Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93099 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Virus problem


  • This topic is locked This topic is locked
63 replies to this topic

#46 Prolatariat_

Prolatariat_

    Authentic Member

  • Authentic Member
  • PipPip
  • 32 posts

Posted 09 November 2005 - 09:21 PM

Ewido just picked up this again...

csrssa.exe
C:\WINDOWS\system32
Infection: Backdoor.Codbot.at
Cleaned the file.

    Advertisements

Register to Remove


#47 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 09 November 2005 - 09:25 PM

click Start>Run and type regedit tap enter key.


Regedit will open. Make sure My Computer is highlighted. At the top of the window click edit> Find> then copy and paste the following into the window.

csrssa.exe

Then click find now.
When you find the entry right click on it and select delete, answer ok at the prompt.
Next, press "F3" to continue searching, if another instance is found, repeat the above steps, until you see the "completed searching" message.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#48 Prolatariat_

Prolatariat_

    Authentic Member

  • Authentic Member
  • PipPip
  • 32 posts

Posted 09 November 2005 - 09:35 PM

Deleted 3 items. I also deleted 2 files from Ewido quarantine.

#49 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 09 November 2005 - 09:36 PM

We'll keep after it until we kill it :thumbup:

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#50 Prolatariat_

Prolatariat_

    Authentic Member

  • Authentic Member
  • PipPip
  • 32 posts

Posted 09 November 2005 - 10:21 PM

I'm going to download an updated version of PC-cillin later tonight. Will this help?

#51 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 10 November 2005 - 06:39 AM

Yes, I would think so. Also make sure windows has all the latest patches.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#52 Prolatariat_

Prolatariat_

    Authentic Member

  • Authentic Member
  • PipPip
  • 32 posts

Posted 11 November 2005 - 12:49 AM

I will have to wait a day or two to upgrade anti-virus due to CC. Windows update gives me this error message: The site cannot continue because one or more of these Windows services is not running: Automatic Updates (allows the site to find, download and install high-priority updates for your computer) Background Intelligent Transfer Service (BITS) (helps updates download more quickly and without problems if the download process is interrupted) Event Log (keeps a record of updating activities to help with troubleshooting, if needed) My computer was running fine earlier today, although Ewido picked up this when I ran a scan: --------------------------------------------------------- ewido security suite - Scan report --------------------------------------------------------- + Created on: 5:29:38 PM, 11/11/2005 + Report-Checksum: 2F020FE1 + Scan result: C:\WINDOWS\system32\TFTP3880 -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup :mozilla.28:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mdxvw08d.default\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup ::Report End SpyBot removed the following: Settings HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control\Lsa Settings HKEY_USERS\S-1-5-21-3500330718-382615216-485408677-1003\SYSTEM\CurrentControlSet\Control\Lsa Settings HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa Settings HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msdirectx Settings HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdirectx I also came back to my computer to find an error message saying "Csrssa.exe has encountered a problem and needs to close".

#53 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 11 November 2005 - 06:59 AM

I'm at work so I don't have much time right now. Have we tried this one?

Narrator/Qoologic trojan. It is tricky because all of the files are hidden when you use Windows Explorer or the Task Manager. To get a better look at it we will need you to do this.
  • Download FindIt NT-2K-XP.
  • Unzip the contents of FindIt NT-2K-XP.zip to a convenient location.
  • Navigate to the FindIt NT-2K-XP directory.
  • Double-click on FindNarrator.bat and wait for it to run.
  • It should open a Notepad window with the FindVX2 log.
  • Post the contents of FindNarrator.txt into your next post.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#54 Prolatariat_

Prolatariat_

    Authentic Member

  • Authentic Member
  • PipPip
  • 32 posts

Posted 12 November 2005 - 05:53 PM

---------------- FindNarrator NT-2K-XP ---------------- Warning! This utility will find legitimate files in addition to malware. Do not remove anything unless you are sure you know what you're doing. ***** Operating System ***** Microsoft Windows XP Home Edition 5.1 Service Pack 1 (Build 2600) ********* Date/Time ******** Sunday, November 13, 2005 (11/13/2005) 12:43 PM, New Zealand Standard Time *********** Path *********** FindNarrator.bat is running from: C:\Documents and Settings\Owner\Desktop\FindIt NT-2K-XP\FindIt NT-2K-XP ---------------- Strings.exe Qoologic Results ---------------- ---------------- Strings.exe Aspack Results ---------------- C:\WINDOWS\system32\MRT.exe: (ASPack) C:\WINDOWS\system32\MRT.exe: (AsPack2k) C:\WINDOWS\system32\MRT.exe: (ASPack 1.00b) C:\WINDOWS\system32\MRT.exe: (ASPack 2.1) C:\WINDOWS\system32\MRT.exe: (ASPack 2.12) C:\WINDOWS\system32\MRT.exe: (ASPack 2.11) C:\WINDOWS\system32\MRT.exe: (ASPack 2.000) C:\WINDOWS\system32\MRT.exe: (ASPack 2.001) C:\WINDOWS\system32\MRT.exe: (ASPack 2.11x) C:\WINDOWS\system32\MRT.exe: ASPack2000 C:\WINDOWS\system32\MRT.exe: ASPack 1.61 C:\WINDOWS\system32\MRT.exe: ASPack 1.084 C:\WINDOWS\system32\MRT.exe: ASPack 1.083 C:\WINDOWS\system32\MRT.exe: ASPack 1.08.02b C:\WINDOWS\system32\MRT.exe: ASPack 1.07b C:\WINDOWS\system32\MRT.exe: ASPack 1.05b C:\WINDOWS\system32\MRT.exe: ASPack 1.02 C:\WINDOWS\system32\MRT.exe: ASPACK C:\WINDOWS\system32\MRT.exe: aspACK C:\WINDOWS\system32\MRT.exe: aspACK C:\WINDOWS\system32\MRT.exe: aspACK C:\WINDOWS\system32\MRT.exe: aspACK C:\WINDOWS\system32\MRT.exe: aspACK C:\WINDOWS\system32\MRT.exe: aspACK C:\WINDOWS\system32\MRT.exe: aspACK ---------------- Active Setup Installed Components ---------------- ! REG.EXE VERSION 3.0 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{02f78298-8af6-495c-9ecb-b6ae68678186} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608555} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{10072CEC-8CC1-11D1-986E-00A0C955B42F} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{283807B5-2C60-11D0-A31D-00AA00B92C03} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{36f8ec70-c29a-11d1-b5c7-0000f8051515} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3bf42070-b3b1-11d1-b5c5-0000f8051515} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4278c270-a269-11d1-b5bf-0000f8051515} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015C} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f216970-c90c-11d1-b5c7-0000f8051515} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5A8D6EE0-3E18-11D0-821E-444553540000} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{73FA19D0-2D75-11D2-995D-00C04F98BBC9} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{839117ee-2132-4bae-a56a-42b50204c9b9} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{ACC563BC-4266-43f0-B6ED-9D38C4202C7E} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CC2A9BA0-3BDD-11D0-821E-444553540000} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11cf-96B8-444553540000} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E} ---------------- Context Menu Handlers ---------------- REGEDIT4 [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers] [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido] @="{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}" [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files] @="{750fdf0e-2a26-11d1-a3ea-080036587f03}" [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With] @="{09799AFB-AD67-11d1-ABCD-00C04FC30936}" [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu] @="{A470F8CF-A1E8-4f65-8335-227475AA5C46}" [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR] @="{B41DB860-8EE4-11D2-9906-E49FADC173CA}" [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{48F45200-91E6-11CE-8A4F-0080C81A28D4}] [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}] @="Start Menu Pin" ---------------- Run Key ---------------- REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Hcontrol"="C:\\WINDOWS\\ATK0100\\Hcontrol.exe" "AGRSMMSG"="AGRSMMSG.exe" "SoundMan"="SOUNDMAN.EXE" "ASUS Live Update"="C:\\Program Files\\ASUS\\ASUS Live Update\\ALU.exe" "Power_Gear"="C:\\Progra~1\\ASUS\\Power4 Gear\\BatteryLife.exe 1" "SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe" "SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe" "SiS Tray"="C:\\WINDOWS\\System32\\sistray.EXE" "SiS KHooker"="C:\\WINDOWS\\System32\\khooker.exe" "pccguide.exe"="\"c:\\Program Files\\Trend Micro\\PC-cillin 2002\\pccguide.exe\"" "PCCClient.exe"="\"c:\\Program Files\\Trend Micro\\PC-cillin 2002\\PCCClient.exe\"" "Pop3trap.exe"="\"c:\\Program Files\\Trend Micro\\PC-cillin 2002\\Pop3trap.exe\"" "EPSON Stylus C45 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I3T1.EXE /P23 \"EPSON Stylus C45 Series\" /O6 \"USB001\" /M \"Stylus C45\"" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL] "Installed"="1" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI] "Installed"="1" "NoChange"="1" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS] "Installed"="1" ---------------- FindNarrator NT-2K-XP ---------------- 

#55 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 12 November 2005 - 06:07 PM

Nothing there. Are still getting warnings?

Go here and run this tool.
http://www.microsoft...ve/default.mspx

Edited by LDTate, 12 November 2005 - 06:10 PM.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

    Advertisements

Register to Remove


#56 Prolatariat_

Prolatariat_

    Authentic Member

  • Authentic Member
  • PipPip
  • 32 posts

Posted 12 November 2005 - 07:11 PM

PC-cillin is no longer detecting the viruses and Ewido is fine too. I ran the microsoft malware program and it didn't find anything either. Although I did get another message saying "Csrssa.exe has encountered a problem and needs to close". Apart from that my laptop appears to be running normally again. I don't have problems disconnecting from the internet, media player is working, and I can shutdown without it refusing to or taking an hour.

#57 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 12 November 2005 - 07:15 PM

Have a look in the registry again.

click Start>Run and type regedit tap enter key.


Regedit will open. Make sure My Computer is highlighted. At the top of the window click edit> Find> then copy and paste the following into the window.

csrssa.exe

Then click find now.
When you find the entry right click on it and select delete, answer ok at the prompt.
Next, press "F3" to continue searching, if another instance is found, repeat the above steps, until you see the "completed searching" message.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#58 Prolatariat_

Prolatariat_

    Authentic Member

  • Authentic Member
  • PipPip
  • 32 posts

Posted 13 November 2005 - 08:54 PM

It doesn't find anything in the registry. I installed PC-cillin Internet Security 2006 yesterday and it picked up 2 trojans during instalation: TROJ_SMALL-1 --> deleted TROJ_LOWZONES.DW, Found in C:\goaway.exe --> quarantined PC-Cillin log: "Virus Scan","2005/11/13","LIZ" "Time","Event","Source Type","Virus Name","File Name","First Action","Second Action" "19:15","Manual Scan","File","TROJ_LOWZONES.DW","C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\012J05EB\goaway[1].exe","Quarantine Success","" "19:18","Manual Scan","File","WORM_SPYBOT.AJC","C:\WINDOWS\system32\csrssa.exe","Quarantine Success","" "19:28","Manual Scan","File","TROJ_LOWZONES.DW","C:\System Volume Information\_restore{FC301464-7AA8-49C8-BE33-DDCE92464080}\RP203\A0036882.exe","Quarantine Success","" "19:28","Manual Scan","File","WORM_SPYBOT.AJC","C:\System Volume Information\_restore{FC301464-7AA8-49C8-BE33-DDCE92464080}\RP204\A0036897.exe","Quarantine Success","" "19:29","Manual Scan","File","WORM_SPYBOT.AJC","C:\System Volume Information\_restore{FC301464-7AA8-49C8-BE33-DDCE92464080}\RP199\A0035434.exe","Quarantine Success","" I deleted them all from quarantine. Finally managed to get Windows Update to work as well.

#59 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 13 November 2005 - 08:58 PM

Post a new HJT log.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#60 Prolatariat_

Prolatariat_

    Authentic Member

  • Authentic Member
  • PipPip
  • 32 posts

Posted 13 November 2005 - 09:03 PM

Logfile of HijackThis v1.99.1
Scan saved at 4:00:57 PM, on 11/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRAM FILES\EWIDO\SECURITY SUITE\EWIDOGUARD.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPROXY.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ATK0100\Hcontrol.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Progra~1\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\WINDOWS\SYSTEM32\MSACONFIG.EXE
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\Program Files\Asus\Asus ChkMail\ChkMail.exe
C:\Program Files\Asus\ASUS Hotkey\Hotkey.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.asus.com.tw/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com.tw
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Progra~1\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Progra~1\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB001" /M "Stylus C45"
O4 - HKLM\..\Run: [Microsft Configure 32] msaconfig.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\RunServices: [Microsft Configure 32] msaconfig.exe
O4 - HKCU\..\Run: [Microsft Configure 32] msaconfig.exe
O4 - Global Startup: ASUS ChkMail.lnk = C:\Program Files\Asus\Asus ChkMail\ChkMail.exe
O4 - Global Startup: Hotkey.lnk = C:\Program Files\Asus\ASUS Hotkey\Hotkey.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com.tw
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{B07785A4-6781-4DCB-80F7-446FE11A7B90}: NameServer = 203.96.152.4 203.96.152.12
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users