
Wasted 2 Days Already


  • This topic is locked
123 replies to this topic

#76 MLL

MLL

    Authentic Member

  • Authentic Member
  • PipPip
  • 70 posts

Posted 07 June 2006 - 06:43 PM

Ewido is still scanning. About 56% done. Will do the above after I post results from Ewido scan. Thanks.



#77 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 07 June 2006 - 06:44 PM

OK :thumbup:

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#78 MLL


Posted 07 June 2006 - 08:43 PM

Kaspersky still scanning. Only 32% done and no virus found so far. Pop ups still appearing. Security alert window about getting redirected to another site. Also about internet settings about to be changed. I just closed them. Will post log after scan is done. We may have to continue tomorrow at the rate this is going. I will disconnect internet connection until then. Thanks.

#79 LDTate


Posted 07 June 2006 - 08:44 PM

Ok :thumbup:



#80 MLL


Posted 07 June 2006 - 09:41 PM

Doesn't make sense that it is on the H drive:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, June 07, 2006 10:15:53 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 8/06/2006
Kaspersky Anti-Virus database records: 187142
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\ C:\ D:\ E:\ F:\ H:\ I:\ J:\ K:\ L:\

Scan Statistics:
Total number of scanned objects: 78385
Number of viruses found: 1
Number of infected objects: 0
Number of suspicious objects: 1
Duration of the scan process: 01:51:38

Infected Object Name / Virus Name / Last Action
H:\My Documents\Log\hijackthis2.log Suspicious: Exploit.HTML.Mht skipped

Scan process completed.

#81 LDTate


Posted 08 June 2006 - 05:46 AM

Open H:\My Documents\Log\hijackthis2.log <--Delete if found. Today I suggest you keep running SpySweeper until it doesn't find any bad ones. I'll check back after work.



#82 MLL


Posted 08 June 2006 - 02:08 PM

Just a quick note until I get home. Ran Spysweeper in Safe Mode, deleted items found. Rebooted in Safe Mode, ran Spysweeper again..this time clean. Rebooted in Normal Mode....plugged connection back. Pop up reappeared. LDTate, I think I noticed even when the cable is disconnected, the windows were trying to pop up because I hear a clicking sound but nothing appears until the line is connected. Are we running out of ideas yet?

#83 LDTate


Posted 08 June 2006 - 02:25 PM

Can you post the Spysweeper log from Normal mode?

Unless you know what this is, delete it:
C:\Program Files\Common Files\mehe.html

Let's give this a try:

  • Download Silentrunners.zip from HERE to a new folder on your desktop.
  • Run the SilentRunners.vbs file. If your antivirus has a script blocker, you will get a warning asking if you want to allow SilentRunners.vbs to run. It might say something like "Malicious Script Warning". This script is not malicious so you are safe in allowing it to run.
  • Let it run. When it has finished, it will produce a Startup Programs text file. Copy and paste that text file here in your next reply.

Edited by LDTate, 08 June 2006 - 05:08 PM.



#84 MLL


Posted 08 June 2006 - 06:16 PM

Hello again LDTate. Had a long day today and I have a feeling the long day is not over yet. Just ran SpySweeper again in Normal mode. Pop ups appearing fast and furiously. Will run SilentRunners now. Here are the results from SpySweeper:

Edited by MLL, 08 June 2006 - 06:48 PM.


#85 MLL


Posted 08 June 2006 - 06:21 PM

Shoot! Now I am hearing an ad playing in the background and I cannot find the window to close it!



#86 MLL


Posted 08 June 2006 - 06:23 PM

Here is the SilentRunner file:

"Silent Runners.vbs", revision 45, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NVIEW" = "rundll32.exe nview.dll,nViewLoadHook" [MS]
"ctfmon.exe" = "C:\WINDOWS\System32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"PHIME2002ASync" = "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]
"PHIME2002A" = "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
"nwiz" = "nwiz.exe /installquiet /keeploaded" ["NVIDIA Corporation"]
"kdx" = "C:\WINDOWS\kdx\KHost.exe" ["Kontiki Inc."]
"KBD" = "C:\HP\KBD\KBD.EXE" ["Hewlett-Packard Company"]
"IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS]
"hpsysdrv" = "c:\windows\system\hpsysdrv.exe" ["Hewlett-Packard Company"]
"HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe" ["HP"]
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
"S3TRAY2" = "S3tray2.exe" ["S3 Graphics, Inc."]
"PS2" = "C:\WINDOWS\system32\ps2.exe" ["Hewlett-Packard Company"]
"WinPatrol" = "C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe" ["BillP Studios"]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"UnlockerAssistant" = ""C:\Program Files\Unlocker\UnlockerAssistant.exe"" [null data]
"SpySweeper" = ""C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray" ["Webroot Software, Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

#87 LDTate


Posted 08 June 2006 - 06:40 PM

Nothing from silent runners.

How did the SpySweeper scan go?

Let's give this one a run.

Narrator/Qoologic trojan. It is tricky because all of the files are hidden when you use Windows Explorer or the Task Manager. To get a better look at it we will need you to do this.
  • Download FindIt NT-2K-XP.
  • Unzip the contents of FindIt NT-2K-XP.zip to a convenient location.
  • Navigate to the FindIt NT-2K-XP directory.
  • Double-click on FindNarrator.bat and wait for it to run.
  • It should open a Notepad window with the FindVX2 log.
  • Post the contents of FindNarrator.txt into your next post.



#88 MLL


Posted 08 June 2006 - 06:59 PM

Anything from here?

#89 MLL


Posted 08 June 2006 - 07:01 PM

Also see Spysweeper scan from post #84. Thanks.

#90 LDTate


Posted 08 June 2006 - 07:17 PM

Make sure we've done this: select Start -> Control Panel -> Performance and Maintenance -> Administrative Tools -> Services -> scroll down and highlight 'Messenger' -> right-click the highlighted line and choose Properties -> click Stop button -> select Disable in the Startup Type scroll bar -> finally click OK.
