• Content Count

  • Joined

  • Last visited

Community Reputation

0 Neutral

About NetCog

  • Rank
  1. Per Derek's request at c:\windows\temp is empty Contents of win.ini ; for 16-bit app support [fonts] [extensions] [mci extensions] [files] [Mail] MAPI=1 CMCDLLNAME32=mapi32.dll CMCDLLNAME=mapi.dll CMC=1 MAPIX=1 MAPIXVER= OLEMessaging=1 [MCI Extensions.BAK] aif=MPEGVideo aifc=MPEGVideo aiff=MPEGVideo asf=MPEGVideo asx=MPEGVideo au=MPEGVideo m1v=MPEGVideo m3u=MPEGVideo mp2=MPEGVideo mp2v=MPEGVideo mp3=MPEGVideo mpa=MPEGVideo mpe=MPEGVideo mpeg=MPEGVideo mpg=MPEGVideo mpv2=MPEGVideo snd=MPEGVideo wax=MPEGVideo wm=MPEGVideo wma=MPEGVideo wmv=MPEGVideo wmx=MPEGVideo wpl=MPEGVideo wvx=MPEGVideo [sqlWindows] CenturyDefaultMode=1 [AMTECH] DefualtPrintOrView=P MetaFile=C:\WINDOWS\TEMP\~bdr362A.wmf I see the reference to the ~bdr362A.wmf Looks like I get a round of making sure my clients are uptodate.
  2. CJ - I know you're busy and if I could bring you a cake, cookies or maybe some BBQ ribs I would. Thanks for the help and time you've been spending on this new nasty. I'm updating and uploaded some additional files. Some I'm not sure about infection, others (like the images) might come in handy for whatever cleaning tool (?). The attached zip contains the files which look to have been created or modified at the time of infection. I have also included some xml files which were created at the same time the next day. All this occured between 7:19am and a little after 7:30 on the 7th and 8th. I have broken the files down into subfolders in an attempt to keep their original location referenced. subfolder "pchealth-helpctr-datacoll" was c:\windows\pchealth\helpctr\datacoll subfolder "prefetch" was c:\windows\prefetch subfolder "pss" was c:\windows\pss subfolder "sys32" was c:\windows\system32 subfolder "win" was c:\windows Note: a .exe rpnqrdnm.exe looks suspicious (contained in the sys32 folder) Note: All images in the win folder for the time of 6/7/06 7:26am match the images on the redirected www. antispywarebox .com and the about:blank page. Note: Symptoms appear to be gone on my computer, I just want to make sure nothing is lurking.
  3. Heh, it's even described/titled "Trojan Factory" I'll do that search and upload all the files I've got to At this point, and just as an observation, it looks like adobepnl.dll is the primary file. The last stint of cwshredder, spybot, and HJ (maybe something else...anyways) removed a bunch of stuff including an infected.gif. Since rebooting, and my computer appearing to be okay the only thing that shows up is the qjrkvy.exe and the users32.exe. Both have now been deleted from in safe mode. I rebooted back to normal mode and the files have stayed gone. I did that search on date range of 6/7/06 to 6/8/06. The 7th was the morning of infection. I have a bunch of stuff but what I'm finding interesting is a series of files timed for 7:19am and 7:26am exactly for both the 7th and the 8th. Many of them are referenced to windows\prefetch and many others are referenced to windows\pchealth. Among the latter are a series of XML files labeled "CollectedData_94##.xml". Those particular files are are in windows\pchealth\helpctr\datacoll. I can copy the files over to USB and upload them (at least the suspicious ones) if you'd like. But I'd also want to include the location where they are currently. Is there anyway to print the view of windows explorer of file name, folder location, size, and/or date modified? -- Or does it even matter and the important stuff is in the files themselves? I'm definately curious about the pchealth folder.
  4. SMITFRAUDFIX SmitFraudFix v2.55 Scan done at 16:10:15.92, Thu 06/08/2006 Run from E:\tools\programs\SmitfraudFix\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT Fix ran in safe mode »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files C:\WINDOWS\bg.gif Deleted C:\WINDOWS\close-bar.gif Deleted C:\WINDOWS\infected.gif Deleted C:\WINDOWS\star.gif Deleted C:\WINDOWS\warning-bar-ico.gif Deleted »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» End WINPFIND WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding. If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly. »»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600 Internet Explorer Version: 6.0.2900.2180 »»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»» Checking %SystemDrive% folder... Checking %ProgramFilesDir% folder... Checking %WinDir% folder... Checking %System% folder... PEC2 8/4/2004 5:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc PTech 5/17/2006 11:23:38 AM 579888 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL PECompact2 5/3/2006 11:26:22 PM 5818784 C:\WINDOWS\SYSTEM32\MRT.exe aspack 5/3/2006 11:26:22 PM 5818784 C:\WINDOWS\SYSTEM32\MRT.exe aspack 8/4/2004 5:00:00 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll UPX! 6/7/2006 7:28:32 AM 13312 C:\WINDOWS\SYSTEM32\qjrkvy.exe Umonitor 8/4/2004 5:00:00 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll UPX! 6/7/2006 7:26:12 AM 8704 C:\WINDOWS\SYSTEM32\rpnqrdnm.exe winsync 8/4/2004 5:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu UPX! 6/7/2006 7:28:32 AM 13312 C:\WINDOWS\SYSTEM32\winflash.dll Checking %System%\Drivers folder and sub-folders... Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts Checking the Windows folder and sub-folders for system and hidden files within the last 60 days... 6/8/2006 4:19:48 PM S 2048 C:\WINDOWS\bootstat.dat 6/8/2006 3:58:34 PM S 268 C:\WINDOWS\CSC\00000001 6/8/2006 3:58:34 PM S 86496 C:\WINDOWS\CSC\00000002 6/8/2006 12:53:40 PM S 168 C:\WINDOWS\CSC\00000003 6/7/2006 4:32:32 PM S 84896 C:\WINDOWS\CSC\csc1.tmp 6/8/2006 9:43:40 AM S 1984 C:\WINDOWS\CSC\d1\00000028 6/8/2006 1:49:26 PM S 448 C:\WINDOWS\CSC\d1\00000038 6/8/2006 3:58:34 PM S 240448 C:\WINDOWS\CSC\d1\000000A8 4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d1\000009B0 6/8/2006 1:49:26 PM S 4800 C:\WINDOWS\CSC\d1\000009B8 4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d1\000009C0 4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d1\000009C8 4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d1\000009D0 6/8/2006 3:58:34 PM S 448 C:\WINDOWS\CSC\d2\00000011 6/8/2006 9:43:40 AM S 6080 C:\WINDOWS\CSC\d2\00000029 4/17/2006 4:28:12 PM S 64 C:\WINDOWS\CSC\d2\00000929 6/8/2006 3:58:34 PM S 192 C:\WINDOWS\CSC\d2\00000939 5/17/2006 7:41:26 AM S 192 C:\WINDOWS\CSC\d2\000009B1 4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d2\000009B9 4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d2\000009C1 4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d2\000009C9 4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d2\000009D1 6/8/2006 1:10:22 PM S 320 C:\WINDOWS\CSC\d2\00000A99 6/8/2006 1:49:26 PM S 192 C:\WINDOWS\CSC\d3\00000012 6/8/2006 1:49:26 PM S 320 C:\WINDOWS\CSC\d3\0000001A 4/11/2006 4:59:18 PM S 320 C:\WINDOWS\CSC\d3\00000032 4/17/2006 6:04:56 PM S 576 C:\WINDOWS\CSC\d3\00000992 4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d3\000009BA 4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d3\000009C2 4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d3\000009CA 6/8/2006 1:49:26 PM S 320 C:\WINDOWS\CSC\d3\000009F2 6/8/2006 9:43:40 AM S 2368 C:\WINDOWS\CSC\d3\00000A02 6/8/2006 1:49:26 PM S 3520 C:\WINDOWS\CSC\d4\00000013 6/8/2006 3:58:34 PM S 8256 C:\WINDOWS\CSC\d4\00000913 6/2/2006 7:46:08 AM S 576 C:\WINDOWS\CSC\d4\0000092B 4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d4\000009BB 4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d4\000009C3 4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d4\000009CB 6/8/2006 12:49:06 PM S 1216 C:\WINDOWS\CSC\d4\000009F3 4/17/2006 7:40:48 PM S 960 C:\WINDOWS\CSC\d4\00000A13 6/8/2006 1:49:26 PM S 192 C:\WINDOWS\CSC\d5\0000002C 6/8/2006 1:49:26 PM S 320 C:\WINDOWS\CSC\d5\0000003C 6/8/2006 1:49:26 PM S 192 C:\WINDOWS\CSC\d5\0000095C 4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d5\000009BC 4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d5\000009C4 4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d5\000009CC 6/8/2006 9:43:40 AM S 1344 C:\WINDOWS\CSC\d5\00000A0C 6/8/2006 1:10:22 PM S 6592 C:\WINDOWS\CSC\d5\00000A6C 6/8/2006 1:01:44 PM S 64 C:\WINDOWS\CSC\d5\00000A94 6/8/2006 1:01:48 PM S 64 C:\WINDOWS\CSC\d5\00000A9C 6/8/2006 1:49:26 PM S 1344 C:\WINDOWS\CSC\d6\00000015 4/11/2006 4:46:54 PM S 832 C:\WINDOWS\CSC\d6\00000035 6/8/2006 1:47:44 PM S 320 C:\WINDOWS\CSC\d6\0000003D 6/8/2006 1:49:26 PM S 192 C:\WINDOWS\CSC\d6\0000095D 4/17/2006 6:04:56 PM S 576 C:\WINDOWS\CSC\d6\00000985 4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d6\000009BD 4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d6\000009C5 4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d6\000009CD 6/8/2006 1:01:44 PM S 64 C:\WINDOWS\CSC\d6\00000A95 6/8/2006 1:01:48 PM S 64 C:\WINDOWS\CSC\d6\00000A9D 6/8/2006 1:49:26 PM S 960 C:\WINDOWS\CSC\d7\0000002E 4/17/2006 6:04:50 PM S 64 C:\WINDOWS\CSC\d7\0000095E 4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d7\000009AE 4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d7\000009BE 4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d7\000009C6 4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d7\000009CE 6/8/2006 9:43:40 AM S 704 C:\WINDOWS\CSC\d7\000009FE 6/8/2006 1:46:08 PM S 448 C:\WINDOWS\CSC\d7\00000A96 6/8/2006 3:58:34 PM S 1344 C:\WINDOWS\CSC\d8\00000017 4/11/2006 4:46:54 PM S 5440 C:\WINDOWS\CSC\d8\0000002F 6/8/2006 1:49:26 PM S 320 C:\WINDOWS\CSC\d8\00000037 6/8/2006 1:49:26 PM S 4416 C:\WINDOWS\CSC\d8\00000927 4/17/2006 6:04:56 PM S 320 C:\WINDOWS\CSC\d8\0000098F 6/8/2006 3:58:34 PM S 4288 C:\WINDOWS\CSC\d8\000009AF 4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d8\000009BF 4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d8\000009C7 4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d8\000009CF 6/8/2006 4:19:42 PM H 8192 C:\WINDOWS\system32\config\default.LOG 6/8/2006 4:20:16 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG 6/8/2006 4:19:50 PM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG 6/8/2006 4:20:28 PM H 86016 C:\WINDOWS\system32\config\software.LOG 6/8/2006 4:19:54 PM H 1003520 C:\WINDOWS\system32\config\system.LOG 6/8/2006 9:06:26 AM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG 4/17/2006 10:51:32 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\2ad220af-60d4-4989-a6fa-75b5351cd2de 4/17/2006 10:51:32 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred 6/8/2006 3:58:40 PM H 6 C:\WINDOWS\Tasks\SA.DAT Checking for CPL files... Microsoft Corporation 8/4/2004 5:00:00 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl Microsoft Corporation 8/4/2004 5:00:00 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl 12/15/2003 12:09:34 PM 24576 C:\WINDOWS\SYSTEM32\BACSCPL.cpl Microsoft Corporation 8/4/2004 5:00:00 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl Microsoft Corporation 8/4/2004 5:00:00 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl Microsoft Corporation 8/4/2004 5:00:00 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl Microsoft Corporation 8/4/2004 5:00:00 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl Intel Corporation 9/20/2005 9:35:12 AM 77824 C:\WINDOWS\SYSTEM32\igfxcpl.cpl Microsoft Corporation 8/4/2004 5:00:00 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl Microsoft Corporation 8/4/2004 5:00:00 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl Microsoft Corporation 8/4/2004 5:00:00 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl Microsoft Corporation 8/4/2004 5:00:00 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl Sun Microsystems, Inc. 11/10/2005 2:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl Microsoft Corporation 8/4/2004 5:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl Microsoft Corporation 8/4/2004 5:00:00 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl Microsoft Corporation 8/4/2004 5:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl Microsoft Corporation 8/4/2004 5:00:00 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl Microsoft Corporation 8/4/2004 5:00:00 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl Microsoft Corporation 8/4/2004 5:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl Microsoft Corporation 8/4/2004 5:00:00 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl Microsoft Corporation 8/4/2004 5:00:00 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl SigmaTel Inc. 7/20/2004 3:14:06 PM 102481 C:\WINDOWS\SYSTEM32\stac97.cpl Microsoft Corporation 8/4/2004 5:00:00 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl Microsoft Corporation 8/4/2004 5:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl Microsoft Corporation 8/4/2004 5:00:00 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl Microsoft Corporation 8/4/2004 5:00:00 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl Intel Corporation 8/20/2004 8:53:06 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0003\DriverFiles\igfxcpl.cpl Intel Corporation 9/20/2005 9:35:12 AM 77824 C:\WINDOWS\SYSTEM32\ReinstallBackups\0009\DriverFiles\igfxcpl.cpl »»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»» Checking files in %ALLUSERSPROFILE%\Startup folder... 8/11/2004 5:15:06 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini 3/10/2006 11:30:48 AM 1908 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk Checking files in %ALLUSERSPROFILE%\Application Data folder... 8/11/2004 5:07:12 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini 5/12/2006 2:35:16 PM 15911 C:\Documents and Settings\All Users\Application Data\hpzinstall.log 11/29/2005 12:15:18 PM 1763 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache Checking files in %USERPROFILE%\Startup folder... 8/11/2004 5:15:06 PM HS 84 C:\Documents and Settings\tech\Start Menu\Programs\Startup\desktop.ini Checking files in %USERPROFILE%\Application Data folder... 8/11/2004 5:07:12 PM HS 62 C:\Documents and Settings\tech\Application Data\desktop.ini »»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»» [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] SV1 = [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers] HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu {BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} Start Menu Pin = %SystemRoot%\system32\SHELL32.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers] HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu {BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers] HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers] HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871} = %SystemRoot%\system32\SHELL32.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\SHELL32.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\SHELL32.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE} = %SystemRoot%\system32\SHELL32.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627} = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} Adobe PDF Reader Link Helper = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376} &Tip of the Day = %SystemRoot%\system32\shdocvw.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions] [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E} Explorer Band = %SystemRoot%\system32\shdocvw.dll [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] SynTPLpr C:\Program Files\Synaptics\SynTP\SynTPLpr.exe SynTPEnh C:\Program Files\Synaptics\SynTP\SynTPEnh.exe UpdateManager "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r Synchronization Manager %SystemRoot%\system32\mobsync.exe /logon ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" vptray C:\PROGRA~1\SYMANT~1\VPTray.exe [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents] IMAIL Installed = 1 MAPI Installed = 1 MSFS Installed = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] DellSupport "C:\Program Files\Dell Support\DSAgnt.exe" /startup ctfmon.exe C:\WINDOWS\system32\ctfmon.exe [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services iPodService 3 ewido security suite guard 2 ewido security suite control 2 WinDefend 2 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IntelWireless key SOFTWARE\Microsoft\Windows\CurrentVersion\Run item ifrmewrk hkey HKLM command C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless inimapping 0 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state system.ini 0 win.ini 0 bootini 0 services 2 startup 2 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer NoWelcomeScreen 1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = {0DF44EAA-FF21-4412-828E-260A8728E7F1} = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system dontdisplaylastusername 0 legalnoticecaption legalnoticetext shutdownwithoutlogon 1 undockwithoutlogon 1 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies] HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer NoDriveTypeAutoRun 145 HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] UserInit = C:\WINDOWS\system32\userinit.exe, Shell = Explorer.exe System = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain = crypt32.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet = cryptnet.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll = cscdll.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui = igfxdev.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IntelWireless = C:\Program Files\Intel\Wireless\Bin\LgNotify.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon = C:\WINDOWS\system32\NavLogon.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp = wlnotify.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule = wlnotify.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy = sclgntfy.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn = WlNotify.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv = wlnotify.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon = wlnotify.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path Debugger = ntsd -d [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] AppInit_DLLs »»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder. Scan completed on 6/8/2006 4:27:13 PM
  5. I guess I will run that winpfind... I was going to post this on a new thread for reference and clarification but since it still applies to an active problem... Referencing the beginning discussion here: User.exe is referenced as a bad thing via And I am still seeing Users32.exe in my System32 directory. \System32 contains: User32.dll User.exe Userenv.dll Userinit.exe Users32.exe The adobepnl.dll has NOT returned. My system currently sees NO visible problems. I will edit to include winpfind results. Maybe it's an invalid question till I see the log but if the system isn't having noticable problems, are those user???.??? files really malware or are they valid system files?
  6. RE AV: yea I had uninstalled it. The system is setup so everything is run from the server, all options are disabled on the client, so "allowing scripts" or letting the scanners do a complete job by disabling the AV alerts didn't appear to be an option either. RE System: Well so far so good. IE opens up as it should. I used HJ to delete the adobepnl file and manually deleted users32.exe. I have since reinstalled AV, scanned, and no problems The machine does not appear to have any further problems. RE smitfraudfix: That was one of the first things I did, don't remember the results. RE winpfind: Do you still want me to do this?
  7. I will follow those instructions shortly. To note: I found c:\Windows\system32\users32.exe Though not on the list I also found, might be legit files or might be infected they caught my eye due to similarities to the listed files on the above link: system32\inetcfg.dll (also other similarly named) system32\w32tm.exe (also other non-.exe files similarly named) system32\win32k.sys system32\win32spl.dll system32\win32em.dll system32\winmsd.exe Silent Runner log "Silent Runners.vbs", revision 45, Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."] "SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."] "UpdateManager" = ""C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r" ["Sonic Solutions"] "Synchronization Manager" = "C:\WINDOWS\system32\mobsync.exe /logon" [MS] "Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS] "MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B}\(Default) = "*b" (unwritable string) -> {HKLM...CLSID} = "adobepnl.ADOBE_PANEL" \InProcServer32\(Default) = "C:\WINDOWS\system32\adobepnl.dll" ["Laguna Media"] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) -> {HKLM...CLSID} = "SSVHelper Class" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension" -> {HKLM...CLSID} = "Display Panning CPL Extension" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."] "{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."] "{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt" -> {HKLM...CLSID} = "RecordNow! SendToExt" \InProcServer32\(Default) = "C:\Program Files\Sonic\RecordNow!\shlext.dll" [null data] "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler" -> {HKLM...CLSID} = "Microsoft Office Outlook" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\MLSHEXT.DLL" [MS] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler" -> {HKLM...CLSID} = "Outlook File Icon Extension" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\OLKFSTUB.DLL" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS] "{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\MNIEZ2\Office\soa800.dll" [MS] "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices" -> {HKLM...CLSID} = "Portable Media Devices" \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu" -> {HKLM...CLSID} = "Portable Media Devices Menu" \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes" -> {HKLM...CLSID} = "iTunes" \InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."] "{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band" -> {HKLM...CLSID} = "Shell Search Band" \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard" -> {HKLM...CLSID} = "CShellExecuteHookImpl Object" \InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"] INFECTION WARNING! "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook" -> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook" \InProcServer32\(Default) = "C:\PROGRA~1\WINDOW~4\MpShHook.dll" [MS] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"] INFECTION WARNING! IntelWireless\DLLName = "C:\Program Files\Intel\Wireless\Bin\LgNotify.dll" ["Intel Corporation"] HKLM\Software\Classes\PROTOCOLS\Filter\ INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}" -> {HKLM...CLSID} = "Ctest Object" \InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}" -> {HKLM...CLSID} = "Ctest Object" \InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Documents and Settings\TonyS\Local Settings\Application Data\Microsoft\Wallpaper1.bmp" Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ "SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS] Startup items in "tonys" & "All Users" startup folders: ------------------------------------------------------- C:\Documents and Settings\TonyS\Start Menu\Programs\Startup "HotSync Manager" -> shortcut to: "C:\Program Files\Palm\HOTSYNC.EXE" ["Palm, Inc."] C:\Documents and Settings\All Users\Start Menu\Programs\Startup "Service Manager" -> shortcut to: "C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe /n" [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars Dormant Explorer Bars in "View, Explorer Bar" menu HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research" Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL" [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ EvtEng, EvtEng, "C:\Program Files\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"] Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS] MSSQLSERVER, MSSQLSERVER, "C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe -sMSSQLSERVER" [MS] RegSrvc, RegSrvc, "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"] Spectrum24 Event Monitor, S24EventMonitor, "C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "] Windows Defender Service, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS] Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS] WLANKEEPER, WLANKEEPER, "C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe" ["Intel® Corporation"] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ HP Standard TCP/IP Port\Driver = "hptcpmon.dll" ["Hewlett Packard"] LIDIL Language Monitor\Driver = "hpzll3xu.dll" ["Hewlett-Packard Company"] Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS] Microsoft Office Live Meeting Document Writer Monitor\Driver = "lmdimon.dll" [MS] Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 43 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 8 seconds. ---------- (total run time: 67 seconds) Thanks CJ
  8. Yesterday one of my users' laptops started getting the signs described in - the professional looking popups and semi-transparent alerts, accompanied by about:blank redirection to www. antispywarebox .com. Google searching "antispywarebox" would redirect the browser to that website. Attempting to use trendmicro's online spyware scan would act normally (click on links, etc) until I click on the actual link to the spyware scan page which would then redirect to "antispywarebox .com". I've followed the instructions on the three or four threads posted so far on the smit or lpo where applicable. I've done some manual removals of assorted keys and files/folders but have not yet run through the suggestions posted by the user "dom" found here: After running through the instructions on first page of the above referenced thread, I restarted and found that first explore.exe started w/ a cpu pegged and memory leak, I then ran spybot again maybe something else (it was late last night) then restarted to find iexplorer.exe having the same mem usage leak problem. Ultimately after a couple restarts and removal of some startup items it stopped being a problem. What was removed was "normal" - ipodservice, itunesservice, among similar plugins. I did remove 3 ig?x?????.exe processes from startup, one of which was igfxpers.exe, don't remember the others. I am still having redirection despite being offline and trying to get a different starting page for IE. Recent scans done today prior to posting: Adaware - uptodate and clean Windows Defender - uptodate and clean (p.s. had to connect to internet...the verification requiring net access is a sucky thing on an infected computer) Spybot - uptodate and one result: CoolWWWSearch.SmartSearch > C:\windows\system32\users32.exe I have already removed this entry multiple times by Spybot, and by hand (directory and registry). I don't want to just create a limited permission placeholder as it won't solve the problem and I haven't been able to identify any other 'tag' for the infection. I was using Symantec AV (enterprise ed) but have since uninstalled in case the process blocker was stopping my scanning tools, it had been throwing up alerts and "process blocked" messages. Will download AVG if necessary or might connect to network (network AV, router/firewalled) when I'm more convinced the main malware is gone. NOTE: PC has not been on the internet or network since AV was removed. I am also running as many of these tools as possible from USB key. Adaware, Ewido, Spybot S&D, etc have been installed to infected computer. I guess the first step is to now post HJ goes... Logfile of HijackThis v1.99.1 Scan saved at 10:07:27 AM, on 6/8/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe C:\Program Files\Palm\HOTSYNC.EXE C:\Program Files\Windows Defender\MsMpEng.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe E:\tools\hj\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: adobepnl.ADOBE_PANEL - {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B} - C:\WINDOWS\system32\adobepnl.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - O16 - DPF: {8D95D14D-4AFB-4885-8BF1-FB09FD72FCD2} (eBLVD ActiveX Control) - O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = AMPACKCORP.local O17 - HKLM\Software\..\Telephony: DomainName = AMPACKCORP.local O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = AMPACKCORP.local O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll O20 - Winlogon Notify: NavLogon - C:\WINDOWS\ O23 - Service: BQT - Sysinternals - - C:\DOCUME~1\tech\LOCALS~1\Temp\BQT.exe O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe Upon review I do see O2 - BHO: adobepnl.ADOBE_PANEL - {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B} - C:\WINDOWS\system32\adobepnl.dll Which is something referenced by user "dom", but I'm leaving it for now incase it's needed as a flag or reference point for a fix. I am willing to go through the steps again, but the steps for BFU and Ediwo in SafeMode were completed yesterday. At no time did IE come up clean. A few times Spybot returned Clean. NOTE: I don't know whether it's a result of no net connection or whether I've removed some bit of software but during most of this process there were no alerts or popups to get my computer scanned. Again, any popups or alerts were the very professional, nearly Microsoft-ian format including use of the Windows Security shield icon and Windows Security Center title. [edit] I scanned early on w/ cwshredder. First it didn't find anything Later it found 1 which was removed (around noon yesterday) - cws.yexe I just scanned after re-reading my post and thinking "duh" - found cws.smartsearch and cws.msconfig My next step would be to let CWShredder and Spybot do their jobs and clean the infection, but since I've posted here I'll wait to see if there's something else I should do first, especially as I've "cleaned" earlier and stuff is still surfacing and it's not acting like the other examples I've seen.