 0.22MB
http://www.malwareremoval.com/forum/login.p ... =30834(&H1) 17.78KB
http://www.pchell.com/banners/cdebanner.gif(&H41) 3.75KB
http://www.malwareremoval.com/forum/viewtop ... =30665(&H1) 0.13MB
http://www.malwareremoval.com/forum/login.p ... u=1248(&H1) 17.79KB
http://www.malwareremoval.com/forum/templat ... y.gif(&H41) 135 bytes
http://www.mts.net/~kbateman/gifs/dobha ... m.gif(&H41) 8.75KB
http://www.mts.net/~kbateman/tiny_virus.htm(&H41) 77.41KB
http://www.malwareremoval.com/forum/viewtop ... evious(&H1) 51.18KB
http://www.malwareremoval.com/forum/login.p ... =30748(&H1) 17.78KB
http://stj.msn.com/br/gbl/js/1/ieminwidth.js(&H41) 781 bytes
http://www.malwareremoval.com/forum/templat ... n.gif(&H41) 233 bytes
http://www.malwareremoval.com/forum/viewtop ... =30667(&H1) 0.13MB
http://www.phpbb.com/images/news.gif(&H41) 254 bytes
http://www.malwareremoval.com/forum/login.p ... =30667(&H1) 17.78KB
http://www.malwareremoval.com/forum/viewtop ... d95296(&H1) 91.04KB
http://www.pchell.com/banners/roboform.gif(&H41) 12.15KB
http://www.mts.net/~kbateman/gifs/geezer_20993.gif(&H41) 2.47KB
http://www.malwareremoval.com/forum/login.p ... =30956(&H1) 17.78KB
http://www.malwareremoval.com/forum/templat ... e.gif(&H41) 307 bytes
http://www.phpbb.com/images/shop-logo.gif(&H41) 4.43KB
http://www.malwareremoval.com/forum/viewtop ... =30840(&H1) 0.13MB
hcp://system/panels/NavBar.htm(&H1) 20.34KB
http://stb.msn.com/i/DA/DA97B73FB077467 ... 1.jpg(&H41) 14.85KB
http://www.malwareremoval.com/forum/templat ... k.gif(&H41) 333 bytes
http://www.malwareremoval.com/forum/login.p ... =30663(&H1) 17.78KB
http://global.msads.net/ads/4399/000000 ... SNREC(&H41) 13.72KB
http://www.malwareremoval.com/forum/templat ... 1.gif(&H41) 246 bytes
hcp://help/tshoot/tsctl.htm(&H1) 793 bytes
http://stb.msn.com/i/75/751FEC6C3BBCD4C ... 4.jpg(&H41) 13.23KB
http://www.malwareremoval.com/forum/templat ... w.gif(&H41) 336 bytes
http://www.malwareremoval.com/forum/login.p ... c&f=11(&H1) 17.78KB
http://www.malwareremoval.com/forum/profile ... &u=134(&H1) 24.98KB
http://www.myaffiliateprogram.com/1pxlclr.gif(&H1041) 43 bytes
http://www.malwareremoval.com/images/MV ... 2.gif(&H41) 22.00KB
http://www.malwareremoval.com/forum/faq.php ... f7274b(&H1) 54.02KB
http://www.pandasoftware.com/NR/rdonlyr ... a1.gif(&H1) 804 bytes
hcp://system/panels/NavBar.xml(&H1) 2.45KB
http://www.mts.net/~kbateman/gifs/pixel.gif(&H41) 67 bytes
http://www.malwareremoval.com/forum/images/ ... l.gif(&H41) 172 bytes
http://www.malwareremoval.com/forum/templat ... g.gif(&H41) 663 bytes
http://www.malwareremoval.com/forum/images/ ... k.gif(&H41) 206 bytes
http://www.malwareremoval.com/forum/viewtop ... =30761(&H1) 0.13MB
hcp://system/images/24x24/arrow_green_normal.bmp(&H1) 2.30KB
http://www.malwareremoval.com/forum/viewtop ... f7274b(&H1) 50.73KB
http://www.malwareremoval.com/forum/login.p ... =30710(&H1) 17.78KB
http://stc.msn.com/br/gbl/css/1/Decorat ... t.gif(&H41) 43 bytes
http://www.malwareremoval.com/forum/viewtop ... f7274b(&H1) 36.96KB
http://www.malwareremoval.com/forum/login.p ... =30688(&H1) 17.78KB
hcp://help/tshoot/tsprint_sniff.htm(&H1) 1.46KB
http://www.malwareremoval.com/picture_l ... l.gif(&H41) 17.16KB
http://www.malwareremoval.com/forum/images/ ... a.gif(&H41) 155 bytes
http://www.malwareremoval.com/forum/templat ... t.gif(&H41) 1.13KB
http://www.malwareremoval.com/forum/images/ ... t.gif(&H41) 3.51KB
http://www.malwareremoval.com/forum/groupcp.php?g=7(&H1) 48.33KB
http://www.malwareremoval.com/forum/login.p ... =30840(&H1) 17.78KB
http://www.malwareremoval.com/forum/images/ ... n.gif(&H41) 3.10KB
http://www.pchell.com/images/netdetective.gif(&H41) 4.98KB
http://ads.msn.com/ads/defaultads/TR.gi ... fault(&H41) 85 bytes
http://www.malwareremoval.com/forum/templat ... t.gif(&H41) 122 bytes
http://www.phpbb.com/(&H1) 19.39KB
http://www.malwareremoval.com/donations.html(&H41) 5.89KB
http://www.malwareremoval.com/forum/groupcp.php?g=133(&H1) 56.87KB
http://www.malwareremoval.com/forum/groupcp.php?g=128(&H1) 57.13KB
http://www.malwareremoval.com/picture_l ... 2.gif(&H41) 2.95KB
http://www.malwareremoval.com/forum/templat ... e.gif(&H41) 801 bytes
http://www.pandasoftware.com/CmsPanda/c ... da.css(&H1) 12.20KB
http://www.malwareremoval.com/forum/login.p ... =30747(&H1) 17.78KB
http://www.malwareremoval.com/forum/viewtop ... d95296(&H1) 50.73KB
http://stj.msn.com/br/ushp/js/1/HomeTail.js(&H41) 103 bytes
http://www.malwareremoval.com/forum/images/ ... g.jpg(&H41) 23.30KB
http://www.pchell.com/banners/buildpc.jpg(&H41) 6.28KB
http://www.malwareremoval.com/forum/search. ... f7274b(&H1) 23.58KB
http://www.malwareremoval.com/picture_l ... k.jpg(&H41) 15.80KB
http://www.mts.net/~kbateman/gifs/scotf.gif(&H41) 3.75KB
http://www.malwareremoval.com/forum/groupcp.php?g=753(&H1) 33.61KB
http://www.malwareremoval.com/forum/viewtop ... f7274b(&H1) 34.09KB
http://www.malwareremoval.com/forum/viewtop ... =30959(&H1) 0.13MB
http://www.netstar.me.uk/fairypic/2665.gif(&H41) 10.28KB
http://www.malwareremoval.com/forum/templat ... e.gif(&H41) 929 bytes
http://www.pchell.com/images/spbox.gif(&H41) 7.26KB
http://www.phpbb.com/images/block_change.gif(&H41) 133 bytes
http://global.msads.net/ads/4399/000000 ... SNREC(&H41) 13.72KB
http://www.malwareremoval.com/downloads.html(&H41) 9.51KB
https://www.paypal.com/en_US/i/btn/x-cl ... gif(&H8041) 857 bytes
http://www.phpbb.com/images/home.gif(&H41) 285 bytes
http://stc.msn.com/br/gbl/css/1/Decorat ... e.gif(&H41) 43 bytes
http://stj.msn.com/br/gbl/js/1/themes.js(&H41) 2.96KB
http://www.malwareremoval.com/forum/viewtop ... w=next(&H1) 0.16MB
http://www.malwareremoval.com/forum/login.p ... =30761(&H1) 17.78KB
http://www.malwareremoval.com/forum/images/ ... e.jpg(&H41) 22.67KB
http://www.malwareremoval.com/forum/viewtop ... t=3386(&H1) 0.17MB
http://www.malwareremoval.com/forum/templat ... r.gif(&H41) 344 bytes
http://www.malwareremoval.com/forum/images/ ... a.gif(&H41) 5.06KB
http://www.malwareremoval.com/forum/login.p ... f7274b(&H1) 17.75KB
http://www.malwareremoval.com/picture_l ... p.gif(&H41) 10.80KB
http://www.kolimbo.com/adbannerimages/p ... 1.gif(&H41) 19.38KB
http://www.malwareremoval.com/forum/templat ... g.gif(&H41) 673 bytes
http://www.malwareremoval.com/forum/templat ... t.gif(&H41) 1.59KB
hcp://help/tshoot/tshoot.css(&H1) 1.05KB
http://stj.msn.com/br/gbl/js/1/MozCompat.js(&H41) 3.68KB
http://stj.msn.com/br/ushp/js/1/slideshow.js(&H41) 2.49KB
http://www.malwareremoval.com/forum/templat ... r.gif(&H41) 224 bytes
http://www.pchell.com/images/buynow.gif(&H41) 1000 bytes
http://www.malwareremoval.com/forum/index.php(&H1) 37.50KB
http://www.malwareremoval.com/picture_l ... 2.gif(&H41) 12.73KB
http://www.malwareremoval.com/forum/images/ ... e.jpg(&H41) 19.72KB
http://stj.msn.com/br/gbl/js/1/Navigation.js(&H41) 868 bytes
http://stb.msn.com/i/A5/A59F53AE6221811 ... 5.jpg(&H41) 2.30KB
http://www.phpbb.com/images/mainlogo.gif(&H41) 7.66KB
http://www.phpbb.com/images/b_downloads.gif(&H41) 1.57KB
http://www.malwareremoval.com/forum/viewtopic.php?t=233(&H1) 34.09KB
http://www.malwareremoval.com/forum/images/ ... b.jpg(&H41) 6.11KB
http://www.malwareremoval.com/forum/images/ ... e.gif(&H41) 131 bytes
http://www.malwareremoval.com/picture_l ... n.gif(&H41) 366 bytes
http://www.pandasoftware.com/cmspanda/img/1.gif(&H1) 49 bytes
http://www.mts.net/~kbateman/gifs/twp.gif(&H41) 8.52KB
http://www.malwareremoval.com/forum/viewtop ... =30956(&H1) 0.13MB
http://www.malwareremoval.com/forum/login.p ... =30665(&H1) 17.78KB
http://www.phpbb.com/images/pic-home2.jpg(&H41) 12.06KB
http://www.malwareremoval.com/forum/viewtop ... =30834(&H1) 0.13MB
http://global.msads.net/ads/4399/000000 ... SNREC(&H41) 13.72KB
http://www.malwareremoval.com/forum/search. ... d95296(&H1) 23.58KB
hcp://help/tshoot/tsprint_result.htm(&H1) 3.54KB
http://stb.msn.com/i/19/1920D3E0CAE6B3D ... C.jpg(&H41) 2.05KB
http://www.pchell.com/images/sptest.gif(&H41) 3.69KB
http://www.phpbb.com/images/b_mods.gif(&H41) 1.27KB
http://www.malwareremoval.com/forum/profile ... u=1248(&H1) 24.37KB
http://www.malwareremoval.com/forum/viewtop ... =30666(&H1) 0.13MB
http://www.mts.net/~kbateman/css/tvirus.css(&H41) 1.17KB
http://www.phpbb.com/images/doreo.gif(&H41) 1.17KB
http://www.malwareremoval.com/forum/images/ ... f.jpg(&H41) 20.23KB
http://stc.msn.com/br/ushp/css/1/simple.css(&H41) 1.43KB
http://www.pchell.com/images/wbtest.gif(&H41) 3.64KB
http://www.langa.com/images/flanga1.jpg(&H41) 1.56KB
http://www.phpbb.com/images/b_support.gif(&H41) 1.49KB
http://www.malwareremoval.com/forum/viewtop ... =30748(&H1) 0.13MB
http://stb.msn.com/i/E0/E04ADEA2D33A1E5 ... A.jpg(&H41) 2.06KB
http://www.malwareremoval.com/forum/viewtop ... light=(&H1) 0.13MB
http://www.phpbb.com/images/bg_bottom.gif(&H41) 191 bytes
http://www.malwareremoval.com/picture_l ... 2.gif(&H41) 70.48KB
http://www.malwareremoval.com/forum/templat ... l.gif(&H41) 820 bytes
http://www.malwareremoval.com/images/MV ... n.gif(&H41) 202 bytes
http://www.malwareremoval.com/forum/templat ... e.gif(&H41) 794 bytes
http://www.malwareremoval.com/(&H41) 6.16KB
http://www.pandasoftware.com/cmspanda/i ... jo.gif(&H1) 79 bytes
http://www.mts.net/~kbateman/jpegs/mike-ad.jpg(&H41) 4.67KB
http://www.mts.net/~kbateman/gifs/lockerlink.gif(&H41) 1.65KB
http://www.malwareremoval.com/forum/templat ... h.gif(&H41) 237 bytes
http://www.malwareremoval.com/forum/templat ... y.gif(&H41) 344 bytes
http://www.pandasoftware.com/partners/w ... s.aspx(&H1) 10.26KB
http://www.phpbb.com/images/subBlue.gif(&H41) 584 bytes
http://www.malwareremoval.com/forum/viewtop ... d95296(&H1) 34.09KB
hcp://help/tshoot/tsprint.htm(&H1) 455 bytes
http://www.malwareremoval.com/forum/profile ... d95296(&H1) 18.92KB
http://www.netstar.me.uk/pics/mvplogo.png(&H41) 9.77KB
http://www.malwareremoval.com/forum/viewtop ... d95296(&H1) 36.96KB
http://www.malwareremoval.com/forum/viewtop ... =30747(&H1) 0.13MB
http://www.malwareremoval.com/forum/images/ ... e.gif(&H41) 42.82KB
hcp://system/images/32x32/logo.bmp(&H1) 2.30KB
C:\Documents and Settings\DEBORAHO\Local Settings\Temporary Internet Files\Content.IE5\9P8U4Q0J\buttonForm[1].js 4.26KB
C:\Documents and Settings\DEBORAHO\Local Settings\Temporary Internet Files\Content.IE5\9P8U4Q0J\coUA[1].css 8.00KB
C:\Documents and Settings\DEBORAHO\Local Settings\Temporary Internet Files\Content.IE5\9P8U4Q0J\desktop.ini 67 bytes
C:\Documents and Settings\DEBORAHO\Local Settings\Temporary Internet Files\Content.IE5\9P8U4Q0J\shared[1].css 5.25KB
C:\Documents and Settings\DEBORAHO\Local Settings\Temporary Internet Files\Content.IE5\9P8U4Q0J\tshoot_shared[1].js 8.00KB
C:\Documents and Settings\DEBORAHO\Local Settings\Temporary Internet Files\Content.IE5\9P8U4Q0J\wmiwcon[1].js 8.00KB
C:\Documents and Settings\DEBORAHO\Local Settings\Temporary Internet Files\Content.IE5\BIP5CDH0\Common[1].js 3.08KB
C:\Documents and Settings\DEBORAHO\Local Settings\Temporary Internet Files\Content.IE5\BIP5CDH0\desktop.ini 67 bytes
C:\Documents and Settings\DEBORAHO\Local Settings\Temporary Internet Files\Content.IE5\BIP5CDH0\shared[1].css 5.25KB
C:\Documents and Settings\DEBORAHO\Local Settings\Temporary Internet Files\Content.IE5\BIP5CDH0\shared[2].css 5.25KB
C:\Documents and Settings\DEBORAHO\Local Settings\Temporary Internet Files\Content.IE5\BIP5CDH0\topvirus[1].aspx 1.97KB
C:\Documents and Settings\DEBORAHO\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini 67 bytes
C:\Documents and Settings\DEBORAHO\Local Settings\Temporary Internet Files\Content.IE5\JKXG5IA2\Common[1].js 3.08KB
C:\Documents and Settings\DEBORAHO\Local Settings\Temporary Internet Files\Content.IE5\JKXG5IA2\desktop.ini 67 bytes
C:\Documents and Settings\DEBORAHO\Local Settings\Temporary Internet Files\Content.IE5\WURHUQ0X\CounterSpy[1].CAB 8.00KB
C:\Documents and Settings\DEBORAHO\Local Settings\Temporary Internet Files\Content.IE5\WURHUQ0X\desktop.ini 67 bytes
C:\Documents and Settings\DEBORAHO\Local Settings\Temporary Internet Files\Content.IE5\WURHUQ0X\hpobjinstaller_gmn[1].cab 8.00KB
C:\Documents and Settings\DEBORAHO\Local Settings\Temporary Internet Files\Content.IE5\WURHUQ0X\muweb_site[1].cab 8.00KB
C:\Documents and Settings\DEBORAHO\Local Settings\Temporary Internet Files\Content.IE5\WURHUQ0X\rootkitrevealer[1].zip 8.00KB
C:\Documents and Settings\DEBORAHO\Local Settings\Temporary Internet Files\Content.IE5\WURHUQ0X\wuweb_site[1].cab 8.00KB
C:\Documents and Settings\DEBORAHO\Local Settings\Temporary Internet Files\Content.IE5\WURHUQ0X\xscan60[1].cab 8.00KB
C:\Documents and Settings\DEBORAHO\Local Settings\Temporary Internet Files\desktop.ini 67 bytes
Cookie:deboraho@www.malwareremoval.com/forum/(&H100001) 193 bytes
Cookie:deboraho@www.myaffiliateprogram.com/(&H100001) 110 bytes
C:\Documents and Settings\DEBORAHO\Cookies\deboraho@msn[2].txt 299 bytes
C:\Documents and Settings\DEBORAHO\Cookies\deboraho@www.msn[1].txt 71 bytes
C:\Documents and Settings\DEBORAHO\Local Settings\History\History.IE5\desktop.ini 113 bytes
Marked for deletion: C:\Documents and Settings\DEBORAHO\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Marked for deletion: C:\Documents and Settings\DEBORAHO\Cookies\index.dat
Marked for deletion: C:\Documents and Settings\DEBORAHO\Local Settings\History\History.IE5\index.dat
C:\WINDOWS\TEMP\Cookies\index.dat 16.00KB
C:\WINDOWS\TEMP\History\History.IE5\desktop.ini 113 bytes
C:\WINDOWS\TEMP\History\History.IE5\index.dat 32.00KB
C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\8TQJSXE5\desktop.ini 67 bytes
C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\desktop.ini 67 bytes
C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\E92HA12X\desktop.ini 67 bytes
C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\index.dat 32.00KB
C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\Y5WR2JQX\desktop.ini 67 bytes
C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\YN8RKHEZ\desktop.ini 67 bytes
C:\DOCUME~1\DEBORAHO\LOCALS~1\Temp\7S4D71CC.htm 0.17MB
C:\DOCUME~1\DEBORAHO\LOCALS~1\Temp\CUWMNQOX.htm 0.17MB
C:\DOCUME~1\DEBORAHO\LOCALS~1\Temp\IDSinst.LOG 6.07KB
C:\DOCUME~1\DEBORAHO\LOCALS~1\Temp\KPWZDPKP.htm 18.63KB
C:\DOCUME~1\DEBORAHO\LOCALS~1\Temp\LRPatch.exe 41.60KB
C:\DOCUME~1\DEBORAHO\LOCALS~1\Temp\LRSetup.exe 1.60MB
C:\DOCUME~1\DEBORAHO\LOCALS~1\Temp\LSInstall.log 4.04KB
C:\DOCUME~1\DEBORAHO\LOCALS~1\Temp\NAVLiveReg.dat 172 bytes
C:\DOCUME~1\DEBORAHO\LOCALS~1\Temp\Norton AntiVirus 2004 10-18-2005 7h50m50s.log 2.89MB
C:\DOCUME~1\DEBORAHO\LOCALS~1\Temp\NVUPCBV7.htm 0.13MB
C:\DOCUME~1\DEBORAHO\LOCALS~1\Temp\SNDSetup544.log 1.76KB
C:\DOCUME~1\DEBORAHO\LOCALS~1\Temp\SNDSetup55.log 4.42KB
C:\DOCUME~1\DEBORAHO\LOCALS~1\Temp\SNDunin.log 162 bytes
C:\DOCUME~1\DEBORAHO\LOCALS~1\Temp\SNDUpdater544I.log 0.28MB
C:\DOCUME~1\DEBORAHO\LOCALS~1\Temp\SNDUpdater55I.log 0.29MB
C:\DOCUME~1\DEBORAHO\LOCALS~1\Temp\symcprop.dat 32.04KB
C:\DOCUME~1\DEBORAHO\LOCALS~1\Temp\SymLCSVC.EXE 0.56MB
C:\DOCUME~1\DEBORAHO\LOCALS~1\Temp\XREXZP4E.htm 0.17MB
C:\WINDOWS\system32\wbem\Logs\wbemess.log 14.88KB
C:\WINDOWS\system32\wbem\Logs\wmiprov.log 134 bytes
C:\WINDOWS\0.log 0 bytes
C:\WINDOWS\setupapi.log 42.77KB
C:\WINDOWS\Sti_Trace.log 0 bytes
C:\WINDOWS\wiadebug.log 381 bytes
C:\WINDOWS\wiaservc.log 50 bytes
C:\WINDOWS\WindowsUpdate.log 0.20MB
C:\WINDOWS\ntbtlog.txt 79.60KB
C:\WINDOWS\Debug\UserMode\userenv.log 2.30KB
C:\WINDOWS\SchedLgU.Txt 8.17KB
------------------------------------------------------------------------------------------
cathdeb
Regular Member
 
Posts: 47
Joined: October 13th, 2005, 8:48 am
Location: fort lauderdale,florida
Advertisement
Register to Remove

is this a log for recent downloaded program?

Unread postby cathdeb » October 19th, 2005, 2:28 am

Windows Registry Editor Version 5.00


[HKEY_CLASSES_ROOT\SysmonLogManager.Snapin]


[HKEY_CLASSES_ROOT\WMPCD]


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.IMG]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.IMG\OpenWithList]


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MDM]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MDM\OpenWithList]


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\OpenWithList]


[HKEY_CLASSES_ROOT\acrobat\DefaultIcon]
@="C:\\Program Files\\Adobe\\Acrobat 7.0\\Acrobat\\AcroRd32.exe"


[HKEY_CLASSES_ROOT\ADCS]
@="Directory Class Container"

[HKEY_CLASSES_ROOT\ADCS\CLSID]
@="{89E30300-764D-11d0-B282-00A0C90F56FC}"


[HKEY_CLASSES_ROOT\Connection Manager Profile\DefaultIcon]
@="C:\\WINDOWS\\system32\\CMMGR32.EXE,1"


[HKEY_CLASSES_ROOT\Connection Manager Profile\shell\open]

[HKEY_CLASSES_ROOT\Connection Manager Profile\shell\open\command]
@="C:\\WINDOWS\\system32\\CMMGR32.EXE \"%1\""


[HKEY_CLASSES_ROOT\Connection Manager Profile\shell\Settings...]

[HKEY_CLASSES_ROOT\Connection Manager Profile\shell\Settings...\command]
@="C:\\WINDOWS\\system32\\CMMGR32.EXE /settings \"%1\""


[HKEY_CLASSES_ROOT\HeaderFooter.HeaderFooter.1]
@="Template Printer class"

[HKEY_CLASSES_ROOT\HeaderFooter.HeaderFooter.1\CLSID]
@="{30c3f6cd-98b5-11cf-bb82-00aa00bdce0b}"


[HKEY_CLASSES_ROOT\Applications\moviemk.exe]

[HKEY_CLASSES_ROOT\Applications\moviemk.exe\shell]
"FriendlyCache"="Movie Maker"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe]
@="C:\\WINDOWS\\system32\\cmmgr32.exe"
"Path"="C:\\WINDOWS\\system32"
"CmstpExtensionDll"="C:\\WINDOWS\\system32\\cmcfg32.dll"
"CMInternalVersion"="1.2"
"CmNative"=dword:00000001
"ProfilesUpgraded"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\\Dell\\Utilities\\Driver Reset Tool\\"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\\Dell\\Utilities\\"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\HijackThis]
"DisplayName"="HijackThis 1.99.1"
"UninstallString"="C:\\Documents and Settings\\DEBORAHO\\Local Settings\\Temp\\HijackThis.exe /uninstall"
"DisplayIcon"="C:\\Documents and Settings\\DEBORAHO\\Local Settings\\Temp\\HijackThis.exe"
"DisplayVersion"="1.99.1"
"Publisher"="Soeperman Enterprises Ltd."
"URLInfoAbout"="http://www.spywareinfo.com/~merijn/"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\AVG Anti-Virus 7.0]
"Order"=hex:08,00,00,00,02,00,00,00,72,02,00,00,01,00,00,00,04,00,00,00,9e,00,\
00,00,00,00,00,00,90,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,7e,00,32,\
00,08,06,00,00,4f,33,cd,b1,20,00,41,56,47,41,4e,54,7e,31,2e,4c,4e,4b,00,00,\
54,00,03,00,04,00,ef,be,4f,33,cd,b1,50,33,b7,65,14,00,00,00,41,00,56,00,47,\
00,20,00,41,00,6e,00,74,00,69,00,2d,00,56,00,69,00,72,00,75,00,73,00,20,00,\
66,00,6f,00,72,00,20,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,2e,00,6c,\
00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,1c,00,00,00,\
00,00,00,00,00,00,8e,00,00,00,01,00,00,00,80,00,00,00,41,75,67,4d,02,00,00,\
00,01,00,00,00,6e,00,32,00,0f,06,00,00,4f,33,cd,b1,20,00,41,56,47,43,4f,4e,\
7e,31,2e,4c,4e,4b,00,00,44,00,03,00,04,00,ef,be,4f,33,cd,b1,50,33,b7,65,14,\
00,00,00,41,00,56,00,47,00,20,00,43,00,6f,00,6e,00,74,00,72,00,6f,00,6c,00,\
20,00,43,00,65,00,6e,00,74,00,65,00,72,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,\
00,0e,00,00,00,0a,00,ef,be,00,00,00,00,1c,00,00,00,00,00,00,00,00,00,88,00,\
00,00,02,00,00,00,7a,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,68,00,32,\
00,0f,06,00,00,4f,33,cd,b1,20,00,41,56,47,56,49,52,7e,31,2e,4c,4e,4b,00,00,\
3e,00,03,00,04,00,ef,be,4f,33,cd,b1,50,33,b7,65,14,00,00,00,41,00,56,00,47,\
00,20,00,56,00,69,00,72,00,75,00,73,00,20,00,56,00,61,00,75,00,6c,00,74,00,\
2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,1c,\
00,00,00,00,00,00,00,00,00,b2,00,00,00,03,00,00,00,a4,00,00,00,41,75,67,4d,\
02,00,00,00,01,00,00,00,92,00,32,00,25,06,00,00,4f,33,cd,b1,20,00,55,4e,49,\
4e,53,54,7e,31,2e,4c,4e,4b,00,00,68,00,03,00,04,00,ef,be,4f,33,cd,b1,50,33,\
b7,65,14,00,00,00,55,00,6e,00,69,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,20,\
00,41,00,56,00,47,00,20,00,41,00,6e,00,74,00,69,00,2d,00,56,00,69,00,72,00,\
75,00,73,00,20,00,66,00,6f,00,72,00,20,00,57,00,69,00,6e,00,64,00,6f,00,77,\
00,73,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,00,00,\
00,00,1c,00,00,00,00,00,00,00,00,00


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Dell Accessories]
"Order"=hex:08,00,00,00,02,00,00,00,98,00,00,00,01,00,00,00,01,00,00,00,8c,00,\
00,00,00,00,00,00,7e,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,6c,00,32,\
00,da,06,00,00,4e,33,45,6b,20,00,44,52,49,56,45,52,7e,31,2e,4c,4e,4b,00,00,\
42,00,03,00,04,00,ef,be,4e,33,45,6b,4e,33,45,6b,14,00,00,00,44,00,72,00,69,\
00,76,00,65,00,72,00,20,00,52,00,65,00,73,00,65,00,74,00,20,00,54,00,6f,00,\
6f,00,6c,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,00,\
00,00,00,1c,00,00,00,00,00,00,00,00,00


[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Documents and Settings\\DEBORAHO\\Local Settings\\Temp\\RootkitRevealer.exe"="Rootkit detection utility"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\DOCUME~1\\DEBORAHO\\LOCALS~1\\Temp\\VCCBAG.exe"="Rootkit detection utility"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\DOCUME~1\\DEBORAHO\\LOCALS~1\\Temp\\ENSKWVUH.exe"="Rootkit detection utility"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\DOCUME~1\\DEBORAHO\\LOCALS~1\\Temp\\OZHXD.exe"="Rootkit detection utility"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\DOCUME~1\\DEBORAHO\\LOCALS~1\\Temp\\EHORF.exe"="Rootkit detection utility"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\DOCUME~1\\DEBORAHO\\LOCALS~1\\Temp\\RAMUHZG.exe"="Rootkit detection utility"
cathdeb
Regular Member
 
Posts: 47
Joined: October 13th, 2005, 8:48 am
Location: fort lauderdale,florida

I think I found it!

Unread postby cathdeb » October 19th, 2005, 2:48 am

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"NAV CfgWiz" = "C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"" ["Symantec Corporation"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
SAVScan, SAVScan, ""C:\Program Files\Norton AntiVirus\SAVScan.exe"" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
SymWMI Service, SymWSC, ""C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe"" ["Symantec Corporation"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzlnt07\Driver = "hpzlnt07.dll" ["HP"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 22 seconds, including 6 seconds for message boxes)
cathdeb
Regular Member
 
Posts: 47
Joined: October 13th, 2005, 8:48 am
Location: fort lauderdale,florida

Silent Runners.vbs", revision 41

Unread postby cathdeb » October 19th, 2005, 9:33 am

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ccleaner" = ""C:\Program Files\CCleaner\ccleaner.exe" /AUTO" ["CCleaner.com"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"NAV CfgWiz" = "C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"" ["Symantec Corporation"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]
>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\(Default) = "Browser Customizations"
\StubPath = "RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP" [MS]
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\(Default) = "Themes Setup"
\StubPath = "C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall C:\WINDOWS\system32\themeui.dll" [MS]
{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\(Default) = "Microsoft Outlook Express 6"
\StubPath = ""C:\Program Files\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install" [MS]
{4b218e3e-bc98-4770-93d3-2731b9329278}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 C:\WINDOWS\inf\ie.inf" [MS]
{5945c046-1e7d-11d1-bc44-00c04fd912be}\(Default) = "Windows Messenger 4.7"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser" [MS]
{7790769C-0471-11d2-AF11-00C04FA35D02}\(Default) = "Address Book 6"
\StubPath = ""C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install" [MS]
{89820200-ECBD-11cf-8B85-00AA005B4340}\(Default) = "Windows Desktop Update"
\StubPath = "regsvr32.exe /s /n /i:U shell32.dll" [MS]
{89820200-ECBD-11cf-8B85-00AA005B4383}\(Default) = "Internet Explorer 6"
\StubPath = "C:\WINDOWS\system32\ie4uinit.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "(None)"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "%SystemRoot%\System32\logon.scr" [MS]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
Logical Disk Manager Administrative Service, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]
Network Provisioning Service, xmlprov, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\xmlprov.dll" [MS]}
Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Portable Media Serial Number Service, WmdmPmSN, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\mspmsnsv.dll" [MS]}
SAVScan, SAVScan, ""C:\Program Files\Norton AntiVirus\SAVScan.exe"" ["Symantec Corporation"]
ScriptBlocking Service, SBService, "C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Password Validation, ccPwdSvc, ""C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
SymWMI Service, SymWSC, ""C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe"" ["Symantec Corporation"]
WMI Performance Adapter, WmiApSrv, "C:\WINDOWS\system32\wbem\wmiapsrv.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzlnt07\Driver = "hpzlnt07.dll" ["HP"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 9 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 5 seconds.
---------- (total run time: 46 seconds)
cathdeb
Regular Member
 
Posts: 47
Joined: October 13th, 2005, 8:48 am
Location: fort lauderdale,florida

having problem finding RKFile log.Is this it?

Unread postby cathdeb » October 19th, 2005, 9:41 am

2005-10-19 09:25:09 784 330 Misc =========== Logging initialized (build: 5.8.0.2469, tz: -0400) ===========
2005-10-19 09:25:09 784 330 Misc = Process: C:\WINDOWS\Explorer.EXE
2005-10-19 09:25:09 784 330 Misc = Module: C:\WINDOWS\system32\wuaueng.dll
2005-10-19 09:25:09 784 330 Shutdwn Install at shutdown: no updates to install
2005-10-19 09:25:14 236 7ec Misc =========== Logging initialized (build: 5.8.0.2469, tz: -0400) ===========
2005-10-19 09:25:14 236 7ec Misc = Process: \??\C:\WINDOWS\system32\winlogon.exe
2005-10-19 09:25:14 236 7ec Misc = Module: C:\WINDOWS\system32\wuaueng.dll
2005-10-19 09:25:14 236 7ec Shutdwn FATAL: WUAutoUpdateAtShutdown failed, hr=8024000C
2005-10-19 09:26:41 900 6e8 Misc =========== Logging initialized (build: 5.8.0.2469, tz: -0400) ===========
2005-10-19 09:26:41 900 6e8 Misc = Process: C:\WINDOWS\System32\svchost.exe
2005-10-19 09:26:41 900 6e8 Misc = Module: C:\WINDOWS\system32\wuaueng.dll
2005-10-19 09:26:41 900 6e8 Service *************
2005-10-19 09:26:41 900 6e8 Service ** START ** Service: Service startup
2005-10-19 09:26:41 900 6e8 Service *********
2005-10-19 09:26:41 900 6e8 Agent * WU client version 5.8.0.2469
2005-10-19 09:26:41 900 6e8 Agent * SusClientId = '6293e8a9-f10a-4f12-9245-1ed245a9ce90'
2005-10-19 09:26:41 900 6e8 Agent * Base directory: C:\WINDOWS\SoftwareDistribution
2005-10-19 09:26:41 900 6e8 Agent * Access type: No proxy
2005-10-19 09:26:41 900 6e8 Agent * Network state: Connected
2005-10-19 09:27:26 900 6e8 Agent *********** Agent: Initializing Windows Update Agent ***********
2005-10-19 09:27:26 900 6e8 Agent *********** Agent: Initializing global settings cache ***********
2005-10-19 09:27:26 900 6e8 Agent * WSUS server: <NULL>
2005-10-19 09:27:26 900 6e8 Agent * WSUS status server: <NULL>
2005-10-19 09:27:26 900 6e8 Agent * Target group: (Unassigned Computers)
2005-10-19 09:27:26 900 6e8 Agent * Windows Update access disabled: No
2005-10-19 09:27:27 900 6e8 Agent * Found 3 persisted download calls to restore
2005-10-19 09:27:27 900 6e8 DnldMgr Download manager restoring 2 downloads
2005-10-19 09:27:27 2948 b88 Misc =========== Logging initialized (build: 5.8.0.2469, tz: -0400) ===========
2005-10-19 09:27:27 2948 b88 Misc = Process: C:\WINDOWS\system32\wuauclt.exe
2005-10-19 09:27:27 2948 b88 Misc = Module: C:\WINDOWS\system32\wuaueng.dll
2005-10-19 09:27:27 2948 b88 DtaStor Update service properties: service registered with AU is {7971F918-A847-4430-9279-4A52D1EFE18D}
2005-10-19 09:27:27 900 6e8 Agent * Succeeded to load 3 persisted download calls
2005-10-19 09:27:27 900 6e8 DnldMgr Retrieved 2 persisted download jobs
2005-10-19 09:27:27 900 6e8 DnldMgr *********** DnldMgr: Restoring download [no. 0] ***********
2005-10-19 09:27:27 900 6e8 DnldMgr * BITS JobId = {2D741A10-75BB-47C6-B286-478C335FD1EE}
2005-10-19 09:27:27 900 6e8 DnldMgr * ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}
2005-10-19 09:27:27 900 6e8 DnldMgr * UpdateId = {BF9F8910-463E-4EEC-B020-8F183C734512}.10
2005-10-19 09:27:28 900 6e8 DnldMgr * Restored download job.
2005-10-19 09:27:28 900 6e8 DnldMgr *********** DnldMgr: Restoring download [no. 1] ***********
2005-10-19 09:27:28 900 6e8 DnldMgr * BITS JobId = {BDDD73F1-8F65-4F0B-9426-1F07FE31394D}
2005-10-19 09:27:28 900 6e8 DnldMgr * ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}
2005-10-19 09:27:28 900 6e8 DnldMgr * UpdateId = {646178BF-43FA-4E07-9761-B6186E8AA4D3}.100
2005-10-19 09:27:28 900 6e8 DnldMgr * Restored download job.
2005-10-19 09:27:28 900 6e8 AU ########### AU: Initializing Automatic Updates ###########
2005-10-19 09:27:28 900 6e8 AU # Approval type: Scheduled (User preference)
2005-10-19 09:27:28 900 6e8 AU # Scheduled install day/time: Every day at 3:00
2005-10-19 09:27:28 900 6e8 AU # Auto-install minor updates: Yes (User preference)
2005-10-19 09:27:28 900 6e8 AU # Reconnecting download for 2 updates
2005-10-19 09:27:28 900 6e8 AU # Reconnected 2 pending download calls
2005-10-19 09:27:28 900 6e8 AU AU setting pending client directive to 'Download Progress'
2005-10-19 09:27:28 900 394 DnldMgr *********** DnldMgr: Downloading regulation Odf ***********
2005-10-19 09:27:28 900 394 DnldMgr * ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}
2005-10-19 09:27:28 900 394 DnldMgr * URL = http://rs.update.microsoft.com/odf/v6odf.xml
2005-10-19 09:27:28 900 394 DnldMgr * Odf parameters...
2005-10-19 09:27:28 900 394 DnldMgr * Refresh interval: 5
2005-10-19 09:27:28 900 394 DnldMgr * Accept rate high: 10000
2005-10-19 09:27:28 900 394 DnldMgr * Accept rate normal: 5631
2005-10-19 09:27:28 900 394 DnldMgr * Accept rate low: 0
2005-10-19 09:27:28 900 394 AU AU checked download status and it changed: Downloading is paused
2005-10-19 09:27:31 960 bdc Misc =========== Logging initialized (build: 5.8.0.2469, tz: -0400) ===========
2005-10-19 09:27:31 960 bdc Misc = Process: C:\WINDOWS\system32\rundll32.exe
2005-10-19 09:27:31 960 bdc Misc = Module: C:\WINDOWS\system32\CDM.DLL
2005-10-19 09:27:31 960 bdc CDM OpenCDMContextEx: Connect if not connected = No
2005-10-19 09:27:31 960 bdc Misc =========== Logging initialized (build: 5.8.0.2469, tz: -0400) ===========
2005-10-19 09:27:31 960 bdc Misc = Process: C:\WINDOWS\system32\rundll32.exe
2005-10-19 09:27:31 960 bdc Misc = Module: C:\WINDOWS\system32\wuapi.dll
2005-10-19 09:27:31 960 bdc COMAPI -------------
2005-10-19 09:27:31 960 bdc COMAPI -- START -- COMAPI: Search [ClientId = CDM]
2005-10-19 09:27:31 960 bdc COMAPI ---------
2005-10-19 09:27:31 960 bdc COMAPI - Online = Yes; Ignore download priority = No
2005-10-19 09:27:31 960 bdc COMAPI - Criteria = "Type='Driver' and DriverMatch='Best' and DeviceInstance='PCI\VEN_8086&DEV_2668&SUBSYS_2A09103C&REV_03\3&11583659&0&D8'"
2005-10-19 09:27:31 960 bdc COMAPI - ServiceID = {9482F4B4-E343-43B6-B170-9A65BC822C77}
2005-10-19 09:27:31 900 394 Agent *************
2005-10-19 09:27:31 900 394 Agent ** START ** Agent: Finding updates [CallerId = CDM]
2005-10-19 09:27:31 900 394 Agent *********
2005-10-19 09:27:31 960 bdc COMAPI <<-- SUBMITTED -- COMAPI: Search [ClientId = CDM]
2005-10-19 09:27:32 900 394 PT +++++++++++ PT: Synchronizing server updates +++++++++++
2005-10-19 09:27:32 900 394 PT + ServiceId = {9482F4B4-E343-43B6-B170-9A65BC822C77}, Server URL = https://update.microsoft.com/v6/ClientW ... lient.asmx
2005-10-19 09:27:38 900 394 PT +++++++++++ PT: Synchronizing extended update info +++++++++++
2005-10-19 09:27:38 900 394 PT + ServiceId = {9482F4B4-E343-43B6-B170-9A65BC822C77}, Server URL = https://update.microsoft.com/v6/ClientW ... lient.asmx
2005-10-19 09:27:38 900 394 Agent * Found 0 updates and 10 categories in search
2005-10-19 09:27:38 900 394 Report *********** Report: Initializing static reporting data ***********
2005-10-19 09:27:38 900 394 Report * OS Version = 5.1.2600.2.0.65792
2005-10-19 09:27:38 900 394 Report * Computer Brand = HP Pavilion 061
2005-10-19 09:27:38 900 394 Report * Computer Model = PW784AA-ABA M1264N
2005-10-19 09:27:38 900 394 Report * Bios Revision = 3.24
2005-10-19 09:27:38 900 394 Report * Bios Name = BIOS Date: 08/11/05 14:09:51 Ver: 08.00.10
2005-10-19 09:27:38 900 394 Report * Bios Release Date = 2005-08-11T00:00:00
2005-10-19 09:27:38 900 394 Report * Locale ID = 1033
2005-10-19 09:27:39 900 394 Agent *********
2005-10-19 09:27:39 900 394 Agent ** END ** Agent: Finding updates [CallerId = CDM]
2005-10-19 09:27:39 900 394 Agent *************
2005-10-19 09:27:39 960 c9c COMAPI >>-- RESUMED -- COMAPI: Search [ClientId = CDM]
2005-10-19 09:27:39 960 c9c COMAPI - Updates found = 0
2005-10-19 09:27:39 960 c9c COMAPI ---------
2005-10-19 09:27:39 960 c9c COMAPI -- END -- COMAPI: Search [ClientId = CDM]
2005-10-19 09:27:39 960 c9c COMAPI -------------
2005-10-19 09:27:39 960 bdc CDM WARNING: CCdm::ExecuteSearchForOneDriverUpdate failed, error = 0x80240024
2005-10-19 09:27:39 960 bdc CDM WARNING: CCdm::FindMatchingDriver failed, error = 0x80240024
2005-10-19 09:27:39 960 bdc CDM WARNING: FindMatchingDriver failed, error = 0x80240024
2005-10-19 09:27:42 900 6e8 AU No pending client directive
2005-10-19 09:27:42 960 3d4 CDM CancelCDMOperation
2005-10-19 09:27:44 900 394 Report REPORT EVENT: {D76647FB-5685-4C52-A59D-6F504E16BC70} 2005-10-19 09:27:38-0400 1 147 101 {00000000-0000-0000-0000-000000000000} 0 0 CDM Success Software Synchronization Agent has finished detecting items.
cathdeb
Regular Member
 
Posts: 47
Joined: October 13th, 2005, 8:48 am
Location: fort lauderdale,florida

C:\Antispyware\RKFiles

Unread postby cathdeb » October 19th, 2005, 10:04 am

C:\Antispyware\RKFiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\RMAgentOutput.dll: UPX!
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye
cathdeb
Regular Member
 
Posts: 47
Joined: October 13th, 2005, 8:48 am
Location: fort lauderdale,florida

Unread postby cathdeb » October 19th, 2005, 3:29 pm

I chged permissions and deleted some keys that were created that looked suspicious.there were alot of notepad keys that I deleted and then I ran Ewido Security Suite

---------------------------------------------------------
ewido security suite - Process report
---------------------------------------------------------

+ Created on: 3:18:24 PM, 10/19/2005
+ Report-Checksum: A332CDAF

0: System Process
4: System Process
132: C:\WINDOWS\System32\alg.exe
260: C:\Program Files\Norton AntiVirus\SAVScan.exe
496: \SystemRoot\System32\smss.exe
544: \??\C:\WINDOWS\system32\csrss.exe
568: \??\C:\WINDOWS\system32\winlogon.exe
612: C:\WINDOWS\system32\services.exe
624: C:\WINDOWS\system32\lsass.exe
788: C:\WINDOWS\system32\svchost.exe
836: C:\WINDOWS\system32\svchost.exe
904: C:\WINDOWS\System32\svchost.exe
932: C:\WINDOWS\Explorer.EXE
996: C:\WINDOWS\system32\svchost.exe
1048: C:\WINDOWS\system32\svchost.exe
1100: C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
1136: C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
1388: C:\WINDOWS\system32\spoolsv.exe
1516: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
1520: C:\Program Files\ewido\security suite\ewidoctrl.exe
1540: C:\WINDOWS\system32\igfxtray.exe
1544: C:\Program Files\Norton AntiVirus\navapsvc.exe
1636: C:\WINDOWS\system32\hkcmd.exe
1692: C:\WINDOWS\AGRSMMSG.exe
1720: C:\WINDOWS\system32\svchost.exe
1752: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
1856: C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
1868: C:\Program Files\Messenger\msmsgs.exe
2924: C:\Program Files\ewido\security suite\SecuritySuite.exe
3016: C:\WINDOWS\system32\wbem\wmiprvse.exe
cathdeb
Regular Member
 
Posts: 47
Joined: October 13th, 2005, 8:48 am
Location: fort lauderdale,florida

RootKitReveal Log

Unread postby cathdeb » October 19th, 2005, 3:38 pm

I am not going to do anythimg else until I hear from you.I hope I didn't mess anything up.

RootKitReveal Log
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed 10/19/2005 3:24 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful 10/19/2005 3:24 PM 4 bytes Data mismatch between Windows API and raw hive data.
cathdeb
Regular Member
 
Posts: 47
Joined: October 13th, 2005, 8:48 am
Location: fort lauderdale,florida

Unread postby dobhar » October 21st, 2005, 3:54 am

Sorry for the delay...Just very busy...

I'll be looking at the logs tomorrow. By the way you do not need to post the CCleaner log...that log is for your benefit...let's you see what it is cleaning out. So no need to post.

Thanks,
User avatar
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Unread postby dobhar » October 21st, 2005, 7:45 pm

Hi Debbie...

Well I have good news and bad new...

The good news is that as far as we are concerned, by the logs that you have submitted to us, your PC does not seem to be infected with with any "Nasties". The bad news is that as far as we are concerned, by the logs that you have submitted to us, your PC does not seem to be infected with with any "Nasties". What I mean by this is that we believe that your issues are not "Nasty" related.

We were just wondering if your last install of XP did not go as planned or that maybe your are having a Hardware issue. If this was my PC I would start start from scratch again and reinstall WinXP. I would install it in this manner...I would perform an fdisk, format and reinstall again. Remain disconnected from Internet until install is done. Install your Antivirus & firewall program first. If you still have issues after the install then you could be having a Hardware issue like a problem HDD (Hard Disk Drive). If you know the mfg of your HDD then you can download a diagnostic tool from their web site and test your HDD.

Sorry that it did not work out

Thanks,
User avatar
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Logfile of HijackThis v1.99.1

Unread postby cathdeb » October 22nd, 2005, 12:46 am

Hello Dobhar,

I had to format and then reinstall back to factory settings.I had denied creator owner on permissions and was unable to log on afterwards.could you check this or should I post a new log?Just want to make sure Iam starting off with a clean system.

Logfile of HijackThis v1.99.1
Scan saved at 4:35:11 AM, on 10/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.intermute.com/hp_update/?220 ... 464537387D
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
cathdeb
Regular Member
 
Posts: 47
Joined: October 13th, 2005, 8:48 am
Location: fort lauderdale,florida

Unread postby dobhar » October 22nd, 2005, 12:56 am

Hi Debbie...

That looks like a real HijackThis log...LOLOLOL

Let me go through it and I will post back As soon as possible.

Thanks,

Kent
User avatar
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Unread postby dobhar » October 23rd, 2005, 2:55 am

Hi Debbie...

This log is just about clean...just have some minor enties to remove...

Step 1.
==========

Please download and install CCleaner from here
(Note: DO NOT run this program yet)

Step 2.
==========

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup instructions => http://rstones12.geekstogo.com/adawareSE_setup.htm
(Note: Please do NOT run it yet!)

Step 3.
==========

- Close all Windows and Programs
- Start HijackThis...
- Select\check the following entries, Double-check to make sure that only these entries are checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE


- Click the "Fix checked" button.
- Close HijackThis

Step 4.
==========

We now need to cleanup all the Temp, Temorary Internet Files, Recycle Bin, etc...
- Start the CCleaner program
- Get into "Options" => Select "Advanced" => Deselect\uncheck "Only delete files in Windows Temp folders older than 48 hours"
- We are only going to work with the "Cleaner" section. (Note: Do not use the "Issues" section)
- click on the "Run Cleaner button in the lower right-hand corner
- After complete close program
- Make sure Recycle Bin is empty

Step 5.
==========


- Start Ad-aware SE 1.06 and do a full scan
- Remove all it finds

Step 6.
==========

- Post back a fresh new HijackThis log
User avatar
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Logfile of HijackThis v1.99.1

Unread postby cathdeb » October 23rd, 2005, 12:02 pm

Logfile of HijackThis v1.99.1
Scan saved at 11:59:13 AM, on 10/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\ISSVC.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AutoTBar] c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/in ... er_gmn.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
cathdeb
Regular Member
 
Posts: 47
Joined: October 13th, 2005, 8:48 am
Location: fort lauderdale,florida

Unread postby dobhar » October 23rd, 2005, 4:07 pm

Hi Debbie...

Congrats... :) Your log seems to be clean. Nice Job... :)

I can find nothing bad listed so I'm also posting my standard {All Clean} speech below. It has good information and some recommended tools (Recommended by all who deal with Spyware Nasties). Tools like SpywareBlaster => SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. Definitley recommended!!
____________________________________

The last thing I need you to do is to reset your "Hidden files and folders". System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion...
- Open "My Computer".
- Click on "Tools" and from the drop down menu select "Folder Options".
- Select the "View" tab.
- Under the Hidden files and folders heading UNSELECT "Show Hidden files and folders".
- CHECK the "Hide protected operating system files (recommended) option".
- Click "Yes" to confirm.
- Click "OK".
___________________________

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  1. Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point. You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millenium System Restore or Windows XP System Restore Guide

    Renable system restore with instructions from tutorial above
  2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      1. Change the Download signed ActiveX controls to Prompt
      2. Change the Download unsigned ActiveX controls to Disable
      3. Change the Initialize and script ActiveX controls not marked as safe to Disable
      4. Change the Installation of desktop items to Prompt
      5. Change the Launching programs and files in an IFRAME to Prompt
      6. Change the Navigate sub-frames across different domains to Prompt
      7. When all these settings have been made, click on the OK button.
      8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
  3. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online & their stand-alone antivirus programs:
    Virus, Spyware, and Malware Protection and Removal Resources
  4. Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  5. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly. For a tutorial on Firewalls and a listing of some available ones see the link below:
    Understanding and Using Firewalls
  6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  7. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here:
    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  8. Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here:
    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
  9. Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A tutorial on installing & using this product can be found here:
    Using SpywareBlaster to protect your computer from Spyware and Malware
  10. Install IE-SPYAD - IE-SPYAD adds a list of sites and domains associated with advertisers, marketers, and crapware pushers to the Restricted sites zone of Internet Explorer. A tutorial on installing & using IE-SPYAD can be found here:
    Using IE-Spyad to enhance your privacy and security
  11. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.
User avatar
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 50 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware