WMD RTC32.DLL Cannot SAFE MODE

[wirosari]

Daer FZWG,

 

Here is Kapersky. Found Nothing ??

Not yet restart the PC. Mode is "Safe mode w/ network" as suggested.

 

Really sorry to wake you up. Try to print your instr first. then red (edited: read) it carefully

Thanks a bunch!!

 

 

ÿþ- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

K A S P E R S K Y O N L I N E S C A N N E R R E P O R T

 

F r i d a y , A p r i l 1 3 , 2 0 0 7 1 : 4 6 : 2 3 P M

 

O p e r a t i n g S y s t e m : M i c r o s o f t W i n d o w s X P P r o f e s s i o n a l , ( B u i l d 2 6 0 0 )

 

K a s p e r s k y O n l i n e S c a n n e r v e r s i o n : 5 . 0 . 8 3 . 0

 

K a s p e r s k y A n t i - V i r u s d a t a b a s e l a s t u p d a t e : 1 3 / 0 4 / 2 0 0 7

 

K a s p e r s k y A n t i - V i r u s d a t a b a s e r e c o r d s : 2 7 9 6 5 1

 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

 

 

S c a n S e t t i n g s :

 

S c a n u s i n g t h e f o l l o w i n g a n t i v i r u s d a t a b a s e : s t a n d a r d

 

S c a n A r c h i v e s : t r u e

 

S c a n M a i l B a s e s : f a l s e

 

 

 

S c a n T a r g e t - M y C o m p u t e r :

 

A : \

 

C : \

 

D : \

 

E : \

 

 

 

S c a n S t a t i s t i c s :

 

T o t a l n u m b e r o f s c a n n e d o b j e c t s : 4 4 6 9 0

 

N u m b e r o f v i r u s e s f o u n d : 0

 

N u m b e r o f i n f e c t e d o b j e c t s : 0 / 0

 

N u m b e r o f s u s p i c i o u s o b j e c t s : 0

 

D u r a t i o n o f t h e s c a n p r o c e s s : 0 0 : 3 5 : 2 7

 

 

 

I n f e c t e d O b j e c t N a m e / V i r u s N a m e / L a s t A c t i o n

 

C : \ A D A W A R E \ S D F i x N e w \ a p p s \ s w r e g . e x e O b j e c t i s l o c k e d s k i p p e d

 

C : \ A D A W A R E \ s t i n g 2 6 0 . e x e O b j e c t i s l o c k e d s k i p p e d

 

C : \ A D A W A R E \ V i r T o o l s \ C o m b o F i x _ J A N G A N P A K A I . e x e O b j e c t i s l o c k e d s k i p p e d

 

C : \ A D A W A R E \ V i r T o o l s \ E r u n t - s e t u p _ B E K A P R E G I S T R I . e x e O b j e c t i s l o c k e d s k i p p e d

 

C : \ A D A W A R E \ V i r T o o l s \ S m i t f r a u d F i x . e x e O b j e c t i s l o c k e d s k i p p e d

 

C : \ D o c u m e n t s a n d S e t t i n g s \ L o c a l S e r v i c e \ L o c a l S e t t i n g s \ A p p l i c a t i o n D a t a \ M i c r o s o f t \ W i n d o w s \ U s r C l . d a t O b j e c t i s l o c k e d s k i p p e d

 

C : \ D o c u m e n t s a n d S e t t i n g s \ L o c a l S e r v i c e \ L o c a l S e t t i n g s \ A p p l i c a t i o n D a t a \ M i c r o s o f t \ W i n d o w s \ U s r C l . d a t . L O G O b j e c t i s l o c k e d s k i p p e d

 

C : \ D o c u m e n t s a n d S e t t i n g s \ L o c a l S e r v i c e \ N T U S E R . D A T O b j e c t i s l o c k e d s k i p p e d

 

C : \ D o c u m e n t s a n d S e t t i n g s \ L o c a l S e r v i c e \ n t u s e r . d a t . L O G O b j e c t i s l o c k e d s k i p p e d

 

C : \ D o c u m e n t s a n d S e t t i n g s \ N e t w o r k S e r v i c e \ L o c a l S e t t i n g s \ A p p l i c a t i o n D a t a \ M i c r o s o f t \ W i n d o w s \ U s r C l . d a t O b j e c t i s l o c k e d s k i p p e d

 

C : \ D o c u m e n t s a n d S e t t i n g s \ N e t w o r k S e r v i c e \ L o c a l S e t t i n g s \ A p p l i c a t i o n D a t a \ M i c r o s o f t \ W i n d o w s \ U s r C l . d a t . L O G O b j e c t i s l o c k e d s k i p p e d

 

C : \ D o c u m e n t s a n d S e t t i n g s \ N e t w o r k S e r v i c e \ N T U S E R . D A T O b j e c t i s l o c k e d s k i p p e d

 

C : \ D o c u m e n t s a n d S e t t i n g s \ N e t w o r k S e r v i c e \ n t u s e r . d a t . L O G O b j e c t i s l o c k e d s k i p p e d

 

C : \ D o c u m e n t s a n d S e t t i n g s \ T r e s n a T a n \ C o o k i e s \ i n d e x . d a t O b j e c t i s l o c k e d s k i p p e d

 

C : \ D o c u m e n t s a n d S e t t i n g s \ T r e s n a T a n \ L o c a l S e t t i n g s \ A p p l i c a t i o n D a t a \ M i c r o s o f t \ W i n d o w s \ U s r C l . d a t O b j e c t i s l o c k e d s k i p p e d

 

C : \ D o c u m e n t s a n d S e t t i n g s \ T r e s n a T a n \ L o c a l S e t t i n g s \ A p p l i c a t i o n D a t a \ M i c r o s o f t \ W i n d o w s \ U s r C l . d a t . L O G O b j e c t i s l o c k e d s k i p p e d

 

C : \ D o c u m e n t s a n d S e t t i n g s \ T r e s n a T a n \ L o c a l S e t t i n g s \ H i s t o r y \ H i s t o r y . I E 5 \ i n d e x . d a t O b j e c t i s l o c k e d s k i p p e d

 

C : \ D o c u m e n t s a n d S e t t i n g s \ T r e s n a T a n \ L o c a l S e t t i n g s \ H i s t o r y \ H i s t o r y . I E 5 \ M S H i s t 0 1 2 0 0 7 0 4 1 3 2 0 0 7 0 4 1 4 \ i n d e x . d a t O b j e c t i s l o c k e d s k i p p e d

 

C : \ D o c u m e n t s a n d S e t t i n g s \ T r e s n a T a n \ L o c a l S e t t i n g s \ T e m p o r a r y I n t e r n e t F i l e s \ C o n t e n t . I E 5 \ i n d e x . d a t O b j e c t i s l o c k e d s k i p p e d

 

C : \ D o c u m e n t s a n d S e t t i n g s \ T r e s n a T a n \ N T U S E R . D A T O b j e c t i s l o c k e d s k i p p e d

 

C : \ D o c u m e n t s a n d S e t t i n g s \ T r e s n a T a n \ N T U S E R . D A T . L O G O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ $ N t U n i n s t a l l K B 8 2 8 0 2 8 $ \ m s a s n 1 . d l l O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ $ N t U n i n s t a l l K B 8 2 8 0 3 5 $ \ m s g s v c . d l l O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ $ N t U n i n s t a l l K B 8 2 8 0 3 5 $ \ w k s s v c . d l l O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ $ N t U n i n s t a l l K B 8 3 3 3 3 0 $ \ B l a s t c l n \ b l a s t c l n . e x e O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ $ N t U n i n s t a l l K B 8 3 5 7 3 2 $ \ b r o w s e r . d l l O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ $ N t U n i n s t a l l K B 8 3 5 7 3 2 $ \ c a l l c o n t . d l l O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ $ N t U n i n s t a l l K B 8 3 5 7 3 2 $ \ c m d e v t g p r o v . d l l O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ $ N t U n i n s t a l l K B 8 3 5 7 3 2 $ \ e v t g p r o v . d l l O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ $ N t U n i n s t a l l K B 8 3 5 7 3 2 $ \ g d i 3 2 . d l l O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ $ N t U n i n s t a l l K B 8 3 5 7 3 2 $ \ h 3 2 3 . t s p O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ $ N t U n i n s t a l l K B 8 3 5 7 3 2 $ \ h 3 2 3 m s p . d l l O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ $ N t U n i n s t a l l K B 8 3 5 7 3 2 $ \ h e l p c t r . e x e O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ $ N t U n i n s t a l l K B 8 3 5 7 3 2 $ \ i p n a t h l p . d l l O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ $ N t U n i n s t a l l K B 8 3 5 7 3 2 $ \ l s a s r v . d l l O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ $ N t U n i n s t a l l K B 8 3 5 7 3 2 $ \ m f 3 2 1 6 . d l l O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ $ N t U n i n s t a l l K B 8 3 5 7 3 2 $ \ m s a s n 1 . d l l O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ $ N t U n i n s t a l l K B 8 3 5 7 3 2 $ \ m s g i n a . d l l O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ $ N t U n i n s t a l l K B 8 3 5 7 3 2 $ \ m s t 1 2 0 . d l l O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ $ N t U n i n s t a l l K B 8 3 5 7 3 2 $ \ n e t a p i 3 2 . d l l O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ $ N t U n i n s t a l l K B 8 3 5 7 3 2 $ \ n m c o m . d l l O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ $ N t U n i n s t a l l K B 8 3 5 7 3 2 $ \ r t c d l l . d l l O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ $ N t U n i n s t a l l K B 8 3 5 7 3 2 $ \ s c h a n n e l . d l l O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ D e b u g \ N e t l o g o n . l o g O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ D e b u g \ P W D . L O G O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ s y s t e m 3 2 \ c o n f i g \ A p p E v e n t . E v t O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ s y s t e m 3 2 \ c o n f i g \ d e f a u l t O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ s y s t e m 3 2 \ c o n f i g \ D E F A U L T . L O G O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ s y s t e m 3 2 \ c o n f i g \ S A M O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ s y s t e m 3 2 \ c o n f i g \ S A M . L O G O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ s y s t e m 3 2 \ c o n f i g \ S e c E v e n t . E v t O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ s y s t e m 3 2 \ c o n f i g \ S E C U R I T Y O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ s y s t e m 3 2 \ c o n f i g \ S E C U R I T Y . L O G O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ s y s t e m 3 2 \ c o n f i g \ s o f t w a r e O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ s y s t e m 3 2 \ c o n f i g \ S O F T W A R E . L O G O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ s y s t e m 3 2 \ c o n f i g \ S y s E v e n t . E v t O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ s y s t e m 3 2 \ c o n f i g \ s y s t e m O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ s y s t e m 3 2 \ c o n f i g \ S Y S T E M . L O G O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ s y s t e m 3 2 \ w b e m \ R e p o s i t o r y \ F S \ I N D E X . B T R O b j e c t i s l o c k e d s k i p p e d

 

C : \ W I N D O W S \ s y s t e m 3 2 \ w b e m \ R e p o s i t o r y \ F S \ O B J E C T S . D A T A O b j e c t i s l o c k e d s k i p p e d

 

 

 

S c a n p r o c e s s c o m p l e t e d .

Edited April 13, 2007 by wirosari

[FZWG]

If you turn off the computer and turn it back on, go to Safe Mode (no networking). It appears that Sality does not like Safe Mode. Maybe that is why it disables the Safe Mode Registry keys. (I'm just guessing! )

 

====

Do the following for now. I do not think we are dealing with a Rootkit, so do not run that type of program as previously instructed.

 

I believe these entries:

C:\Documents and Settings\TresnaTan\Local Settings\Temp\windmelju.exe

are the ones that show under the following Registry key to bypass the Windows Firewall: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

 

Please open Notepad (Start > Run, type in: notepad)

Copy and paste all the information in blue below to it.

 

regedit /e aalst.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"

aalst.txt

 

Go to File (upper menu bar), and select: Save as

In the Save as prompt:

Save in: use drop arrow to select Desktop

File Name: aalst.bat

Save as type: All Files

Exit Notepad

 

Go to the Desktop, and double click aalst.bat

It generates a text file called aalst.txt.

 

Copy the contents of aalst.txt to your reply.

 

====

Since the system.ini file still has the bogus entries, and a 'Disinfection failed' notice appears next to several of the online scanner entries, we can assume Sality prevails.

 

What we eventually need to do is:

 

1. Restart the computer in Safe Mode with Networking, and download Kasperski Anti-Virus 6.0 This is not the online scanner!!

http://www.kaspersky.com/trials?chapter=146481750

Make sure you update the program.

When done, reboot to just Safe Mode (No networking!! We do not want Sality to have a connection available!).

 

2. Edit the system.ini file to get rid of:

[MCIDRV_VER]

DEVICEN1=95215658363

__h=18

__dr=12

[iDslow]

IDVer32666=988281

IDMCI32=23846878ABA233

[iDslow32]

MDCDID32=991140

 

3. Backup the Registry:

Go to Start > Run, and type: Regedit

On the left side, click and highlight My Computer

Go to the File menu (at the top)

Select: Export

Save in: Desktop

File Name: BackUp

Save As Type: leave as Registration Files

Click: Save

Then go to File > Exit

(This saves a backup copy of the Registry.)

 

4. Remove the bogus values under the Registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

The bogus values will show as the following, and there will be several of them:

C:\Documents and Settings\TresnaTan\Local Settings\Temp\windmelju.exe

The win*.exe files may have changed.

 

5. In addition, the bogus files, like the one below, need removal with Killbox, or, Avenger with a ‘Files to Delete’ script.

C:\Documents and Settings\TresnaTan\Local Settings\Temp\windmelju.exe

 

6. Disable your current AntiVirus program since it may not be compatible with

Kaspersky Anti-Virus 6.0.

 

7. In Safe Mode, let Kaspersky perform a full system scan and disinfect every infected exe file it finds!

 

 

====

I get the impression that you are very computer knowledgeable, so, if you think you can do the above, press on. Since we appear to have a significant time difference, based on the times when you post, you can be working while I am sleeping, since that is what I plan to do very shortly (2:00AM here).

 

If you do not want to proceed, sometime in the daylight morning hours I’ll prepare more detailed instructions for you with the information you provide from the aalst batch file.

 

 

One last word.

You are dealing with a bomb of a virus. I am doing this in good faith, but in a worse case scenario, trying to get rid of this infection may result in the loss of significant code in the system. I do not know if this will be the case, but there is risk involved, and it is up to you to decide what to do.

[wirosari]

Dear FZWG,

 

The AALST results looks like this :

(Running in SAFE MODE

restart it to SAFE MODE NETWORK to send this message)

 

 

ÿþW i n d o w s R e g i s t r y E d i t o r V e r s i o n 5 . 0 0

 

 

 

 

[ H K E Y _ L O C A L _ M A C H I N E \ S Y S T E M \ C u r r e n t C o n t r o l S e t \ S e r v i c e s \ S h a r e d A c c e s s \ P a r a m e t e r s \ F i r e w a l l P o l i c y \ S t a n d a r d P r o f i l e \ A u t h o r i z e d A p p l i c a t i o n s \ L i s t ]

 

" % w i n d i r % \ \ s y s t e m 3 2 \ \ s e s s m g r . e x e " = " % w i n d i r % \ \ s y s t e m 3 2 \ \ s e s s m g r . e x e : * : e n a b l e d : @ x p s p 2 r e s . d l l , - 2 2 0 1 9 "

 

" C : \ \ D O C U M E ~ 1 \ \ T R E S N A ~ 1 \ \ L O C A L S ~ 1 \ \ T e m p \ \ w i n c x r h . e x e " = " C : \ \ D O C U M E ~ 1 \ \ T R E S N A ~ 1 \ \ L O C A L S ~ 1 \ \ T e m p \ \ w i n c x r h . e x e : * : E n a b l e d : i p s e c "

 

" C : \ \ D O C U M E ~ 1 \ \ T R E S N A ~ 1 \ \ L O C A L S ~ 1 \ \ T e m p \ \ w i n k c m o l . e x e " = " "

 

" C : \ \ D O C U M E ~ 1 \ \ T R E S N A ~ 1 \ \ L O C A L S ~ 1 \ \ T e m p \ \ w i n f o p v c . e x e " = " C : \ \ D O C U M E ~ 1 \ \ T R E S N A ~ 1 \ \ L O C A L S ~ 1 \ \ T e m p \ \ w i n f o p v c . e x e : * : E n a b l e d : i p s e c "

 

" C : \ \ W I N D O W S \ \ E x p l o r e r . E X E " = " C : \ \ W I N D O W S \ \ E x p l o r e r . E X E : * : E n a b l e d : i p s e c "

 

" C : \ \ D O C U M E ~ 1 \ \ T R E S N A ~ 1 \ \ L O C A L S ~ 1 \ \ T e m p \ \ w i n j f a m v . e x e " = " C : \ \ D O C U M E ~ 1 \ \ T R E S N A ~ 1 \ \ L O C A L S ~ 1 \ \ T e m p \ \ w i n j f a m v . e x e : * : E n a b l e d : i p s e c "

 

" C : \ \ D O C U M E ~ 1 \ \ T R E S N A ~ 1 \ \ L O C A L S ~ 1 \ \ T e m p \ \ w i n s u j e e w . e x e " = " "

 

" C : \ \ D O C U M E ~ 1 \ \ T R E S N A ~ 1 \ \ L O C A L S ~ 1 \ \ T e m p \ \ w i n k c b v y a . e x e " = " C : \ \ D O C U M E ~ 1 \ \ T R E S N A ~ 1 \ \ L O C A L S ~ 1 \ \ T e m p \ \ w i n k c b v y a . e x e : * : E n a b l e d : i p s e c "

 

" C : \ \ D O C U M E ~ 1 \ \ T R E S N A ~ 1 \ \ L O C A L S ~ 1 \ \ T e m p \ \ w i n w d d b . e x e " = " C : \ \ D O C U M E ~ 1 \ \ T R E S N A ~ 1 \ \ L O C A L S ~ 1 \ \ T e m p \ \ w i n w d d b . e x e : * : E n a b l e d : i p s e c "

 

" C : \ \ D O C U M E ~ 1 \ \ T R E S N A ~ 1 \ \ L O C A L S ~ 1 \ \ T e m p \ \ w i n p p m o g d . e x e " = " "

 

" C : \ \ D O C U M E ~ 1 \ \ T R E S N A ~ 1 \ \ L O C A L S ~ 1 \ \ T e m p \ \ w i n b h b v m . e x e " = " C : \ \ D O C U M E ~ 1 \ \ T R E S N A ~ 1 \ \ L O C A L S ~ 1 \ \ T e m p \ \ w i n b h b v m . e x e : * : E n a b l e d : i p s e c "

 

" C : \ \ D O C U M E ~ 1 \ \ T R E S N A ~ 1 \ \ L O C A L S ~ 1 \ \ T e m p \ \ w i n d m e l j u . e x e " = " "

[wirosari]

Dear FZWG,

 

This is the REGISTRY Entries that I deleted MANUALLY :

\LOCAL1~\TEMP\ WIN*.exe

 

Means VALUE 0 and VALUE4 still there.....

Is it right step?

 

 

ÿþK e y N a m e : H K E Y _ L O C A L _ M A C H I N E \ S Y S T E M \ C u r r e n t C o n t r o l S e t \ S e r v i c e s \ S h a r e d A c c e s s \ P a r a m e t e r s \ F i r e w a l l P o l i c y \ S t a n d a r d P r o f i l e \ A u t h o r i z e d A p p l i c a t i o n s \ L i s t

 

C l N a m e : < N O C L >

 

L a s t W r i t e T i m e : 4 / 1 3 / 2 0 0 7 - 8 : 5 2 A M

 

V a l u e 0

 

N a m e : % w i n d i r % \ s y s t e m 3 2 \ s e s s m g r . e x e

 

T y p e : R E G _ S Z

 

D a t a : % w i n d i r % \ s y s t e m 3 2 \ s e s s m g r . e x e : * : e n a b l e d : @ x p s p 2 r e s . d l l , - 2 2 0 1 9

 

 

 

V a l u e 1

 

N a m e : C : \ D O C U M E ~ 1 \ T R E S N A ~ 1 \ L O C A L S ~ 1 \ T e m p \ w i n c x r h . e x e

 

T y p e : R E G _ S Z

 

D a t a : C : \ D O C U M E ~ 1 \ T R E S N A ~ 1 \ L O C A L S ~ 1 \ T e m p \ w i n c x r h . e x e : * : E n a b l e d : i p s e c

 

 

 

V a l u e 2

 

N a m e : C : \ D O C U M E ~ 1 \ T R E S N A ~ 1 \ L O C A L S ~ 1 \ T e m p \ w i n k c m o l . e x e

 

T y p e : R E G _ S Z

 

D a t a :

 

 

 

V a l u e 3

 

N a m e : C : \ D O C U M E ~ 1 \ T R E S N A ~ 1 \ L O C A L S ~ 1 \ T e m p \ w i n f o p v c . e x e

 

T y p e : R E G _ S Z

 

D a t a : C : \ D O C U M E ~ 1 \ T R E S N A ~ 1 \ L O C A L S ~ 1 \ T e m p \ w i n f o p v c . e x e : * : E n a b l e d : i p s e c

 

 

 

V a l u e 4

 

N a m e : C : \ W I N D O W S \ E x p l o r e r . E X E

 

T y p e : R E G _ S Z

 

D a t a : C : \ W I N D O W S \ E x p l o r e r . E X E : * : E n a b l e d : i p s e c

 

 

 

V a l u e 5

 

N a m e : C : \ D O C U M E ~ 1 \ T R E S N A ~ 1 \ L O C A L S ~ 1 \ T e m p \ w i n j f a m v . e x e

 

T y p e : R E G _ S Z

 

D a t a : C : \ D O C U M E ~ 1 \ T R E S N A ~ 1 \ L O C A L S ~ 1 \ T e m p \ w i n j f a m v . e x e : * : E n a b l e d : i p s e c

 

 

 

V a l u e 6

 

N a m e : C : \ D O C U M E ~ 1 \ T R E S N A ~ 1 \ L O C A L S ~ 1 \ T e m p \ w i n s u j e e w . e x e

 

T y p e : R E G _ S Z

 

D a t a :

 

 

 

V a l u e 7

 

N a m e : C : \ D O C U M E ~ 1 \ T R E S N A ~ 1 \ L O C A L S ~ 1 \ T e m p \ w i n k c b v y a . e x e

 

T y p e : R E G _ S Z

 

D a t a : C : \ D O C U M E ~ 1 \ T R E S N A ~ 1 \ L O C A L S ~ 1 \ T e m p \ w i n k c b v y a . e x e : * : E n a b l e d : i p s e c

 

 

 

V a l u e 8

 

N a m e : C : \ D O C U M E ~ 1 \ T R E S N A ~ 1 \ L O C A L S ~ 1 \ T e m p \ w i n w d d b . e x e

 

T y p e : R E G _ S Z

 

D a t a : C : \ D O C U M E ~ 1 \ T R E S N A ~ 1 \ L O C A L S ~ 1 \ T e m p \ w i n w d d b . e x e : * : E n a b l e d : i p s e c

 

 

 

V a l u e 9

 

N a m e : C : \ D O C U M E ~ 1 \ T R E S N A ~ 1 \ L O C A L S ~ 1 \ T e m p \ w i n p p m o g d . e x e

 

T y p e : R E G _ S Z

 

D a t a :

 

 

 

V a l u e 1 0

 

N a m e : C : \ D O C U M E ~ 1 \ T R E S N A ~ 1 \ L O C A L S ~ 1 \ T e m p \ w i n b h b v m . e x e

 

T y p e : R E G _ S Z

 

D a t a : C : \ D O C U M E ~ 1 \ T R E S N A ~ 1 \ L O C A L S ~ 1 \ T e m p \ w i n b h b v m . e x e : * : E n a b l e d : i p s e c

 

 

 

V a l u e 1 1

 

N a m e : C : \ D O C U M E ~ 1 \ T R E S N A ~ 1 \ L O C A L S ~ 1 \ T e m p \ w i n d m e l j u . e x e

 

T y p e : R E G _ S Z

 

D a t a :

Edited April 13, 2007 by wirosari

[wirosari]

Dear FZWG,

Good Morning!

 

Really sorry to wake you up at midnite.

It is not a Rootkit ? But you said Sality prevails. It can control the PC?

 

 

What I did is as follow :

 

1. download KASPERSKY AV 6.0

 

2. Restart In SAFE MODE

 

2. Using START/ RUN/ SYSEDIT to edit the system.ini.

 

I put a REM in front every row of your 9 lines

Is this enough?

 

3. Backup REGISTRY to a file BEKAPREG.REG

 

4. Use REGEDIT then delete manually all WIN*.EXE

(Please see before this post, I save the list)

 

5. Afraid to do the KILLBOX.

Can I delete these file manually?

 

6. Mc Afee Pro has been disabled, when installing KASPERSKY

 

7. Not Yet. Time Limit

 

The worst is this is weekend. So see you in the Monday morning (=Sunday evening)

 

 

Many thanks for BIG help.

Have a nice weekend Fizzwig!

Edited April 13, 2007 by wirosari

[FZWG]

How are things in Jakarta?

 

Monday morning.

If the computer was on during the weekend, the malware may have returned. Even if it was off, do the following:

 

1. Before you start the computer, unplug the cable or telephone line from the back of the computer. You do not want it connected to anything that gives an avenue to the Internet. Sality downloads information from a set of preconfigured URLs, and that is how it plants and executes all those files in:

C:\Documents and Settings\TresnaTan\Local Settings\Temp\win*.exe

 

2. Start in Safe Mode, run the previously updated Kaspersky Anti-Virus 6.0, perform a full system scan, and disinfect every file it finds. If it produces a report, please provide it in your reply.

 

3. Now, restart the computer normally, but do not connect the cable or telephone line!!

 

4. Check system.ini once again to make sure nothing has changed. Provide its contents in you reply.

 

5. Go to the Desktop, and double click aalst.bat to make sure the values you removed from the following Registry key are still gone:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

To make sure, do a manual check also.

 

6. To remove any files (C:\Documents and Settings\TresnaTan\Local Settings\Temp\win*.exe0, you can use the batch file in Post #10 (clean.bat should still be on the Desktop), and then manually check they are gone, or just remove them manually.

 

7. Then, to see if a new Sality random.sys file was created (Earlier in the game it looked like: C:\WINDOWS\System32\drivers\rgoqmn.sys), please do the following:

Go to Start > Run, and copy/paste the following in the Open area:

C:\Windows\System32\drivers

 

Up in the Menu bar, click View > Details

Then in the right hand pane, double click Date Modified to arrange files by date from 2007 and down.

 

Please provide the names of the .sys files created since January 2007. There should only be a few.

 

8. The random.sys also installed a system service with the service name and display name of:

NdisFileServices32

 

Please go to Start > Run, copy/paste the following, one at a time, and click OK after each:

sc stop NdisFileServices32

sc delete NdisFileServices32

 

9. Run HijackThis and Scan.

 

10. Also provide a StartupList as instructed in Post # 12

 

 

Provide the following:

The Kasperski Anti-Virus 6.0 report

The contents of the system.ini file

The contents of the aalst.bat (Registry key)

The names of any .sys files created since January 2007

A new HijackThis log

A new StartupList

 

Do not plug the cable or telephone line back to the computer!!!!

 

Hopefully, you will have access to another computer.

Connect with it, and provide the information requested.

Edited April 15, 2007 by FZWG

[wirosari]

Good evening sir,

 

Hahah. Crowded monday morning here.

Sorry to make you wake again this evening.

Really sorry Sir to rumble your weekend once more.

 

1. Kaspersky IN PROGRESS under SAFE MODE.

 

No other-data can be provided now.

 

Sorry & Thanks

 

[its a flat world no place to hide]

Edited April 16, 2007 by wirosari

[FZWG]

Since you are using names of different regions of Indonesia (Menteng, Wirosari), are you the same person?

 

There is no need to hide. It serves no purpse...

 

 

As far as the information goes, take your time, and post the data as you are able to.

 

I have a Doctor's appointment tomorrow morning, so cannot stay up late this evening.

 

Also, probably will not be able to reply to whatever is posted until sometime in the afternoon.

 

FZ

Edited April 16, 2007 by FZWG

[wirosari]

Thank you Mr. Fizzwig,

 

I just realized, you know this region very well!

 

Because I rely on your expertise.

I really appreciating your help, stealing your precious time.

 

 

Here is the KASPERSKY-AV LOG (Truncated):

 

Scan My Computer

----------------

Scanned: 159167

Detected: 0

Untreated: 0

Start time: 4/16/2007 11:34:17 AM

Duration: 00:46:17

Finish time: 4/16/2007 12:20:34 PM

 

 

Detected

--------

Status Object

------ ------

 

 

Events

------

Time Name Status Reason

---- ---- ------ ------

4/16/2007 11:34:39 AM Running module: smss.exe\smss.exe ok scanned

4/16/2007 11:34:39 AM File: C:\WINDOWS\System32\smss.exe ok scanned

4/16/2007 11:34:39 AM Running module: smss.exe\ntdll.dll ok scanned

4/16/2007 11:34:39 AM File: C:\WINDOWS\System32\ntdll.dll ok scanned

4/16/2007 11:34:39 AM Running module: csrss.exe\csrss.exe ok scanned

4/16/2007 11:34:39 AM File: C:\WINDOWS\system32\csrss.exe ok scanned

4/16/2007 11:34:39 AM Running module: csrss.exe\ntdll.dll ok iChecker

4/16/2007 11:34:40 AM Running module: csrss.exe\CSRSRV.dll ok scanned

4/16/2007 11:34:40 AM File: C:\WINDOWS\system32\CSRSRV.dll ok scanned

4/16/2007 11:34:40 AM Running module: csrss.exe\basesrv.dll ok scanned

4/16/2007 11:34:40 AM File: C:\WINDOWS\system32\basesrv.dll ok scanned

4/16/2007 11:34:40 AM Running module: csrss.exe\winsrv.dll ok scanned

4/16/2007 11:34:40 AM File: C:\WINDOWS\system32\winsrv.dll ok scanned

4/16/2007 11:34:40 AM Running module: csrss.exe\USER32.dll ok scanned

4/16/2007 11:34:41 AM File: C:\WINDOWS\system32\USER32.dll ok scanned

4/16/2007 11:34:41 AM Running module: csrss.exe\KERNEL32.dll ok scanned

4/16/2007 11:34:41 AM File: C:\WINDOWS\system32\KERNEL32.dll ok scanned

4/16/2007 11:34:41 AM Running module: csrss.exe\GDI32.dll ok scanned

4/16/2007 11:34:41 AM File: C:\WINDOWS\system32\GDI32.dll ok scanned

4/16/2007 11:34:41 AM Running module: csrss.exe\ADVAPI32.dll ok scanned

4/16/2007 11:34:42 AM File: C:\WINDOWS\system32\ADVAPI32.dll ok scanned

4/16/2007 11:34:42 AM Running module: csrss.exe\RPCRT4.dll ok scanned

4/16/2007 11:34:42 AM File: C:\WINDOWS\system32\RPCRT4.dll ok scanned

4/16/2007 11:34:42 AM Running module: csrss.exe\sxs.dll ok scanned

4/16/2007 11:34:42 AM File: C:\WINDOWS\System32\sxs.dll ok scanned

4/16/2007 11:34:42 AM Running module: winlogon.exe\winlogon.exe ok scanned

4/16/2007 11:34:43 AM File: C:\WINDOWS\system32\winlogon.exe ok scanned

4/16/2007 11:34:43 AM Running module: winlogon.exe\ntdll.dll ok iChecker

4/16/2007 11:34:43 AM Running module: winlogon.exe\kernel32.dll ok iChecker

4/16/2007 11:34:43 AM File: C:\WINDOWS\system32\kernel32.dll ok iChecker

4/16/2007 11:34:43 AM Running module: winlogon.exe\ADVAPI32.dll ok iChecker

4/16/2007 11:34:43 AM Running module: winlogon.exe\RPCRT4.dll ok iChecker

4/16/2007 11:34:43 AM Running module: winlogon.exe\AUTHZ.dll ok scanned

4/16/2007 11:34:43 AM File: C:\WINDOWS\system32\AUTHZ.dll ok scanned

4/16/2007 11:34:43 AM Running module: winlogon.exe\msvcrt.dll ok scanned

4/16/2007 11:34:43 AM File: C:\WINDOWS\system32\msvcrt.dll ok scanned

4/16/2007 11:34:44 AM Running module: winlogon.exe\CRYPT32.dll ok scanned

4/16/2007 11:34:44 AM File: C:\WINDOWS\system32\CRYPT32.dll ok scanned

4/16/2007 11:34:44 AM Running module: winlogon.exe\USER32.dll ok iChecker

4/16/2007 11:34:44 AM Running module: winlogon.exe\GDI32.dll ok iChecker

4/16/2007 11:34:44 AM Running module: winlogon.exe\MSASN1.dll ok scanned

4/16/2007 11:34:44 AM File: C:\WINDOWS\system32\MSASN1.dll ok scanned

4/16/2007 11:34:44 AM Running module: winlogon.exe\NDdeApi.dll ok scanned

4/16/2007 11:34:44 AM File: C:\WINDOWS\system32\NDdeApi.dll ok scanned

4/16/2007 11:34:44 AM Running module: winlogon.exe\PROFMAP.dll ok scanned

4/16/2007 11:34:44 AM File: C:\WINDOWS\system32\PROFMAP.dll ok scanned

4/16/2007 11:34:45 AM Running module: winlogon.exe\NETAPI32.dll ok scanned

4/16/2007 11:34:45 AM File: C:\WINDOWS\system32\NETAPI32.dll ok scanned

4/16/2007 11:34:45 AM Running module: winlogon.exe\USERENV.dll ok scanned

4/16/2007 11:34:45 AM File: C:\WINDOWS\system32\USERENV.dll ok scanned

4/16/2007 11:34:46 AM Running module: winlogon.exe\PSAPI.DLL ok scanned

4/16/2007 11:34:46 AM File: C:\WINDOWS\system32\PSAPI.DLL ok scanned

4/16/2007 11:34:46 AM Running module: winlogon.exe\REGAPI.dll ok scanned

4/16/2007 11:34:46 AM File: C:\WINDOWS\system32\REGAPI.dll ok scanned

4/16/2007 11:34:46 AM Running module: winlogon.exe\Secur32.dll ok scanned

4/16/2007 11:34:46 AM File: C:\WINDOWS\system32\Secur32.dll ok scanned

4/16/2007 11:34:47 AM Running module: winlogon.exe\SETUPAPI.dll ok scanned

4/16/2007 11:34:48 AM File: C:\WINDOWS\system32\SETUPAPI.dll ok scanned

4/16/2007 11:34:48 AM Running module: winlogon.exe\sfc_os.dll ok scanned

4/16/2007 11:34:48 AM File: C:\WINDOWS\system32\sfc_os.dll ok scanned

4/16/2007 11:34:48 AM Running module: winlogon.exe\WINTRUST.dll ok scanned

4/16/2007 11:34:48 AM File: C:\WINDOWS\system32\WINTRUST.dll ok scanned

4/16/2007 11:34:48 AM Running module: winlogon.exe\ole32.dll ok scanned

4/16/2007 11:34:49 AM File: C:\WINDOWS\system32\ole32.dll ok scanned

4/16/2007 11:34:49 AM Running module: winlogon.exe\IMAGEHLP.dll ok scanned

4/16/2007 11:34:49 AM File: C:\WINDOWS\system32\IMAGEHLP.dll ok scanned

4/16/2007 11:34:49 AM Running module: winlogon.exe\VERSION.dll ok scanned

4/16/2007 11:34:49 AM File: C:\WINDOWS\system32\VERSION.dll ok scanned

4/16/2007 11:34:49 AM Running module: winlogon.exe\WINSTA.dll ok scanned

4/16/2007 11:34:49 AM File: C:\WINDOWS\system32\WINSTA.dll ok scanned

4/16/2007 11:34:49 AM Running module: winlogon.exe\WS2_32.dll ok scanned

4/16/2007 11:34:49 AM File: C:\WINDOWS\system32\WS2_32.dll ok scanned

4/16/2007 11:34:49 AM Running module: winlogon.exe\WS2HELP.dll ok scanned

4/16/2007 11:34:49 AM File: C:\WINDOWS\system32\WS2HELP.dll ok scanned

4/16/2007 11:34:49 AM Running module: winlogon.exe\MSGINA.dll ok scanned

4/16/2007 11:34:50 AM File: C:\WINDOWS\system32\MSGINA.dll ok scanned

4/16/2007 11:34:50 AM Running module: winlogon.exe\SHELL32.dll ok scanned

4/16/2007 11:34:58 AM File: C:\WINDOWS\system32\SHELL32.dll ok scanned

4/16/2007 11:34:58 AM Running module: winlogon.exe\SHLWAPI.dll ok scanned

4/16/2007 11:34:58 AM File: C:\WINDOWS\system32\SHLWAPI.dll ok scanned

4/16/2007 11:34:59 AM Running module: winlogon.exe\COMCTL32.dll ok scanned

4/16/2007 11:34:59 AM File: C:\WINDOWS\system32\COMCTL32.dll ok scanned

4/16/2007 11:34:59 AM Running module: winlogon.exe\ODBC32.dll ok scanned

4/16/2007 11:34:59 AM File: C:\WINDOWS\system32\ODBC32.dll ok iChecker

4/16/2007 11:34:59 AM Running module: winlogon.exe\comdlg32.dll ok scanned

4/16/2007 11:34:59 AM File: C:\WINDOWS\system32\comdlg32.dll ok scanned

4/16/2007 11:34:59 AM Running module: winlogon.exe\comctl32.dll ok scanned

4/16/2007 11:35:00 AM File: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll ok scanned

4/16/2007 11:35:00 AM Running module: winlogon.exe\odbcint.dll ok scanned

4/16/2007 11:35:00 AM File: C:\WINDOWS\system32\odbcint.dll ok iChecker

4/16/2007 11:35:00 AM Running module: winlogon.exe\SHSVCS.dll ok scanned

4/16/2007 11:35:00 AM File: C:\WINDOWS\system32\SHSVCS.dll ok scanned

4/16/2007 11:35:00 AM Running module: winlogon.exe\sfc.dll ok scanned

4/16/2007 11:35:00 AM File: C:\WINDOWS\system32\sfc.dll ok scanned

4/16/2007 11:35:00 AM Running module: winlogon.exe\WINMM.dll ok scanned

4/16/2007 11:35:01 AM File: C:\WINDOWS\system32\WINMM.dll ok scanned

4/16/2007 11:35:01 AM Running module: winlogon.exe\cscdll.dll ok scanned

4/16/2007 11:35:01 AM File: C:\WINDOWS\system32\cscdll.dll ok scanned

4/16/2007 11:35:01 AM Running module: winlogon.exe\klogon.dll ok scanned

4/16/2007 11:35:01 AM File: C:\WINDOWS\System32\klogon.dll ok scanned

4/16/2007 11:35:01 AM Running module: winlogon.exe\rsaenh.dll ok scanned

4/16/2007 11:35:01 AM File: C:\WINDOWS\System32\rsaenh.dll ok scanned

4/16/2007 11:35:01 AM Running module: winlogon.exe\WlNotify.dll ok scanned

4/16/2007 11:35:01 AM File: C:\WINDOWS\system32\WlNotify.dll ok scanned

4/16/2007 11:35:01 AM Running module: winlogon.exe\WinSCard.dll ok scanned

4/16/2007 11:35:02 AM File: C:\WINDOWS\system32\WinSCard.dll ok scanned

4/16/2007 11:35:02 AM Running module: winlogon.exe\WTSAPI32.dll ok scanned

4/16/2007 11:35:02 AM File: C:\WINDOWS\system32\WTSAPI32.dll ok scanned

4/16/2007 11:35:02 AM Running module: winlogon.exe\WINSPOOL.DRV ok scanned

4/16/2007 11:35:02 AM File: C:\WINDOWS\system32\WINSPOOL.DRV ok scanned

4/16/2007 11:35:02 AM Running module: winlogon.exe\MPR.dll ok scanned

4/16/2007 11:35:02 AM File: C:\WINDOWS\system32\MPR.dll ok scanned

4/16/2007 11:35:02 AM Running module: winlogon.exe\UxTheme.dll ok scanned

4/16/2007 11:35:02 AM File: C:\WINDOWS\system32\UxTheme.dll ok scanned

4/16/2007 11:35:02 AM Running module: winlogon.exe\SAMLIB.dll ok scanned

4/16/2007 11:35:02 AM File: C:\WINDOWS\system32\SAMLIB.dll ok scanned

4/16/2007 11:35:02 AM Running module: winlogon.exe\cscui.dll ok scanned

4/16/2007 11:35:03 AM File: C:\WINDOWS\system32\cscui.dll ok scanned

4/16/2007 11:35:03 AM Running module: winlogon.exe\NTMARTA.DLL ok scanned

4/16/2007 11:35:03 AM File: C:\WINDOWS\system32\NTMARTA.DLL ok scanned

4/16/2007 11:35:03 AM Running module: winlogon.exe\WLDAP32.dll ok scanned

4/16/2007 11:35:03 AM File: C:\WINDOWS\system32\WLDAP32.dll ok scanned

4/16/2007 11:35:03 AM Running module: winlogon.exe\COMRes.dll ok scanned

4/16/2007 11:35:04 AM File: C:\WINDOWS\system32\COMRes.dll ok scanned

4/16/2007 11:35:04 AM Running module: winlogon.exe\OLEAUT32.dll ok scanned

4/16/2007 11:35:04 AM File: C:\WINDOWS\system32\OLEAUT32.dll ok iChecker

4/16/2007 11:35:04 AM Running module: winlogon.exe\CLBCATQ.DLL ok scanned

4/16/2007 11:35:05 AM File: C:\WINDOWS\system32\CLBCATQ.DLL ok scanned

4/16/2007 11:35:05 AM Running module: services.exe\services.exe ok scanned

4/16/2007 11:35:05 AM File: C:\WINDOWS\system32\services.exe ok scanned

4/16/2007 11:35:05 AM Running module: services.exe\ntdll.dll ok iChecker

4/16/2007 11:35:05 AM Running module: services.exe\kernel32.dll ok iChecker

4/16/2007 11:35:05 AM Running module: services.exe\msvcrt.dll ok iChecker

4/16/2007 11:35:05 AM Running module: services.exe\ADVAPI32.dll ok iChecker

4/16/2007 11:35:05 AM Running module: services.exe\RPCRT4.dll ok iChecker

4/16/2007 11:35:05 AM Running module: services.exe\USER32.dll ok iChecker

4/16/2007 11:35:05 AM Running module: services.exe\GDI32.dll ok iChecker

4/16/2007 11:35:05 AM Running module: services.exe\USERENV.dll ok iChecker

4/16/2007 11:35:05 AM Running module: services.exe\SCESRV.dll ok scanned

4/16/2007 11:35:05 AM File: C:\WINDOWS\system32\SCESRV.dll ok scanned

4/16/2007 11:35:05 AM Running module: services.exe\AUTHZ.dll ok iChecker

4/16/2007 11:35:05 AM Running module: services.exe\umpnpmgr.dll ok scanned

4/16/2007 11:35:05 AM File: C:\WINDOWS\system32\umpnpmgr.dll ok scanned

4/16/2007 11:35:05 AM Running module: services.exe\WINSTA.dll ok iChecker

4/16/2007 11:35:05 AM Running module: services.exe\NCObjAPI.DLL ok scanned

4/16/2007 11:35:05 AM File: C:\WINDOWS\system32\NCObjAPI.DLL ok scanned

4/16/2007 11:35:05 AM Running module: services.exe\secur32.dll ok iChecker

4/16/2007 11:35:05 AM File: C:\WINDOWS\system32\secur32.dll ok iChecker

4/16/2007 11:35:05 AM Running module: services.exe\eventlog.dll ok scanned

4/16/2007 11:35:05 AM File: C:\WINDOWS\system32\eventlog.dll ok scanned

4/16/2007 11:35:05 AM Running module: services.exe\WS2_32.dll ok iChecker

4/16/2007 11:35:05 AM Running module: services.exe\WS2HELP.dll ok iChecker

4/16/2007 11:35:05 AM Running module: services.exe\PSAPI.DLL ok iChecker

4/16/2007 11:35:05 AM Running module: services.exe\wtsapi32.dll ok iChecker

4/16/2007 11:35:05 AM File: C:\WINDOWS\system32\wtsapi32.dll ok iChecker

4/16/2007 11:35:05 AM Running module: services.exe\netapi32.dll ok iChecker

4/16/2007 11:35:05 AM File: C:\WINDOWS\system32\netapi32.dll ok iChecker

4/16/2007 11:35:06 AM Running module: lsass.exe\lsass.exe ok scanned

4/16/2007 11:35:06 AM File: C:\WINDOWS\system32\lsass.exe ok scanned

4/16/2007 11:35:06 AM Running module: lsass.exe\ntdll.dll ok iChecker

4/16/2007 11:35:06 AM Running module: lsass.exe\kernel32.dll ok iChecker

4/16/2007 11:35:06 AM Running module: lsass.exe\ADVAPI32.dll ok iChecker

4/16/2007 11:35:06 AM Running module: lsass.exe\RPCRT4.dll ok iChecker

4/16/2007 11:35:06 AM Running module: lsass.exe\LSASRV.dll ok scanned

4/16/2007 11:35:06 AM File: C:\WINDOWS\system32\LSASRV.dll ok scanned

4/16/2007 11:35:06 AM Running module: lsass.exe\msvcrt.dll ok iChecker

4/16/2007 11:35:06 AM Running module: lsass.exe\Secur32.dll ok iChecker

4/16/2007 11:35:06 AM Running module: lsass.exe\USER32.dll ok iChecker

4/16/2007 11:35:06 AM Running module: lsass.exe\GDI32.dll ok iChecker

4/16/2007 11:35:06 AM Running module: lsass.exe\SAMSRV.dll ok scanned

4/16/2007 11:35:06 AM File: C:\WINDOWS\system32\SAMSRV.dll ok scanned

4/16/2007 11:35:06 AM Running module: lsass.exe\cryptdll.dll ok scanned

4/16/2007 11:35:06 AM File: C:\WINDOWS\system32\cryptdll.dll ok scanned

4/16/2007 11:35:06 AM Running module: lsass.exe\DNSAPI.dll ok scanned

4/16/2007 11:35:06 AM File: C:\WINDOWS\system32\DNSAPI.dll ok scanned

4/16/2007 11:35:06 AM Running module: lsass.exe\WS2_32.dll ok iChecker

4/16/2007 11:35:06 AM Running module: lsass.exe\WS2HELP.dll ok iChecker

4/16/2007 11:35:06 AM Running module: lsass.exe\MSASN1.dll ok iChecker

4/16/2007 11:35:06 AM Running module: lsass.exe\NETAPI32.dll ok iChecker

4/16/2007 11:35:06 AM Running module: lsass.exe\SAMLIB.dll ok iChecker

4/16/2007 11:35:06 AM Running module: lsass.exe\MPR.dll ok iChecker

4/16/2007 11:35:06 AM Running module: lsass.exe\NTDSAPI.dll ok scanned

4/16/2007 11:35:07 AM File: C:\WINDOWS\system32\NTDSAPI.dll ok scanned

4/16/2007 11:35:07 AM Running module: lsass.exe\WLDAP32.dll ok iChecker

4/16/2007 11:35:07 AM Running module: lsass.exe\msprivs.dll ok scanned

4/16/2007 11:35:07 AM File: C:\WINDOWS\system32\msprivs.dll ok scanned

4/16/2007 11:35:07 AM Running module: lsass.exe\kerberos.dll ok scanned

4/16/2007 11:35:07 AM File: C:\WINDOWS\system32\kerberos.dll ok scanned

4/16/2007 11:35:07 AM Running module: lsass.exe\msv1_0.dll ok scanned

4/16/2007 11:35:07 AM File: C:\WINDOWS\system32\msv1_0.dll ok scanned

4/16/2007 11:35:07 AM Running module: lsass.exe\netlogon.dll ok scanned

4/16/2007 11:35:07 AM File: C:\WINDOWS\system32\netlogon.dll ok scanned

4/16/2007 11:35:08 AM Running module: lsass.exe\w32time.dll ok scanned

4/16/2007 11:35:08 AM File: C:\WINDOWS\system32\w32time.dll ok scanned

4/16/2007 11:35:08 AM Running module: lsass.exe\MSVCP60.dll ok scanned

4/16/2007 11:35:08 AM File: C:\WINDOWS\system32\MSVCP60.dll ok scanned

4/16/2007 11:35:08 AM Running module: lsass.exe\iphlpapi.dll ok scanned

4/16/2007 11:35:09 AM File: C:\WINDOWS\system32\iphlpapi.dll ok scanned

4/16/2007 11:35:09 AM Running module: lsass.exe\netman.dll ok scanned

4/16/2007 11:35:09 AM File: C:\WINDOWS\system32\netman.dll ok scanned

4/16/2007 11:35:09 AM Running module: lsass.exe\MPRAPI.dll ok scanned

4/16/2007 11:35:09 AM File: C:\WINDOWS\system32\MPRAPI.dll ok scanned

4/16/2007 11:35:09 AM Running module: lsass.exe\ACTIVEDS.dll ok scanned

4/16/2007 11:35:09 AM File: C:\WINDOWS\system32\ACTIVEDS.dll ok scanned

4/16/2007 11:35:09 AM Running module: lsass.exe\adsldpc.dll ok scanned

4/16/2007 11:35:09 AM File: C:\WINDOWS\system32\adsldpc.dll ok scanned

4/16/2007 11:35:09 AM Running module: lsass.exe\ATL.DLL ok scanned

4/16/2007 11:35:10 AM File: C:\WINDOWS\system32\ATL.DLL ok scanned

4/16/2007 11:35:10 AM Running module: lsass.exe\ole32.dll ok iChecker

4/16/2007 11:35:10 AM Running module: lsass.exe\OLEAUT32.dll ok iChecker

4/16/2007 11:35:10 AM Running module: lsass.exe\rtutils.dll ok scanned

4/16/2007 11:35:10 AM File: C:\WINDOWS\system32\rtutils.dll ok scanned

4/16/2007 11:35:10 AM Running module: lsass.exe\SETUPAPI.dll ok iChecker

4/16/2007 11:35:10 AM Running module: lsass.exe\RASAPI32.dll ok scanned

4/16/2007 11:35:10 AM File: C:\WINDOWS\system32\RASAPI32.dll ok scanned

4/16/2007 11:35:10 AM Running module: lsass.exe\rasman.dll ok scanned

4/16/2007 11:35:10 AM File: C:\WINDOWS\system32\rasman.dll ok scanned

4/16/2007 11:35:10 AM Running module: lsass.exe\TAPI32.dll ok scanned

4/16/2007 11:35:10 AM File: C:\WINDOWS\system32\TAPI32.dll ok scanned

4/16/2007 11:35:10 AM Running module: lsass.exe\SHLWAPI.dll ok iChecker

4/16/2007 11:35:10 AM Running module: lsass.exe\WINMM.dll ok iChecker

4/16/2007 11:35:10 AM Running module: lsass.exe\SHELL32.dll ok iChecker

4/16/2007 11:35:10 AM Running module: lsass.exe\WZCSvc.DLL ok scanned

4/16/2007 11:35:10 AM File: C:\WINDOWS\system32\WZCSvc.DLL ok scanned

4/16/2007 11:35:10 AM Running module: lsass.exe\WMI.dll ok scanned

4/16/2007 11:35:10 AM File: C:\WINDOWS\system32\WMI.dll ok scanned

4/16/2007 11:35:11 AM Running module: lsass.exe\DHCPCSVC.DLL ok scanned

4/16/2007 11:35:11 AM File: C:\WINDOWS\system32\DHCPCSVC.DLL ok scanned

4/16/2007 11:35:11 AM Running module: lsass.exe\CRYPT32.dll ok iChecker

4/16/2007 11:35:11 AM Running module: lsass.exe\WTSAPI32.dll ok iChecker

4/16/2007 11:35:11 AM Running module: lsass.exe\WINSTA.dll ok iChecker

4/16/2007 11:35:11 AM Running module: lsass.exe\USERENV.dll ok iChecker

4/16/2007 11:35:11 AM Running module: lsass.exe\comctl32.dll ok iChecker

4/16/2007 11:35:11 AM Running module: lsass.exe\comctl32.dll ok iChecker

4/16/2007 11:35:11 AM File: C:\WINDOWS\system32\comctl32.dll ok iChecker

4/16/2007 11:35:11 AM Running module: lsass.exe\schannel.dll ok scanned

4/16/2007 11:35:11 AM File: C:\WINDOWS\system32\schannel.dll ok scanned

4/16/2007 11:35:11 AM Running module: lsass.exe\wdigest.dll ok scanned

4/16/2007 11:35:11 AM File: C:\WINDOWS\system32\wdigest.dll ok scanned

4/16/2007 11:35:11 AM Running module: lsass.exe\rsaenh.dll ok iChecker

4/16/2007 11:35:11 AM Running module: lsass.exe\nwprovau.dll ok scanned

4/16/2007 11:35:11 AM File: C:\WINDOWS\system32\nwprovau.dll ok scanned

4/16/2007 11:35:11 AM Running module: lsass.exe\scecli.dll ok scanned

4/16/2007 11:35:11 AM File: C:\WINDOWS\system32\scecli.dll ok scanned

4/16/2007 11:35:11 AM Running module: svchost.exe\svchost.exe ok scanned

4/16/2007 11:35:11 AM File: C:\WINDOWS\system32\svchost.exe ok scanned

4/16/2007 11:35:11 AM Running module: svchost.exe\ntdll.dll ok iChecker

4/16/2007 11:35:11 AM Running module: svchost.exe\kernel32.dll ok iChecker

4/16/2007 11:35:11 AM Running module: svchost.exe\ADVAPI32.dll ok iChecker

4/16/2007 11:35:11 AM Running module: svchost.exe\RPCRT4.dll ok iChecker

4/16/2007 11:35:11 AM Running module: svchost.exe\rpcss.dll ok scanned

4/16/2007 11:35:12 AM File: c:\windows\system32\rpcss.dll ok scanned

4/16/2007 11:35:12 AM Running module: svchost.exe\msvcrt.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\WS2_32.dll ok iChecker

4/16/2007 11:35:12 AM File: c:\windows\system32\WS2_32.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\WS2HELP.dll ok iChecker

4/16/2007 11:35:12 AM File: c:\windows\system32\WS2HELP.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\USER32.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\GDI32.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\Secur32.dll ok iChecker

4/16/2007 11:35:12 AM File: c:\windows\system32\Secur32.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\userenv.dll ok iChecker

4/16/2007 11:35:12 AM File: C:\WINDOWS\system32\userenv.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\mswsock.dll ok scanned

4/16/2007 11:35:12 AM File: C:\WINDOWS\system32\mswsock.dll ok scanned

4/16/2007 11:35:12 AM Running module: svchost.exe\wshtcpip.dll ok scanned

4/16/2007 11:35:12 AM File: C:\WINDOWS\System32\wshtcpip.dll ok scanned

4/16/2007 11:35:12 AM Running module: svchost.exe\wshisn.dll ok scanned

4/16/2007 11:35:12 AM File: C:\WINDOWS\System32\wshisn.dll ok scanned

4/16/2007 11:35:12 AM Running module: svchost.exe\WSOCK32.dll ok scanned

4/16/2007 11:35:12 AM File: C:\WINDOWS\system32\WSOCK32.dll ok scanned

4/16/2007 11:35:12 AM Running module: svchost.exe\DNSAPI.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\iphlpapi.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\netman.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\MPRAPI.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\ACTIVEDS.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\adsldpc.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\NETAPI32.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\WLDAP32.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\ATL.DLL ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\ole32.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\OLEAUT32.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\rtutils.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\SAMLIB.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\SETUPAPI.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\RASAPI32.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\rasman.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\TAPI32.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\SHLWAPI.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\WINMM.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\SHELL32.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\WZCSvc.DLL ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\WMI.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\DHCPCSVC.DLL ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\CRYPT32.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\MSASN1.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\WTSAPI32.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\WINSTA.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\comctl32.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\comctl32.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\winrnr.dll ok scanned

4/16/2007 11:35:12 AM File: C:\WINDOWS\System32\winrnr.dll ok scanned

4/16/2007 11:35:12 AM Running module: svchost.exe\rasadhlp.dll ok scanned

4/16/2007 11:35:12 AM File: C:\WINDOWS\system32\rasadhlp.dll ok scanned

4/16/2007 11:35:12 AM Running module: svchost.exe\CLBCATQ.DLL ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\COMRes.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\VERSION.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\svchost.exe ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\ntdll.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\kernel32.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\ADVAPI32.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\RPCRT4.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\ole32.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\GDI32.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\USER32.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\cryptsvc.dll ok scanned

4/16/2007 11:35:12 AM File: c:\windows\system32\cryptsvc.dll ok scanned

4/16/2007 11:35:12 AM Running module: svchost.exe\msvcrt.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\WINTRUST.dll ok iChecker

4/16/2007 11:35:12 AM File: c:\windows\system32\WINTRUST.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\CRYPT32.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\MSASN1.dll ok iChecker

4/16/2007 11:35:12 AM Running module: svchost.exe\IMAGEHLP.dll ok iChecker

4/16/2007 11:35:13 AM Running module: svchost.exe\certcli.dll ok scanned

4/16/2007 11:35:13 AM File: c:\windows\system32\certcli.dll ok scanned

4/16/2007 11:35:13 AM Running module: svchost.exe\ATL.DLL ok iChecker

4/16/2007 11:35:13 AM File: c:\windows\system32\ATL.DLL ok iChecker

4/16/2007 11:35:13 AM Running module: svchost.exe\WLDAP32.dll ok iChecker

4/16/2007 11:35:13 AM Running module: svchost.exe\OLEAUT32.dll ok iChecker

4/16/2007 11:35:13 AM Running module: svchost.exe\Secur32.dll ok iChecker

4/16/2007 11:35:13 AM Running module: svchost.exe\NETAPI32.dll ok iChecker

4/16/2007 11:35:13 AM File: c:\windows\system32\NETAPI32.dll ok iChecker

4/16/2007 11:35:13 AM Running module: svchost.exe\CRYPTUI.dll ok scanned

4/16/2007 11:35:13 AM File: c:\windows\system32\CRYPTUI.dll ok scanned

4/16/2007 11:35:14 AM Running module: svchost.exe\WININET.dll ok scanned

4/16/2007 11:35:14 AM File: C:\WINDOWS\system32\WININET.dll ok scanned

4/16/2007 11:35:14 AM Running module: svchost.exe\SHLWAPI.dll ok iChecker

4/16/2007 11:35:15 AM Running module: svchost.exe\ESENT.dll ok scanned

4/16/2007 11:35:15 AM File: c:\windows\system32\ESENT.dll ok scanned

4/16/2007 11:35:15 AM Running module: svchost.exe\comctl32.dll ok iChecker

4/16/2007 11:35:15 AM Running module: svchost.exe\wmisvc.dll ok scanned

4/16/2007 11:35:15 AM File: c:\windows\system32\wbem\wmisvc.dll ok scanned

4/16/2007 11:35:15 AM Running module: svchost.exe\wbemcomn.dll ok scanned

4/16/2007 11:35:16 AM File: c:\windows\system32\wbem\wbemcomn.dll ok scanned

4/16/2007 11:35:16 AM Running module: svchost.exe\VSSAPI.DLL ok scanned

4/16/2007 11:35:17 AM File: C:\WINDOWS\system32\VSSAPI.DLL ok scanned

4/16/2007 11:35:17 AM Running module: svchost.exe\srsvc.dll ok scanned

4/16/2007 11:35:17 AM File: c:\windows\system32\srsvc.dll ok scanned

4/16/2007 11:35:17 AM Running module: svchost.exe\SHELL32.dll ok iChecker

4/16/2007 11:35:17 AM Running module: svchost.exe\comctl32.dll ok iChecker

4/16/2007 11:35:17 AM Running module: svchost.exe\pchsvc.dll ok scanned

4/16/2007 11:35:17 AM File: c:\windows\pchealth\helpctr\binaries\pchsvc.dll ok scanned

4/16/2007 11:35:17 AM Running module: svchost.exe\WINSTA.dll ok iChecker

4/16/2007 11:35:17 AM Running module: svchost.exe\NTMARTA.DLL ok iChecker

4/16/2007 11:35:17 AM Running module: svchost.exe\dmserver.dll ok scanned

4/16/2007 11:35:17 AM File: c:\windows\system32\dmserver.dll ok scanned

4/16/2007 11:35:17 AM Running module: svchost.exe\SETUPAPI.dll ok iChecker

4/16/2007 11:35:17 AM File: c:\windows\system32\SETUPAPI.dll ok iChecker

4/16/2007 11:35:17 AM Running module: svchost.exe\CLBCATQ.DLL ok iChecker

4/16/2007 11:35:17 AM Running module: svchost.exe\COMRes.dll ok iChecker

4/16/2007 11:35:17 AM Running module: svchost.exe\VERSION.dll ok iChecker

4/16/2007 11:35:17 AM Running module: svchost.exe\es.dll ok scanned

4/16/2007 11:35:17 AM File: C:\WINDOWS\System32\es.dll ok scanned

4/16/2007 11:35:17 AM Running module: svchost.exe\WS2_32.dll ok iChecker

4/16/2007 11:35:17 AM File: C:\WINDOWS\System32\WS2_32.dll ok iChecker

4/16/2007 11:35:17 AM Running module: svchost.exe\WS2HELP.dll ok iChecker

4/16/2007 11:35:17 AM File: C:\WINDOWS\System32\WS2HELP.dll ok iChecker

4/16/2007 11:35:17 AM Running module: svchost.exe\wtsapi32.dll ok iChecker

4/16/2007 11:35:17 AM Running module: svchost.exe\wbemcore.dll ok scanned

4/16/2007 11:35:18 AM File: C:\WINDOWS\System32\wbem\wbemcore.dll ok scanned

4/16/2007 11:35:18 AM Running module: svchost.exe\esscli.dll ok scanned

4/16/2007 11:35:18 AM File: C:\WINDOWS\System32\wbem\esscli.dll ok scanned

4/16/2007 11:35:18 AM Running module: svchost.exe\FastProx.dll ok scanned

4/16/2007 11:35:18 AM File: C:\WINDOWS\System32\wbem\FastProx.dll ok scanned

4/16/2007 11:35:18 AM Running module: svchost.exe\wmiutils.dll ok scanned

4/16/2007 11:35:18 AM File: C:\WINDOWS\System32\wbem\wmiutils.dll ok scanned

4/16/2007 11:35:18 AM Running module: svchost.exe\repdrvfs.dll ok scanned

4/16/2007 11:35:19 AM File: C:\WINDOWS\System32\wbem\repdrvfs.dll ok scanned

4/16/2007 11:35:19 AM Running module: svchost.exe\wmiprvsd.dll ok scanned

4/16/2007 11:35:19 AM File: C:\WINDOWS\System32\wbem\wmiprvsd.dll ok scanned

4/16/2007 11:35:19 AM Running module: svchost.exe\NCObjAPI.DLL ok iChecker

4/16/2007 11:35:19 AM Running module: svchost.exe\wbemess.dll ok scanned

4/16/2007 11:35:19 AM File: C:\WINDOWS\System32\wbem\wbemess.dll ok scanned

4/16/2007 11:35:19 AM Running module: svchost.exe\ncprov.dll ok scanned

4/16/2007 11:35:19 AM File: C:\WINDOWS\System32\wbem\ncprov.dll ok scanned

4/16/2007 11:35:19 AM Running module: svchost.exe\wbemsvc.dll ok scanned

4/16/2007 11:35:19 AM File: C:\WINDOWS\System32\wbem\wbemsvc.dll ok scanned

4/16/2007 11:35:19 AM Running module: explorer.exe\Explorer.EXE ok scanned

4/16/2007 11:35:20 AM File: C:\WINDOWS\Explorer.EXE ok scanned

4/16/2007 11:35:20 AM Running module: explorer.exe\ntdll.dll ok iChecker

4/16/2007 11:35:20 AM Running module: explorer.exe\kernel32.dll ok iChecker

4/16/2007 11:35:20 AM Running module: explorer.exe\msvcrt.dll ok iChecker

4/16/2007 11:35:20 AM Running module: explorer.exe\ADVAPI32.dll ok iChecker

4/16/2007 11:35:20 AM Running module: explorer.exe\RPCRT4.dll ok iChecker

4/16/2007 11:35:20 AM Running module: explorer.exe\GDI32.dll ok iChecker

4/16/2007 11:35:20 AM Running module: explorer.exe\USER32.dll ok iChecker

4/16/2007 11:35:20 AM Running module: explorer.exe\SHLWAPI.dll ok iChecker

4/16/2007 11:35:20 AM Running module: explorer.exe\SHELL32.dll ok iChecker

4/16/2007 11:35:20 AM Running module: explorer.exe\ole32.dll ok iChecker

4/16/2007 11:35:20 AM Running module: explorer.exe\OLEAUT32.dll ok iChecker

4/16/2007 11:35:20 AM Running module: explorer.exe\BROWSEUI.dll ok scanned

4/16/2007 11:35:20 AM File: C:\WINDOWS\System32\BROWSEUI.dll ok scanned

4/16/2007 11:35:20 AM Running module: explorer.exe\SHDOCVW.dll ok scanned

4/16/2007 11:35:21 AM File: C:\WINDOWS\System32\SHDOCVW.dll ok scanned

4/16/2007 11:35:21 AM Running module: explorer.exe\UxTheme.dll ok iChecker

4/16/2007 11:35:21 AM File: C:\WINDOWS\System32\UxTheme.dll ok iChecker

4/16/2007 11:35:21 AM Running module: explorer.exe\comctl32.dll ok iChecker

4/16/2007 11:35:21 AM Running module: explorer.exe\comctl32.dll ok iChecker

4/16/2007 11:35:21 AM Running module: explorer.exe\appHelp.dll ok scanned

4/16/2007 11:35:21 AM File: C:\WINDOWS\system32\appHelp.dll ok scanned

4/16/2007 11:35:21 AM Running module: explorer.exe\CLBCATQ.DLL ok iChecker

4/16/2007 11:35:21 AM File: C:\WINDOWS\System32\CLBCATQ.DLL ok iChecker

4/16/2007 11:35:21 AM Running module: explorer.exe\COMRes.dll ok iChecker

4/16/2007 11:35:21 AM File: C:\WINDOWS\System32\COMRes.dll ok iChecker

4/16/2007 11:35:21 AM Running module: explorer.exe\VERSION.dll ok iChecker

4/16/2007 11:35:21 AM Running module: explorer.exe\cscui.dll ok iChecker

4/16/2007 11:35:21 AM File: C:\WINDOWS\System32\cscui.dll ok iChecker

4/16/2007 11:35:21 AM Running module: explorer.exe\CSCDLL.dll ok iChecker

4/16/2007 11:35:21 AM File: C:\WINDOWS\System32\CSCDLL.dll ok iChecker

4/16/2007 11:35:21 AM Running module: explorer.exe\themeui.dll ok scanned

4/16/2007 11:35:21 AM File: C:\WINDOWS\System32\themeui.dll ok scanned

4/16/2007 11:35:21 AM Running module: explorer.exe\Secur32.dll ok iChecker

4/16/2007 11:35:21 AM File: C:\WINDOWS\System32\Secur32.dll ok iChecker

4/16/2007 11:35:21 AM Running module: explorer.exe\MSIMG32.dll ok scanned

4/16/2007 11:35:21 AM File: C:\WINDOWS\System32\MSIMG32.dll ok scanned

4/16/2007 11:35:21 AM Running module: explorer.exe\USERENV.dll ok iChecker

4/16/2007 11:35:22 AM Running module: explorer.exe\LINKINFO.dll ok scanned

4/16/2007 11:35:22 AM File: C:\WINDOWS\System32\LINKINFO.dll ok scanned

4/16/2007 11:35:22 AM Running module: explorer.exe\ntshrui.dll ok scanned

4/16/2007 11:35:22 AM File: C:\WINDOWS\System32\ntshrui.dll ok scanned

4/16/2007 11:35:22 AM Running module: explorer.exe\ATL.DLL ok iChecker

4/16/2007 11:35:22 AM File: C:\WINDOWS\System32\ATL.DLL ok iChecker

4/16/2007 11:35:22 AM Running module: explorer.exe\NETAPI32.dll ok iChecker

4/16/2007 11:35:22 AM File: C:\WINDOWS\System32\NETAPI32.dll ok iChecker

4/16/2007 11:35:22 AM Running module: explorer.exe\shimgvw.dll ok scanned

4/16/2007 11:35:22 AM File: C:\WINDOWS\System32\shimgvw.dll ok scanned

4/16/2007 11:35:23 AM Running module: explorer.exe\gdiplus.dll ok scanned

4/16/2007 11:35:23 AM File: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\gdiplus.dll ok scanned

4/16/2007 11:35:23 AM Running module: explorer.exe\SETUPAPI.dll ok iChecker

4/16/2007 11:35:23 AM File: C:\WINDOWS\System32\SETUPAPI.dll ok iChecker

4/16/2007 11:35:24 AM Running module: explorer.exe\NETSHELL.dll ok scanned

4/16/2007 11:35:25 AM File: C:\WINDOWS\system32\NETSHELL.dll ok scanned

4/16/2007 11:35:25 AM Running module: explorer.exe\credui.dll ok scanned

4/16/2007 11:35:25 AM File: C:\WINDOWS\system32\credui.dll ok scanned

4/16/2007 11:35:25 AM Running module: explorer.exe\WS2_32.dll ok iChecker

4/16/2007 11:35:25 AM Running module: explorer.exe\WS2HELP.dll ok iChecker

4/16/2007 11:35:25 AM Running module: explorer.exe\iphlpapi.dll ok iChecker

4/16/2007 11:35:25 AM Running module: explorer.exe\netman.dll ok iChecker

4/16/2007 11:35:25 AM Running module: explorer.exe\MPRAPI.dll ok iChecker

4/16/2007 11:35:25 AM Running module: explorer.exe\ACTIVEDS.dll ok iChecker

4/16/2007 11:35:25 AM Running module: explorer.exe\adsldpc.dll ok iChecker

4/16/2007 11:35:25 AM Running module: explorer.exe\WLDAP32.dll ok iChecker

4/16/2007 11:35:25 AM Running module: explorer.exe\rtutils.dll ok iChecker

4/16/2007 11:35:25 AM Running module: explorer.exe\SAMLIB.dll ok iChecker

4/16/2007 11:35:25 AM Running module: explorer.exe\RASAPI32.dll ok iChecker

4/16/2007 11:35:25 AM Running module: explorer.exe\rasman.dll ok iChecker

4/16/2007 11:35:25 AM Running module: explorer.exe\TAPI32.dll ok iChecker

4/16/2007 11:35:25 AM Running module: explorer.exe\WINMM.dll ok iChecker

4/16/2007 11:35:25 AM Running module: explorer.exe\WZCSvc.DLL ok iChecker

4/16/2007 11:35:25 AM Running module: explorer.exe\WMI.dll ok iChecker

4/16/2007 11:35:25 AM Running module: explorer.exe\DHCPCSVC.DLL ok iChecker

4/16/2007 11:35:25 AM Running module: explorer.exe\DNSAPI.dll ok iChecker

4/16/2007 11:35:25 AM Running module: explorer.exe\CRYPT32.dll ok iChecker

4/16/2007 11:35:25 AM Running module: explorer.exe\MSASN1.dll ok iChecker

4/16/2007 11:35:25 AM Running module: explorer.exe\WTSAPI32.dll ok iChecker

4/16/2007 11:35:25 AM Running module: explorer.exe\WINSTA.dll ok iChecker

4/16/2007 11:35:25 AM Running module: explorer.exe\msi.dll ok scanned

4/16/2007 11:35:26 AM File: C:\WINDOWS\System32\msi.dll ok scanned

4/16/2007 11:35:26 AM Running module: explorer.exe\nwprovau.dll ok iChecker

4/16/2007 11:35:26 AM File: C:\WINDOWS\System32\nwprovau.dll ok iChecker

4/16/2007 11:35:26 AM Running module: explorer.exe\MPR.dll ok iChecker

4/16/2007 11:35:26 AM Running module: explorer.exe\ShellEx.dll ok scanned

4/16/2007 11:35:26 AM File: C:\ADAWARE\Kaspersky Lab\Kaspersky Anti-Virus 6.0\ShellEx.dll ok scanned

4/16/2007 11:35:26 AM Running module: explorer.exe\MSVCR80.dll ok scanned

4/16/2007 11:35:26 AM File: C:\ADAWARE\Kaspersky Lab\Kaspersky Anti-Virus 6.0\MSVCR80.dll ok scanned

4/16/2007 11:35:26 AM Running module: explorer.exe\MSVCP80.dll ok scanned

4/16/2007 11:35:27 AM File: C:\ADAWARE\Kaspersky Lab\Kaspersky Anti-Virus 6.0\MSVCP80.dll ok scanned

4/16/2007 11:35:27 AM Running module: explorer.exe\wzshlext.dll ok scanned

4/16/2007 11:35:27 AM File: C:\PROGRA~1\WinZip\wzshlext.dll ok scanned

4/16/2007 11:35:27 AM Running module: explorer.exe\CRTDLL.dll ok scanned

4/16/2007 11:35:27 AM File: C:\WINDOWS\System32\CRTDLL.dll ok scanned

4/16/2007 11:35:27 AM Running module: explorer.exe\WZCAB2.DLL ok scanned

4/16/2007 11:35:27 AM File: C:\PROGRA~1\WINZIP\WZCAB2.DLL ok scanned

4/16/2007 11:35:27 AM Running module: explorer.exe\browselc.dll ok scanned

4/16/2007 11:35:27 AM File: C:\WINDOWS\System32\browselc.dll archive Embedded HTML

 

 

 

Statistics

----------

Object Scanned Detected Untreated Deleted Moved to Quarantine Archives Packed files Password protected Corrupted

------ ------- -------- --------- ------- ------------------- -------- ------------ ------------------ ---------

 

 

Settings

--------

Parameter Value

--------- -----

Security Level Recommended

Action Prompt for action when the scan is complete

Run mode Manually

File types Scan all files

Scan only new and changed files No

Scan archives All

Scan embedded OLE objects All

Skip if object is larger than No

Skip if scan takes longer than No

Parse email formats No

Scan password-protected archives No

Enable iChecker technology Yes

Enable iSwift technology Yes

Show detected threats on "Detected" tab Yes

Edited April 16, 2007 by wirosari

[wirosari]

Good Morning,

Hope you wake up in a fresh condition

 

Here is the SYSTEM.INI:

; for 16-bit app support

[drivers]

wave=mmdrv.dll

timer=timer.drv

[mci]

[driver32]

[386enh]

woafont=dosapp.FON

EGA80WOA.FON=EGA80WOA.FON

EGA40WOA.FON=EGA40WOA.FON

CGA80WOA.FON=CGA80WOA.FON

CGA40WOA.FON=CGA40WOA.FON

FileSysChange=off

rem [MCIDRV_VER]

rem DEVICEN1=95215658363

rem __h=18

rem __dr=12

rem [iDslow]

rem IDVer32666=988281

rem IDMCI32=23846878ABA233

rem [iDslow32]

rem MDCDID32=991140

 

And this is the result of AALST.BAT :

(Curious bout this Abbreviation... )

 

ÿþW i n d o w s R e g i s t r y E d i t o r V e r s i o n 5 . 0 0

 

 

 

[ H K E Y _ L O C A L _ M A C H I N E \ S Y S T E M \ C u r r e n t C o n t r o l S e t \ S e r v i c e s \ S h a r e d A c c e s s \ P a r a m e t e r s \ F i r e w a l l P o l i c y \ S t a n d a r d P r o f i l e \ A u t h o r i z e d A p p l i c a t i o n s \ L i s t ]

 

" % w i n d i r % \ \ s y s t e m 3 2 \ \ s e s s m g r . e x e " = " % w i n d i r % \ \ s y s t e m 3 2 \ \ s e s s m g r . e x e : * : e n a b l e d : @ x p s p 2 r e s . d l l , - 2 2 0 1 9 "

 

" C : \ \ W I N D O W S \ \ E x p l o r e r . E X E " = " C : \ \ W I N D O W S \ \ E x p l o r e r . E X E : * : E n a b l e d : i p s e c "

 

The REGEDIT check is like this :

 

ÿþK e y N a m e : H K E Y _ L O C A L _ M A C H I N E \ S Y S T E M \ C u r r e n t C o n t r o l S e t \ S e r v i c e s \ S h a r e d A c c e s s \ P a r a m e t e r s \ F i r e w a l l P o l i c y \ S t a n d a r d P r o f i l e \ A u t h o r i z e d A p p l i c a t i o n s \ L i s t

 

C l N a m e : < N O C L >

L a s t W r i t e T i m e : 4 / 1 3 / 2 0 0 7 - 6 : 2 5 P M

 

V a l u e 0

 

N a m e : % w i n d i r % \ s y s t e m 3 2 \ s e s s m g r . e x e

T y p e : R E G _ S Z

D a t a : % w i n d i r % \ s y s t e m 3 2 \ s e s s m g r . e x e : * : e n a b l e d : @ x p s p 2 r e s . d l l , - 2 2 0 1 9

 

V a l u e 1

 

N a m e : C : \ W I N D O W S \ E x p l o r e r . E X E

T y p e : R E G _ S Z

D a t a : C : \ W I N D O W S \ E x p l o r e r . E X E : * : E n a b l e d : i p s e c

 

File Removal WIN*.EXE

With manual delete 16 Files is so easy, no resistance

What makes the Trigger / Controller of this virus disabled Sir?

Edited April 16, 2007 by wirosari

[wirosari]

Content of c:\WIN\SYS32\DRIVERS :

Upper is Newest, None Deleted

 

FIDBOX.dat 4/16/2007

FIDBOX.idx

FIDBOX2.idx

FIDBOX2.dat

KLIN.dat

KLICK.dat

SBAPIFS.sys

KLOP.dat

KL1.sys

KLIF.sys 1/27/2007

 

NDIS File Service DELETED

 

And, HIJACKTHIS 99 now like this :

 

Logfile of HijackThis v1.99.1

Scan saved at 5:57:58 PM, on 4/16/2007

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\ADAWARE\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\ADAWARE\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN

C:\WINDOWS\System32\dllhost.exe

C:\WINDOWS\System32\inetsrv\DavCData.exe

C:\ADAWARE\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O4 - HKLM\..\Run: [sBRegRebootCleaner] C:\ADAWARE\CounterSpy\SBRC.exe

O4 - HKLM\..\Run: [AVP] "C:\ADAWARE\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"

O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\ADAWARE\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx

O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx

O17 - HKLM\System\CCS\Services\Tcpip\..\{E50FF651-161B-40E5-A27A-BEE26DCA64DA}: NameServer = 10.1.1.11,10.1.1.12

O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\ADAWARE\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

[wirosari]

The HJT STARTUPLIST Log is like this :

 

StartupList report, 4/16/2007, 6:23:56 PM

StartupList version: 1.52.2

Started from : C:\ADAWARE\HijackThis.EXE

Detected: Windows XP (WinNT 5.01.2600)

Detected: Internet Explorer v6.00 (6.00.2600.0000)

* Using default options

* Including empty and uninteresting sections

* Showing rarely important sections

==================================================

 

Running processes:

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\ADAWARE\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\ADAWARE\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN

C:\WINDOWS\System32\dllhost.exe

C:\WINDOWS\System32\inetsrv\DavCData.exe

C:\ADAWARE\HijackThis.exe

 

--------------------------------------------------

 

Listing of startup folders:

 

Shell folders Startup:

[C:\Documents and Settings\TresnaTan\Start Menu\Programs\Startup]

OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe

 

Shell folders AltStartup:

*Folder not found*

 

User shell folders Startup:

*Folder not found*

 

User shell folders AltStartup:

*Folder not found*

 

Shell folders Common Startup:

[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

 

Shell folders Common AltStartup:

*Folder not found*

 

User shell folders Common Startup:

*Folder not found*

 

User shell folders Alternate Common Startup:

*Folder not found*

 

--------------------------------------------------

 

Checking Windows NT UserInit:

 

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINDOWS\system32\userinit.exe,

 

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]

*Registry key not found*

 

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

*Registry value not found*

 

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

SBRegRebootCleaner = C:\ADAWARE\CounterSpy\SBRC.exe

AVP = "C:\ADAWARE\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

 

--------------------------------------------------

 

File association entry for .EXE:

HKEY_CLASSES_ROOT\exefile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .COM:

HKEY_CLASSES_ROOT\comfile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .BAT:

HKEY_CLASSES_ROOT\batfile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .PIF:

HKEY_CLASSES_ROOT\piffile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .SCR:

HKEY_CLASSES_ROOT\AutoCADScriptFile\shell\open\command

 

(Default) = C:\WINDOWS\NOTEPAD.EXE "%1"

 

--------------------------------------------------

 

File association entry for .HTA:

HKEY_CLASSES_ROOT\htafile\shell\open\command

 

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

 

--------------------------------------------------

 

File association entry for .TXT:

HKEY_CLASSES_ROOT\txtfile\shell\open\command

 

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

 

--------------------------------------------------

 

Enumerating Active Setup stub paths:

HKLM\Software\Microsoft\Active Setup\Installed Components

(* = disabled by HKCU twin)

 

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *

StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

 

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT

 

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *

StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

 

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *

StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

 

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

 

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser

 

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

 

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *

StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

 

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *

StubPath = regsvr32.exe /s /n /i:U shell32.dll

 

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *

StubPath = %SystemRoot%\system32\ie4uinit.exe

 

[{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}] *

StubPath = rundll32 iesetup.dll,IEAccessUserInst

 

--------------------------------------------------

 

Enumerating ICQ Agent Autostart apps:

HKCU\Software\Mirabilis\ICQ\Agent\Apps

 

*Registry key not found*

 

--------------------------------------------------

 

Load/Run keys from C:\WINDOWS\WIN.INI:

 

load=*INI section not found*

run=*INI section not found*

 

Load/Run keys from Registry:

 

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\Windows: load=

HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

 

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

 

Shell & screensaver key from Registry:

 

Shell=Explorer.exe

SCRNSAVE.EXE=*Registry value not found*

drivers=*Registry value not found*

 

Policies Shell key:

 

HKCU\..\Policies: Shell=*Registry value not found*

HKLM\..\Policies: Shell=*Registry value not found*

 

--------------------------------------------------

 

Checking for EXPLORER.EXE instances:

 

C:\WINDOWS\Explorer.exe: PRESENT!

 

C:\Explorer.exe: not present

C:\WINDOWS\Explorer\Explorer.exe: not present

C:\WINDOWS\System\Explorer.exe: not present

C:\WINDOWS\System32\Explorer.exe: not present

C:\WINDOWS\Command\Explorer.exe: not present

C:\WINDOWS\Fonts\Explorer.exe: not present

 

--------------------------------------------------

 

Checking for superhidden extensions:

 

.lnk: HIDDEN! (arrow overlay: yes)

.pif: HIDDEN! (arrow overlay: yes)

.exe: not hidden

.com: not hidden

.bat: not hidden

.hta: not hidden

.scr: not hidden

.shs: HIDDEN!

.shb: HIDDEN!

.vbs: not hidden

.vbe: not hidden

.wsh: not hidden

.scf: HIDDEN! (arrow overlay: NO!)

.url: HIDDEN! (arrow overlay: yes)

.js: not hidden

.jse: not hidden

 

--------------------------------------------------

 

Verifying REGEDIT.EXE integrity:

 

- Regedit.exe found in C:\WINDOWS

- .reg open command is normal (regedit.exe %1)

- Company name OK: 'Microsoft Corporation'

- Original filename OK: 'REGEDIT.EXE'

- File description: 'Registry Editor'

 

Registry check passed

 

--------------------------------------------------

 

Enumerating Browser Helper Objects:

 

(no name) - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}

 

--------------------------------------------------

 

Enumerating Task Scheduler jobs:

 

*No jobs found*

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[CKAVWebScan Object]

InProcServer32 = C:\WINDOWS\System32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll

CODEBASE = http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

 

[shockwave ActiveX Control]

InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll

CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

 

[bDSCANONLINE Control]

InProcServer32 = C:\WINDOWS\DOWNLO~1\oscan8.ocx

CODEBASE = http://download.bitdefender.com/resources/scan8/oscan8.cab

 

[ActiveScan Installer Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll

CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

 

[MsnMessengerSetupDownloadControl Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx

CODEBASE = http://messenger.msn.com/download/MsnMesse...pDownloader.cab

 

[instaFred]

InProcServer32 = C:\WINDOWS\DOWNLO~1\InstFred.ocx

CODEBASE = file://C:\Program Files\AutoCAD 2002\InstFred.ocx

 

[shockwave Flash Object]

InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash8b.ocx

CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

[AcPreview Control]

InProcServer32 = C:\WINDOWS\DOWNLO~1\ACPREV~1.OCX

CODEBASE = file://C:\Program Files\AutoCAD 2002\AcPreview.ocx

 

--------------------------------------------------

 

Enumerating Winsock LSP files:

 

NameSpace #1: C:\WINDOWS\System32\mswsock.dll

NameSpace #2: C:\WINDOWS\System32\winrnr.dll

NameSpace #3: C:\WINDOWS\System32\mswsock.dll

NameSpace #4: C:\WINDOWS\System32\nwprovau.dll

Protocol #1: C:\WINDOWS\system32\mswsock.dll

Protocol #2: C:\WINDOWS\system32\mswsock.dll

Protocol #3: C:\WINDOWS\system32\mswsock.dll

Protocol #4: C:\WINDOWS\system32\rsvpsp.dll

Protocol #5: C:\WINDOWS\system32\rsvpsp.dll

Protocol #6: C:\WINDOWS\system32\mswsock.dll

Protocol #7: C:\WINDOWS\system32\mswsock.dll

Protocol #8: C:\WINDOWS\system32\mswsock.dll

Protocol #9: C:\WINDOWS\system32\mswsock.dll

Protocol #10: C:\WINDOWS\system32\mswsock.dll

Protocol #11: C:\WINDOWS\system32\mswsock.dll

Protocol #12: C:\WINDOWS\system32\mswsock.dll

Protocol #13: C:\WINDOWS\system32\mswsock.dll

Protocol #14: C:\WINDOWS\system32\mswsock.dll

Protocol #15: C:\WINDOWS\system32\mswsock.dll

Protocol #16: C:\WINDOWS\system32\mswsock.dll

Protocol #17: C:\WINDOWS\system32\mswsock.dll

Protocol #18: C:\WINDOWS\system32\mswsock.dll

Protocol #19: C:\WINDOWS\system32\mswsock.dll

 

--------------------------------------------------

 

Enumerating Windows NT/2000/XP services

 

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)

Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)

AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)

Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)

Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)

RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)

Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)

ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)

Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)

Kaspersky Anti-Virus 6.0: C:\ADAWARE\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe -r (autostart)

Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

C-Dilla: \??\C:\WINDOWS\System32\drivers\CDANT.SYS (manual start)

C-DillaSrv: C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE (autostart)

CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)

Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)

ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)

COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)

Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Disk Driver: System32\DRIVERS\disk.sys (system)

Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)

dmboot: System32\drivers\dmboot.sys (disabled)

Logical Disk Manager Driver: System32\drivers\dmio.sys (system)

dmload: System32\drivers\dmload.sys (system)

Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)

DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)

MS IEEE-1284.4 Driver: System32\DRIVERS\Dot4.sys (manual start)

Print Class Driver for IEEE-1284.4: System32\DRIVERS\Dot4Prt.sys (manual start)

Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)

Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Event Log: %SystemRoot%\system32\services.exe (autostart)

COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)

Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)

Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)

Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)

Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)

Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)

Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)

i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)

IIS Admin: C:\WINDOWS\System32\inetsrv\inetinfo.exe (autostart)

IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)

IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)

IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)

IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)

IPSEC driver: System32\DRIVERS\ipsec.sys (system)

IrDA Protocol: System32\DRIVERS\irda.sys (autostart)

IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)

Infrared Monitor: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Microsoft Serial Infrared Driver: System32\DRIVERS\irsir.sys (manual start)

PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)

Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)

Kl1: System32\drivers\kl1.sys (system)

Klif: \??\C:\WINDOWS\System32\drivers\klif.sys (system)

Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)

Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)

Macromedia Licensing Service: "C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe" (disabled)

Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)

NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)

Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)

WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)

MRXSMB: System32\DRIVERS\mrxsmb.sys (system)

Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)

Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)

Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)

Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)

Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)

Microsoft MPU-401 MIDI UART Driver: system32\drivers\msmpu401.sys (manual start)

Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)

NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)

Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)

NetBIOS Interface: System32\DRIVERS\netbios.sys (system)

NetBT: System32\DRIVERS\netbt.sys (system)

Network DDE: %SystemRoot%\system32\netdde.exe (manual start)

Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)

Net Logon: %SystemRoot%\System32\lsass.exe (autostart)

Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)

Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)

nv: System32\DRIVERS\nv4_mini.sys (manual start)

NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)

Client Service for NetWare: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)

IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)

NWLink IPX/SPX/NetBIOS Compatible Transport Protocol: System32\DRIVERS\nwlnkipx.sys (autostart)

NWLink NetBIOS: System32\DRIVERS\nwlnknb.sys (autostart)

NWLink SPX/SPXII Protocol: System32\DRIVERS\nwlnkspx.sys (autostart)

NetWare Rdr: System32\DRIVERS\nwrdr.sys (manual start)

Parallel port driver: System32\DRIVERS\parport.sys (manual start)

PCI Bus Driver: System32\DRIVERS\pci.sys (system)

PCIIde: System32\DRIVERS\pciide.sys (system)

Plug and Play: %SystemRoot%\system32\services.exe (autostart)

IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)

WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)

Processor Driver: System32\DRIVERS\processr.sys (system)

Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)

QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)

Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)

Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)

Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

WAN Miniport (IrDA): System32\DRIVERS\rasirda.sys (manual start)

WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)

Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)

Direct Parallel: System32\DRIVERS\raspti.sys (manual start)

Rdbss: System32\DRIVERS\rdbss.sys (system)

RDPCDD: System32\DRIVERS\RDPCDD.sys (system)

Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)

Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)

Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)

Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)

Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)

Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)

Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)

QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)

Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)

Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)

Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)

Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Secdrv: System32\DRIVERS\secdrv.sys (manual start)

Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)

Serial port driver: System32\DRIVERS\serial.sys (system)

Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Simple TCP/IP Services: %SystemRoot%\System32\tcpsvcs.exe (autostart)

SIS AGP Bus Filter: System32\DRIVERS\sisagp.sys (system)

SiS PCI Fast Ethernet Adapter Driver: System32\DRIVERS\sisnic.sys (manual start)

Simple Mail Transfer Protocol (SMTP): C:\WINDOWS\System32\inetsrv\inetinfo.exe (autostart)

SNMP Service: %SystemRoot%\System32\snmp.exe (autostart)

SNMP Trap Service: %SystemRoot%\System32\snmptrap.exe (manual start)

Sony USB Filter Driver (SONYPVU1): System32\DRIVERS\SONYPVU1.SYS (manual start)

Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)

Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)

System Restore Filter Driver: \SystemRoot\System32\DRIVERS\sr.sys (disabled)

System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Srv: System32\DRIVERS\srv.sys (manual start)

SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)

Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)

Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)

Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)

MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{A7A4442A-5FF2-4273-9D3D-A8DF8D6AC966} (manual start)

Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)

Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)

Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)

Terminal Device Driver: System32\DRIVERS\termdd.sys (system)

Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Telnet: C:\WINDOWS\System32\tlntsvr.exe (manual start)

Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

TSP: \??\C:\WINDOWS\system32\drivers\klif.sys (manual start)

Microcode Update Driver: System32\DRIVERS\update.sys (manual start)

Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)

Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)

USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)

Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)

Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)

USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)

USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)

VgaSave: \SystemRoot\System32\drivers\vga.sys (system)

Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)

Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

World Wide Web Publishing: %SystemRoot%\System32\inetsrv\inetinfo.exe (autostart)

Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)

Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)

WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)

Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)

Portable Media Serial Number: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)

Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)

Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

 

 

--------------------------------------------------

 

Enumerating Windows NT logon/logoff scripts:

*No scripts set to run*

 

Windows NT checkdisk command:

BootExecute = autocheck autochk *

 

Windows NT 'Wininit.ini':

PendingFileRenameOperations: *Registry value not found*

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll

CDBurn: C:\WINDOWS\system32\SHELL32.dll

WebCheck: C:\WINDOWS\System32\webcheck.dll

SysTray: C:\WINDOWS\System32\stobject.dll

UPnPMonitor: C:\WINDOWS\System32\upnpui.dll

 

--------------------------------------------------

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

 

*Registry key not found*

 

--------------------------------------------------

 

End of report, 31,510 bytes

Report generated in 0.125 seconds

[FZWG]

The HijackThis log appears clean, and the other reports do not show indications of Sality.

 

Clean out the Restore Points, though. AdAware showed some malware in them also:

 

Go to Start > Run< in the Open area type in (or copy): control sysdm.cpl,,4

Press: Enter

Check the box: Turn off System Restore on all drives

Click: Apply > OK

 

Now, turn on System Restore by removing the check on: Turn off System Restore on all drives

Click: OK

 

====

You can connect the computer back to its cable or telephone line, however, you must do the following:

 

1. Install an AntiVirus program.

 

If McAfee was your previous AV program, you need to re-install it. Some of its files were affected, and it may not work properly. If you wish to use some other AV program, there are free ones:

 

Grisoft’s AVG Anti-virus Free Edition: http://free.grisoft.com/freeweb.php

 

avast! 4 Home: http://www.avast.com/eng/avast_4_home.html

 

AntiVir Personal Edition: http://www.free-av.com/

 

2. Install a software Firewall.

It provides the ability to restrict malevolent outgoing traffic from your computer.

 

Some good free choices are:

 

ZoneAlarm:

http://www.zonelabs.com/store/content/cata...lid=dbtopnav_za

 

Sunbelt Kerio:

http://www.sunbelt-software.com/Kerio.cfm

 

OutPost:

http://www.agnitum.com/products/outpostfree/download.php

 

====

3. Now, head for the Microsoft Windows Updates website:

http://update.microsoft.com/windowsupdate/...t.aspx?ln=en-us

 

Even using an Antivirus and a Firewall does not prevent malware from getting through.

Have your system scanned, and download/install all Critical Updates on offer.

 

====

Next, what you need to deal with is damage recovery. Panda disinfected all sorts of files, but after the exe's are disinfected, some programs may no longer work properly. You will need to reinstall them.

 

====

Good luck, wirosari!!

Edited April 16, 2007 by FZWG

[wirosari]

Dear FZWG,

Thanks a lot for everything!

I will obey you....

 

Hope everything going well too there...

 

Wanna know the SOURCE of Sality.

(Web said it from Email?)

I still worried about the NEW MEDIUM of spreading virus, the USB FLASH-DISK

Back to the era of Diskette....

 

Oops, is this virus spread thru network?

One of Windows98 displayed this message :

C:\WINDOWS\TEMP\WINEUJE.exe Appear to be corrupt. Pls reinstall and try again.

 

and the SYSTEM.INI also have the virus-trigger:

[MCIDRV_VER]

[iD-slow]

[iDslow32]

 

Pls advice and thanks

Edited April 17, 2007 by wirosari

[FZWG]

Sality spreads through Network shares, and infected files. So, if you have shared resources on a Network, beware.

 

I am not certain about the exact source of Sality, but it is associated with certain URLs, and contacts certain domains.

 

The fact that you run a system which is not kept updated leaves you out in the open like a magnet looking for metal shavings!!

[wirosari]

Dear FZWG,

Good Morning Sir!

I hear storm and tornado swap US.

and snow falling in April....

 

1. The Windows XP Restore Point has been done.

 

2. Should I remove the Kasperski AntiVirus, since the Kasper (unregistered) is on board.

Before I install the Grisoft/Avast/Free-AV and the Firewall

 

3. Is any problem with the function of Our Tools like this :

Virus:W32/Sality. Disinfected aware\HijackThis.exe

Virus:W32/Sality.Y Disinfected D:\Adaware\sting260.exe

Virus:W32/Sality.Y Disinfected D:\Adaware\Ad-Aware SE Personal\UNWISE.EXE

Virus:W32/Sality.Y Disinfected D:\Adaware\Ad-Aware SE Personal\Ad-Aware.exe

Virus:W32/Sality.Y Disinfected D:\Adaware\Ad-Aware SE Personal\unregaaw.exe

 

 

I dont know what makes some Windows98 very vulnerable.

The Trace of virus appear on the SYSTEM.INI (viewed with SYSEDIT)

and NETWATCH with many visitors ....

(Is there any equivalent watcher-tools in Windows XP?)

 

But the effect seems rather smaller in Win98.

Sality conquered by PANDA ONLINE, but I must plug these Infected Harddisks as Slave.

 

Any better idea Sir?

Edited April 17, 2007 by wirosari

[FZWG]

On Kasperski AntiVirus, you can remove the program. It is not a good idea to run two AntiVirus programs, anyway.

 

On AdAware, it is probably best to uninstall the program, and then re-install it. Sality damage to the program is hard to determine, and it may not do its job correctly.

 

HijackThis, you can remove.

 

The NetWatch program should also be available for XP.

Your best bet for Network questions and help is the Networking forum:

http://forums.pcpitstop.com/index.php?showforum=8

 

the effect seems rather smaller in Windows 98

That is probably the case. W98 does not have the services which show up as O23 in a HijackThis log. Malware also uses services to infect a computer.

 

For your printer problem, go to the following forum for help:

http://forums.pcpitstop.com/index.php?showforum=3

 

Also, I do not respond to PMs.

If you have a problem, post it in the appropriate forum instead.

[wirosari]

Dear FZWG,

 

the Sality virus cannot be performed in 'full attack' in Windows98.

Maybe it resulted in message "WINEUJE.EXE appear to be corrupt"

 

But still ALL THE EXE file infected! (based on Panda report)

And ALL the SHARED NETWORK is visited by Sality! (viewed on NetWatch)

Still struggling to fight on this...

 

Thank you for giving me the Right Forum for CanoScan TWAIN problem.

USER TO USER HELP that's all I need to get the help from Team.

 

I love this PITSTOP to refresh my F1

Edited April 18, 2007 by wirosari

[wirosari]

Dear FZWG,

 

This is my last report on Sality cs :

 

- Win XP and Win 2000 has the Biggest suffer from this virus.

- Win 98 only suffering on infected files (some EXE file, which can be cleaned by Panda Online)

- The Network-Searching ability makes the crowded traffic to Network, as other virus did.

 

Searching the source, the suspect is USB-FLASH DISK that infected from somewhere out there....

This Device is the most-threatening today

 

And last but not least...

 

Thanks Thanks Thanks

 

YOU ARE STILL THE BEST IN WEB

Edited April 20, 2007 by wirosari