Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Help pls

Post by PJWolf » January 8th, 2006, 5:00 pm

OK, here's a weird one for you to help me with!

I am getting weird file notifications asking me if I wish to allow this file to access the internet via ZoneAlarm notices/alerts.

The names of the files are asrinben.exe and wmsacmgr.exe. If I deny the access then I find like 10s or 100s of weird illegal entries using weird characters. The drawback is that asrinben.exe and wmsacmgr.exe are 0-byte files with invalid dates and do not exist anywhere on the hard drive; no idea what process or file starts these off....

However, if I choose to kill the apps via ZoneAlarm then I get an exception failure warning for the said file!

Any ideas?

Thanks, PJ
PJWolf
Active Member
Posts: 12
Joined: January 8th, 2006, 4:43 pm

Post by ChrisRLG » January 8th, 2006, 7:14 pm

Can you please provide an HJT log for us to check - see the tab at the top of the forum:

New to this board - Click here

Follow that and post the HJT log when done.
ChrisRLG
Administrator Emeritus
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Post by PJWolf » January 9th, 2006, 2:31 pm

Log of HijackThis as requested. Please note I am not using MSIE Internet Explorer; I am using Maxthon, which uses the IE engine and is very similar to Firefox.

Logfile of HijackThis v1.99.1
Scan saved at 18:28:29, on 09/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FreeMeter\FreeMeter.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Azureus\Azureus.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Maxthon\Maxthon.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/def ... .yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: FreeMeter.lnk = C:\Program Files\FreeMeter\FreeMeter.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 1.1.74.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005 ... scan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://creative.com/su/ocx/15016/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D888D625-245B-4175-A82E-EE67F2065201}: NameServer = 62.24.128.18 62.24.128.17
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PJWolf
Active Member
Posts: 12
Joined: January 8th, 2006, 4:43 pm

Post by ChrisRLG » January 9th, 2006, 4:47 pm

Get RootkitRevealer from Sysinternals

http://www.sysinternals.com/Utilities/R ... ealer.html

Download to your desktop - then extract the files to a new folder - on the desktop will do.

Run RootkitRevealer.exe and it will open a window, click the SCAN button.

When it is finished (it will take a long time), copy and paste the log file here as a reply please.
ChrisRLG
Administrator Emeritus
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Post by PJWolf » January 10th, 2006, 2:08 pm

As requested, RootkitRevealer log!

HKLM\SOFTWARE\CpTWrA34Jj99 12/3/2005 21:40 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\Hagel\DU Meter\Totals 1/10/2006 00:21 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Zone Labs\ZoneAlarm\IncomingCount 1/10/2006 00:25 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Zone Labs\ZoneAlarm\BlockCount 1/10/2006 00:25 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SSDPSRV 11/6/2005 07:15 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SWWRRAY 12/2/2005 18:36 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\swwd 11/6/2005 09:17 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\swwrray 1/9/2006 18:58 0 bytes Hidden from Windows API.
C:\Documents and Settings\PJ\Cookies\pj@www.rootkit[2].txt 1/10/2006 00:31 70 bytes Hidden from Windows API.
C:\Documents and Settings\PJ\Local Settings\Temporary Internet Files\Content.IE5\3ECZB509\i.m.weasel[1].jpg 1/10/2006 00:29 2.31 KB Hidden from Windows API.
C:\Documents and Settings\PJ\Local Settings\Temporary Internet Files\Content.IE5\3ECZB509\rootkit_bookcover[1].jpg 1/10/2006 00:29 17.11 KB Hidden from Windows API.
C:\Documents and Settings\PJ\Local Settings\Temporary Internet Files\Content.IE5\3J5BZ10W\ZOverLord[1].jpg 1/10/2006 00:29 2.34 KB Hidden from Windows API.
C:\Documents and Settings\PJ\Local Settings\Temporary Internet Files\Content.IE5\77TNVTCW\00002311[1].jpg 1/10/2006 00:29 3.32 KB Hidden from Windows API.
C:\Documents and Settings\PJ\Local Settings\Temporary Internet Files\Content.IE5\7FLB39SS\tmeagle[1].jpg 1/10/2006 00:29 8.14 KB Hidden from Windows API.
C:\Documents and Settings\PJ\Local Settings\Temporary Internet Files\Content.IE5\AYIBP7SZ\ES_book_small[1].jpg 1/10/2006 00:29 7.52 KB Hidden from Windows API.
C:\Documents and Settings\PJ\Local Settings\Temporary Internet Files\Content.IE5\AYIBP7SZ\in[1].gif 1/10/2006 00:29 1006 bytes Hidden from Windows API.
C:\Documents and Settings\PJ\Local Settings\Temporary Internet Files\Content.IE5\CX2BCDYZ\us[1].gif 1/10/2006 00:29 1006 bytes Hidden from Windows API.
C:\Documents and Settings\PJ\Local Settings\Temporary Internet Files\Content.IE5\G567GDMZ\valid-rss[1].png 1/10/2006 00:29 1.49 KB Hidden from Windows API.
C:\Documents and Settings\PJ\Local Settings\Temporary Internet Files\Content.IE5\GXO1IV4D\00[1].gif 1/10/2006 00:29 879 bytes Hidden from Windows API.
C:\Documents and Settings\PJ\Local Settings\Temporary Internet Files\Content.IE5\IDRKLS7Y\it[1].gif 1/10/2006 00:29 1006 bytes Hidden from Windows API.
C:\Documents and Settings\PJ\Local Settings\Temporary Internet Files\Content.IE5\IVUZULQZ\valerino[1].jpg 1/10/2006 00:29 4.08 KB Hidden from Windows API.
C:\Documents and Settings\PJ\Local Settings\Temporary Internet Files\Content.IE5\MPVC50F2\ca[1].gif 1/10/2006 00:29 1005 bytes Hidden from Windows API.
C:\Documents and Settings\PJ\Local Settings\Temporary Internet Files\Content.IE5\P0CYRV26\hoglund[1].jpg 1/10/2006 00:29 4.22 KB Hidden from Windows API.
C:\Documents and Settings\PJ\Local Settings\Temporary Internet Files\Content.IE5\P0CYRV26\warl0ck[1].jpg 1/10/2006 00:29 3.01 KB Hidden from Windows API.
C:\Documents and Settings\PJ\Local Settings\Temporary Internet Files\Content.IE5\PKW3LTGT\CAQEACBF.HTM 1/10/2006 00:28 788 bytes Hidden from Windows API.
C:\Documents and Settings\PJ\Local Settings\Temporary Internet Files\Content.IE5\Y17GPC7A\favicon[2].ico 1/10/2006 00:29 1.37 KB Hidden from Windows API.
C:\Program Files\Advxerox 1/10/2006 00:07 0 bytes Hidden from Windows API.
C:\Program Files\Advxerox\ace.dll 12/2/2005 18:37 568.00 KB Hidden from Windows API.
C:\Program Files\Advxerox\AI_04-01-2006.log 1/4/2006 00:00 3 bytes Hidden from Windows API.
C:\Program Files\Advxerox\AI_05-01-2006.log 1/5/2006 00:17 3 bytes Hidden from Windows API.
C:\Program Files\Advxerox\AI_06-01-2006.log 1/6/2006 00:04 3 bytes Hidden from Windows API.
C:\Program Files\Advxerox\AI_07-01-2006.log 1/7/2006 00:00 3 bytes Hidden from Windows API.
C:\Program Files\Advxerox\AI_08-01-2006.log 1/8/2006 00:08 3 bytes Hidden from Windows API.
C:\Program Files\Advxerox\AI_09-01-2006.log 1/9/2006 00:00 3 bytes Hidden from Windows API.
C:\Program Files\Advxerox\AI_10-01-2006.log 1/10/2006 00:07 3 bytes Hidden from Windows API.
C:\Program Files\Advxerox\Cache 12/2/2005 18:37 0 bytes Hidden from Windows API.
C:\Program Files\Advxerox\data.bin 12/2/2005 18:37 114.94 KB Hidden from Windows API.
C:\Program Files\Advxerox\ipnating.exe 12/2/2005 18:36 164.00 KB Hidden from Windows API.
C:\Program Files\Advxerox\WinGenerics.dll 12/2/2005 18:37 576.00 KB Hidden from Windows API.
C:\Program Files\Advxerox\wmsacmgr.exe 12/2/2005 18:37 912.00 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT 1/10/2006 02:31 0 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002894.STA 1/9/2006 18:49 69 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002895.CON 1/9/2006 18:49 14 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002896.CON 1/9/2006 18:49 2.55 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002897.CON 1/9/2006 18:49 3.02 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002898.CON 1/9/2006 18:50 10.56 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002899.STA 1/9/2006 18:50 69 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002900.dat 1/9/2006 18:50 548 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002901.dat 1/9/2006 18:50 93 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002902.CON 1/9/2006 18:50 14 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002903.CON 1/9/2006 18:50 3.02 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002904.STA 1/9/2006 18:50 69 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002905.CON 1/9/2006 18:50 12.29 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002907.edb 1/9/2006 19:07 64.00 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002908.cab 1/9/2006 19:30 15.45 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002909.dat 1/9/2006 19:30 161 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002910.INI 1/9/2006 19:30 116 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002911.sol 1/9/2006 19:30 53 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002912.edb 1/9/2006 19:35 64.00 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002913.dat 1/9/2006 19:54 88 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002914.dat 1/9/2006 19:54 61 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002915.DAT 1/9/2006 19:54 108 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002916.DAT 1/9/2006 19:54 274 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002917.DAT 1/9/2006 19:54 55 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002918.DAT 1/9/2006 19:54 75 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002919.DAT 1/9/2006 19:54 237 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002920.DAT 1/9/2006 19:54 732 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002921.BMP 1/9/2006 21:13 3.00 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002922.LOG 1/10/2006 00:07 3 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002923.XML 1/10/2006 00:13 53 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002924.XML 1/10/2006 00:13 53 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002925.XML 1/10/2006 00:13 53 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002926.XML 1/10/2006 00:14 53 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002927.SYS 1/10/2006 00:25 7.49 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002928 1/10/2006 00:27 21.92 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002929 1/10/2006 00:27 3.82 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002930 1/10/2006 00:41 28.05 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002931.txt 1/10/2006 02:31 14.81 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT\cheatbook.edb 6/28/2005 20:30 536 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\NPROTECT.LOG 1/9/2006 18:51 631.38 KB Hidden from Windows API.
C:\System Volume Information\_restore{5107306B-4273-4F33-818B-0FB735A7D4D4}\RP65\change.log 9/30/2006 23:28 51.67 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{5107306B-4273-4F33-818B-0FB735A7D4D4}\RP65\change.log.2 1/10/2006 02:05 66.33 KB Hidden from Windows API.
C:\System Volume Information\_restore{5107306B-4273-4F33-818B-0FB735A7D4D4}\RP65\drivetable.txt 1/10/2006 03:04 400 bytes Hidden from Windows API.
C:\System Volume Information\_restore{5107306B-4273-4F33-818B-0FB735A7D4D4}\RP66 1/10/2006 03:04 0 bytes Hidden from Windows API.
C:\System Volume Information\_restore{5107306B-4273-4F33-818B-0FB735A7D4D4}\RP66\A0020872.RDB 1/10/2006 03:03 1.95 MB Hidden from Windows API.
C:\System Volume Information\_restore{5107306B-4273-4F33-818B-0FB735A7D4D4}\RP66\change.log 1/10/2006 04:28 1.15 KB Hidden from Windows API.
C:\System Volume Information\_restore{5107306B-4273-4F33-818B-0FB735A7D4D4}\RP66\RestorePointSize 1/10/2006 03:04 8 bytes Hidden from Windows API.
C:\System Volume Information\_restore{5107306B-4273-4F33-818B-0FB735A7D4D4}\RP66\rp.log 1/10/2006 03:04 536 bytes Hidden from Windows API.
C:\System Volume Information\_restore{5107306B-4273-4F33-818B-0FB735A7D4D4}\RP66\snapshot 1/10/2006 03:04 0 bytes Hidden from Windows API.
C:\System Volume Information\_restore{5107306B-4273-4F33-818B-0FB735A7D4D4}\RP66\snapshot\_REGISTRY_MACHINE_SAM 1/10/2006 03:04 28.00 KB Hidden from Windows API.
C:\System Volume Information\_restore{5107306B-4273-4F33-818B-0FB735A7D4D4}\RP66\snapshot\_REGISTRY_MACHINE_SECURITY 1/10/2006 03:03 52.00 KB Hidden from Windows API.
C:\System Volume Information\_restore{5107306B-4273-4F33-818B-0FB735A7D4D4}\RP66\snapshot\_REGISTRY_MACHINE_SOFTWARE 1/10/2006 03:04 21.91 MB Hidden from Windows API.
C:\System Volume Information\_restore{5107306B-4273-4F33-818B-0FB735A7D4D4}\RP66\snapshot\_REGISTRY_MACHINE_SYSTEM 1/10/2006 03:04 4.68 MB Hidden from Windows API.
C:\System Volume Information\_restore{5107306B-4273-4F33-818B-0FB735A7D4D4}\RP66\snapshot\_REGISTRY_USER_.DEFAULT 1/10/2006 03:03 268.00 KB Hidden from Windows API.
C:\System Volume Information\_restore{5107306B-4273-4F33-818B-0FB735A7D4D4}\RP66\snapshot\_REGISTRY_USER_NTUSER_S-1-5-18 11/6/2005 10:39 256.00 KB Hidden from Windows API.
C:\System Volume Information\_restore{5107306B-4273-4F33-818B-0FB735A7D4D4}\RP66\snapshot\_REGISTRY_USER_NTUSER_S-1-5-19 1/10/2006 03:03 228.00 KB Hidden from Windows API.
C:\System Volume Information\_restore{5107306B-4273-4F33-818B-0FB735A7D4D4}\RP66\snapshot\_REGISTRY_USER_NTUSER_S-1-5-20 1/10/2006 03:03 228.00 KB Hidden from Windows API.
C:\System Volume Information\_restore{5107306B-4273-4F33-818B-0FB735A7D4D4}\RP66\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-1645522239-162531612-682003330-1003 1/10/2006 03:03 4.10 MB Hidden from Windows API.
C:\System Volume Information\_restore{5107306B-4273-4F33-818B-0FB735A7D4D4}\RP66\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-19 1/10/2006 03:03 8.00 KB Hidden from Windows API.
C:\System Volume Information\_restore{5107306B-4273-4F33-818B-0FB735A7D4D4}\RP66\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-20 1/10/2006 03:03 8.00 KB Hidden from Windows API.
C:\System Volume Information\_restore{5107306B-4273-4F33-818B-0FB735A7D4D4}\RP66\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-1645522239-162531612-682003330-1003 1/10/2006 03:03 12.00 KB Hidden from Windows API.
C:\System Volume Information\_restore{5107306B-4273-4F33-818B-0FB735A7D4D4}\RP66\snapshot\ComDb.Dat 11/6/2005 20:05 23.15 KB Hidden from Windows API.
C:\System Volume Information\_restore{5107306B-4273-4F33-818B-0FB735A7D4D4}\RP66\snapshot\domain.txt 1/10/2006 03:04 42 bytes Hidden from Windows API.
C:\System Volume Information\_restore{5107306B-4273-4F33-818B-0FB735A7D4D4}\RP66\snapshot\Repository 1/10/2006 03:04 0 bytes Hidden from Windows API.
C:\System Volume Information\_restore{5107306B-4273-4F33-818B-0FB735A7D4D4}\RP66\snapshot\Repository\$WinMgmt.CFG 1/9/2006 19:01 20 bytes Hidden from Windows API.
C:\System Volume Information\_restore{5107306B-4273-4F33-818B-0FB735A7D4D4}\RP66\snapshot\Repository\FS 1/10/2006 03:04 0 bytes Hidden from Windows API.
C:\System Volume Information\_restore{5107306B-4273-4F33-818B-0FB735A7D4D4}\RP66\snapshot\Repository\FS\INDEX.BTR 1/9/2006 19:30 1.27 MB Hidden from Windows API.
C:\System Volume Information\_restore{5107306B-4273-4F33-818B-0FB735A7D4D4}\RP66\snapshot\Repository\FS\INDEX.MAP 1/10/2006 03:03 748 bytes Hidden from Windows API.
C:\System Volume Information\_restore{5107306B-4273-4F33-818B-0FB735A7D4D4}\RP66\snapshot\Repository\FS\MAPPING.VER 1/10/2006 03:03 4 bytes Hidden from Windows API.
C:\System Volume Information\_restore{5107306B-4273-4F33-818B-0FB735A7D4D4}\RP66\snapshot\Repository\FS\MAPPING1.MAP 1/10/2006 02:24 3.77 KB Hidden from Windows API.
C:\System Volume Information\_restore{5107306B-4273-4F33-818B-0FB735A7D4D4}\RP66\snapshot\Repository\FS\MAPPING2.MAP 1/10/2006 03:03 3.77 KB Hidden from Windows API.
C:\System Volume Information\_restore{5107306B-4273-4F33-818B-0FB735A7D4D4}\RP66\snapshot\Repository\FS\OBJECTS.DATA 1/9/2006 19:30 5.74 MB Hidden from Windows API.
C:\System Volume Information\_restore{5107306B-4273-4F33-818B-0FB735A7D4D4}\RP66\snapshot\Repository\FS\OBJECTS.MAP 1/10/2006 03:03 3.04 KB Hidden from Windows API.
C:\WINDOWS\Internet Logs\ZALog2006.01.09.txt 1/10/2006 02:27 14.81 MB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_496.xml 9/1/2006 01:18 57.85 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_498.xml 9/1/2006 01:18 1.42 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_500.xml 9/1/2006 01:18 17.86 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_502.xml 9/1/2006 01:18 3.53 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_504.xml 9/1/2006 01:18 16.29 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_506.xml 9/1/2006 01:18 4.91 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_508.xml 9/1/2006 01:18 1.54 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_510.xml 9/1/2006 01:18 27.25 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_512.xml 9/1/2006 01:18 1.99 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_514.xml 9/1/2006 01:18 395.93 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_516.xml 9/1/2006 01:18 171.15 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_518.xml 9/1/2006 01:18 71.72 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_520.xml 9/1/2006 01:18 316 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_522.xml 9/1/2006 01:18 140.15 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_524.xml 9/1/2006 01:18 72.54 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_526.xml 1/10/2006 02:22 57.85 KB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_528.xml 1/10/2006 02:22 1.42 KB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_530.xml 1/10/2006 02:22 17.86 KB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_532.xml 1/10/2006 02:22 3.53 KB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_534.xml 1/10/2006 02:22 16.29 KB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_536.xml 1/10/2006 02:22 4.91 KB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_537.xml 1/10/2006 02:22 5.32 KB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_538.xml 1/10/2006 02:22 1.54 KB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_540.xml 1/10/2006 02:22 27.25 KB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_542.xml 1/10/2006 02:22 1.99 KB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_544.xml 1/10/2006 02:22 395.93 KB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_546.xml 1/10/2006 02:22 172.46 KB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_547.xml 1/10/2006 02:22 1.75 KB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_548.xml 1/10/2006 02:22 71.72 KB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_550.xml 1/10/2006 02:23 316 bytes Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_552.xml 1/10/2006 02:23 140.15 KB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_554.xml 1/10/2006 02:23 72.54 KB Hidden from Windows API.
C:\WINDOWS\system32\asrinben.exe 12/2/2005 18:36 488.00 KB Hidden from Windows API.
C:\WINDOWS\system32\drivers\taplnknb.sys 12/2/2005 18:36 12.00 KB Hidden from Windows API.
D:\RECYCLER\NPROTECT 1/9/2006 18:59 0 bytes Hidden from Windows API.
D:\RECYCLER\NPROTECT\NPROTECT.LOG 1/9/2006 18:51 631.38 KB Hidden from Windows API.
E:\Recycled\NPROTECT 5/16/2004 20:21 0 bytes Hidden from Windows API.
E:\Recycled\NPROTECT\NPROTECT.LOG 1/9/2006 18:51 631.38 KB Hidden from Windows API.
PJWolf
Active Member
Posts: 12
Joined: January 8th, 2006, 4:43 pm
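Added example (not from the thread, Sysinternals or AproposFix): a small triage script for RootkitRevealer output like the log above. It separates the routine discrepancies (Norton Protected Recycle Bin, System Restore points, browser cache, counters rewritten while the scan runs) from hidden executables and hidden registry keys, and pairs a hidden `Services\<name>` key with its `LEGACY_<NAME>` Enum entry, which is what points at a hidden driver. The noise list and the verdict rules are my assumptions, tuned to the XP/Norton setup in this thread; the sample lines are copied from the posted log.

```python
"""Triage RootkitRevealer output: expected discrepancies vs. entries to act on.
Added example for this thread; not part of RootkitRevealer or AproposFix."""
import re
from dataclasses import dataclass

# The three discrepancy types RootkitRevealer prints at the end of a line.
HIDDEN = "Hidden from Windows API."
MISMATCH = "Data mismatch between Windows API and raw hive data."
GHOST = "Visible in Windows API, but not in MFT or directory index."
STATUSES = (HIDDEN, MISMATCH, GHOST)

# <path> <m/d/yyyy> <hh:mm> <size> <status>; the path may contain spaces,
# so it is matched lazily and the date anchors where it ends.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>\d+(?:\.\d+)?\s(?:bytes|KB|MB|GB))\s+"
    r"(?P<status>" + "|".join(re.escape(s) for s in STATUSES) + r")$"
)

# Locations where hidden/ghost entries are routine on an XP box running
# Norton SystemWorks (assumption: tuned to the software seen in this thread).
NOISE_MARKERS = (
    r"\RECYCLER\NPROTECT", r"\Recycled\NPROTECT",  # Norton Protected Recycle Bin
    r"\System Volume Information\_restore",        # System Restore points
    r"\Temporary Internet Files\Content.IE5",      # browser cache churn
    r"\PCHEALTH\HELPCTR\DataColl",                 # Help Center data collection
    r"\Internet Logs\ZALog",                       # ZoneAlarm log being written
)
# Registry values that are counters rewritten while the scan runs, so a
# raw-hive vs. API mismatch is expected rather than evidence of tampering.
VOLATILE_VALUES = (r"\Zone Labs\ZoneAlarm", r"\DU Meter\Totals")
EXEC_EXT = (".exe", ".dll", ".sys", ".cpl", ".ocx", ".drv")


@dataclass
class Entry:
    path: str
    size: str
    status: str


def parse_line(line):
    """Return an Entry for one RootkitRevealer line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return Entry(m["path"], m["size"], m["status"]) if m else None


def classify(e):
    """'noise', 'review' or 'suspicious' for a single entry, without context."""
    p = e.path.lower()
    if e.status == MISMATCH:
        return "noise" if any(v.lower() in p for v in VOLATILE_VALUES) else "review"
    if any(n.lower() in p for n in NOISE_MARKERS):
        return "noise"
    if e.status == GHOST:
        return "review"
    if p.startswith("hk"):  # a registry key hidden from the API
        return "review" if "\\enum\\root\\legacy_" in p else "suspicious"
    return "suspicious" if p.endswith(EXEC_EXT) else "review"


def hidden_drivers(entries):
    """Hidden Services\\<name> keys whose LEGACY_<NAME> Enum entry is also hidden."""
    services, legacy = set(), set()
    for e in entries:
        if e.status != HIDDEN:
            continue
        m = re.search(r"\\services\\([^\\]+)$", e.path, re.I)
        if m:
            services.add(m.group(1).lower())
        m = re.search(r"\\enum\\root\\legacy_([^\\]+)$", e.path, re.I)
        if m:
            legacy.add(m.group(1).lower())
    return sorted(services & legacy)


def triage(text):
    """Bucket every parseable line; promote the LEGACY_ key of a hidden driver."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    drivers = hidden_drivers(entries)
    buckets = {"suspicious": [], "review": [], "noise": []}
    for e in entries:
        verdict = classify(e)
        if any(e.path.lower().endswith("legacy_" + d) for d in drivers):
            verdict = "suspicious"
        buckets[verdict].append(e.path)
    buckets["hidden_drivers"] = drivers
    return buckets


# Sample input: lines copied from the RootkitRevealer log posted in this thread.
SAMPLE_LOG = r"""
HKLM\SOFTWARE\CpTWrA34Jj99 12/3/2005 21:40 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\Zone Labs\ZoneAlarm\BlockCount 1/10/2006 00:25 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SSDPSRV 11/6/2005 07:15 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SWWRRAY 12/2/2005 18:36 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\swwrray 1/9/2006 18:58 0 bytes Hidden from Windows API.
C:\Documents and Settings\PJ\Local Settings\Temporary Internet Files\Content.IE5\3ECZB509\i.m.weasel[1].jpg 1/10/2006 00:29 2.31 KB Hidden from Windows API.
C:\Program Files\Advxerox\wmsacmgr.exe 12/2/2005 18:37 912.00 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00002921.BMP 1/9/2006 21:13 3.00 MB Hidden from Windows API.
C:\WINDOWS\PCHEALTH\HELPCTR\DataColl\CollectedData_496.xml 9/1/2006 01:18 57.85 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\system32\asrinben.exe 12/2/2005 18:36 488.00 KB Hidden from Windows API.
C:\WINDOWS\system32\drivers\taplnknb.sys 12/2/2005 18:36 12.00 KB Hidden from Windows API.
"""

if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_LOG).items():
        print(f"== {bucket} ({len(paths)})")
        for p in paths:
            print("   ", p)
```

The `review` bucket is where a helper looks next; the `noise` rules only suppress locations, never a hidden executable, so an `.exe` or `.sys` hidden under a noisy directory still surfaces only if that directory is removed from `NOISE_MARKERS`.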

Post by wng_z3r0 » January 11th, 2006, 9:12 am

Chris asked me to step in for a bit. Hope you don't mind.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download AproposFix © Swandog46 from here:
http://swandog46.geekstogo.com/aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.
wng
wng_z3r0
Admin/Teacher Emeritus
Posts: 4282
Joined: March 6th, 2005, 8:22 pm

Post by PJWolf » January 11th, 2006, 2:54 pm

That is ok. OK, I did what you asked me to do and here is the AproposFix log...

Log of AproposFix v1

************

Running from directory:
C:\malwareremoval\aproposfix

************

Registry entries found:

[HKEY_LOCAL_MACHINE\Software\CpTWrA34Jj99]
@="9DD88vFHIIHIIJIn6zCz4AHIIHXKIrdiYjrnI9F9Az3ONIy8:Cz89IAv62414wJ9F9"
"Device"="\\\\.\\Spevent"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\taplnknb.sys"
"DriverName"="swwrray"
"HideUninstallerName"="C:\\Program Files\\Advxerox\\ipnating.exe"
"UninstallerPath"="C:\\WINDOWS\\system32\\wtsocurs.exe"
"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{E9748494-50CA-42F8-AD4C-D22CF860EE42}"
"UninstallerParams"="/CTUN"
"HDll"="C:\\WINDOWS\\system32\\pdhrlmon.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.IST2"
"InstallationId"="{X3062ffa-eab0-0440-26fa-d909ef1b3f1b}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Advxerox\\wmsacmgr.exe"

************

Removing hidden service:
Service swwrray removed.

Removing hidden folder:
Deletion of folder Advxerox succeeded!

Deleting files:

Deletion of file C:\WINDOWS\system32\drivers\taplnknb.sys succeeded!
Deletion of file C:\WINDOWS\system32\asrinben.exe succeeded!
Deletion of file C:\WINDOWS\system32\pdhrlmon.dll succeeded!
Deletion of file C:\WINDOWS\system32\wtsocurs.exe succeeded!

Backing up files:
Done!

Removing registry entries:

REGEDIT4

[-HKEY_CURRENT_USER\Software\CpTWrA34Jj99]
[-HKEY_LOCAL_MACHINE\Software\CpTWrA34Jj99]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9748494-50CA-42F8-AD4C-D22CF860EE42}]

Done!

Finished!

And then the HijackThis log as well... (Note I use Maxthon, not IE; Maxthon is based on the IE engine but similar to Firefox).

Logfile of HijackThis v1.99.1
Scan saved at 18:45:16, on 11/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\FreeMeter\FreeMeter.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/def ... .yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: FreeMeter.lnk = C:\Program Files\FreeMeter\FreeMeter.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 1.1.74.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005 ... scan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PJWolf
Active Member
 
Posts: 12
Joined: January 8th, 2006, 4:43 pm
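As an added example (not code from the thread, from AproposFix or from HijackThis), the check below parses the REGEDIT4-style registry block from the AproposFix log above, pulls out the file, service and server artifacts it names, and confirms that none of them still appear in a follow-up HijackThis log. The clean excerpt is taken from the post-fix log above; the "still infected" excerpt is constructed for illustration.

```python
"""Cross-check the artifacts named in an AproposFix registry dump against a
follow-up HijackThis log.  Added example, not code from the thread, from
AproposFix or from HijackThis; the inputs below are labelled as to origin."""
import re
from typing import Dict, List

# Constructed from the AproposFix log posted above.  REGEDIT4 escapes a
# backslash as "\\", so "\\\\.\\Spevent" is the device name \\.\Spevent.
REG_DUMP = r'''
[HKEY_LOCAL_MACHINE\Software\CpTWrA34Jj99]
@="9DD88vFHIIHIIJIn6zCz4AHIIHXKIrdiYjrnI9F9Az3ONIy8:Cz89IAv62414wJ9F9"
"Device"="\\\\.\\Spevent"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\taplnknb.sys"
"DriverName"="swwrray"
"HideUninstallerName"="C:\\Program Files\\Advxerox\\ipnating.exe"
"UninstallerPath"="C:\\WINDOWS\\system32\\wtsocurs.exe"
"HDll"="C:\\WINDOWS\\system32\\pdhrlmon.dll"
"ServerAddress"="adchannel.contextplus.net"
"PartnerId"="CP.IST2"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Advxerox\\wmsacmgr.exe"
'''

# Excerpt of the post-fix HijackThis log posted above (genuine lines).
CLEAN_HJT = r'''
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
'''

# Constructed "still infected" excerpt (hypothetical, not from the thread).
INFECTED_HJT = r'''
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Advxerox\wmsacmgr.exe
O4 - HKLM\..\Run: [wmsacmgr] C:\Program Files\Advxerox\wmsacmgr.exe
O23 - Service: swwrray (swwrray) - Unknown owner - C:\WINDOWS\system32\drivers\taplnknb.sys
'''

# One REGEDIT4 value line: @="..." or "Name"="..." or "Name"=dword:XXXXXXXX
VALUE_RE = re.compile(
    r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")='
    r'(?:"(?P<str>(?:[^"\\]|\\.)*)"|dword:(?P<dword>[0-9A-Fa-f]{8}))\s*$')
PATH_RE = re.compile(r'^[A-Za-z]:\\')
HOST_RE = re.compile(r'^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$', re.I)


def _unescape(s: str) -> str:
    # Undo REGEDIT4 escaping: a backslash escapes the next character.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_dump(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key_path: {value_name: value}} for the string and dword values."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue  # blank line or a value type this example does not handle
        name = '@' if m.group('name') is None else _unescape(m.group('name'))
        if m.group('dword') is not None:
            keys[current][name] = int(m.group('dword'), 16)
        else:
            keys[current][name] = _unescape(m.group('str'))
    return keys


def extract_artifacts(values: Dict[str, object]) -> Dict[str, List[str]]:
    """Classify one key's values by shape: file paths and hostnames; the
    service name is taken from the value AproposFix labels 'DriverName'."""
    out: Dict[str, List[str]] = {'files': [], 'hosts': [], 'services': []}
    for name, val in values.items():
        if not isinstance(val, str):
            continue
        if PATH_RE.match(val):
            out['files'].append(val)
        elif HOST_RE.match(val):
            out['hosts'].append(val.lower())
        elif name == 'DriverName':
            out['services'].append(val)
    return out


def check_hjt(artifacts: Dict[str, List[str]], hjt_text: str) -> Dict[str, bool]:
    r"""True for each artifact that still appears in the HijackThis log.
    Files are matched on basename only: HijackThis may show 8.3 short paths
    (C:\PROGRA~1\...) or the file may have been re-dropped elsewhere."""
    log = hjt_text.lower()
    found: Dict[str, bool] = {}
    for path in artifacts['files']:
        base = path.rsplit('\\', 1)[-1].lower()
        found[base] = base in log
    for host in artifacts['hosts']:
        found[host] = host in log
    for svc in artifacts['services']:
        # O23 lines carry the service name in parentheses after the display name.
        found[svc] = re.search(r'\(' + re.escape(svc.lower()) + r'\)', log) is not None
    return found


def leftovers(reg_dump: str, hjt_text: str) -> List[str]:
    """Artifacts from every key in the dump that the follow-up log still shows;
    an empty list is the expected result after a successful clean-up."""
    seen: List[str] = []
    for values in parse_reg_dump(reg_dump).values():
        found = check_hjt(extract_artifacts(values), hjt_text)
        seen.extend(sorted(k for k, v in found.items() if v))
    return seen


if __name__ == '__main__':
    print('after fix  :', leftovers(REG_DUMP, CLEAN_HJT))     # []
    print('constructed:', leftovers(REG_DUMP, INFECTED_HJT))  # ['swwrray', 'taplnknb.sys', 'wmsacmgr.exe']
```

A hidden service such as swwrray will not necessarily show up in a HijackThis O23 line at all, which is why the helper also asked for a RootkitRevealer log; this check only confirms what HijackThis can see.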

Unread postby wng_z3r0 » January 11th, 2006, 5:08 pm

I use maxthon myself :) great browser.

Can I also get another RKR log? Just to be sure? How's the computer doing?
wng_z3r0
Admin/Teacher Emeritus
 
Posts: 4282
Joined: March 6th, 2005, 8:22 pm

Unread postby PJWolf » January 13th, 2006, 6:02 am

RootKitRevealer Log as requested.

It all seems fine now, thanks. ZoneAlarm is no longer being filled up with junk entries, and asrinben and wmsacmgr are also not being added back after the entries were removed.

The only thing I did notice (I shall do a ScanDisk later) is that when I open Windows Explorer, within a few seconds it demands 100% CPU; the only way to overcome this is to kill the explorer process and restart it, but not open Windows Explorer again.

Otherwise all seems fine, thanks for your help :)

HKLM\SOFTWARE\Zone Labs\ZoneAlarm\IncomingCount 1/13/2006 01:05 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Zone Labs\ZoneAlarm\BlockCount 1/13/2006 01:05 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Zone Labs\ZoneAlarm\HackCount 1/13/2006 01:05 4 bytes Data mismatch between Windows API and raw hive data.
C:\RECYCLER\NPROTECT 1/13/2006 01:19 0 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\00000000.SYS 1/13/2006 01:05 7.49 KB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00000001 1/13/2006 01:06 21.92 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00000002 1/13/2006 01:06 3.82 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT\00000003 1/13/2006 01:19 28.93 MB Hidden from Windows API.
C:\RECYCLER\NPROTECT\cheatbook.edb 6/28/2005 20:30 536 bytes Hidden from Windows API.
C:\RECYCLER\NPROTECT\NPROTECT.LOG 1/11/2006 18:35 631.38 KB Hidden from Windows API.
D:\RECYCLER\NPROTECT 1/12/2006 00:16 0 bytes Hidden from Windows API.
D:\RECYCLER\NPROTECT\NPROTECT.LOG 1/11/2006 18:35 631.38 KB Hidden from Windows API.
E:\Recycled\NPROTECT 5/16/2004 20:21 0 bytes Hidden from Windows API.
E:\Recycled\NPROTECT\NPROTECT.LOG 1/11/2006 18:35 631.38 KB Hidden from Windows API.
PJWolf
Active Member
 
Posts: 12
Joined: January 8th, 2006, 4:43 pm

Unread postby wng_z3r0 » January 13th, 2006, 7:21 pm

Let's see if we can figure that explorer thing out.

Please follow ONLY post 1 of this
http://www.malwareremoval.com/forum/viewtopic.php?t=2787

Then double click on runme.bat
From the dos menu that opens up, choose option 1
Paste the contents of the Notepad window back to me.

wng
wng_z3r0
Admin/Teacher Emeritus
 
Posts: 4282
Joined: March 6th, 2005, 8:22 pm

Unread postby PJWolf » January 13th, 2006, 7:52 pm

OK this is the results of the log from your instructions...


Module information for 'explorer.exe'
MODULE BASE SIZE PATH
explorer.exe 1000000 1044480 C:\WINDOWS\explorer.exe 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Windows Explorer
ntdll.dll 7c900000 720896 C:\WINDOWS\system32\ntdll.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT Layer DLL
kernel32.dll 7c800000 999424 C:\WINDOWS\system32\kernel32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT BASE API Client DLL
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT CRT DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 593920 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Procedure Call Runtime
GDI32.dll 77f10000 290816 C:\WINDOWS\system32\GDI32.dll 5.1.2600.2818 (xpsp_sp2_gdr.051228-1427) GDI Client DLL
USER32.dll 77d40000 589824 C:\WINDOWS\system32\USER32.dll 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519) Windows XP USER API Client DLL
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.2781 (xpsp_sp2_gdr.051020-1730) Shell Light-weight Utility Library
SHELL32.dll 7c9c0000 8474624 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.2763 (xpsp_sp2_gdr.050922-1642) Windows Shell Common Dll
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.2726 (xpsp_sp2_gdr.050725-1528) Microsoft OLE for Windows
OLEAUT32.dll 77120000 573440 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.2180
BROWSEUI.dll 75f80000 1036288 C:\WINDOWS\system32\BROWSEUI.dll 6.00.2900.2802 (xpsp_sp2_gdr.051123-1230) Shell Browser UI Library
SHDOCVW.dll 77760000 1499136 C:\WINDOWS\system32\SHDOCVW.dll 6.00.2900.2805 (xpsp_sp2_gdr.051130-1554) Shell Doc Object and Control Library
CRYPT32.dll 77a80000 606208 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Crypto API32
MSASN1.dll 77b20000 73728 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ASN.1 Runtime APIs
CRYPTUI.dll 754d0000 524288 C:\WINDOWS\system32\CRYPTUI.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Trust UI Provider
WINTRUST.dll 76c30000 188416 C:\WINDOWS\system32\WINTRUST.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Trust Verification APIs
IMAGEHLP.dll 76c90000 163840 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT Image Helper
NETAPI32.dll 5b860000 344064 C:\WINDOWS\system32\NETAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Net Win32 API DLL
WININET.dll 771b0000 679936 C:\WINDOWS\system32\WININET.dll 6.00.2900.2781 (xpsp_sp2_gdr.051020-1730) Internet Extensions for Win32
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Win32 LDAP API DLL
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Version Checking and File Installation Libraries
UxTheme.dll 5ad70000 229376 C:\WINDOWS\system32\UxTheme.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Microsoft UxTheme Library
ShimEng.dll 5cb70000 155648 C:\WINDOWS\system32\ShimEng.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Compatibility DLL
WINMM.dll 76b40000 184320 C:\WINDOWS\system32\WINMM.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MCI API DLL
MSACM32.dll 77be0000 86016 C:\WINDOWS\system32\MSACM32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft ACM Audio Filter
USERENV.dll 769c0000 733184 C:\WINDOWS\system32\USERENV.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Userenv
comctl32.dll 773d0000 1056768 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 6.0 (xpsp_sp2_rtm.040803-2158) User Experience Controls Library
comctl32.dll 5d090000 618496 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp_sp2_rtm.040803-2158) Common Controls Library
THSec.dll 61000000 114688 C:\Program Files\TrojanHunter 4.2\THSec.dll
MSCTF.dll 74720000 307200 C:\WINDOWS\system32\MSCTF.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MSCTF Server DLL
appHelp.dll 77b40000 139264 C:\WINDOWS\system32\appHelp.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Application Compatibility Client Library
CLBCATQ.DLL 76fd0000 520192 C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.308
COMRes.dll 77050000 806912 C:\WINDOWS\system32\COMRes.dll 2001.12.4414.258
cscui.dll 77a20000 344064 C:\WINDOWS\System32\cscui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Client Side Caching UI
CSCDLL.dll 76600000 118784 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Offline Network Agent
themeui.dll 5ba60000 462848 C:\WINDOWS\System32\themeui.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Windows Theme API
Secur32.dll 77fe0000 69632 C:\WINDOWS\System32\Secur32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Security Support Provider Interface
MSIMG32.dll 76380000 20480 C:\WINDOWS\System32\MSIMG32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) GDIEXT Client DLL
xpsp2res.dll 20000000 2904064 C:\WINDOWS\system32\xpsp2res.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Service Pack 2 Messages
LINKINFO.dll 76980000 32768 C:\WINDOWS\system32\LINKINFO.dll 5.1.2600.2751 (xpsp_sp2_gdr.050831-1520) Windows Volume Tracking
ntshrui.dll 76990000 151552 C:\WINDOWS\system32\ntshrui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Shell extensions for sharing
ATL.DLL 76b20000 69632 C:\WINDOWS\system32\ATL.DLL 3.05.2284 ATL Module for Windows XP (Unicode)
msi.dll 14b0000 2908160 C:\WINDOWS\system32\msi.dll 3.1.4000.2435 Windows Installer
urlmon.dll 77260000 651264 C:\WINDOWS\system32\urlmon.dll 6.00.2900.2790 (xpsp_sp2_gdr.051104-1529) OLE32 Extensions for Win32
SAMLIB.dll 71bf0000 77824 C:\WINDOWS\system32\SAMLIB.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) SAM Library DLL
SETUPAPI.dll 77920000 995328 C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Setup API
NETSHELL.dll 76400000 1728512 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Network Connections Shell
rtutils.dll 76e80000 57344 C:\WINDOWS\system32\rtutils.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Routing Utilities
credui.dll 76c00000 188416 C:\WINDOWS\system32\credui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Credential Manager User Interface
WS2_32.dll 71ab0000 94208 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 2.0 Helper for Windows NT
iphlpapi.dll 76d60000 102400 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) IP Helper API
WINSTA.dll 76360000 65536 C:\WINDOWS\system32\WINSTA.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Winstation Library
webcheck.dll 74b30000 286720 C:\WINDOWS\System32\webcheck.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Web Site Monitor
WSOCK32.dll 71ad0000 36864 C:\WINDOWS\System32\WSOCK32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 32-Bit DLL
stobject.dll 76280000 135168 C:\WINDOWS\System32\stobject.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Systray shell service object
BatMeter.dll 74af0000 40960 C:\WINDOWS\System32\BatMeter.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Battery Meter Helper DLL
POWRPROF.dll 74ad0000 32768 C:\WINDOWS\System32\POWRPROF.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Power Profile Helper DLL
WTSAPI32.dll 76f50000 32768 C:\WINDOWS\System32\WTSAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Terminal Server SDK APIs
wdmaud.drv 72d20000 36864 C:\WINDOWS\system32\wdmaud.drv 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) WDM Audio driver mapper
msacm32.drv 72d10000 32768 C:\WINDOWS\system32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
midimap.dll 77bd0000 28672 C:\WINDOWS\system32\midimap.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft MIDI Mapper
SXS.DLL 75e90000 720896 C:\WINDOWS\system32\SXS.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Fusion 2.5
rsaenh.dll ffd0000 163840 C:\WINDOWS\system32\rsaenh.dll 5.1.2600.2161 (xpsp.040706-1629) Microsoft Enhanced Cryptographic Provider
MPR.dll 71b20000 73728 C:\WINDOWS\system32\MPR.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Multiple Provider Router DLL
drprov.dll 75f60000 28672 C:\WINDOWS\System32\drprov.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Terminal Server Network Provider
ntlanman.dll 71c10000 57344 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft® Lan Manager
NETUI0.dll 71cd0000 94208 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT LM UI Common Code - GUI Classes
NETUI1.dll 71c90000 262144 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT LM UI Common Code - Networking classes
NETRAP.dll 71c80000 28672 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Net Remote Admin Protocol DLL
davclnt.dll 75f70000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Web DAV Client DLL
RASAPI32.dll 76ee0000 245760 C:\WINDOWS\system32\RASAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Access API
rasman.dll 76e90000 73728 C:\WINDOWS\system32\rasman.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Access Connection Manager
TAPI32.dll 76eb0000 192512 C:\WINDOWS\system32\TAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft® Windows(TM) Telephony API Client DLL
msv1_0.dll 77c70000 143360 C:\WINDOWS\system32\msv1_0.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Authentication Package v1.0
shdoclc.dll 30b0000 557056 C:\WINDOWS\system32\shdoclc.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Shell Doc Object and Control Library
browselc.dll 13b0000 73728 C:\WINDOWS\system32\browselc.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Shell Browser UI Library
AcroIEHelper.dll 1430000 57344 C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll 7.0.5.2005092300 Adobe Acrobat IE Helper Version 7.0 for ActiveX
MSVCR71.dll 7c340000 352256 C:\WINDOWS\system32\MSVCR71.dll 7.10.3052.4 Microsoft® C Runtime Library
gdiplus.dll 4ec50000 1716224 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll 5.1.3102.2180 (xpsp_sp2_rtm.040803-2158) Microsoft GDI+
DUSER.dll 6c1b0000 315392 C:\WINDOWS\system32\DUSER.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows DirectUser Engine
wmvcore.dll 86d0000 2383872 C:\WINDOWS\system32\wmvcore.dll 10.00.00.3802 built by: dnsrv(bld4act) Windows Media Playback/Authoring DLL
WMASF.DLL 70d0000 237568 C:\WINDOWS\system32\WMASF.DLL 10.00.00.3802 built by: dnsrv(bld4act) Windows Media ASF DLL
MSGINA.dll 75970000 1011712 C:\WINDOWS\system32\MSGINA.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT Logon GINA DLL
ODBC32.dll 74320000 249856 C:\WINDOWS\system32\ODBC32.dll 3.525.1117.0 (xpsp_sp2_rtm.040803-2158) Microsoft Data Access - ODBC Driver Manager
comdlg32.dll 763b0000 299008 C:\WINDOWS\system32\comdlg32.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Common Dialogs DLL
odbcint.dll 3770000 94208 C:\WINDOWS\system32\odbcint.dll 3.525.1117.0 (xpsp_sp2_rtm.040803-2158) Microsoft Data Access - ODBC Resources
mlang.dll 75cf0000 593920 C:\WINDOWS\System32\mlang.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Multi Language Support DLL
drmv2clt.dll 9860000 516096 C:\WINDOWS\system32\drmv2clt.dll 10.00.00.3802 DRMv2 Client DLL
DRMClien.DLL 97e0000 266240 C:\WINDOWS\system32\DRMClien.DLL 10.00.00.3802 DRM Client DLL
NTMARTA.DLL 77690000 135168 C:\WINDOWS\system32\NTMARTA.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT MARTA provider
cryptnet.dll 75e60000 77824 C:\WINDOWS\system32\cryptnet.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Crypto Network Related API
WINHTTP.dll 4d4f0000 360448 C:\WINDOWS\system32\WINHTTP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows HTTP Services
SensApi.dll 722b0000 20480 C:\WINDOWS\system32\SensApi.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) SENS Connectivity API DLL
mscms.dll 73b30000 86016 C:\WINDOWS\system32\mscms.dll 5.1.2600.2709 (xpsp_sp2_gdr.050628-1518) Microsoft Color Matching System DLL
WINSPOOL.DRV 73000000 155648 C:\WINDOWS\system32\WINSPOOL.DRV 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Spooler Driver
quartz.dll 74810000 1490944 C:\WINDOWS\system32\quartz.dll
rarext.dll 18d0000 180224 C:\Program Files\WinRAR\rarext.dll
contmenu.dll 2e00000 335872 C:\PROGRA~1\TROJAN~1.2\contmenu.dll
NavShExt.dll 10000000 98304 C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll 10.00.13 Norton AntiVirusNAVShellExt Module
MSVCP70.dll 7c080000 487424 C:\WINDOWS\system32\MSVCP70.dll 7.00.9466.0 Microsoft® C++ Runtime Library
MSVCR70.dll 7c000000 344064 C:\WINDOWS\system32\MSVCR70.dll 7.00.9466.0 Microsoft® C Runtime Library
NDRVEX.DLL 13d0000 73728 C:\Program Files\Norton SystemWorks\Norton Utilities\NDRVEX.DLL 17.0.0.82 Norton Shared Component
actxprxy.dll 71d40000 114688 C:\WINDOWS\System32\actxprxy.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) ActiveX Interface Marshaling Library
MLSHEXT.DLL 35270000 28672 C:\Program Files\Microsoft Office\Office10\MLSHEXT.DLL 10.0.2625 Microsoft Shell Extension Library
spywareguard.dll 22200000 126976 C:\Program Files\SpywareGuard\spywareguard.dll 2.02 SpywareGuard Protection
MSVBVM60.DLL 66000000 1384448 C:\WINDOWS\system32\MSVBVM60.DLL 6.00.9782 Visual Basic Virtual Machine
dlprotect.dll 11000000 192512 C:\Program Files\SpywareGuard\dlprotect.dll 2.02 SpywareGuard Download Protection
msohev.dll 32520000 73728 C:\Program Files\Microsoft Office\Office10\msohev.dll 10.0.2609 Microsoft Office XP component
PDFShell.dll 3790000 114688 C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll 7.0.0.0 PDF Shell Extension
MSISIP.DLL 60980000 28672 C:\WINDOWS\system32\MSISIP.DLL 3.1.4000.1823 MSI Signature SIP Provider
wshext.dll 74ea0000 65536 C:\WINDOWS\system32\wshext.dll 5.6.0.8820 Microsoft (r) Shell Extension for Windows Script Host
MFC42.DLL 73dd0000 1040384 C:\WINDOWS\system32\MFC42.DLL 6.02.4131.0 MFCDLL Shared Library - Retail Version
ScrTrust.dll 37e0000 65536 C:\Program Files\Common Files\Symantec Shared\Script Blocking\ScrTrust.dll 1, 1, 1, 131 ScriptBlocking Trust Verifier
MCPS.DLL 365a0000 90112 C:\PROGRA~1\MICROS~3\Office10\MCPS.DLL 10.0.6313 Media Catalog Proxy/Stub
MSVCP60.DLL 76080000 413696 C:\WINDOWS\system32\MSVCP60.DLL 6.02.3104.0 Microsoft (R) C++ Runtime Library
PJWolf
Active Member
 
Posts: 12
Joined: January 8th, 2006, 4:43 pm

Unread postby wng_z3r0 » January 18th, 2006, 6:39 pm

Try temporarily disabling Norton to see if that helps. Also, please go to Start -> Run
paste this in:
sfc /scannow

and then hit enter. If prompted, insert your XP cd.
wng
wng_z3r0
Admin/Teacher Emeritus
 
Posts: 4282
Joined: March 6th, 2005, 8:22 pm

Unread postby PJWolf » January 19th, 2006, 6:26 pm

OK, I disabled the Norton virus scanner, still the same, and ran the sfc /scannow command as you suggested; it did its thing and at the end no report or anything came up.

And still the same, but since then I found a neat small free program called FreeCommander; it is like Windows Explorer but has more features, BUT this software does not take up 100% CPU as Windows Explorer did.

And please do not suggest to me that I should reformat my hard drive, because I had to re-install XP about 2 months ago after a weird power outage that caused me to lose net access full stop. I re-installed XP only to find it had caused the corruption of 2 hard drives; I got them fixed but with missing files, so I used Ontrack to recover the files, but I lack disk space on 1 drive so I am waiting for a new hard drive (once I have saved up enough). Before your help Windows Explorer wasn't taking 100%, but after removing that malware it started to take 100%.

Thanks in advance, PJ
PJWolf
Active Member
 
Posts: 12
Joined: January 8th, 2006, 4:43 pm

Unread postby wng_z3r0 » January 19th, 2006, 11:08 pm

Hey, we're not going down the reformat road.... At least not until there's nothing else left in the bag of tricks. And trust me, I got lotsa tricks in this bag :)


Try this:

Download http://www.bleepingcomputer.com/files/winpfind.php

Extract WinPFind.zip to your c:\ folder.
Please print these instructions as you will be going into safe mode.
Reboot your computer into Safe Mode by following the following steps:

Reboot.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe. When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while. When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.
wng_z3r0
Admin/Teacher Emeritus
 
Posts: 4282
Joined: March 6th, 2005, 8:22 pm

Unread postby PJWolf » January 21st, 2006, 4:46 am

OK, WinPFind log as requested, posted...

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 11/17/2005 02:26:42 536428544 C:\WINDOWS\MEMORY.DMP
FSG! 11/17/2005 02:26:42 536428544 C:\WINDOWS\MEMORY.DMP
PEC2 11/17/2005 02:26:42 536428544 C:\WINDOWS\MEMORY.DMP
aspack 11/17/2005 02:26:42 536428544 C:\WINDOWS\MEMORY.DMP
abetterinternet.com 11/17/2005 02:26:42 536428544 C:\WINDOWS\MEMORY.DMP

Checking %System% folder...
UPX! 7/9/2005 10:03:06 433152 C:\WINDOWS\SYSTEM32\aswBoot.exe
PEC2 8/23/2001 12:00:00 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 7/12/2005 18:04:22 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 1/5/2006 03:41:02 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 1/5/2006 03:41:02 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
UPX! 3/31/2004 17:55:24 172544 C:\WINDOWS\SYSTEM32\npkcsvc.exe
aspack 8/4/2004 00:56:38 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 00:56:46 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/23/2001 12:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 8/3/2004 22:41:38 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
1/21/2006 02:20:02 S 2048 C:\WINDOWS\bootstat.dat
1/11/2006 18:34:24 H 24 C:\WINDOWS\ppcpK
1/18/2006 18:42:16 H 54156 C:\WINDOWS\QTFont.qfn
12/16/2005 03:20:20 RH 0 C:\WINDOWS\assembly\PublisherPolicy.tme
12/16/2005 03:20:20 RH 0 C:\WINDOWS\assembly\pubpol1.dat
12/16/2005 20:52:38 RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index16.dat
12/16/2005 20:52:44 RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index17.dat
1/20/2006 18:04:28 H 35869 C:\WINDOWS\system32\vsconfig.xml
1/8/2006 02:27:28 H 4212 C:\WINDOWS\system32\zllictbl.dat
12/1/2005 04:17:10 S 21633 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905915.cat
12/2/2005 00:12:48 S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB910437.cat
1/2/2006 23:09:36 S 11223 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat
1/21/2006 02:19:54 H 8192 C:\WINDOWS\system32\config\default.LOG
1/21/2006 02:20:20 H 1024 C:\WINDOWS\system32\config\SAM.LOG
1/21/2006 02:20:04 H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
1/21/2006 02:20:40 H 61440 C:\WINDOWS\system32\config\software.LOG
1/21/2006 02:20:12 H 1011712 C:\WINDOWS\system32\config\system.LOG
1/11/2006 18:13:38 H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
1/21/2006 02:18:34 H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
5/25/2004 15:06:58 417792 C:\WINDOWS\SYSTEM32\ac3filter.cpl
Microsoft Corporation 8/4/2004 00:56:58 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 00:56:58 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 00:56:58 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
7/29/2004 12:56:00 221184 C:\WINDOWS\SYSTEM32\cttune.cpl
Microsoft Corporation 8/4/2004 00:56:58 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 00:56:58 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 00:56:58 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 00:56:58 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 00:56:58 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 00:56:58 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 00:56:58 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 8/26/2005 18:14:42 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/23/2001 12:00:00 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 00:56:58 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/23/2001 12:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 00:56:58 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 00:56:58 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 6/23/2003 02:24:00 143360 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 8/23/2001 12:00:00 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/4/2004 00:56:58 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 00:56:58 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 8/4/2004 00:56:58 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/23/2001 12:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 00:56:58 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 00:56:58 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 04:16:30 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 00:56:58 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 00:56:58 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 00:56:58 110592 C:\WINDOWS\SYSTEM32\dllcache\bthprops.cpl
Microsoft Corporation 8/4/2004 00:56:58 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 00:56:58 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 00:56:58 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 00:56:58 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 00:56:58 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 00:56:58 380416 C:\WINDOWS\SYSTEM32\dllcache\irprops.cpl
Microsoft Corporation 8/4/2004 00:56:58 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/23/2001 12:00:00 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 00:56:58 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/23/2001 12:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 00:56:58 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 00:56:58 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/23/2001 12:00:00 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/4/2004 00:56:58 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 00:56:58 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 00:56:58 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 00:56:58 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/23/2001 12:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 00:56:58 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 00:56:58 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 04:16:30 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
C-Media Corporation 4/21/2003 06:19:30 933888 C:\WINDOWS\SYSTEM32\ReinstallBackups\0006\DriverFiles\cmicnfg.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
11/7/2005 16:45:20 1757 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
11/6/2005 07:10:02 HS 84 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\desktop.ini
11/7/2005 15:18:56 1730 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
11/6/2005 07:00:22 HS 62 C:\Documents and Settings\All Users.WINDOWS\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
11/6/2005 07:10:02 HS 84 C:\Documents and Settings\Administrator.PJO-HOME\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
11/6/2005 07:00:22 HS 62 C:\Documents and Settings\Administrator.PJO-HOME\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =
Maxthon = IEAK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{81559C35-8464-49F7-BB0E-07A383BEF910} = C:\Program Files\SpywareGuard\spywareguard.dll
=

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\FileEncrypt
{90A07ACC-0331-4aee-9AAD-A854A9C37667} = C:\Program Files\Advanced System Optimizer\ShellExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Quick Par
{D120D80B-BD26-4A74-8E43-2C2AF0966139} = C:\QuickPar2\QuickParShlExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\FileEncrypt
{90A07ACC-0331-4aee-9AAD-A854A9C37667} = C:\Program Files\Advanced System Optimizer\ShellExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}
SpywareGuardDLBLOCK.CBrowserHelper = C:\Program Files\SpywareGuard\dlprotect.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
ButtonText = Messenger :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
GhostStartTrayApp C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
AcctMgr C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
Cmaudio RunDll32 cmicnfg.cpl,CMICtrlWnd
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz nwiz.exe /install
SpeedTouch USB Diagnostics "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
DU Meter C:\Program Files\DU Meter\DUMeter.exe
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Creative WebCam Tray C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
LogonStudio "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
BootSkin Startup Jobs "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
THGuard "C:\Program Files\TrojanHunter 4.2\THGuard.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINDOWS\System32\CTFMON.EXE

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CoolSwitch
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item taskswitch
hkey HKLM
command C:\WINDOWS\system32\taskswitch.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 1/21/2006 08:16:16
PJWolf
Active Member
 
Posts: 12
Joined: January 8th, 2006, 4:43 pm
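A triage pass over a WinPFind log of the kind posted above, as an added example that is not part of the original thread and not WinPFind's own code. It parses the packer-signature, recent hidden-file, Run-key and Winlogon sections from a constructed excerpt of the log, then separates signature hits inside C:\WINDOWS\MEMORY.DMP (a crash dump is an image of everything that was in memory, so finding the strings UPX! or aspack inside it says nothing about the dump file itself) from hits in real executables, lists recent hidden files that do not match an assumed allowlist of routine Windows XP churn, lists Run entries whose command is not an absolute path (a bare name is resolved through the PATH search order), and compares the Winlogon Shell and UserInit values against their assumed XP defaults. The excerpt, the allowlist and the defaults are assumptions for illustration; whether a flagged file is actually bad still needs a hash or signature check that this script does not do.

```python
import re

# Constructed excerpt, modelled on the WinPFind v1.4.1 format in the log above
# (a few representative lines per section, not the full log).
SAMPLE_LOG = r"""Checking %WinDir% folder...
UPX! 11/17/2005 02:26:42 536428544 C:\WINDOWS\MEMORY.DMP
aspack 11/17/2005 02:26:42 536428544 C:\WINDOWS\MEMORY.DMP

Checking %System% folder...
UPX! 7/9/2005 10:03:06 433152 C:\WINDOWS\SYSTEM32\aswBoot.exe
aspack 8/4/2004 00:56:38 708096 C:\WINDOWS\SYSTEM32\ntdll.dll

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
1/21/2006 02:20:02 S 2048 C:\WINDOWS\bootstat.dat
1/11/2006 18:34:24 H 24 C:\WINDOWS\ppcpK
1/21/2006 02:20:40 H 61440 C:\WINDOWS\system32\config\software.LOG

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Cmaudio RunDll32 cmicnfg.cpl,CMICtrlWnd
nwiz nwiz.exe /install
SpeedTouch USB Diagnostics "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =
"""

# "<signature> <date> <time> <size> <path>" lines under the "Checking %...% folder" sections
SIG_RE = re.compile(r"^(\S+) (\d{1,2}/\d{1,2}/\d{4}) (\d{2}:\d{2}:\d{2}) (\d+) (.+)$")
# "<date> <time> <attrs> <size> <path>" lines in the recent hidden/system file listing
HID_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4}) (\d{2}:\d{2}:\d{2}) ([RHS]+) (\d+) (.+)$")
# Run-key lines are "<value name> <command>"; the name may contain spaces, so split
# at the first token that looks like the start of a command line.
RUN_RE = re.compile(r'^(.*?) ("?(?:[A-Za-z]:\\|%\w+%|rundll32|\S+\.exe\b).*)$', re.I)
KV_RE = re.compile(r"^(\w+) = ?(.*)$")


def parse_winpfind(text):
    """Walk the log line by line, tracking which section header was seen last."""
    out = {"signatures": [], "hidden": [], "run": [], "winlogon": {}}
    section = ""
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line.startswith("Checking ") or line.startswith("["):
            section = line
            continue
        if section.startswith("Checking %") and (m := SIG_RE.match(line)):
            tag, _date, _time, size, path = m.groups()
            out["signatures"].append({"tag": tag, "size": int(size), "path": path})
        elif "within the last 60 days" in section and (m := HID_RE.match(line)):
            _date, _time, attrs, size, path = m.groups()
            out["hidden"].append({"attrs": attrs, "size": int(size), "path": path})
        elif section.endswith(r"\CurrentVersion\Run]") and (m := RUN_RE.match(line)):
            out["run"].append({"name": m.group(1), "command": m.group(2)})
        elif section.endswith(r"\Winlogon]") and (m := KV_RE.match(line)):
            out["winlogon"][m.group(1)] = m.group(2).strip()
    return out


# Assumed allowlist of routine Windows XP churn in the hidden/system-file listing
# (registry transaction logs, catalog files, boot status, .NET assembly cache, scheduler state).
ROUTINE_HIDDEN = [
    r"\\system32\\config\\.*\.LOG$", r"\\CatRoot\\.*\.cat$", r"\\bootstat\.dat$",
    r"\\assembly\\", r"\\Tasks\\SA\.DAT$",
]
# Assumed Windows XP defaults for the two Winlogon values that are commonly hijacked.
WINLOGON_DEFAULTS = {"Shell": "explorer.exe", "UserInit": r"c:\windows\system32\userinit.exe,"}


def triage(parsed):
    """Sort the parsed findings into buckets that need different follow-up."""
    dump_hits, pe_hits = {}, {}
    for s in parsed["signatures"]:
        # A crash dump contains the strings of every loaded module, so packer
        # signatures found inside it are not a finding about the dump file.
        bucket = dump_hits if s["path"].lower().endswith(".dmp") else pe_hits
        bucket.setdefault(s["path"], []).append(s["tag"])
    unexplained = [h["path"] for h in parsed["hidden"]
                   if not any(re.search(p, h["path"], re.I) for p in ROUTINE_HIDDEN)]
    # Commands without a drive-qualified path are resolved via the PATH search order.
    unqualified = [r["name"] for r in parsed["run"]
                   if not re.match(r'^"?[A-Za-z]:\\', r["command"])]
    winlogon_issues = [k for k, v in WINLOGON_DEFAULTS.items()
                       if parsed["winlogon"].get(k, "").lower() != v]
    return {"dump_hits": dump_hits, "pe_hits": pe_hits,
            "unexplained_hidden": unexplained, "unqualified_run": unqualified,
            "winlogon_issues": winlogon_issues}


if __name__ == "__main__":
    for key, items in triage(parse_winpfind(SAMPLE_LOG)).items():
        print(f"{key}: {items}")
```

Run it as-is to see the buckets for the excerpt; to use it on a real WinPFind.txt, read the file and pass its contents to parse_winpfind. Anything in pe_hits or unexplained_hidden is a list of things to look up and verify, not a verdict.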