1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Hell virus Help

Discussion in 'Malware and Virus Removal Archive' started by z4u, 2007/03/07.

Page 1 of 2
  1. 2007/03/07
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    File: 5AA45A25.exe
    Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5 ae5e929cd1e9ecc4d5cb81c99e558eda
    AntiVir Found HEUR/Crypted
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing
    this virus keep coming n during start windows even i delete file after restart file again back how can i get rid from this
    this is startup log plz help very hard to remove this infected file plz help
    StartupList report, 3/7/2007, 11:01:55 PM
    StartupList version: 1.52
    Started from : C:\HijackThis.EXE
    Detected: Windows 2000 (WinNT 5.00.2195)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    * Including empty and uninteresting sections
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINNT\System32\CafeAgent.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\wwSecure.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
    C:\WINNT\System32\taskmgr.exe
    C:\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\ZR31\Start Menu\Programs\Startup]
    *No files*

    Shell folders AltStartup:
    *Folder not found*

    User shell folders Startup:
    *Folder not found*

    User shell folders AltStartup:
    *Folder not found*

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    *No files*

    Shell folders Common AltStartup:
    *Folder not found*

    User shell folders Common Startup:
    *Folder not found*

    User shell folders Alternate Common Startup:
    *Folder not found*

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    *Registry value not found*

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Synchronization Manager = mobsync.exe /logon
    CafeAgent = "C:\WINNT\System32\CafeAgent.exe" /normal
    avgnt = "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    nwiz = "nwiz.exe" /install
    NvCplDaemon = "RUNDLL32.EXE" C:\WINNT\System32\NvCpl.dll,NvStartup
    TrojanScanner = C:\Program Files\Trojan Remover\Trjscan.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    CafeAgent = "C:\WINNT\System32\CafeAgent.exe" /normal

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    [OptionalComponents]
    *No values found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .COM:
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .BAT:
    HKEY_CLASSES_ROOT\batfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .PIF:
    HKEY_CLASSES_ROOT\piffile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command

    (Default) = "%1" /S

    --------------------------------------------------

    File association entry for .HTA:
    HKEY_CLASSES_ROOT\htafile\shell\open\command

    (Default) = C:\WINNT\System32\mshta.exe "%1" %*

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINNT\inf\unregmp2.exe /ShowWMP

    [>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
    StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

    [{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\System32\ie4uinit.exe

    [{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
    StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

    --------------------------------------------------

    Enumerating ICQ Agent Autostart apps:
    HKCU\Software\Mirabilis\ICQ\Agent\Apps

    *Registry key not found*

    --------------------------------------------------

    Load/Run keys from C:\WINNT\WIN.INI:

    load=*INI section not found*
    run=*INI section not found*

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=
    HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

    --------------------------------------------------

    Shell & screensaver key from C:\WINNT\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINNT\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINNT\Explorer\Explorer.exe: not present
    C:\WINNT\System\Explorer.exe: not present
    C:\WINNT\System32\Explorer.exe: not present
    C:\WINNT\Command\Explorer.exe: not present
    C:\WINNT\Fonts\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Verifying REGEDIT.EXE integrity:

    - Regedit.exe found in C:\WINNT
    - .reg open command is normal (regedit.exe %1)
    - Company name OK: 'Microsoft Corporation'
    - Original filename OK: 'REGEDIT.EXE'
    - File description: 'Registry Editor'

    Registry check passed

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll - {9394EDE7-C8B5-483E-8773-474BF36AF6E4}
    (no name) - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    *No jobs found*

    --------------------------------------------------

    Enumerating Download Program Files:

    [DirectAnimation Java Classes]
    CODEBASE = file://C:\WINNT\Java\classes\dajava.cab
    OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

    [Microsoft XML Parser for Java]
    CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab
    OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd

    [BDSCANONLINE Control]
    InProcServer32 = C:\WINNT\DOWNLO~1\CONFLICT.1\oscan8.ocx
    CODEBASE = http://download.bitdefender.com/resources/scan8/oscan8.cab

    [HouseCall Control]
    InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx
    CODEBASE = http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab

    [Java Plug-in 1.5.0_03]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\asinst.dll
    CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

    [a-squared Scanner]
    InProcServer32 = C:\WINNT\DOWNLO~1\asquared.ocx
    CODEBASE = http://ax.emsisoft.com/asquared.cab

    [Java Plug-in 1.5.0_03]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINNT\System32\Macromed\Flash\Flash9b.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating Winsock LSP files:

    NameSpace #1: C:\WINNT\System32\rnr20.dll
    NameSpace #2: C:\WINNT\System32\winrnr.dll
    Protocol #1: C:\WINNT\system32\msafd.dll
    Protocol #2: C:\WINNT\system32\msafd.dll
    Protocol #3: C:\WINNT\system32\msafd.dll
    Protocol #4: C:\WINNT\system32\rsvpsp.dll
    Protocol #5: C:\WINNT\system32\rsvpsp.dll
    Protocol #6: C:\WINNT\system32\msafd.dll
    Protocol #7: C:\WINNT\system32\msafd.dll
    Protocol #8: C:\WINNT\system32\msafd.dll
    Protocol #9: C:\WINNT\system32\msafd.dll
    Protocol #10: C:\WINNT\system32\msafd.dll
    Protocol #11: C:\WINNT\system32\msafd.dll
    Protocol #12: C:\WINNT\system32\msafd.dll
    Protocol #13: C:\WINNT\system32\msafd.dll

    --------------------------------------------------

    Enumerating Windows NT/2000/XP services

    7AD2F75E: C:\WINNT\System32\7AD2F75E.EXE -service (autostart)
    Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
    AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
    Alerter: %SystemRoot%\System32\services.exe (manual start)
    AntiVir PersonalEdition Classic Scheduler: C:\Program Files\AntiVir PersonalEdition Classic\sched.exe (autostart)
    AntiVir PersonalEdition Classic Guard: C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe (autostart)
    Application Management: %SystemRoot%\system32\services.exe (manual start)
    RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
    Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
    ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
    Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
    avgntdd: SYSTEM32\DRIVERS\avgntdd.sys (system)
    avgntmgr: SYSTEM32\drivers\avgntmgr.sys (system)
    Computer Browser: %SystemRoot%\System32\services.exe (autostart)
    CafeAgent of CafeSuite: C:\WINNT\System32\CafeAgent.exe /service (autostart)
    Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
    Indexing Service: C:\WINNT\System32\cisvc.exe (manual start)
    ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
    DHCP Client: %SystemRoot%\System32\services.exe (autostart)
    Disk Driver: System32\DRIVERS\disk.sys (system)
    D-Link DFE-538TX 10/100 Adapter NT Driver: System32\DRIVERS\DLKRTS.SYS (manual start)
    Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
    dmboot: System32\drivers\dmboot.sys (disabled)
    Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
    dmload: System32\drivers\dmload.sys (system)
    Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart)
    Microsoft DirectMusic SW Synth (WDM): system32\drivers\DMusic.sys (manual start)
    DNS Client: %SystemRoot%\System32\services.exe (autostart)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (manual start)
    Fax Service: %systemroot%\system32\faxsvc.exe (manual start)
    Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
    Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
    Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
    Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
    Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
    i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
    IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
    IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
    IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
    IPSEC driver: System32\DRIVERS\ipsec.sys (manual start)
    PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
    Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
    Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
    Server: %SystemRoot%\System32\services.exe (autostart)
    Workstation: %SystemRoot%\System32\services.exe (autostart)
    TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart)
    Messenger: %SystemRoot%\System32\services.exe (disabled)
    NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (manual start)
    Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
    BDA MPE Filter: System32\DRIVERS\MPE.sys (manual start)
    MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
    Distributed Transaction Coordinator: C:\WINNT\System32\msdtc.exe (manual start)
    Windows Installer: C:\WINNT\System32\MsiExec.exe /V (manual start)
    Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
    Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
    Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
    Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
    NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
    Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
    Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
    Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
    NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
    NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
    Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
    Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
    NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start)
    Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
    Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
    Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    nv: System32\DRIVERS\nv4_mini.sys (manual start)
    NVIDIA Display Driver Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
    IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
    IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
    Microsoft USB Open Host Controller Driver: System32\DRIVERS\openhci.sys (manual start)
    Creative WebCam Vista: System32\DRIVERS\P1100bVd.sys (manual start)
    Creative PD1100B HAL Service: System32\DRIVERS\P1100bCd.sys (autostart)
    Parallel class driver: System32\DRIVERS\parallel.sys (manual start)
    Parallel port driver: System32\DRIVERS\parport.sys (system)
    PCI Bus Driver: System32\DRIVERS\pci.sys (system)
    PCIIde: System32\DRIVERS\pciide.sys (system)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart)
    WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
    Protected Storage: %SystemRoot%\system32\services.exe (autostart)
    Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
    PxHelp20: System32\Drivers\PxHelp20.sys (system)
    Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
    Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
    Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
    Microsoft Streaming Network Raw Channel Access: system32\drivers\RCA.sys (manual start)
    Rdbss: System32\DRIVERS\rdbss.sys (system)
    Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    Remote Registry Service: %SystemRoot%\system32\regsvc.exe (disabled)
    Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    QoS RSVP: %SystemRoot%\System32\rsvp.exe -s (disabled)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart)
    RunAs Service: %SystemRoot%\system32\services.exe (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
    Serial port driver: System32\DRIVERS\serial.sys (system)
    Internet Connection Sharing: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Service for AC'97 Sample Driver (WDM): system32\drivers\sis7012.sys (manual start)
    BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    Srv: System32\DRIVERS\srv.sys (manual start)
    Spy Sweeper File System Filer Driver: 0509: SYSTEM32\Drivers\SSFS0509.SYS (system)
    Spy Sweeper Hookrack MiniDriver: SYSTEM32\Drivers\SSHRMD.SYS (system)
    Spy Sweeper Interdiction Driver: SYSTEM32\Drivers\SSIDRV.SYS (system)
    Webroot Spy Sweeper Keylogger Shield Keyboard Filter: System32\Drivers\sskbfd.sys (manual start)
    Still Image Service: %systemroot%\system32\stisvc.exe (autostart)
    BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
    Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
    Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
    Microsoft System Audio Device: system32\drivers\sysaudio.sys (manual start)
    Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
    Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
    Telnet: %SystemRoot%\system32\tlntsvr.exe (disabled)
    Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (autostart)
    Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
    Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
    Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
    USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
    Utility Manager: %SystemRoot%\System32\UtilMan.exe (manual start)
    VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
    Windows Time: %SystemRoot%\System32\services.exe (manual start)
    Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
    Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
    Webroot Spy Sweeper Engine: "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" (autostart)
    Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart)
    Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Windows Management Instrumentation Driver Extensions: %SystemRoot%\system32\Services.exe (manual start)
    Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
    World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
    Washer Security Access: C:\WINNT\System32\wwSecure.exe (autostart)


    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: *Registry value not found*

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
    WebCheck: C:\WINNT\System32\webcheck.dll
    SysTray: stobject.dll

    --------------------------------------------------
    End of report, 26,786 bytes
    Report generated in 0.234 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
    hijackthis log
    Logfile of HijackThis v1.97.7
    Scan saved at 11:02:34 PM, on 3/7/2007
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINNT\System32\CafeAgent.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\wwSecure.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
    C:\WINNT\System32\taskmgr.exe
    C:\HijackThis.exe

    O1 - Hosts file is located at: C:\WINNT\System32\drivers\etc\hosts
    O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [CafeAgent] "C:\WINNT\System32\CafeAgent.exe" /normal
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\RunServices: [CafeAgent] "C:\WINNT\System32\CafeAgent.exe" /normal
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 (HKLM)
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C9CDCC56-2E53-4682-9148-35B0714EA563}: NameServer = 192.168.0.1

    help help
     
    z4u,
    #1
  2. 2007/03/07
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    TeMerc,
    #2


  3. to hide this advert.

  4. 2007/03/07
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    Hell virus

    when i start computer the virus keep detecting by antivir some example i notedown here c:\doucm&setting\..\nmoyu0255[1].exe
    c:\winnt\system32\kdjs1.exe
    c:\doucm&setting\..\wow0308[1].exe heur malware
    and my browser hijack with this http://www.new114.com.cn/
    here hijack log with latest version
    Logfile of HijackThis v1.99.1
    Scan saved at 8:20:02 AM, on 3/8/2007
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINNT\System32\CafeAgent.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\System32\5AA45A25.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\wwSecure.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINNT\System32\notepad.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avcenter.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avscan.exe
    C:\Documents and Settings\ZR31\Desktop\hijackthis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.new114.com.cn
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [CafeAgent] "C:\WINNT\System32\CafeAgent.exe" /normal
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\RunServices: [CafeAgent] "C:\WINNT\System32\CafeAgent.exe" /normal
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C9CDCC56-2E53-4682-9148-35B0714EA563}: NameServer = 192.168.0.1
    O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: CafeAgent of CafeSuite (CafeAgent) - CafeSuite - C:\WINNT\System32\CafeAgent.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINNT\System32\wwSecure.exe
     
    z4u,
    #3
  5. 2007/03/07
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    Hell virus

    and startup list
    StartupList report, 3/8/2007, 8:23:26 AM
    StartupList version: 1.52.2
    Started from : C:\Documents and Settings\ZR31\Desktop\hijackthis\HijackThis.EXE
    Detected: Windows 2000 (WinNT 5.00.2195)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    * Including empty and uninteresting sections
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINNT\System32\CafeAgent.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\System32\5AA45A25.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\wwSecure.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avcenter.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avscan.exe
    C:\Documents and Settings\ZR31\Desktop\hijackthis\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\ZR31\Start Menu\Programs\Startup]
    *No files*

    Shell folders AltStartup:
    *Folder not found*

    User shell folders Startup:
    *Folder not found*

    User shell folders AltStartup:
    *Folder not found*

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    *No files*

    Shell folders Common AltStartup:
    *Folder not found*

    User shell folders Common Startup:
    *Folder not found*

    User shell folders Alternate Common Startup:
    *Folder not found*

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    *Registry value not found*

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Synchronization Manager = mobsync.exe /logon
    CafeAgent = "C:\WINNT\System32\CafeAgent.exe" /normal
    avgnt = "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    nwiz = "nwiz.exe" /install
    NvCplDaemon = "RUNDLL32.EXE" C:\WINNT\System32\NvCpl.dll,NvStartup

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    CafeAgent = "C:\WINNT\System32\CafeAgent.exe" /normal

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    [OptionalComponents]
    *No values found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .COM:
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .BAT:
    HKEY_CLASSES_ROOT\batfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .PIF:
    HKEY_CLASSES_ROOT\piffile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command

    (Default) = "%1" /S

    --------------------------------------------------

    File association entry for .HTA:
    HKEY_CLASSES_ROOT\htafile\shell\open\command

    (Default) = C:\WINNT\System32\mshta.exe "%1" %*

    --------------------------------------------------

    File association entry for .TXT:
    HKEY_CLASSES_ROOT\txtfile\shell\open\command

    (Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINNT\inf\unregmp2.exe /ShowWMP

    [>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
    StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

    [{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\System32\ie4uinit.exe

    [{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
    StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

    --------------------------------------------------

    Enumerating ICQ Agent Autostart apps:
    HKCU\Software\Mirabilis\ICQ\Agent\Apps

    *Registry key not found*

    --------------------------------------------------

    Load/Run keys from C:\WINNT\WIN.INI:

    load=*INI section not found*
    run=*INI section not found*

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=
    HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

    --------------------------------------------------

    Shell & screensaver key from C:\WINNT\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINNT\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINNT\Explorer\Explorer.exe: not present
    C:\WINNT\System\Explorer.exe: not present
    C:\WINNT\System32\Explorer.exe: not present
    C:\WINNT\Command\Explorer.exe: not present
    C:\WINNT\Fonts\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Verifying REGEDIT.EXE integrity:

    - Regedit.exe found in C:\WINNT
    - .reg open command is normal (regedit.exe %1)
    - Company name OK: 'Microsoft Corporation'
    - Original filename OK: 'REGEDIT.EXE'
    - File description: 'Registry Editor'

    Registry check passed

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll - {9394EDE7-C8B5-483E-8773-474BF36AF6E4}
    (no name) - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    *No jobs found*

    --------------------------------------------------

    Enumerating Download Program Files:

    [DirectAnimation Java Classes]
    CODEBASE = file://C:\WINNT\Java\classes\dajava.cab
    OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

    [Microsoft XML Parser for Java]
    CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab
    OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd

    [BDSCANONLINE Control]
    InProcServer32 = C:\WINNT\DOWNLO~1\CONFLICT.1\oscan8.ocx
    CODEBASE = http://download.bitdefender.com/resources/scan8/oscan8.cab

    [HouseCall Control]
    InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx
    CODEBASE = http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab

    [Java Plug-in 1.5.0_03]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\asinst.dll
    CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

    [a-squared Scanner]
    InProcServer32 = C:\WINNT\DOWNLO~1\asquared.ocx
    CODEBASE = http://ax.emsisoft.com/asquared.cab

    [Java Plug-in 1.5.0_03]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINNT\System32\Macromed\Flash\Flash9b.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating Winsock LSP files:

    NameSpace #1: C:\WINNT\System32\rnr20.dll
    NameSpace #2: C:\WINNT\System32\winrnr.dll
    Protocol #1: C:\WINNT\system32\msafd.dll
    Protocol #2: C:\WINNT\system32\msafd.dll
    Protocol #3: C:\WINNT\system32\msafd.dll
    Protocol #4: C:\WINNT\system32\rsvpsp.dll
    Protocol #5: C:\WINNT\system32\rsvpsp.dll
    Protocol #6: C:\WINNT\system32\msafd.dll
    Protocol #7: C:\WINNT\system32\msafd.dll
    Protocol #8: C:\WINNT\system32\msafd.dll
    Protocol #9: C:\WINNT\system32\msafd.dll
    Protocol #10: C:\WINNT\system32\msafd.dll
    Protocol #11: C:\WINNT\system32\msafd.dll
    Protocol #12: C:\WINNT\system32\msafd.dll
    Protocol #13: C:\WINNT\system32\msafd.dll

    --------------------------------------------------

    Enumerating Windows NT/2000/XP services

    7AD2F75E: C:\WINNT\System32\7AD2F75E.EXE -service (autostart)
    Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
    AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
    Alerter: %SystemRoot%\System32\services.exe (manual start)
    AntiVir PersonalEdition Classic Scheduler: C:\Program Files\AntiVir PersonalEdition Classic\sched.exe (autostart)
    AntiVir PersonalEdition Classic Guard: C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe (autostart)
    Application Management: %SystemRoot%\system32\services.exe (manual start)
    RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
    Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
    ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
    Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
    avgntdd: SYSTEM32\DRIVERS\avgntdd.sys (system)
    avgntmgr: SYSTEM32\drivers\avgntmgr.sys (system)
    Computer Browser: %SystemRoot%\System32\services.exe (autostart)
    CafeAgent of CafeSuite: C:\WINNT\System32\CafeAgent.exe /service (autostart)
    Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
    Indexing Service: C:\WINNT\System32\cisvc.exe (manual start)
    ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
    DHCP Client: %SystemRoot%\System32\services.exe (autostart)
    Disk Driver: System32\DRIVERS\disk.sys (system)
    D-Link DFE-538TX 10/100 Adapter NT Driver: System32\DRIVERS\DLKRTS.SYS (manual start)
    Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
    dmboot: System32\drivers\dmboot.sys (disabled)
    Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
    dmload: System32\drivers\dmload.sys (system)
    Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart)
    Microsoft DirectMusic SW Synth (WDM): system32\drivers\DMusic.sys (manual start)
    DNS Client: %SystemRoot%\System32\services.exe (autostart)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (manual start)
    Fax Service: %systemroot%\system32\faxsvc.exe (manual start)
    Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
    Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
    Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
    Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
    Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
    i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
    IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
    IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
    IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
    IPSEC driver: System32\DRIVERS\ipsec.sys (manual start)
    PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
    Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
    Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
    Server: %SystemRoot%\System32\services.exe (autostart)
    Workstation: %SystemRoot%\System32\services.exe (autostart)
    TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart)
    Messenger: %SystemRoot%\System32\services.exe (manual start)
    NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (manual start)
    Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
    BDA MPE Filter: System32\DRIVERS\MPE.sys (manual start)
    MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
    Distributed Transaction Coordinator: C:\WINNT\System32\msdtc.exe (manual start)
    Windows Installer: C:\WINNT\System32\MsiExec.exe /V (manual start)
    Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
    Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
    Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
    Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
    NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
    Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
    Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
    Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
    NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
    NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
    Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
    Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
    NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start)
    Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
    Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
    Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    nv: System32\DRIVERS\nv4_mini.sys (manual start)
    NVIDIA Display Driver Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
    IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
    IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
    Microsoft USB Open Host Controller Driver: System32\DRIVERS\openhci.sys (manual start)
    Creative WebCam Vista: System32\DRIVERS\P1100bVd.sys (manual start)
    Creative PD1100B HAL Service: System32\DRIVERS\P1100bCd.sys (autostart)
    Parallel class driver: System32\DRIVERS\parallel.sys (manual start)
    Parallel port driver: System32\DRIVERS\parport.sys (system)
    PCI Bus Driver: System32\DRIVERS\pci.sys (system)
    PCIIde: System32\DRIVERS\pciide.sys (system)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart)
    WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
    Protected Storage: %SystemRoot%\system32\services.exe (autostart)
    Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
    PxHelp20: System32\Drivers\PxHelp20.sys (system)
    Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
    Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
    Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
    Microsoft Streaming Network Raw Channel Access: system32\drivers\RCA.sys (manual start)
    Rdbss: System32\DRIVERS\rdbss.sys (system)
    Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    Remote Registry Service: %SystemRoot%\system32\regsvc.exe (disabled)
    Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    QoS RSVP: %SystemRoot%\System32\rsvp.exe -s (disabled)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart)
    RunAs Service: %SystemRoot%\system32\services.exe (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
    Serial port driver: System32\DRIVERS\serial.sys (system)
    Internet Connection Sharing: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Service for AC'97 Sample Driver (WDM): system32\drivers\sis7012.sys (manual start)
    BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    Srv: System32\DRIVERS\srv.sys (manual start)
    Spy Sweeper File System Filer Driver: 0509: SYSTEM32\Drivers\SSFS0509.SYS (system)
    Spy Sweeper Hookrack MiniDriver: SYSTEM32\Drivers\SSHRMD.SYS (system)
    Spy Sweeper Interdiction Driver: SYSTEM32\Drivers\SSIDRV.SYS (system)
    Webroot Spy Sweeper Keylogger Shield Keyboard Filter: System32\Drivers\sskbfd.sys (manual start)
    Still Image Service: %systemroot%\system32\stisvc.exe (autostart)
    BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
    Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
    Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
    Microsoft System Audio Device: system32\drivers\sysaudio.sys (manual start)
    Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
    Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
    Telnet: %SystemRoot%\system32\tlntsvr.exe (disabled)
    Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (autostart)
    Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
    Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
    Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
    USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
    Utility Manager: %SystemRoot%\System32\UtilMan.exe (manual start)
    VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
    Windows Time: %SystemRoot%\System32\services.exe (manual start)
    Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
    Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
    Webroot Spy Sweeper Engine: "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" (autostart)
    Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart)
    Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Windows Management Instrumentation Driver Extensions: %SystemRoot%\system32\Services.exe (manual start)
    Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
    World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
    Washer Security Access: C:\WINNT\System32\wwSecure.exe (autostart)


    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: *Registry value not found*

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
    WebCheck: C:\WINNT\System32\webcheck.dll
    SysTray: stobject.dll

    --------------------------------------------------
    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    66 = C:\SysDayN\svchost.exe
    50 = C:\SysAd5a\svchost.exe
    333 = C:\Syswm1a\svchost.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    *Registry key not found*

    --------------------------------------------------

    End of report, 27,616 bytes
    Report generated in 1.234 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
    z4u,
    #4
  6. 2007/03/08
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    hi temerc help me
     
    z4u,
    #5
  7. 2007/03/08
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    any body here :confused: :confused: :confused: :confused:
     
    z4u,
    #6
  8. 2007/03/08
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    TR/CryptXPack.Gen of Antivir found

    how fix this virus?..
    i m running windows 2000 any expert ?.
     
    Last edited: 2007/03/08
    z4u,
    #7
  9. 2007/03/08
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi z4u

    I will have someone coming here soon.
    Geri
     
    Geri,
    #8
  10. 2007/03/09
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi z4u & welcome :)

    Geri contacted me about your logs.
    Hope it's OK for me to pop in Geri :)

    z4u,

    Can I get some file samples from you? I don't know yet what we are dealing with and untill I can do some analysis it would be difficult to know what exactly is going on.
    AntiVir malware names don't tell me much.
    Since very little detection by other AV scanners I would like to also make sure they get copies so they can protect other users.

    I don't know if you can see these files or not but we are gonna try.

    I'd like to go to safe mode so better chance these things are not running and better chance to see them.
    You may wish to print out or copy instructions to notepad so you have em while in safe mode (no internt in safe)

    To boot to safe mode:

    [*]Restart your computer

    [*]After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

    [*]Instead of Windows loading as normal, the Advanced Options Menu should appear;

    [*]Select the first option, to run Windows in Safe Mode, then press Enter.

    [*]Choose your usual account.

    Configure your system to show hidden files:

    Reveal Hidden Files

    1. [*]Click Start.
      [*]Open My Computer.
      [*]SelectTools menu
      [*]Click Folder Options.
      [*]Select the View Tab.
      [*]Select Show hidden files and foldersin the Hidden files and folders section.
      [*]Uncheck Hide protected operating system files (recommended) option.
      [*]Uncheck the Hide file extensions for known file types option.
      [*]Click Yes.
      [*]Click OK.


    *note* Don't worry about the missing info in # 1 above. BBCode is a little different here I think and I have not totally figured it all out yet. :p
    All the info I intended to post is there.

    Create a folder on your desktop called "Blender "

    Copy the following files/folders to the blender folder:
    I'm not sure of the exact path of a few but I think you can see from your virus logs where exactly they are.

    Files:
    C:\WINNT\System32\5AA45A25.exe
    c:\winnt\system32\kdjs1.exe
    c:\doucm&setting\..\nmoyu0255[1].exe
    c:\doucm&setting\..\wow0308[1].exe

    Folders:
    C:\SysDayN
    C:\SysAd5a
    C:\Syswm1a

    Once you have these (what you can find) copied to Blender folder please zip it up and preferably password protect this zip file so you can get it past your antivirus.
    Use the word "infected" as the password.

    Once you get it zipped up you can delete the origional folder you created called "blender ".

    While you are in safe mode....
    Can you run Hijackthis to get a log please and save it?

    Boot back up to normal mode
    Post the safe mode hijackthis log

    Please upload the "blender.zip" file to this site:

    http://www.bleepingcomputer.com/submit-malware.php?channel=20

    Please include link to this thread so I know where these files are from.

    Since I am not sure what we are dealing with yet please avoid doing online sensitive activities like banking, credit card purchases and the like.
    I don't want to have the possibility your online actions/passwords etc are being logged and this info sent to the atttacker.

    If you do online banking and credit card activities you may want to contact these companies by phone to watch your accounts for suspicious activity.
    Better safe than sorry.

    Thanks!
     
    Blender,
    #9
  11. 2007/03/09
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    thanx geri n blender i followed what u mention in the post i just submit virus file 5AA45A25.exe inside the folder blender with password infected these
    folder last time i already deleted so no more C:\SysDayN
    C:\SysAd5a
    C:\Syswm1a
    and abt these virus files
    c:\winnt\system32\kdjs1.exe (this one keep increasing during windows start n keep chaing name to kdjs2.exe n kdjs3.exe etc)
    c:\doucm&setting\..\nmoyu0255[1].exe
    c:\doucm&setting\..\wow0308[1].ex
    these files i can't find it only infected in windows normal mode n antvir warning to take action of these virus so i just deted in safe mode i can't find any thing thanx. here my hijack log in safe mode one
    Logfile of HijackThis v1.99.1
    Scan saved at 6:31:19 PM, on 3/9/2007
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Documents and Settings\ZR31\Desktop\hijackthis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.new114.com.cn
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\RunServices: [CafeAgent] "C:\WINNT\System32\CafeAgent.exe" /normal
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C9CDCC56-2E53-4682-9148-35B0714EA563}: NameServer = 192.168.0.1
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: CafeAgent of CafeSuite (CafeAgent) - CafeSuite - C:\WINNT\System32\CafeAgent.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINNT\System32\wwSecure.exe
    thanx ..
     
    z4u,
    #10
  12. 2007/03/10
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    any body here
     
    z4u,
    #11
  13. 2007/03/10
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi

    Sorry for delay. I was working.

    let me go look at those files you sent and I'll be back shortly.

    Tammy
     
    Blender,
    #12
  14. 2007/03/10
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi

    Thanks for that file.
    It is indeed a baddie.

    AntiVir 7.3.1.41 03.09.2007 TR/Crypt.XPACK.Gen
    DrWeb 4.33 03.10.2007 BackDoor.Pigeon.199
    Ewido 4.0 03.10.2007 Backdoor.Agent.ahj
    Ikarus T3.1.1.3 03.10.2007 Trojan.Popwin.R

    And several others listed as suspicious.

    Please make sure your antivirus is fully up to date.

    Please print out or save these instructions to notepad. You will be working in safe mode for most of the fix and won't see this page.

    The attached registry file is for z4u's computer only! Others running it may do damage to their sytem!

    Attached is a file called fix1.zip
    Save this file and unzip it. Don't run it yet
    You should now have fix1.reg

    Download this file:

    ftp://ftp.microsoft.com/reskit/win2000/sc.zip

    Unzip it and copy sc.exe it to your system32 folder.
    It must be unzipped to system32 folder to work.

    Once that is done...
    click start> run> type cmd.exe and hit enter.
    Type the following command and hit enter. (please note where the spaces are)

    sc config 7AD2F75E start= disabled

    You should get a success messege.

    Restart to SAFE mode.

    Click start> run> type cmd.exe and hit enter.
    Type this command and hit enter:

    sc delete 7AD2F75E

    Exit the cmd window.

    Locate fix1.reg you saved earlier.
    Right click it and choose merge
    When asked if you want to add the contents of fix1.reg to the registry andswer yes
    You should get success messege.

    Delete the following if found:

    C:\WINNT\System32\7AD2F75E.EXE

    Run full scan with your AntiVir and let it fix/clean what it wants.

    When the scan is done and you have repaired/quarentined what it can, please click "report" at bottom of AntiVir window.
    Notepad opens.
    Click "file" then "save as... "
    Save the file to your desktop.

    Reboot back to normal mode.

    Please post:

    Antivir report.

    In addition to the above log please do the following:

    Download ComboScan to your Desktop.:

    http://www.techsupportforum.com/sectools/Deckard/comboscan.exe

    Close all applications and windows.
    Double-click on comboscan.exe to run it, and follow the prompts.
    When the scan is complete, a text file will open - ComboScan.txt
    Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt here.
    A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.
    Open Supplementry.txt and post its contents here.

    **since you have 3 logs to post you will need to span it across a few posts or else they will get cut off.

    Let me know how machine is running.

    Thanks

    Tammy
     
    Blender,
    #13
  15. 2007/03/10
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    thanx blender for reply plz anwer me as soon as possible i wana start the procedure u mention in post but problem downloding ftp://ftp.microsoft.com/reskit/win2000/sc.zip
    that link not working so how can i download it u got any outside upload link where i can download it thanx..
     
    z4u,
    #14
  16. 2007/03/10
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Blender,
    #15
  17. 2007/03/10
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    very nice n quick response my system is on workstation n now it's in use give me 1 hour when it gets free i m going to do operation (hehe i mean the procedure u mention in the post :D atleast i m going to send virus hell yeah stunner with help of u ) n will post with latest info n virus report n logs .thanx..
     
    z4u,
    #16
  18. 2007/03/10
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Sounds good.

    I'll be around later today to check.

    Tammy :)
     
    Blender,
    #17
  19. 2007/03/10
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    thanx blender i think the virus is deleted after doing all steps so plz check my log n report n other thing i my antivir can't load when start windows so i m doing to uinstall n install it again so far antivir didn't detect any file when i restart computer in normal status thanx a lot bro n you are the man n thanx as well windows bbs support plz following are reports
    [SIZE= "4"]1.comboscan[/SIZE]
    ComboScan v20070306.20 run by ZR31 on 2007-03-10 at 22:33:12
    Computer is in Normal Mode.
    Performed disk cleanup.
    plz i can't log here txt is too big so i upload blender.txt file if u have time plz download it
    http://www.wikiupload.com/download_page.php?id=99985
    n then i m trying to log here it take times thanx
     
    z4u,
    #18
  20. 2007/03/10
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    log files

    -- HijackThis (run as ZR31.exe) --------------------------------------------Logfile of HijackThis v1.99.1
    Scan saved at 10:33:19 PM, on 3/10/2007
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINNT\System32\CafeAgent.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\wwSecure.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avcenter.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
    C:\Documents and Settings\ZR31\Desktop\comboscan.exe
    C:\DOCUME~1\ZR31\Desktop\HIJACK~1\ZR31.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.new114.com.cn
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [cmdbcs] C:\WINNT\cmdbcs.exe
    O4 - HKLM\..\RunServices: [CafeAgent] "C:\WINNT\System32\CafeAgent.exe" /normal
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C9CDCC56-2E53-4682-9148-35B0714EA563}: NameServer = 192.168.0.1
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: CafeAgent of CafeSuite (CafeAgent) - CafeSuite - C:\WINNT\System32\CafeAgent.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINNT\System32\wwSecure.exe
     
    z4u,
    #19
  21. 2007/03/10
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    z4u,
    #20
Page 1 of 2

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...