Post by: hotrod4x5 on May 17, 2005, 03:45:35 PM
I have Ad-Aware, SpyBot S&D, MS ANTIspyware, Norton Antivirus (which I cannot understand why it finds these trojans, but is unable to fix them?? what good is it then?)
I see all the hoops people jump through with hijack this logs and cleaning tools.
To me I think it seems more logical to just reinstall windows.
But how do I keep them from re-infecting my computer?
I have another XP machine on my network that is also majorly infected.
If I reinstall winXP on my main machine, but not on the other infected one, will they migrate across the network?
I am not running firewall, I tried zone alarm, the free version, and it blocked my network completely. I do not have a hardware firewall either, just a hub.
Should I get a hardware firewall even if I am still on dialup?
I am not opposed to the idea of a fresh install, but will I be safe from then on...?
I use outlook express and get about 20-30 spams a day, half of them porn and half viagra type things and the like.
does the spyware and trojans come with these emails? Should I use mailwasher and never download the email to my machine. Help!! I am tired of this cr*p!
/mad.gif\' class=\'bbc_emoticon\' alt=\':angry:\' />
Post by: roofy on May 17, 2005, 09:11:02 PM
Quote
I have Ad-Aware, SpyBot S&D, MS ANTIspyware, Norton Antivirus (which I cannot understand why it finds these trojans, but is unable to fix them?? what good is it then?)First off, the reason why Nortans is not able to delete the viruses that where found is because the viruses are currently running. You can not delete any kind of file while it is opened or running. Eventhough Nortans sucks, this is not a defect in Nortans. It is the way how a lot of todays viruses run.
Quote
To me I think it seems more logical to just reinstall windows.
Have you ever try doing this before? I wouldn't suggest this!!!!! Hust reinstalling WindowsXP, will possibly reinfect your computer. If you wanted to reinstall windows without the risks of being infected, you would have to format your hard drive and reinstall everything which I think that is more of a headache then following our instructions. In addition, because you are networked with 2 computers, just only cleaning one machine doesn't mean that you would get reinfected. Meaning, usually once one machine gets infected, then all the computers on your network can get infected.
Quote
I am not running firewall, I tried zone alarm, the free version, and it blocked my network completely. I do not have a hardware firewall either, just a hub.
Should I get a hardware firewall even if I am still on dialup?
Taking about ZoneAlarm, some people have said that it doesn't work that well on Windows XP. To answser about getting a hardware firewall with dial-up, I am not that sure. It use to be a firewall where made for broadband internet becuase the internet is still active even if your not using the computer. However with hackers being able to automatically dial-out to the internet, recomendation rules could of changed now. You could call your ISP if there software includes firewall software, or if it is ok to use a hardware firewall. If it is and to make things cheaper get a router that includes a firewall. You can get a Linksys Firewall router for about $100 US Dollars.
Though here is what you can do. Lets start off by seeing if you can download a program called Hijackthis, by merlin. You can find merlin's web site, who created Hijackthis, here (http://\"http://www.spywareinfo.com/~merijn/downloads.html\").
Also because you are not giving any details of what your computer is doing, meaning like is it automatically sending email without your permission or when surfing the net you are re-directed to a searchengine site instead of the place you actually wanted to go to etc, you could find some troubles downloading this file. Though the link that I gave you, has all the possible reasons why you can't download Hijackthis, and it also gives you alternitive routes on what to do. Once you download Hijackthis, it is very important where you install Hijackthis. The best location to installed this is by making new folder in this location...
c:\Hijackthis
Now, once Hijackthis has been installed, open up Hijackthis, and click on the button that says, "Do a system scan and save a logfile". When the scan is complete, Hijackthis will open up notepad and display your results. Next in notepad, go to edit->select all, and then edit-> copy. Then come back in here and and past you log in this thread. Also please keep in mind that this program does not replace nortan's. You must still use Nortan's, for its other features of protecting you. So after you post back, someone will get back to you to assist you.
Post by: hotrod4x5 on May 17, 2005, 10:29:56 PM
Thanks for your reply. I do appreciate you taking your time to help and want to preface my following statements that I am by no means trying to sound arrogant, and if it comes across that way, chalk it up to the fact that you can't read my body language or hear the tone in my voice. Sometimes I hate online communication!
I should have stated my computer knowledge level when I asked about reinstalling.
I have built all the computers on my home network, currently 3 systems, and have a drawer full of old DIMMS and even SIMMS, video cards, small hard drives, mobos, etc. Tthe first system I built was a P75 with 16 megs of ram and a 1.6 gig drive!
Anyway, the point is, I am not scared about reinstalling windows, and yes I would reformat the drive first.
Currently I am not running SP2, because when I installed it, my network didn't work.
And I want to add, that while I have built many systems, I would say I know enough to barely get by. I count on things working when I put them together and if they don't, well, I have been luccky so far, I guess. IOW, I am not a computer guru, and that is why I am seeking help and advice,.
I guess what my concern is, if I do the re-install, how do I keep this cr*p off my system?!?!?!
So you are saying that the other system would infect my fresh install?
If that is the case, I can easily reinstall windows on all machines if needed, of course that is time comsuming!
You asked what is happening on my system? Well, at present, it likes to freeze when I try to open Mozilla, after I have connected. If I open mozilla, then connect it seems ok. I am not able to get my email with outlook express, I am currently having to use my ISP's webmail interface for email. OE just says server not found, or some other errror, that I can't recall at the moment. I don't think this is a server issue, as it has been doing this for nearly 24 hours.
What else... hmmm, ramdom Mozilla windows opening, with an address for a file on my harddrive, not a website. Messages asking me to approve the installation of ad programs that I didn't even download or want to install.
It is a nightmare!
I guess I will go ahead and do a hijack this log. I already have the program, I tried posting a log on computer cops a few months ago,m but they are too busy, I guess to help.
In the mean time, if someone, or you, can advise how to keep this stuff off for good if I do a reinstall, that would be helpful. I usually do a reinstall or an upgrade of mobo and processor every 12-18 months anyway.
Thanks again for the quick reply!
Rodney
Post by: guestolo on May 17, 2005, 10:43:54 PM
How about just for the Heck of it you post a Hijackthis log and let's see what's going on
If you still want to reinstall later, by all means, that's your choice
If you don't have the latest version of Hijackthis
you can also download Hijackthis from my signature below
Save it too a permanent folder
Run a scan and save log file
Copy and paste back the Whole contents of the log
Don't fix anything yet as it is all important
EDIT>>Don't forget about this link I added to the top of the forum
http://www.thetechguide.com/forum/index.php?showtopic=15894 (http://\"http://www.thetechguide.com/forum/index.php?showtopic=15894\")
Post by: hotrod4x5 on May 18, 2005, 12:39:56 AM
Should I do it in safe mode? Will that work, or do I need to find a way to do this in normal mode?
Post by: guestolo on May 18, 2005, 12:46:40 AM
But if you can hang in there, I've seen this problem before
Can you do a couple things for me
==Download RKFiles.zip from the link
http://skads.org/special/rkfiles.zip (http://\"http://skads.org/special/rkfiles.zip\")
UNZIP the contents to it's own folder
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Could you now restart into safe mode
Open the folder you unzipped rkfiles.zip too
Double click to run Rkfiles.bat
Wait for the scan to finish, give this time
When it's done a log will be produced, save this log
By default, it is saved to C:\Log.txt
Restart back to Normal mode
Back in windows
Could you post the log produced by Rkfiles.bat
Also
Could you download and UNZIP to a folder Hijackthis 1.98.2 (http://\"http://www.merijn.org/files/hijackthis1982.zip\")
Do a scan with this version of Hijackthis and save the log
Post it back here
I'll look at it first thing when I get off work tomorrow
Post by: hotrod4x5 on May 18, 2005, 06:31:48 PM
http://skads.org/special/rkfiles.zip (http://\"http://skads.org/special/rkfiles.zip\")
UNZIP the contents to it's own folder
Could you post the log produced by Rkfiles.bat[/quote]C:\rkfiles
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\Dwapilib.tlb: dwProvSpec2
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\gr.exe: UPX!
Finished
bye
Quote
AlsoI wasn't able to run this version of hijack this either. Same results as before, it ran for a second, then shut down.
Could you download and UNZIP to a folder Hijackthis 1.98.2 (http://\"http://www.merijn.org/files/hijackthis1982.zip\")
Do a scan with this version of Hijackthis and save the log
Post it back here
I'll look at it first thing when I get off work tomorrow[post=\"41645\"]<{POST_SNAPBACK}>[/post]
In the mean time, MS anitspyware has run automatically and found more spyware, big surprise! A new one that has popped up recently that I didn't have before is PeopleOnPage. Also it found AproposMedia and IST.IST bar. the usual suspects there.
I'm going to allow MS to try and clean the system. I know if I run SPYBOT and AdAware, it will find more and different ones.
Do you want me to clean my system today, the same way I do every darn day?
Any ideas abotu running a succesful hijack this?
Post by: Guest on May 19, 2005, 05:21:24 AM
Both Kerio and AntiVir are the best period! No nonsence programs that are free and easy to use.
Post by: hotrod4x5 on May 24, 2005, 09:52:02 AM
Post by: guestolo on May 24, 2005, 04:09:38 PM
Can you get Hijackthis to run in safe mode?
If not can you do the following for me please
Go to START>>RUN>>COPY AND PASTE the bold line into the open field and then
Click OK
regedit /e C:\find.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
Can you again do the following
Go to START>>RUN>>COPY AND PASTE the bold line into the open field and then
Click OK
regedit /e C:\find2.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
AGAIN>>Do this step anyways, if you can get Hijackthis to run in Safe mode
Go to START>>RUN>>COPY AND PASTE the bold line into the open field and then Click OK
regedit /e C:\find3.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe"
Now, navigate to these files, any that exist, open them, copy and paste them back in your next reply
C:\find.txt == C:\find2.txt ==C:\find3.txt
Post by: hotrod4x5 on May 24, 2005, 04:22:01 PM
FIND TEXT PASTED:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"DataCaching"=""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\NORTON~1\\navapw32.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
"Ink Monitor"="C:\\Program Files\\EPSON\\Ink Monitor\\InkMonitor.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"Compaq32 Service Drivers"="msconfig32.exe"
"KernelFaultCheck"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,\
00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
5c,00,64,00,75,00,6d,00,70,00,72,00,65,00,70,00,20,00,30,00,20,00,2d,00,6b,\
00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
FIND TEXT 2 Pasted:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\mnyexpr.exe\""
"Microsoft Update"="Svhost.exe"
"Dns Resolver"="dnsrslve.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"cwwtRkj9X"="loaoice.exe"
"Compaq32 Service Drivers"="msconfig32.exe"
Post by: guestolo on May 24, 2005, 09:18:51 PM
Sorry for keeping you delayed, and thanks for your patience
I got back from a short holiday and had to catch up on yard work
As soon as you post the below information, I'll make sure I check your post as soon as I can
Download and UNZIP to desktop Grab.zip (http://\"http://www.thetechguide.com/forum/index.php?act=Attach&type=post&id=241\")
So you now have Grab.bat on the desktop
Double click on Grab.bat and a text file will open
Copy and paste back the contents please
It may be a little long but I'll edit out what we don't need if anything found
Also, this will help a lot if you can run it
==Download this virus checker from eScan
Mwav.exe (http://\"ftp://ftp.microworldsystems.com/download/tools/mwav.exe\")
There's nothing to install, Save to your desktop
Double click to run eScan's Mwav scan
It will self extract
Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
This may take awhile, let it finish
In the Virus Log Information Pane
Left click and Highlight all the info in the Lower pane--- Use "CTRL and the C" keys on your Keyboard to copy all found in the lower pane and Paste it back here
****If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning
We just want to see where the bad guys are
Post by: hotrod4x5 on May 24, 2005, 11:05:01 PM
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe]
"ApplicationGoo"=hex:14,02,00,00,10,02,00,00,00,02,00,00,90,04,34,00,00,00,56,\
00,53,00,5f,00,56,00,45,00,52,00,53,00,49,00,4f,00,4e,00,5f,00,49,00,4e,00,\
46,00,4f,00,00,00,00,00,bd,04,ef,fe,00,00,01,00,00,00,07,00,0b,00,00,00,00,\
00,07,00,0b,00,00,00,3f,00,00,00,02,00,00,00,04,00,01,00,01,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,44,00,00,00,01,00,56,00,61,00,72,00,46,00,69,\
00,6c,00,65,00,49,00,6e,00,66,00,6f,00,00,00,00,00,24,00,04,00,00,00,54,00,\
72,00,61,00,6e,00,73,00,6c,00,61,00,74,00,69,00,6f,00,6e,00,00,00,00,00,09,\
04,e4,04,f0,03,00,00,01,00,53,00,74,00,72,00,69,00,6e,00,67,00,46,00,69,00,\
6c,00,65,00,49,00,6e,00,66,00,6f,00,00,00,cc,03,00,00,01,00,30,00,34,00,30,\
00,39,00,30,00,34,00,45,00,34,00,00,00,4a,00,19,00,01,00,43,00,6f,00,6d,00,\
6d,00,65,00,6e,00,74,00,73,00,00,00,43,00,72,00,79,00,73,00,74,00,61,00,6c,\
00,20,00,53,00,51,00,4c,00,20,00,44,00,65,00,73,00,69,00,67,00,6e,00,65,00,\
72,00,20,00,37,00,2e,00,30,00,00,00,00,00,88,00,34,00,01,00,43,00,6f,00,6d,\
00,70,00,61,00,6e,00,79,00,4e,00,61,00,6d,00,65,00,00,00,00,00,53,00,65,00,\
61,00,67,00,61,00,74,00,65,00,20,00,53,00,6f,00,66,00,74,00,77,00,61,00,72,\
00,65,00,20,00,49,00,6e,00,66,00,6f,00,72,00,6d,00,61,00,74,00,69,00,6f,00,\
6e,00,20,00,4d,00,61,00,6e,00,61,00,67,00,65,00,6d,00,65,00,6e,00,74,00,20,\
00,47,00,72,00,6f,00,75,00,70,00,2c,00,20,00,49,00,6e,00,63,00,2e,00,00,00,\
ae,00,45,00,01,00,4c,00,65,00,67,00,61,00,6c,00,43,00,6f,00,70,00,79,00,72,\
00,69,00,67,00,68,00,74,00,00,00,43,00,6f,00,70,00,79,00,72,00,69,00,67,00,\
68,00,74,00,20,00,28,00,63,00,29,00,20,00,31,00,39,00,39,00,31,00,2d,00,31,\
00,39,00,39,00,10,00,00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE]
"DisableHeapLookAside"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe]
"ApplicationGoo"=hex:54,09,00,00,54,02,00,00,00,02,00,00,8c,03,34,00,00,00,56,\
00,53,00,5f,00,56,00,45,00,52,00,53,00,49,00,4f,00,4e,00,5f,00,49,00,4e,00,\
46,00,4f,00,00,00,00,00,bd,04,ef,fe,00,00,01,00,02,00,a8,11,2e,04,00,00,02,\
00,a8,11,2e,04,00,00,3f,00,00,00,20,00,00,00,04,00,00,00,01,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,ec,02,00,00,01,00,53,00,74,00,72,00,69,00,6e,\
00,67,00,46,00,69,00,6c,00,65,00,49,00,6e,00,66,00,6f,00,00,00,c8,02,00,00,\
01,00,30,00,30,00,30,00,30,00,30,00,34,00,62,00,30,00,00,00,38,00,10,00,01,\
00,43,00,6f,00,6d,00,6d,00,65,00,6e,00,74,00,73,00,00,00,4f,00,72,00,69,00,\
67,00,6e,00,61,00,6c,00,20,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,00,\
00,42,00,11,00,01,00,43,00,6f,00,6d,00,70,00,61,00,6e,00,79,00,4e,00,61,00,\
6d,00,65,00,00,00,00,00,53,00,41,00,50,00,20,00,41,00,47,00,2c,00,20,00,57,\
00,61,00,6c,00,6c,00,64,00,6f,00,72,00,66,00,00,00,00,00,5a,00,19,00,01,00,\
46,00,69,00,6c,00,65,00,44,00,65,00,73,00,63,00,72,00,69,00,70,00,74,00,69,\
00,6f,00,6e,00,00,00,00,00,53,00,41,00,50,00,20,00,46,00,72,00,6f,00,6e,00,\
74,00,65,00,6e,00,64,00,20,00,66,00,6f,00,72,00,20,00,57,00,69,00,6e,00,64,\
00,6f,00,77,00,73,00,00,00,00,00,3c,00,0e,00,01,00,46,00,69,00,6c,00,65,00,\
56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,00,00,00,00,34,00,35,00,32,00,30,\
00,2e,00,32,00,2e,00,30,00,2e,00,31,00,30,00,37,00,30,00,00,00,32,00,09,00,\
01,00,49,00,6e,00,74,00,65,00,72,00,6e,00,61,00,6c,00,4e,00,61,00,6d,00,65,\
00,00,00,46,00,45,00,57,00,46,00,52,00,4f,00,4e,00,54,00,00,00,00,00,7a,00,\
2b,00,01,00,4c,00,65,00,67,00,61,00,6c,00,43,00,6f,00,70,00,79,00,72,00,69,\
00,67,00,68,00,02,00,00,00,00,00,00,00,01,00,00,00,4c,00,00,00,3c,fd,06,00,\
04,00,00,00,00,00,00,00,65,05,00,00,02,00,00,00,03,00,00,00,00,00,01,00,53,\
00,65,00,72,00,76,00,69,00,63,00,65,00,20,00,50,00,61,00,63,00,6b,00,20,00,\
33,00,00,00,23,00,54,02,00,00,00,02,00,00,8c,03,34,00,00,00,56,00,53,00,5f,\
00,56,00,45,00,52,00,53,00,49,00,4f,00,4e,00,5f,00,49,00,4e,00,46,00,4f,00,\
00,00,00,00,bd,04,ef,fe,00,00,01,00,03,00,9e,11,26,04,00,00,03,00,9e,11,26,\
04,00,00,3f,00,00,00,20,00,00,00,04,00,00,00,01,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,ec,02,00,00,01,00,53,00,74,00,72,00,69,00,6e,00,67,00,46,\
00,69,00,6c,00,65,00,49,00,6e,00,66,00,6f,00,00,00,c8,02,00,00,01,00,30,00,\
30,00,30,00,30,00,30,00,34,00,62,00,30,00,00,00,38,00,10,00,01,00,43,00,6f,\
00,6d,00,6d,00,65,00,6e,00,74,00,73,00,00,00,4f,00,72,00,69,00,67,00,6e,00,\
61,00,6c,00,20,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,00,00,42,00,11,\
00,01,00,43,00,6f,00,6d,00,70,00,61,00,6e,00,79,00,4e,00,61,00,6d,00,65,00,\
00,00,00,00,53,00,41,00,50,00,20,00,41,00,47,00,2c,00,20,00,57,00,61,00,6c,\
00,6c,00,64,00,6f,00,72,00,66,00,00,00,00,00,5a,00,19,00,01,00,46,00,69,00,\
6c,00,65,00,44,00,65,00,73,00,63,00,72,00,69,00,70,00,74,00,69,00,6f,00,6e,\
00,00,00,00,00,53,00,41,00,50,00,20,00,46,00,72,00,6f,00,6e,00,74,00,65,00,\
6e,00,64,00,20,00,66,00,6f,00,72,00,20,00,57,00,69,00,6e,00,64,00,6f,00,77,\
00,73,00,00,00,00,00,3c,00,0e,00,01,00,46,00,69,00,6c,00,65,00,56,00,65,00,\
72,00,73,00,69,00,6f,00,6e,00,00,00,00,00,34,00,35,00,31,00,30,00,2e,00,33,\
00,2e,00,30,00,2e,00,31,00,30,00,36,00,32,00,00,00,32,00,09,00,01,00,49,00,\
6e,00,74,00,65,00,72,00,6e,00,61,00,6c,00,4e,00,61,00,6d,00,65,00,00,00,46,\
00,45,00,57,00,46,00,52,00,4f,00,4e,00,54,00,00,00,00,00,7a,00,2b,00,01,00,\
4c,00,65,00,67,00,61,00,6c,00,43,00,6f,00,70,00,79,00,72,00,69,00,67,00,68,\
00,02,00,00,00,00,00,00,00,01,00,00,00,4c,00,00,00,3c,fd,06,00,04,00,00,00,\
00,00,00,00,65,05,00,00,02,00,00,00,03,00,00,00,00,00,01,00,53,00,65,00,72,\
00,76,00,69,00,63,00,65,00,20,00,50,00,61,00,63,00,6b,00,20,00,33,00,00,00,\
23,00,54,02,00,00,00,02,00,00,20,03,34,00,00,00,56,00,53,00,5f,00,56,00,45,\
00,52,00,53,00,49,00,4f,00,4e,00,5f,00,49,00,4e,00,46,00,4f,00,00,00,00,00,\
bd,04,ef,fe,00,00,01,00,00,00,04,00,f0,03,00,00,00,00,04,00,f0,03,00,00,3f,\
00,00,00,00,00,00,00,04,00,01,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,7e,02,00,00,01,00,53,00,74,00,72,00,69,00,6e,00,67,00,46,00,69,00,6c,\
00,65,00,49,00,6e,00,66,00,6f,00,00,00,5a,02,00,00,01,00,30,00,34,00,30,00,\
39,00,30,00,34,00,45,00,34,00,00,00,2e,00,07,00,01,00,43,00,6f,00,6d,00,70,\
00,61,00,6e,00,79,00,4e,00,61,00,6d,00,65,00,00,00,00,00,53,00,41,00,50,00,\
20,00,41,00,47,00,00,00,00,00,5a,00,19,00,01,00,46,00,69,00,6c,00,65,00,44,\
00,65,00,73,00,63,00,72,00,69,00,70,00,74,00,69,00,6f,00,6e,00,00,00,00,00,\
53,00,41,00,50,00,20,00,46,00,72,00,6f,00,6e,00,74,00,65,00,6e,00,64,00,20,\
00,66,00,6f,00,72,00,20,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,00,00,\
00,00,36,00,0b,00,01,00,46,00,69,00,6c,00,65,00,56,00,65,00,72,00,73,00,69,\
00,6f,00,6e,00,00,00,00,00,34,00,2e,00,30,00,2e,00,30,00,2e,00,31,00,30,00,\
30,00,38,00,00,00,00,00,2c,00,06,00,01,00,49,00,6e,00,74,00,65,00,72,00,6e,\
00,61,00,6c,00,4e,00,61,00,6d,00,65,00,00,00,46,00,52,00,4f,00,4e,00,54,00,\
00,00,5e,00,1d,00,01,00,4c,00,65,00,67,00,61,00,6c,00,43,00,6f,00,70,00,79,\
00,72,00,69,00,67,00,68,00,74,00,00,00,43,00,6f,00,70,00,79,00,72,00,69,00,\
67,00,68,00,74,00,20,00,a9,00,20,00,31,00,39,00,39,00,33,00,2d,00,31,00,39,\
00,39,00,37,00,20,00,53,00,41,00,50,00,20,00,41,00,47,00,00,00,00,00,28,00,\
00,00,01,00,4c,00,65,00,67,00,61,00,6c,00,54,00,72,00,61,00,64,00,02,00,00,\
00,00,00,00,00,01,00,00,00,4c,00,00,00,3c,fd,06,00,04,00,00,00,00,00,00,00,\
65,05,00,00,02,00,00,00,03,00,00,00,00,00,01,00,53,00,65,00,72,00,76,00,69,\
00,63,00,65,00,20,00,50,00,61,00,63,00,6b,00,20,00,33,00,00,00,23,00,54,02,\
00,00,00,02,00,00,18,03,34,00,00,00,56,00,53,00,5f,00,56,00,45,00,52,00,53,\
00,49,00,4f,00,4e,00,5f,00,49,00,4e,00,46,00,4f,00,00,00,00,00,bd,04,ef,fe,\
00,00,01,00,00,00,04,00,dd,03,00,00,00,00,04,00,dd,03,00,00,3f,00,00,00,00,\
00,00,00,04,00,01,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,78,02,\
00,00,01,00,53,00,74,00,72,00,69,00,6e,00,67,00,46,00,69,00,6c,00,65,00,49,\
00,6e,00,66,00,6f,00,00,00,54,02,00,00,01,00,30,00,34,00,30,00,39,00,30,00,\
34,00,45,00,34,00,00,00,2e,00,07,00,01,00,43,00,6f,00,6d,00,70,00,61,00,6e,\
00,79,00,4e,00,61,00,6d,00,65,00,00,00,00,00,53,00,41,00,50,00,20,00,41,00,\
47,00,00,00,00,00,5a,00,19,00,01,00,46,00,69,00,6c,00,65,00,44,00,65,00,73,\
00,63,00,72,00,69,00,70,00,74,00,69,00,6f,00,6e,00,00,00,00,00,53,00,41,00,\
50,00,20,00,46,00,72,00,6f,00,6e,00,74,00,65,00,6e,00,64,00,20,00,66,00,6f,\
00,72,00,20,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,00,00,00,00,34,00,\
0a,00,01,00,46,00,69,00,6c,00,65,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,\
00,00,00,00,00,34,00,2e,00,30,00,2e,00,30,00,2e,00,39,00,38,00,39,00,00,00,\
2c,00,06,00,01,00,49,00,6e,00,74,00,65,00,72,00,6e,00,61,00,6c,00,4e,00,61,\
00,6d,00,65,00,00,00,46,00,52,00,4f,00,4e,00,54,00,00,00,5e,00,1d,00,01,00,\
4c,00,65,00,67,00,61,00,6c,00,43,00,6f,00,70,00,79,00,72,00,69,00,67,00,68,\
00,74,00,00,00,43,00,6f,00,70,00,79,00,72,00,69,00,67,00,68,00,74,00,20,00,\
a9,00,20,00,31,00,39,00,39,00,33,00,2d,00,31,00,39,00,39,00,37,00,20,00,53,\
00,41,00,50,00,20,00,41,00,47,00,00,00,00,00,28,00,00,00,01,00,4c,00,65,00,\
67,00,61,00,6c,00,54,00,72,00,61,00,64,00,65,00,6d,00,02,00,00,00,00,00,00,\
00,01,00,00,00,4c,00,00,00,3c,fd,06,00,04,00,00,00,00,00,00,00,65,05,00,00,\
02,00,00,00,03,00,00,00,00,00,01,00,53,00,65,00,72,00,76,00,69,00,63,00,65,\
00,20,00,50,00,61,00,63,00,6b,00,20,00,33,00,00,00,23,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe]
"ApplicationGoo"=hex:58,02,00,00,54,02,00,00,00,02,00,00,6c,07,34,00,00,00,56,\
00,53,00,5f,00,56,00,45,00,52,00,53,00,49,00,4f,00,4e,00,5f,00,49,00,4e,00,\
46,00,4f,00,00,00,00,00,bd,04,ef,fe,00,00,01,00,05,00,05,00,07,00,a8,07,05,\
00,05,00,07,00,a8,07,3f,00,00,00,00,00,00,00,04,00,04,00,01,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,cc,06,00,00,01,00,53,00,74,00,72,00,69,00,6e,\
00,67,00,46,00,69,00,6c,00,65,00,49,00,6e,00,66,00,6f,00,00,00,54,03,00,00,\
01,00,30,00,34,00,30,00,39,00,30,00,34,00,42,00,30,00,00,00,18,00,00,00,01,\
00,43,00,6f,00,6d,00,6d,00,65,00,6e,00,74,00,73,00,00,00,4c,00,16,00,01,00,\
43,00,6f,00,6d,00,70,00,61,00,6e,00,79,00,4e,00,61,00,6d,00,65,00,00,00,00,\
00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,43,00,6f,00,\
72,00,70,00,6f,00,72,00,61,00,74,00,69,00,6f,00,6e,00,00,00,68,00,20,00,01,\
00,46,00,69,00,6c,00,65,00,44,00,65,00,73,00,63,00,72,00,69,00,70,00,74,00,\
69,00,6f,00,6e,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,\
00,74,00,20,00,45,00,78,00,63,00,68,00,61,00,6e,00,67,00,65,00,20,00,53,00,\
65,00,72,00,76,00,65,00,72,00,20,00,53,00,65,00,74,00,75,00,70,00,00,00,36,\
00,0b,00,01,00,46,00,69,00,6c,00,65,00,56,00,65,00,72,00,73,00,69,00,6f,00,\
6e,00,00,00,00,00,35,00,2e,00,35,00,2e,00,31,00,39,00,36,00,30,00,2e,00,37,\
00,00,00,00,00,2c,00,06,00,01,00,49,00,6e,00,74,00,65,00,72,00,6e,00,61,00,\
6c,00,4e,00,61,00,6d,00,65,00,00,00,53,00,65,00,74,00,75,00,70,00,00,00,9c,\
00,3c,00,01,00,4c,00,65,00,67,00,61,00,6c,00,43,00,6f,00,70,00,79,00,72,00,\
69,00,67,00,68,00,74,00,00,00,43,00,6f,00,70,00,79,00,72,00,69,00,67,00,68,\
00,74,00,20,00,02,00,00,00,00,00,00,00,01,00,00,00,4c,00,00,00,3c,fd,06,00,\
05,00,00,00,00,00,00,00,65,05,00,00,02,00,00,00,03,00,00,00,02,00,00,00,53,\
00,65,00,72,00,76,00,69,00,63,00,65,00,20,00,50,00,61,00,63,00,6b,00,20,00,\
34,00,00,00,23,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe]
"ApplicationGoo"=hex:58,02,00,00,54,02,00,00,00,02,00,00,44,02,34,00,00,00,56,\
00,53,00,5f,00,56,00,45,00,52,00,53,00,49,00,4f,00,4e,00,5f,00,49,00,4e,00,\
46,00,4f,00,00,00,00,00,bd,04,ef,fe,00,00,01,00,01,00,01,00,0c,00,00,00,01,\
00,01,00,0c,00,00,00,00,00,00,00,00,00,00,00,04,00,00,00,01,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,44,00,00,00,00,00,56,00,61,00,72,00,46,00,69,\
00,6c,00,65,00,49,00,6e,00,66,00,6f,00,00,00,00,00,24,00,04,00,00,00,54,00,\
72,00,61,00,6e,00,73,00,6c,00,61,00,74,00,69,00,6f,00,6e,00,00,00,00,00,09,\
04,b0,04,a4,01,00,00,01,00,53,00,74,00,72,00,69,00,6e,00,67,00,46,00,69,00,\
6c,00,65,00,49,00,6e,00,66,00,6f,00,00,00,80,01,00,00,01,00,30,00,34,00,30,\
00,39,00,30,00,34,00,42,00,30,00,00,00,40,00,20,00,01,00,43,00,6f,00,6d,00,\
70,00,61,00,6e,00,79,00,4e,00,61,00,6d,00,65,00,00,00,00,00,44,00,65,00,4c,\
00,6f,00,72,00,6d,00,65,00,20,00,4d,00,61,00,70,00,70,00,69,00,6e,00,67,00,\
00,00,44,00,22,00,01,00,50,00,72,00,6f,00,64,00,75,00,63,00,74,00,4e,00,61,\
00,6d,00,65,00,00,00,00,00,52,00,65,00,67,00,20,00,28,00,44,00,4c,00,69,00,\
62,00,62,00,79,00,5c,00,6d,00,73,00,66,00,29,00,00,00,00,00,34,00,14,00,01,\
00,46,00,69,00,6c,00,65,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,00,00,\
00,00,31,00,2e,00,30,00,31,00,2e,00,30,00,30,00,31,00,32,00,00,00,38,00,14,\
00,01,00,50,00,72,00,6f,00,64,00,75,00,63,00,74,00,56,00,65,00,72,00,73,00,\
69,00,6f,00,6e,00,00,00,31,00,2e,00,30,00,31,00,2e,00,30,00,30,00,31,00,32,\
00,00,00,34,00,12,00,01,00,49,00,6e,00,74,00,65,00,72,00,6e,00,61,00,6c,00,\
4e,00,61,00,6d,00,65,00,00,00,4d,00,4e,00,47,00,52,00,45,00,47,00,33,00,32,\
00,00,00,00,00,02,00,00,00,00,00,00,00,01,00,00,00,4c,00,00,00,3c,fd,06,00,\
04,00,00,00,00,00,00,00,65,05,00,00,02,00,00,00,03,00,00,00,00,00,01,00,53,\
00,65,00,72,00,76,00,69,00,63,00,65,00,20,00,50,00,61,00,63,00,6b,00,20,00,\
33,00,00,00,23,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE]
"GlobalFlag"="0x00200000"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE]
"GlobalFlag"="0x00200000"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE]
"DisableHeapLookAside"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE]
"DisableHeapLookAside"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe]
"ApplicationGoo"=hex:14,02,00,00,10,02,00,00,00,02,00,00,b4,02,34,00,00,00,56,\
00,53,00,5f,00,56,00,45,00,52,00,53,00,49,00,4f,00,4e,00,5f,00,49,00,4e,00,\
46,00,4f,00,00,00,00,00,bd,04,ef,fe,00,00,01,00,35,00,07,00,00,00,00,00,35,\
00,07,00,00,00,00,00,3f,00,00,00,00,00,00,00,04,00,00,00,01,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,12,02,00,00,01,00,53,00,74,00,72,00,69,00,6e,\
00,67,00,46,00,69,00,6c,00,65,00,49,00,6e,00,66,00,6f,00,00,00,ee,01,00,00,\
01,00,30,00,34,00,30,00,39,00,30,00,34,00,62,00,30,00,00,00,42,00,11,00,01,\
00,43,00,6f,00,6d,00,70,00,61,00,6e,00,79,00,4e,00,61,00,6d,00,65,00,00,00,\
00,00,50,00,65,00,6f,00,70,00,6c,00,65,00,53,00,6f,00,66,00,74,00,2c,00,20,\
00,49,00,6e,00,63,00,2e,00,00,00,00,00,28,00,00,00,01,00,46,00,69,00,6c,00,\
65,00,44,00,65,00,73,00,63,00,72,00,69,00,70,00,74,00,69,00,6f,00,6e,00,00,\
00,00,00,2a,00,05,00,01,00,46,00,69,00,6c,00,65,00,56,00,65,00,72,00,73,00,\
69,00,6f,00,6e,00,00,00,00,00,37,00,2e,00,35,00,33,00,00,00,00,00,9c,00,3c,\
00,01,00,4c,00,65,00,67,00,61,00,6c,00,43,00,6f,00,70,00,79,00,72,00,69,00,\
67,00,68,00,74,00,00,00,43,00,6f,00,70,00,79,00,72,00,69,00,67,00,68,00,74,\
00,20,00,a9,00,20,00,31,00,39,00,38,00,38,00,2d,00,31,00,39,00,39,00,38,00,\
20,00,50,00,65,00,6f,00,70,00,6c,00,65,00,53,00,6f,00,66,00,74,00,2c,00,20,\
00,49,00,6e,00,63,00,2e,00,20,00,20,00,41,00,6c,00,6c,00,20,00,52,00,69,00,\
67,00,68,00,74,00,73,00,20,00,52,00,65,00,73,00,65,00,72,00,76,00,65,00,64,\
00,00,00,3c,00,0a,00,01,00,4f,00,72,00,69,00,67,00,69,00,6e,00,61,00,6c,00,\
46,00,69,00,6c,00,65,00,6e,00,61,00,6d,00,65,00,00,00,70,00,73,00,64,00,6d,\
00,74,00,2e,00,10,00,00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE]
"DisableHeapLookAside"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE]
"DisableHeapLookAside"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe]
"ApplicationGoo"=hex:00,07,00,00,54,02,00,00,00,02,00,00,84,07,34,00,00,00,56,\
00,53,00,5f,00,56,00,45,00,52,00,53,00,49,00,4f,00,4e,00,5f,00,49,00,4e,00,\
46,00,4f,00,00,00,00,00,bd,04,ef,fe,00,00,01,00,05,00,05,00,07,00,a8,07,05,\
00,05,00,07,00,a8,07,3f,00,00,00,00,00,00,00,04,00,04,00,01,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,e4,06,00,00,01,00,53,00,74,00,72,00,69,00,6e,\
00,67,00,46,00,69,00,6c,00,65,00,49,00,6e,00,66,00,6f,00,00,00,60,03,00,00,\
01,00,30,00,34,00,30,00,39,00,30,00,34,00,42,00,30,00,00,00,18,00,00,00,01,\
00,43,00,6f,00,6d,00,6d,00,65,00,6e,00,74,00,73,00,00,00,4c,00,16,00,01,00,\
43,00,6f,00,6d,00,70,00,61,00,6e,00,79,00,4e,00,61,00,6d,00,65,00,00,00,00,\
00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,43,00,6f,00,\
72,00,70,00,6f,00,72,00,61,00,74,00,69,00,6f,00,6e,00,00,00,68,00,20,00,01,\
00,46,00,69,00,6c,00,65,00,44,00,65,00,73,00,63,00,72,00,69,00,70,00,74,00,\
69,00,6f,00,6e,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,\
00,74,00,20,00,45,00,78,00,63,00,68,00,61,00,6e,00,67,00,65,00,20,00,53,00,\
65,00,72,00,76,00,65,00,72,00,20,00,53,00,65,00,74,00,75,00,70,00,00,00,36,\
00,0b,00,01,00,46,00,69,00,6c,00,65,00,56,00,65,00,72,00,73,00,69,00,6f,00,\
6e,00,00,00,00,00,35,00,2e,00,35,00,2e,00,31,00,39,00,36,00,30,00,2e,00,37,\
00,00,00,00,00,2c,00,06,00,01,00,49,00,6e,00,74,00,65,00,72,00,6e,00,61,00,\
6c,00,4e,00,61,00,6d,00,65,00,00,00,53,00,65,00,74,00,75,00,70,00,00,00,9e,\
00,3d,00,01,00,4c,00,65,00,67,00,61,00,6c,00,43,00,6f,00,70,00,79,00,72,00,\
69,00,67,00,68,00,74,00,00,00,43,00,6f,00,70,00,79,00,72,00,69,00,67,00,68,\
00,74,00,20,00,02,00,00,00,00,00,00,00,01,00,00,00,4c,00,00,00,3c,fd,06,00,\
05,00,00,00,00,00,00,00,65,05,00,00,02,00,00,00,00,00,00,00,00,00,00,00,53,\
00,65,00,72,00,76,00,69,00,63,00,65,00,20,00,50,00,61,00,63,00,6b,00,20,00,\
33,00,00,00,24,00,54,02,00,00,00,02,00,00,a4,08,34,00,00,00,56,00,53,00,5f,\
00,56,00,45,00,52,00,53,00,49,00,4f,00,4e,00,5f,00,49,00,4e,00,46,00,4f,00,\
00,00,00,00,bd,04,ef,fe,00,00,01,00,05,00,05,00,07,00,a8,07,05,00,05,00,07,\
00,a8,07,3f,00,00,00,00,00,00,00,04,00,04,00,01,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,04,08,00,00,01,00,53,00,74,00,72,00,69,00,6e,00,67,00,46,\
00,69,00,6c,00,65,00,49,00,6e,00,66,00,6f,00,00,00,f0,03,00,00,01,00,30,00,\
34,00,30,00,39,00,30,00,34,00,42,00,30,00,00,00,18,00,00,00,01,00,43,00,6f,\
00,6d,00,6d,00,65,00,6e,00,74,00,73,00,00,00,4c,00,16,00,01,00,43,00,6f,00,\
6d,00,70,00,61,00,6e,00,79,00,4e,00,61,00,6d,00,65,00,00,00,00,00,4d,00,69,\
00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,43,00,6f,00,72,00,70,00,\
6f,00,72,00,61,00,74,00,69,00,6f,00,6e,00,00,00,68,00,20,00,01,00,46,00,69,\
00,6c,00,65,00,44,00,65,00,73,00,63,00,72,00,69,00,70,00,74,00,69,00,6f,00,\
6e,00,00,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,\
00,45,00,78,00,63,00,68,00,61,00,6e,00,67,00,65,00,20,00,53,00,65,00,72,00,\
76,00,65,00,72,00,20,00,53,00,65,00,74,00,75,00,70,00,00,00,36,00,0b,00,01,\
00,46,00,69,00,6c,00,65,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,00,00,\
00,00,35,00,2e,00,35,00,2e,00,31,00,39,00,36,00,30,00,2e,00,37,00,00,00,00,\
00,2c,00,06,00,01,00,49,00,6e,00,74,00,65,00,72,00,6e,00,61,00,6c,00,4e,00,\
61,00,6d,00,65,00,00,00,53,00,65,00,74,00,75,00,70,00,00,00,a6,00,41,00,01,\
00,4c,00,65,00,67,00,61,00,6c,00,43,00,6f,00,70,00,79,00,72,00,69,00,67,00,\
68,00,74,00,00,00,43,00,6f,00,70,00,79,00,72,00,69,00,67,00,68,00,74,00,20,\
00,02,00,00,00,00,00,00,00,01,00,00,00,4c,00,00,00,3c,fd,06,00,05,00,00,00,\
00,00,00,00,65,05,00,00,02,00,00,00,00,00,00,00,00,00,00,00,53,00,65,00,72,\
00,76,00,69,00,63,00,65,00,20,00,50,00,61,00,63,00,6b,00,20,00,33,00,00,00,\
24,00,54,02,00,00,00,02,00,00,18,04,34,00,00,00,56,00,53,00,5f,00,56,00,45,\
00,52,00,53,00,49,00,4f,00,4e,00,5f,00,49,00,4e,00,46,00,4f,00,00,00,00,00,\
bd,04,ef,fe,00,00,01,00,05,00,05,00,07,00,a8,07,05,00,05,00,07,00,a8,07,3f,\
00,00,00,00,00,00,00,04,00,04,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,78,03,00,00,01,00,53,00,74,00,72,00,69,00,6e,00,67,00,46,00,69,00,6c,\
00,65,00,49,00,6e,00,66,00,6f,00,00,00,54,03,00,00,01,00,30,00,34,00,30,00,\
39,00,30,00,34,00,42,00,30,00,00,00,18,00,00,00,01,00,43,00,6f,00,6d,00,6d,\
00,65,00,6e,00,74,00,73,00,00,00,4c,00,16,00,01,00,43,00,6f,00,6d,00,70,00,\
61,00,6e,00,79,00,4e,00,61,00,6d,00,65,00,00,00,00,00,4d,00,69,00,63,00,72,\
00,6f,00,73,00,6f,00,66,00,74,00,20,00,43,00,6f,00,72,00,70,00,6f,00,72,00,\
61,00,74,00,69,00,6f,00,6e,00,00,00,68,00,20,00,01,00,46,00,69,00,6c,00,65,\
00,44,00,65,00,73,00,63,00,72,00,69,00,70,00,74,00,69,00,6f,00,6e,00,00,00,\
00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,45,00,78,\
00,63,00,68,00,61,00,6e,00,67,00,65,00,20,00,53,00,65,00,72,00,76,00,65,00,\
72,00,20,00,53,00,65,00,74,00,75,00,70,00,00,00,36,00,0b,00,01,00,46,00,69,\
00,6c,00,65,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,00,00,00,00,35,00,\
2e,00,35,00,2e,00,31,00,39,00,36,00,30,00,2e,00,37,00,00,00,00,00,2c,00,06,\
00,01,00,49,00,6e,00,74,00,65,00,72,00,6e,00,61,00,6c,00,4e,00,61,00,6d,00,\
65,00,00,00,53,00,65,00,74,00,75,00,70,00,00,00,9a,00,3b,00,01,00,4c,00,65,\
00,67,00,61,00,6c,00,43,00,6f,00,70,00,79,00,72,00,69,00,67,00,68,00,74,00,\
00,00,43,00,6f,00,70,00,79,00,72,00,69,00,67,00,68,00,74,00,20,00,02,00,00,\
00,00,00,00,00,01,00,00,00,4c,00,00,00,3c,fd,06,00,05,00,00,00,00,00,00,00,\
65,05,00,00,02,00,00,00,00,00,00,00,00,00,00,00,53,00,65,00,72,00,76,00,69,\
00,63,00,65,00,20,00,50,00,61,00,63,00,6b,00,20,00,33,00,00,00,24,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll]
"ApplicationGoo"=hex:14,02,00,00,10,02,00,00,00,02,00,00,04,03,34,00,00,00,56,\
00,53,00,5f,00,56,00,45,00,52,00,53,00,49,00,4f,00,4e,00,5f,00,49,00,4e,00,\
46,00,4f,00,00,00,00,00,bd,04,ef,fe,00,00,01,00,1c,00,08,00,00,00,00,00,00,\
00,08,00,00,00,00,00,3f,00,00,00,00,00,00,00,04,00,00,00,01,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,64,02,00,00,01,00,53,00,74,00,72,00,69,00,6e,\
00,67,00,46,00,69,00,6c,00,65,00,49,00,6e,00,66,00,6f,00,00,00,40,02,00,00,\
01,00,30,00,34,00,30,00,39,00,30,00,34,00,62,00,30,00,00,00,44,00,12,00,01,\
00,43,00,6f,00,6d,00,70,00,61,00,6e,00,79,00,4e,00,61,00,6d,00,65,00,00,00,\
00,00,43,00,6f,00,72,00,65,00,6c,00,20,00,43,00,6f,00,72,00,70,00,6f,00,72,\
00,61,00,74,00,69,00,6f,00,6e,00,00,00,4e,00,13,00,01,00,46,00,69,00,6c,00,\
65,00,44,00,65,00,73,00,63,00,72,00,69,00,70,00,74,00,69,00,6f,00,6e,00,00,\
00,00,00,43,00,6f,00,72,00,65,00,6c,00,20,00,53,00,65,00,74,00,75,00,70,00,\
20,00,57,00,69,00,7a,00,61,00,72,00,64,00,00,00,00,00,2c,00,06,00,01,00,46,\
00,69,00,6c,00,65,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,00,00,00,00,\
38,00,2e,00,30,00,32,00,38,00,00,00,46,00,13,00,01,00,49,00,6e,00,74,00,65,\
00,72,00,6e,00,61,00,6c,00,4e,00,61,00,6d,00,65,00,00,00,43,00,6f,00,72,00,\
65,00,6c,00,20,00,53,00,65,00,74,00,75,00,70,00,20,00,57,00,69,00,7a,00,61,\
00,72,00,64,00,00,00,00,00,6c,00,24,00,01,00,4c,00,65,00,67,00,61,00,6c,00,\
43,00,6f,00,70,00,79,00,72,00,69,00,67,00,68,00,74,00,00,00,43,00,6f,00,70,\
00,79,00,72,00,69,00,67,00,68,00,74,00,20,00,a9,00,20,00,31,00,39,00,39,00,\
37,00,2c,00,20,00,43,00,6f,00,72,00,65,00,6c,00,20,00,43,00,6f,00,72,00,70,\
00,6f,00,72,00,08,00,00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe]
"ApplicationGoo"=hex:14,02,00,00,10,02,00,00,00,02,00,00,38,03,34,00,00,00,56,\
00,53,00,5f,00,56,00,45,00,52,00,53,00,49,00,4f,00,4e,00,5f,00,49,00,4e,00,\
46,00,4f,00,00,00,00,00,bd,04,ef,fe,00,00,01,00,02,00,0a,00,01,00,0a,00,02,\
00,0a,00,01,00,0a,00,00,00,00,00,00,00,00,00,04,00,01,00,01,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,98,02,00,00,01,00,53,00,74,00,72,00,69,00,6e,\
00,67,00,46,00,69,00,6c,00,65,00,49,00,6e,00,66,00,6f,00,00,00,74,02,00,00,\
01,00,30,00,34,00,30,00,39,00,30,00,34,00,45,00,34,00,00,00,4a,00,15,00,01,\
00,43,00,6f,00,6d,00,70,00,61,00,6e,00,79,00,4e,00,61,00,6d,00,65,00,00,00,\
00,00,53,00,79,00,6d,00,61,00,6e,00,74,00,65,00,63,00,20,00,43,00,6f,00,72,\
00,70,00,6f,00,72,00,61,00,74,00,69,00,6f,00,6e,00,00,00,00,00,60,00,1c,00,\
01,00,46,00,69,00,6c,00,65,00,44,00,65,00,73,00,63,00,72,00,69,00,70,00,74,\
00,69,00,6f,00,6e,00,00,00,00,00,53,00,79,00,6d,00,61,00,6e,00,74,00,65,00,\
63,00,20,00,53,00,79,00,6d,00,65,00,76,00,65,00,6e,00,74,00,20,00,49,00,6e,\
00,73,00,74,00,61,00,6c,00,6c,00,65,00,72,00,00,00,34,00,0a,00,01,00,46,00,\
69,00,6c,00,65,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,00,00,00,00,31,\
00,30,00,2e,00,32,00,2e,00,31,00,30,00,2e,00,31,00,00,00,30,00,08,00,01,00,\
49,00,6e,00,74,00,65,00,72,00,6e,00,61,00,6c,00,4e,00,61,00,6d,00,65,00,00,\
00,53,00,45,00,56,00,49,00,4e,00,53,00,54,00,00,00,7e,00,2d,00,01,00,4c,00,\
65,00,67,00,61,00,6c,00,43,00,6f,00,70,00,79,00,72,00,69,00,67,00,68,00,74,\
00,00,00,43,00,6f,00,70,00,79,00,72,00,69,00,67,00,68,00,74,00,20,00,28,00,\
43,00,29,00,20,00,53,00,79,00,6d,00,61,00,6e,00,74,00,65,00,63,00,20,00,43,\
00,6f,00,72,00,01,00,00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE]
"DisableHeapLookAside"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE]
"DisableHeapLookAside"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE]
"ApplicationGoo"=hex:14,02,00,00,10,02,00,00,00,02,00,00,7c,03,34,00,00,00,56,\
00,53,00,5f,00,56,00,45,00,52,00,53,00,49,00,4f,00,4e,00,5f,00,49,00,4e,00,\
46,00,4f,00,00,00,00,00,bd,04,ef,fe,00,00,01,00,00,00,01,00,09,00,26,00,00,\
00,01,00,09,00,26,00,3f,00,00,00,00,00,00,00,04,00,00,00,01,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,dc,02,00,00,01,00,53,00,74,00,72,00,69,00,6e,\
00,67,00,46,00,69,00,6c,00,65,00,49,00,6e,00,66,00,6f,00,00,00,b8,02,00,00,\
01,00,30,00,34,00,30,00,39,00,30,00,34,00,62,00,30,00,00,00,66,00,27,00,01,\
00,43,00,6f,00,6d,00,6d,00,65,00,6e,00,74,00,73,00,00,00,42,00,75,00,73,00,\
69,00,6e,00,65,00,73,00,73,00,20,00,49,00,6e,00,74,00,65,00,6c,00,6c,00,69,\
00,67,00,65,00,6e,00,63,00,65,00,20,00,6f,00,6e,00,20,00,45,00,76,00,65,00,\
72,00,79,00,20,00,44,00,65,00,73,00,6b,00,74,00,6f,00,70,00,00,00,00,00,48,\
00,14,00,01,00,43,00,6f,00,6d,00,70,00,61,00,6e,00,79,00,4e,00,61,00,6d,00,\
65,00,00,00,00,00,43,00,6f,00,67,00,6e,00,6f,00,73,00,20,00,49,00,6e,00,63,\
00,6f,00,72,00,70,00,6f,00,72,00,61,00,74,00,65,00,64,00,00,00,60,00,1c,00,\
01,00,46,00,69,00,6c,00,65,00,44,00,65,00,73,00,63,00,72,00,69,00,70,00,74,\
00,69,00,6f,00,6e,00,00,00,00,00,43,00,6f,00,67,00,6e,00,6f,00,73,00,20,00,\
47,00,65,00,6e,00,65,00,72,00,69,00,63,00,20,00,49,00,6e,00,73,00,74,00,61,\
00,6c,00,6c,00,61,00,74,00,69,00,6f,00,6e,00,00,00,38,00,0c,00,01,00,46,00,\
69,00,6c,00,65,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,00,00,00,00,31,\
00,2c,00,20,00,30,00,2c,00,20,00,33,00,38,00,2c,00,20,00,39,00,00,00,30,00,\
08,00,01,00,49,00,6e,00,74,00,65,00,72,00,6e,00,61,00,6c,00,4e,00,61,00,6d,\
00,65,00,00,00,01,00,00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path]
"Debugger"="ntsd -d"
"GlobalFlag"="0x000010F0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE]
"ApplicationGoo"=hex:14,02,00,00,10,02,00,00,00,02,00,00,a4,02,34,00,00,00,56,\
00,53,00,5f,00,56,00,45,00,52,00,53,00,49,00,4f,00,4e,00,5f,00,49,00,4e,00,\
46,00,4f,00,00,00,00,00,bd,04,ef,fe,00,00,01,00,00,00,01,00,01,00,00,00,00,\
00,01,00,01,00,00,00,3f,00,00,00,00,00,00,00,01,00,01,00,01,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,04,02,00,00,01,00,53,00,74,00,72,00,69,00,6e,\
00,67,00,46,00,69,00,6c,00,65,00,49,00,6e,00,66,00,6f,00,00,00,e0,01,00,00,\
01,00,30,00,34,00,30,00,39,00,30,00,34,00,45,00,34,00,00,00,20,00,00,00,01,\
00,43,00,6f,00,6d,00,70,00,61,00,6e,00,79,00,4e,00,61,00,6d,00,65,00,00,00,\
00,00,58,00,18,00,01,00,46,00,69,00,6c,00,65,00,44,00,65,00,73,00,63,00,72,\
00,69,00,70,00,74,00,69,00,6f,00,6e,00,00,00,00,00,49,00,4e,00,53,00,54,00,\
41,00,4c,00,4c,00,20,00,4d,00,46,00,43,00,20,00,41,00,70,00,70,00,6c,00,69,\
00,63,00,61,00,74,00,69,00,6f,00,6e,00,00,00,30,00,08,00,01,00,46,00,69,00,\
6c,00,65,00,56,00,65,00,72,00,73,00,69,00,6f,00,6e,00,00,00,00,00,31,00,2e,\
00,30,00,2e,00,30,00,30,00,31,00,00,00,30,00,08,00,01,00,49,00,6e,00,74,00,\
65,00,72,00,6e,00,61,00,6c,00,4e,00,61,00,6d,00,65,00,00,00,49,00,4e,00,53,\
00,54,00,41,00,4c,00,4c,00,00,00,24,00,00,00,01,00,4c,00,65,00,67,00,61,00,\
6c,00,43,00,6f,00,70,00,79,00,72,00,69,00,67,00,68,00,74,00,00,00,28,00,00,\
00,01,00,4c,00,65,00,67,00,61,00,6c,00,54,00,72,00,61,00,64,00,65,00,6d,00,\
61,00,72,00,6b,00,73,00,00,00,00,00,40,00,0c,00,01,00,4f,00,72,00,69,00,67,\
00,69,00,6e,00,61,00,6c,00,46,00,69,00,6c,00,65,00,6e,00,61,00,6d,00,65,00,\
00,00,49,00,4e,00,53,00,54,00,41,00,4c,00,4c,00,2e,00,45,00,58,00,45,00,00,\
00,30,00,08,00,08,00,00,00,00,00,00,00
Post by: guestolo on May 25, 2005, 12:32:26 AM
I may not see it till I get off work tomorrow, but I'll look for your post when I do
Post by: hotrod4x5 on May 25, 2005, 01:39:07 PM
HIJACK THIS log from Safe Mode:
Logfile of HijackThis v1.99.1
Scan saved at 11:25:27 AM, on 5/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\hijackthis\HijackThis.exe
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AdwareFilter - {1028F737-81E7-452B-A860-E50CAD90A08C} - C:\Program Files\AdwareFilterToolBar\AdwareFilter.dll
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [cwwtRkj9X] loaoice.exe
O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PhotoCAL Startup.lnk = C:\Program Files\PANTONE COLORVISION\PhotoCAL\PhotoCAL.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095064957359 (http://\"http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095064957359\")
O16 - DPF: {F3F322B5-26EE-46EB-8D03-030ACA4D6167} (Aurigma Image Uploader 2.5) - http://www.mpix.com/Customer/ImageUploader2.ocx (http://\"http://www.mpix.com/Customer/ImageUploader2.ocx\")
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: sdktemp - Unknown owner - C:\WINDOWS\sdktemp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Post by: Guest on May 26, 2005, 09:01:08 AM
I'm at work now, we'll fix this thing when I get back home
Thanks for your patience
Post by: guestolo on May 27, 2005, 12:21:41 AM
I think you cut off the bottom of the Mwav scan results, so I hope we can nail most of the infections
Try this
Can you do the following please
==Download and then Install
Ewido Trojan Scanner (http://\"http://download.ewido.net/ewido-setup.exe\")
When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that later
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup (http://\"http://downloads.stevengould.org/cleanup/CleanUp40.exe\")
Give the link time to load or try it twice, it may be busy
Alternate Download link (http://\"http://www.spywareaid.com/index.php?file=showsoftware&action=dl&softid=1&softtype=exe\")
We'll need this later
==Download the Killbox by Option^Explicit (http://\"http://www.atribune.org/downloads/KillBox.exe\"). [color=\"red\"]*In the event you already have Killbox, this is a new version that I need you to download[/color].
* Save it to your desktop or a folder
Print the rest of this out or save these instructions too a text file
Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- sdktemp
Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled
Open a Notepad file..Go to START>>RUN>>Type in notepad
Hit OK
[color=\"red\"]I need you to copy all of the Killbox file paths below and paste them into Notepad.[/color]
* Please double-click Killbox.exe to run it.
* Select "Delete on Reboot".
* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C
[color=\"purple\"]Killbox file paths to copy and paste to Notepad between dotted lines[/color]
===========================================
C:\WINDOWS\System32\msconfig32.exe
C:\WINDOWS\SYSTEM32\RDRIV.SYS
C:\WINDOWS\sdktemp.exe
C:\WINDOWS\Downloaded Program Files\PrevAdX.dll
C:\WINDOWS\cxtpls_loader.exe
C:\WINDOWS\gr.exe
C:\WINDOWS\INETSVC.EXE
C:\WINDOWS\kans.reg
C:\WINDOWS\kansup.reg
C:\WINDOWS\trufkz.html
C:\WINDOWS\System32\eraseme_12855.exe
C:\Documents and Settings\Rodney Ninow\MSDIRECTX.SYS
C:\a708.exe
C:\asd3.exe
C:\kans.reg
C:\kansup.reg
C:\kddsfj.exe
C:\kdsfj.exe
C:\m.exe
C:\mix.exe
C:\ns2.exe
===================================================
* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.
When Restarting, please Restart your computer to SAFE MODE
You can do that by tapping the F8 key as the computer is restarting just before Windows is ready to load
In safe mode
Open Hijackthis>>Open Misc Tools section>>Open "Delete an NT Service"
Copy and paste or type the bold line directly below into the open box and hit OK
sdktemp
==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DECLINE to Log off when scan is done
==Open Ewido trojan scanner
Click on the Scanner button in the left menu, then click on the Start button. This scan can take a while, so give it time to run
If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file.
Save the report
Do another scan with Hijackthis and put a check next to these entries:
Not all may be found, but fix what exists
R3 - Default URLSearchHook is missing
O3 - Toolbar: AdwareFilter - {1028F737-81E7-452B-A860-E50CAD90A08C} - C:\Program Files\AdwareFilterToolBar\AdwareFilter.dll
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\Run: [cwwtRkj9X] loaoice.exe
O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O23 - Service: sdktemp - Unknown owner - C:\WINDOWS\sdktemp.exe
After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
RESTART back to Normal mode
Download and save too Desktop
FixAprop.exe (http://\"http://securityresponse.symantec.com/avcenter/FixAprop.exe\")
by Symantec's
Run the tool and let it scan your drive and fix what it finds
Restart your computer
Back in Windows
Run another scan with Hijackthis and post a fresh log
Also post the Report from Ewidos
Could you also do the following
Download: Registry Search Tool from this link
http://billsway.com/vbspage/ (http://\"http://billsway.com/vbspage/\")
Unzip and double-click "RegSrch.vbs"
Note: if your Antivirus or another program prompts about running a ".vbs" file, allow the script to run
In the open field copy and paste the below in bold then hit OK
msdirectx
Wait for the results and post them back here
Post by: hotrod4x5 on May 27, 2005, 09:29:14 AM
Post by: guestolo on May 27, 2005, 06:37:25 PM
That link you supplied looks ok
But try here first if you haven't downloaded it already
http://www.downloads.subratam.org/KillBox.zip (http://\"http://www.downloads.subratam.org/KillBox.zip\")
Post by: hotrod4x5 on May 27, 2005, 07:05:14 PM
======================================
Logfile of HijackThis v1.99.1
Scan saved at 5:01:02 PM, on 5/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PhotoCAL Startup.lnk = C:\Program Files\PANTONE COLORVISION\PhotoCAL\PhotoCAL.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095064957359 (http://\"http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095064957359\")
O16 - DPF: {F3F322B5-26EE-46EB-8D03-030ACA4D6167} (Aurigma Image Uploader 2.5) - http://www.mpix.com/Customer/ImageUploader2.ocx (http://\"http://www.mpix.com/Customer/ImageUploader2.ocx\")
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
===========================================
EWIDO Log:
=========================
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 10:25:42 AM, 5/27/2005
+ Report-Checksum: 3D26A6AC
+ Date of database: 5/27/2005
+ Version of scan engine: v3.0
+ Duration: 118 min
+ Scanned Files: 165486
+ Speed: 23.29 Files/Second
+ Infected files: 27
+ Removed files: 27
+ Files put in quarantine: 27
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items:
C:\
D:\
E:\
L:\
+ Scan result:
C:\b.exe/kans.reg -> Trojan.WinREG.LowZones.f -> Cleaned with backup
C:\b.exe/kansup.reg -> Trojan.WinREG.LowZones.f -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\1349A753-5F6B-4405-BD68-9CAA06\7913CAD9-6E13-40DD-99D9-35515D -> Spyware.Ucmore.a -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\27D2C971-C79E-43AF-B739-C487BB\A98706DF-2A10-4838-832A-C4712E -> Spyware.BargainBuddy -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\57E042DF-9B69-4B54-9E99-03A82B\8F4170A6-E552-4006-A496-D9E950 -> Spyware.WinAD.ac -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\93F503E0-B44D-4007-91C4-0C65DF\48FA30EF-82A2-4FF1-9E12-0EF216 -> Spyware.180Solutions.e -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\93F503E0-B44D-4007-91C4-0C65DF\597E045B-3F33-4408-AB34-909F4C -> Spyware.180Solutions.g -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\BF4E0181-9724-48D9-B164-E5F080\402CF700-2B49-4690-AC5A-87448D -> Spyware.BargainBuddy -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\BF4E0181-9724-48D9-B164-E5F080\C577D4F6-7B06-4ED5-AD28-5B927C -> Spyware.BargainBuddy -> Cleaned with backup
C:\RECYCLER\NPROTECT\00003155 -> TrojanDownloader.Apropo.g -> Cleaned with backup
C:\RECYCLER\NPROTECT\00003160 -> Spyware.POP.dl -> Cleaned with backup
C:\RECYCLER\NPROTECT\00003174 -> Spyware.Apropos -> Cleaned with backup
C:\RECYCLER\NPROTECT\00003536.EXE -> Spyware.Apropos -> Cleaned with backup
C:\RECYCLER\NPROTECT\00003672.EXE -> Spyware.Apropos -> Cleaned with backup
C:\RECYCLER\NPROTECT\00003675.EXE -> TrojanDownloader.Apropo.g -> Cleaned with backup
C:\RECYCLER\NPROTECT\00003691 -> TrojanDownloader.Apropo.g -> Cleaned with backup
C:\RECYCLER\NPROTECT\00003692 -> Spyware.POP.dl -> Cleaned with backup
C:\RECYCLER\NPROTECT\00225336.EXE -> Backdoor.SdBot.xd -> Cleaned with backup
C:\sds.exe -> TrojanDownloader.Small.aqt -> Cleaned with backup
C:\slinstaller.exe -> TrojanDownloader.Agent.ex -> Cleaned with backup
C:\taskmanagr.exe -> Spyware.WinAD.z -> Cleaned with backup
C:\tt.exe/re11.REG -> Trojan.LowZones.a -> Cleaned with backup
C:\up.exe/re11.REG -> Trojan.LowZones.a -> Cleaned with backup
C:\upd.exe/re11.REG -> Trojan.LowZones.a -> Cleaned with backup
C:\WINDOWS\system32\loaoice.exe -> Trojan.AproposAd -> Cleaned with backup
C:\WINDOWS\system32\rdriv.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\WINDOWS\wkssvc.exe -> Backdoor.SdBot.xd -> Cleaned with backup
::Report End
=======================================
Post by: hotrod4x5 on May 27, 2005, 07:08:42 PM
I did notice that the appearance of windows has changed. It looks more like WIN 95 now, no more rounded windows.
Of course, the main goal after cleaning is to prevent this in the future!
I am guessing that you will have further instructions on how to prevent further infestations...
Thanks for all your help so far!
I have another system in my house which I know is majorly infected. Hopefully we can clean it out too!
Post by: hotrod4x5 on May 27, 2005, 07:25:22 PM
Virus found:
c;/windows/system32/TFTP2824
Unable to repair (I click OK)
Access to file denied (I click OK and the window closes)
All I had open was a Mozilla window reading an onlin forum for recreational vehicles.
Another thing I realized doing all this cleaning, my Norton real time protection had been disable without my knowing about it! I used to get these popups all the time, most saying acces to file denied, cannot repair.
Now that things are more cleaned up, I was able to run Norton and it found this.
Programs are now taking longer to open and the whole system slowed down somewhat again.
Thanks again for all your help!
Post by: guestolo on May 29, 2005, 02:34:01 PM
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
Save this file on the desktop
Code: [Select]
REGEDIT4
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSDIRECTX]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSDIRECTX]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msdirectx]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msdirectx]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdirectx]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000 Do another scan with Hijackthis and put a check next to these entries:
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Restart into safe mode
Delete that file
c:/windows/system32/TFTP2824
Don't delete tftp.exe
Double click on fix.reg and allow to add or Merge to the registry
Return to Normal mode
Run an Online Virus scan at Panda's
Save the report and post it back here along with a fresh Hijackthis log
http://www.pandasoftware.com/products/acti...n_principal.htm (http://\"http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm\")
Could you also download that registry search tool I asked for before and scan for msdirectx and post the results
Post by: hotrod4x5 on May 29, 2005, 03:24:04 PM
I have a question about TFTP.exe
Since it seemed to be the culprit of a lot of trojans/viruses that Norton kept finding, I deleted it along with all TFTP**** **** being a string of 4 numbers.
Since i deleted it, I no longer got any norton popups with trojans in that directory with the string TFTP****
Then I read you say not to delete TFTP.exe so I restored it from recycle bin.
Within 5 minutes of restoring it, Norton popped another virus warning, this time called TFTP2716
At that time my computer basically froze. I couldn't close OE, I couldn't switch between active windows, although I was able to brwose the web on the browser window that was active. Basically my computer became partially handicapped when I restored TFTP.exe
I think I read somewher else that if you are not hosting a TFTP site, you don't need it?
But you said not to delete it, so what is it and why do I keep getting viruses when it is not deleted?
Post by: hotrod4x5 on May 29, 2005, 03:48:03 PM
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "msdirectx" 5/29/2005 1:46:16 PM
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSDIRECTX]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSDIRECTX]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX]
=====================================================
Running the online virus scanner now, will post when finished
Post by: guestolo on May 29, 2005, 04:03:30 PM
# On the Windows taskbar, click Start > Search.
# Click All files and folders.
# In the "All or part of the file name" box, type, or copy and paste, the following file name:
tftp*.*
# Make sure that "Look in" is set to "Local Hard Drives" or to (C:).
# Click More advanced options.
# Check Search system folders.
# Check Search subfolders.
# Click Search.
Let me know what you find
Any 0 byte files found?
Also, the scan at Panda's would be a great help
Post by: hotrod4x5 on May 29, 2005, 04:16:28 PM
In the middle of this, I just got hit with another Norton pop up finding another trojan with the file name TFTP****
There seems to be no 0 byte files at the moment.
All that is found is tftp.exe in system32 folder, tftp.exe in system32/dllcache folder and TFTP.EXE-2FB50BCA.pf in windows/prefetch folder.
Post by: guestolo on May 29, 2005, 04:21:27 PM
We'll take it from there
Post by: guestolo on May 30, 2005, 08:38:15 PM
Download: Registrar Lite
http://www.resplendence.com/reglite (http://\"http://www.resplendence.com/reglite\")
Free link at the bottom of the page
Stay connected to the Internet at this time
Access your Add/Remove programs and remove if found
Preview AdService
UCmore - The Search Accelerator
If either of the above is found, follow the uninstall prompts carefully
Copy and paste these instructions too a Notepad file and then Close down all other windows
* Please double-click Killbox.exe to run it.
* Select "Delete on Reboot".
* Keep the Notepad file open and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C
[color=\"purple\"]Killbox file paths to copy and paste to Notepad between dotted lines[/color]
===========================================
C:\WINDOWS\ucmoreiex.exe
C:\Documents and Settings\Rodney Ninow\Favorites\Fun & Games
C:\Documents and Settings\Rodney Ninow\Favorites\Going Places
C:\Documents and Settings\Rodney Ninow\Favorites\Shop
C:\Documents and Settings\Rodney Ninow\Favorites\Technology
C:\WINDOWS\System32\msdirectx.sys
C:\up\update.html
C:\Program Files\Preview AdService\PrevAdComm.dll
C:\UCmore - The Search Accelerator\How To Uninstall.lnk
C:\UCmore - The Search Accelerator\UCmore Tour.lnk
C:\WINDOWS\update.html
C:\trufkz.html
===================================================
* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.
When Restarting, please Restart your computer to SAFE MODE
You can do that by tapping the F8 key as the computer is restarting just before Windows is ready to load
In Safe mode
Find and delete these folders
C:\UCmore - The Search Accelerator
C:\Program Files\Preview AdService
C:\up <-before deleting this folder, check out the contents, is it empty? If yes
go ahead and delete it, if there are other files in it and your unsure, don't remove it yet
But let me know what else you see in it
Run Windows CleanUp! again, don't log off or restart the computer yet
Can you access Internet Options via Control Panel
Under the Security tab
Can you check your settings under the 4 zones and reset to Defaults if unsure
of Custom level settings
Can you do the following please
Open Registrar Lite
Copy and paste the following line in bold into the top address bar of Registrar Lite and then hit GO
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSDIRECTX
Highlight LEGACY_MSDIRECTX on the left which shoud be a purple folder on the left
Right click on it and Delete it
If it won't delete
Right click on it and choose Properties
>>Permissions, >>Advanced button
Check the following
"Inherit from parent the permission entries that apply to child objects."
OK it and OK again
Then try and delete the key
Do the same for these entries of Legacy_Msdirectx
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSDIRECTX
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX
Exit Registrar lite
Restart back to Normal mode
Run another scan with Hijackthis and post a fresh log
Could you also run msdirectx through the Registry search tool again
Let me know if you find any instances, is so post them
Post by: hotrod4x5 on May 31, 2005, 12:56:57 PM
Second, no instances of msdirectx were found
Third, the latest hijack this log:
========================================
Logfile of HijackThis v1.99.1
Scan saved at 10:53:02 AM, on 5/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PhotoCAL Startup.lnk = C:\Program Files\PANTONE COLORVISION\PhotoCAL\PhotoCAL.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095064957359 (http://\"http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095064957359\")
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab (http://\"http://www.pandasoftware.com/activescan/as5/asinst.cab\")
O16 - DPF: {F3F322B5-26EE-46EB-8D03-030ACA4D6167} (Aurigma Image Uploader 2.5) - http://www.mpix.com/Customer/ImageUploader2.ocx (http://\"http://www.mpix.com/Customer/ImageUploader2.ocx\")
O17 - HKLM\System\CS2\Services\Tcpip\..\{04F2589F-6693-477E-AEBB-57D985018366}: NameServer = 66.59.235.1 64.30.215.129
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
============================================
Post by: hotrod4x5 on May 31, 2005, 07:37:35 PM
Norton just popped up a window:
Virus found:
c:/windows/system32/eraseme_45781.exe
Virus name: W32.Spybot.Worm
Unable to repair file
I click ok
Access to file denied
I click ok and the window closes.
I then tried to run a HiJack this log and the program froze right when it normally creates the log.
How do these darn things keep getting on my system??? Will I ever be safe from this crap?
Post by: guestolo on May 31, 2005, 08:24:31 PM
Save these instructions to a notepad file on the desktop
Reboot into Safe mode
In safe mode do the following
Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- Workstation Service Library
Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled
Afterwards, make sure that this file is gone, if not delete it
C:\WINDOWS\wkssvc.exe <-file
Delete this one too
c:/windows/system32/eraseme_45781.exe
If it won't delete will get later
Also, send the C:\up folder to the recyle bin
Open Hijackthis>>Open Misc tools section>>Open "Delete an NT Service"
In the new window in the open box, copy and paste, or type in the below in bold and then hit OK
Microsoft Locator Service
Afterwards
If eraseme_45781.exe wouldn't delete
Stay in safe mode and run Killbox.exe
In the full path of file to delete, copy and paste the below in bold and choose the radio button to Delete on Reboot
c:/windows/system32/eraseme_45781.exe
Then click the Red circle with the white X
Click Yes to Delete on Reboot and Yes to restart the computer
Back in Windows
I want to run another scan with Mwav, but let's clear out some files in the System Restore folder to make the log a little smaller
Normally I leave this till last, but I want to ensure we see the whole log
Can you do the following
If things seem better
Disable System Restore>>>Restart your computer>>Renable system restore
Take a look at this link ahead of time if your unsure how to do this
How to Disable and Re-enable System Restore feature (http://\"http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm\")
After system Restore is reenabled
Can you do the following
Please Redownload Mwav, in case it's been updated, and run another scan and post the log from it
Also post a fresh Hijackthis log
Here the link and instructions again for eScan's mwav
====================================
==Download this virus checker from eScan
Mwav.exe (http://\"ftp://ftp.microworldsystems.com/download/tools/mwav.exe\")
There's nothing to install, Save to your desktop
Double click to run eScan's Mwav scan
It will self extract
Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
This may take awhile, let it finish
In the Virus Log Information Pane
Left click and Highlight all the info in the Lower pane--- Use "CTRL and the C" keys on your Keyboard to copy all found in the lower pane and Paste it back here
****If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning
We just want to see where the bad guys are
===========================================
One more request
Go to START>>RUN>>COPY AND PASTE the bold line into the open field and then
Click OK
regedit /e C:\find4.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
Copy and paste back the contents of C:\find4.txt
Post by: hotrod4x5 on June 01, 2005, 09:39:16 AM
Norton always says unable to repair, then you click OK, then it says access to file denied.
Doing a file search this morning for anything with TFTP didn't reveal the above mentioned file, but it did fiind TFTP3408, which is 0 bytes. Of course it also found 2 instances of the TFTP.exe file, located in system32 and system32/dllcache.
Here is the new MWAV scan, scanned after the above mentioned incident:
=========================================================================
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\PrevAdX.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Chs.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Cht.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Deu.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Esp.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Fra.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Ita.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Jpn.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-kor.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Nld.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Ptg.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Chs.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Cht.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Deu.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Esp.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Fra.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Ita.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Kor.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Nld.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Ptg.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Jpn.nls". Action Taken: No Action Taken.
Entry "HKCR\DXImageTransform.WebExtenderClient" refers to invalid object "{3CDFE52B-AFAF-4C37-1420-807EA3484639}". Action Taken: No Action Taken.
File C:\WINDOWS\System32\i infected by "Trojan-Downloader.BAT.Ftp.ab" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy.zip infected by "Password-protected-EXE" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ExactAdvertisingBargainsBuddy18.zip infected by "Password-protected-EXE" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy3.zip infected by "Password-protected-EXE" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ExactAdvertisingBargainsBuddy52.zip infected by "Password-protected-EXE" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\0F1AE793-3838-411A-AAC0-51FE49\4222A183-459F-4938-9D64-CD1EA5 infected by "Trojan.Win32.Pakes" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\0F1AE793-3838-411A-AAC0-51FE49\4FF15830-3DB5-41AC-AFDE-8C00A7 infected by "Trojan.Win32.Pakes" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\27E69CBF-CAFC-476A-B573-3645CC\8B69F6EC-6554-43CB-BE55-491122 infected by "Trojan.Win32.Pakes" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\27E69CBF-CAFC-476A-B573-3645CC\9E95CF82-01BD-442B-98FC-2BF38D infected by "Trojan.Win32.Pakes" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\93F503E0-B44D-4007-91C4-0C65DF\C033A5F8-1F01-48C0-883B-73A06A tagged as "not-a-virus:AdWare.180Solutions.g". Action Taken: No Action Taken.
File C:\WINDOWS\system32\i infected by "Trojan-Downloader.BAT.Ftp.ab" Virus! Action Taken: No Action Taken.
File L:\Backup 10-18-04\Photo Shoots\Weddings\New Folder\DivX player\DivX502Bundle.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
=====================================================
latests HIJACK this scan:
====================================================
Logfile of HijackThis v1.99.1
Scan saved at 7:32:45 AM, on 6/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PhotoCAL Startup.lnk = C:\Program Files\PANTONE COLORVISION\PhotoCAL\PhotoCAL.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095064957359 (http://\"http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095064957359\")
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab (http://\"http://www.pandasoftware.com/activescan/as5/asinst.cab\")
O16 - DPF: {F3F322B5-26EE-46EB-8D03-030ACA4D6167} (Aurigma Image Uploader 2.5) - http://www.mpix.com/Customer/ImageUploader2.ocx (http://\"http://www.mpix.com/Customer/ImageUploader2.ocx\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{04F2589F-6693-477E-AEBB-57D985018366}: NameServer = 66.59.235.1 64.30.215.129
O17 - HKLM\System\CS1\Services\Tcpip\..\{04F2589F-6693-477E-AEBB-57D985018366}: NameServer = 66.59.235.1 64.30.215.129
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
====================================================
Contents of find4.txt:
=====================================================
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
00
"LsaPid"=dword:000004e8
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"Windows Processe Manager"="mspn32.exe"
"Compaq32 Service Drivers"="msconfig32.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\
54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\
00,69,00,64,00,65,00,72,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:61,5d,6c,9e,8c,bd,68,2d,42,0e,9e,5f,a0,72,21,1a,62,33,35,33,33,\
39,32,63,00,68,07,00,01,00,00,00,d8,00,00,00,dc,00,00,00,48,fa,06,00,d6,48,\
5a,74,04,00,00,00,a0,fd,06,00,b8,fd,06,00,38,59,c0,d5
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:c8,ab,84,fa,db,24,4a,4b,14
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:30,82,25,8f,98,4a
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0]
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:85,11,13,0a,7e,c2,9d,64,a3,d2,3c,e1,05,a5,ee,4b
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:76,3c,5c,fe,6f,99,c4,01
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,60,bd,99,53,4f,c2,01
"Type"=dword:00000031
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,60,bd,99,53,4f,c2,01
"Type"=dword:00000031
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,60,bd,99,53,4f,c2,01
"Type"=dword:00000031
======================================================
Post by: hotrod4x5 on June 01, 2005, 09:42:07 AM
I will not download SP2, as I do have the disk for it, but it caused network problems when we tried it on one of our computers at here at home, and I have some friends who also had problems with it.
Post by: guestolo on June 01, 2005, 08:10:27 PM
Yes please, visit Windows updates and for now install all Latest Critical updates
Can you look for these files please and remove if found, let me know if you deleted them
C:\WINDOWS\system32\i
C:\WINDOWS\system32\mspn32.exe
Could you also
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
Save this file on the desktop
Code: [Select]
Windows Registry Editor Version 5.00
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/PrevAdX.dll]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Windows Processe Manager"=-
"Compaq32 Service Drivers"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"Double click on fix.reg and allow to merge to the registry
Restart your computer
Can you use the Registry search tool and enter this next entry to it and wait for the log and post it
mspn32.exe
Run this entry through also
msconfig32.exe
Post by: hotrod4x5 on June 01, 2005, 08:18:44 PM
I just tried to run a windows update and got the same problem I had last time:
======================================
[Error number: 0x8DDD0018]
Windows Update cannot continue because a required service application is disabled. Windows Update requires the following services:
Automatic Updates enables detection, downloading, and installation of critical updates for your computer.
Background Intelligent Transfer Service (BITS) enables faster, restartable downloading of updates.
Event Log logs Windows Update events for troubleshooting. To ensure that these services are enabled:
1. Click Start, and then click Run.
2. Type services.msc and then click OK.
3. In the list of services, right-click the service name, and then click Properties.
4. In the Startup type list, select Automatic.
5. Verify that the service status is started.
==========================================
A few weeks ago, I followed all the instructions they told me, but it still never started working.
Post by: guestolo on June 01, 2005, 09:27:15 PM
Found some more details at Symantec's
I just want to see the last output's from the Registry search tool after you have done the above
Post by: hotrod4x5 on June 02, 2005, 10:14:06 AM
I found the file "i" and deleted it. I did not find the other file you said to look for.
I did the fix reg instructions.
REG SEARCH results for mspn32.exe
============================================
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "mspn32.exe" 6/2/2005 8:08:29 AM
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"Windows Processe Manager"="mspn32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows Processe Manager]
"command"="mspn32.exe"
[HKEY_USERS\.DEFAULT\Software\Microsoft\OLE]
"Windows Processe Manager"="mspn32.exe"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Processe Manager"="mspn32.exe"
[HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa]
"Windows Processe Manager"="mspn32.exe"
[HKEY_USERS\S-1-5-21-220523388-73586283-839522115-1004\Software\Microsoft\OLE]
"Windows Processe Manager"="mspn32.exe"
[HKEY_USERS\S-1-5-21-220523388-73586283-839522115-1004\SYSTEM\CurrentControlSet\Control\Lsa]
"Windows Processe Manager"="mspn32.exe"
[HKEY_USERS\S-1-5-18\Software\Microsoft\OLE]
"Windows Processe Manager"="mspn32.exe"
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Processe Manager"="mspn32.exe"
[HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control\Lsa]
"Windows Processe Manager"="mspn32.exe"
======================================================
REG SEARCH results for msconfig32.exe
=======================================================
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "msconfig32.exe" 6/2/2005 8:12:39 AM
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"Compaq32 Service Drivers"="msconfig32.exe"
[HKEY_USERS\.DEFAULT\Software\Microsoft\OLE]
"Compaq32 Service Drivers"="msconfig32.exe"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Compaq32 Service Drivers"="msconfig32.exe"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Compaq32 Service Drivers"="msconfig32.exe"
[HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa]
"Compaq32 Service Drivers"="msconfig32.exe"
[HKEY_USERS\S-1-5-21-220523388-73586283-839522115-1004\Software\Microsoft\OLE]
"Compaq32 Service Drivers"="msconfig32.exe"
[HKEY_USERS\S-1-5-21-220523388-73586283-839522115-1004\SYSTEM\CurrentControlSet\Control\Lsa]
"Compaq32 Service Drivers"="msconfig32.exe"
[HKEY_USERS\S-1-5-18\Software\Microsoft\OLE]
"Compaq32 Service Drivers"="msconfig32.exe"
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"Compaq32 Service Drivers"="msconfig32.exe"
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Compaq32 Service Drivers"="msconfig32.exe"
[HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control\Lsa]
"Compaq32 Service Drivers"="msconfig32.exe"
=======================================================
Guess that is all you for now, thanks!
Post by: guestolo on June 03, 2005, 12:17:30 AM
Can you do the following please
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as repair.reg
Save this file on the desktop
Code: [Select]
Windows Registry Editor Version 5.00
[HKEY_USERS\S-1-5-21-220523388-73586283-839522115-1004\Software\Microsoft\OLE]
"Compaq32 Service Drivers"=-
"Windows Processe Manager"=-
[HKEY_USERS\S-1-5-21-220523388-73586283-839522115-1004\SYSTEM\CurrentControlSet\Control\Lsa]
"Compaq32 Service Drivers"=-
"Windows Processe Manager"=-
[HKEY_USERS\S-1-5-18\Software\Microsoft\OLE]
"Compaq32 Service Drivers"=-
"Windows Processe Manager"=-
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"Compaq32 Service Drivers"=-
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Compaq32 Service Drivers"=-
"Windows Processe Manager"=-
[HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control\Lsa]
"Compaq32 Service Drivers"=-
"Windows Processe Manager"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"Windows Processe Manager"=-
"Compaq32 Service Drivers"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\OLE]
"Windows Processe Manager"=-
"Compaq32 Service Drivers"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Processe Manager"=-
"Compaq32 Service Drivers"=-
[HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa]
"Windows Processe Manager"=-
"Compaq32 Service Drivers"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows Processe Manager]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iTunesMusic]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_ITUNESMUSIC]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_RDRIV]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"AUOptions"=dword:00000004
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions]
"Installed Time"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions]
"Record"=-
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareWks"=-
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=-
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanworkstation\parameters]
"AutoShareWks"=-
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanworkstation\parameters]
"AutoShareServer"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@=""
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
"shell"=dword:00000000
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@=""
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
"shell"=dword:00000000We'll need this reg file later
But first can I ask you to run one more scan please
Can you create a folder on your desktop
(Right click an empty spot on your desktop
Select NEW>>Folder)
Name it something you will remember
Next: Download and save to that folder
SysClean Package from Trend Micros (http://\"http://www.trendmicro.com/ftp/products/tsc/sysclean.com\")
After you have that downloaded and saved to that folder
You must do the following
Get the Latest Pattern files for SysClean
Download this ZIP file from the link below and save it too the same folder as SysClean Package
UNZIP(Extract) the contents of the zipped file to the same folder
Here's the link
http://www.trendmicro.com/download/pattern.asp (http://\"http://www.trendmicro.com/download/pattern.asp\")
Once you have it unzipped can you please restart into safe mode
In safe mode
Double click on repair.reg and allow to add or merge to the registry
Open the folder you saved SysClean Package
and Double click on SysClean.com and let it run and finish a scan
Restart back to Normal mode
Post the log from Sysclean
Could you also post a fresh Hijackthis log
Post by: guestolo on June 05, 2005, 07:09:50 AM
/blink.gif\' class=\'bbc_emoticon\' alt=\':blink:\' /> I just ran it myself and it took about 45 minutes
I wouldn't want you running it again unless you first revisited Trend Micro's and redownloaded the latest patern files and unzipping them to that folder you created on the desktop
As it's been updated
It appears it finished scanning your C: drive
At least I hope it did
You may of cho0se to unplug your external drive before scanning
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' /> Also ensure that Norton's is disabled...
Could I have you
post a startup list from Hijackthis
Open Hijackthis>>Open Misc tools section
Put a check in "List all minor sections (full)"
and "List empty sections (Complete)
Click the Generate startup list and post the whole list here, thanks
Post by: guestolo on June 05, 2005, 10:24:42 AM
C:\Windows\ItunesMusic.exe
If you can, delete it
Also ensure this one is gone
C:\WINDOWS\system32\rdriv.sys
Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- cel90xbe
Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled
Run Windows cleanup!
Log off and back on after running it
Go to START>>RUN>>Type in services.msc
Hit OK
Navigate to
Automatic Updates
Set to Automatic and then Start the service
Visit Windows updates and install all latest Critical updates if you can
Are you using Norton's Firewall?
If not can you enable XP' firewall?
Post by: hotrod4x5 on June 05, 2005, 10:59:36 PM
Did not have the service, cel90xbe.
Ran a clean up, cleaned up 70+ megs.
Turned on automatic updates under services.
I was able now to access windows update, but the only update it suggested was service pack 2. Which I have on a disk, but haven't installed yet, as explained earlier.
You didn't ask for this, but here is the latest HiJACK THIS:
=================================================
Logfile of HijackThis v1.99.1
Scan saved at 8:58:51 PM, on 6/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PhotoCAL Startup.lnk = C:\Program Files\PANTONE COLORVISION\PhotoCAL\PhotoCAL.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095064957359 (http://\"http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095064957359\")
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab (http://\"http://www.pandasoftware.com/activescan/as5/asinst.cab\")
O16 - DPF: {F3F322B5-26EE-46EB-8D03-030ACA4D6167} (Aurigma Image Uploader 2.5) - http://www.mpix.com/Customer/ImageUploader2.ocx (http://\"http://www.mpix.com/Customer/ImageUploader2.ocx\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{04F2589F-6693-477E-AEBB-57D985018366}: NameServer = 66.59.235.1 64.30.215.129
O17 - HKLM\System\CS1\Services\Tcpip\..\{04F2589F-6693-477E-AEBB-57D985018366}: NameServer = 66.59.235.1 64.30.215.129
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
==================================================
Post by: hotrod4x5 on June 05, 2005, 11:12:59 PM
But I think I tried using it once and it interfered with my network, but I will try it.
Post by: guestolo on June 08, 2005, 12:24:03 AM
Not that I want you to run Nortons firewall and XP's at the same time
But can you let me know if you can enable XP's Firewall please
Post by: hotrod4x5 on June 08, 2005, 11:30:20 AM
Not that I want you to run Nortons firewall and XP's at the same time
But can you let me know if you can enable XP's Firewall please
[post=\"44375\"]<{POST_SNAPBACK}>[/post]
[/quote]As far as I can tell, everything seems to be working correctly. I do not have Norton's firewall installed, nor do I own the program.
I did enable the windows xp firewall, the "internet connection firewall" is the one I enable, I am assuming that is the correct one?
Previously I was unable to share my internet connection, which I could share before all the spyware, and now that sharing has been restored.
I guess everything is working good, but I have doubts about my ability to keep it all from coming back.
I saw a news special a few nights ago where they ran Ad Aware and it found no spyware. Then they visitied a half dozen kid's sites, not sure which ones, and after, Ad Aware found a whole bunch of spyware. Of course the companies denied having anything to do with it.
But that news story bothers me.
Will the internect connection firewall protect my computer?
Also, I have two other computers on my network. A win98se machine and another XP Home SP1 machine. The other XP machine is the kids computer and I know it is majorly infected.
Will that computer somehow infect my computer that is now apparently clean?
I'm going to start a new thread with a hijack this from my kid's computer so we can start cleaning it.
Thanks again for all your help, it is amazing to me that you do this for free! I would like to help pay for some of the needs that arise from running a site like this, what are the methods that I can do this?
Post by: guestolo on June 08, 2005, 11:41:18 AM
Make sure you do some final cleanup
If everything is running better
You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature (http://\"http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm\")
Once back in Windows and System Restore is reenabled
You should set up protection against future attacks
SpywareBlaster 3.4 by JavaCool (http://\"http://www.javacoolsoftware.com/spywareblaster.html\")
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://\"http://www.bleepingcomputer.com/forums/index.php?showtutorial=53\")
Download link (http://\"https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD\")
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply click the "enable all protection"
I know your against SP2, you may of had problems because of the junk on your computer
Please read this
http://www.microsoft.com/windowsxp/sp2/default.mspx (http://\"http://www.microsoft.com/windowsxp/sp2/default.mspx\")
Having XP's firewall enabled is better than nothing
Personally, I would download a third party firewall such as Sygates
Once installed and enabled go ahead and disable XP's firewall
You don't need more than one firewall running
Here's a link if your interested
http://www.tucows.com/preview/213160.html (http://\"http://www.tucows.com/preview/213160.html\")
and here's there homepage
http://smb.sygate.com/products/spf_standard.htm (http://\"http://smb.sygate.com/products/spf_standard.htm\")
You can download the free version from either location
EDIT>>Your version of Java is out of date also
I never find the updater that reliable
Personally, I would access your Control Panel and open the Java Icon, under the Cache tab, Clear all cache
Next: I would access the Add/Remove programs and remove the version of Java you have installed now and then download and install the latest version from this link
I like to go with the Windows offline installation
http://www.java.com/en/download/manual.jsp (http://\"http://www.java.com/en/download/manual.jsp\")
Post by: hotrod4x5 on June 08, 2005, 11:51:50 AM
http://www.thetechguide.com/forum/index.php?showtopic=18121 (http://\"http://www.thetechguide.com/forum/index.php?showtopic=18121\")
Post by: hotrod4x5 on June 27, 2005, 10:12:09 PM
Hopefully I can add to this post and you can help me out some more.
I let automatic updates install SP2. All seems fine, although it hung up on initial reboot on the "please wait" screen, but I restarted manually from there and it seems ok.
Now I am getting a security popup telling me windows firewall is off and I should turn it on.
But when I try to turn it on, I cannot, the options are grayed out and it says: " For your secuirty some settings are controlled by group policy."
Here is a hijack this log from today:
======================================================
Logfile of HijackThis v1.99.1
Scan saved at 8:10:45 PM, on 6/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\PHASEO~1\CAPTUR~1\DCIMImp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PhotoCAL Startup.lnk = C:\Program Files\PANTONE COLORVISION\PhotoCAL\PhotoCAL.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095064957359 (http://\"http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095064957359\")
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab (http://\"http://www.pandasoftware.com/activescan/as5/asinst.cab\")
O16 - DPF: {F3F322B5-26EE-46EB-8D03-030ACA4D6167} (Aurigma Image Uploader 2.5) - http://www.mpix.com/Customer/ImageUploader2.ocx (http://\"http://www.mpix.com/Customer/ImageUploader2.ocx\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{04F2589F-6693-477E-AEBB-57D985018366}: NameServer = 66.59.235.1 64.30.215.129
O17 - HKLM\System\CS1\Services\Tcpip\..\{04F2589F-6693-477E-AEBB-57D985018366}: NameServer = 66.59.235.1 64.30.215.129
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
==========================================================
Anything in here that doesn't belong?
Thanks again!
Post by: guestolo on June 27, 2005, 11:02:32 PM
I guess we may as well add to this one
Can I have you do the following please
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
Save this file on the desktop
Code: [Select]
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000002 Double click on fix.reg and allow to add or Merge to the registry
Restart your computer afterwards
Let me know if Windows firewall is now enabled
Post by: guestolo on July 01, 2005, 09:57:44 PM
If you need it reopened please PM a Mod or the site Admin and supply a link to this thread
Take care Hotrod