wirosari
Posted April 13, 2007 (edited)

Dear FZWG,
Here is Kaspersky. Found nothing?? Not yet restarted the PC. Mode is "Safe mode w/ network" as suggested. Really sorry to wake you up. I'll try to print your instructions first, then read them carefully. Thanks a bunch!!

-------------------------------------------------------------------
 KASPERSKY ONLINE SCANNER REPORT
 Friday, April 13, 2007 1:46:23 PM
 Operating System: Microsoft Windows XP Professional, (Build 2600)
 Kaspersky Online Scanner version: 5.0.83.0
 Kaspersky Anti-Virus database last update: 13/04/2007
 Kaspersky Anti-Virus database records: 279651
-------------------------------------------------------------------

Scan Settings:
 Scan using the following antivirus database: standard
 Scan Archives: true
 Scan Mail Bases: false

Scan Target - My Computer:
 A:\
 C:\
 D:\
 E:\

Scan Statistics:
 Total number of scanned objects: 44690
 Number of viruses found: 0
 Number of infected objects: 0 / 0
 Number of suspicious objects: 0
 Duration of the scan process: 00:35:27

Infected Object Name / Virus Name / Last Action
C:\ADAWARE\SDFixNew\apps\swreg.exe   Object is locked   skipped
C:\ADAWARE\sting260.exe   Object is locked   skipped
C:\ADAWARE\VirTools\ComboFix_JANGANPAKAI.exe   Object is locked   skipped
C:\ADAWARE\VirTools\Erunt-setup_BEKAPREGISTRI.exe   Object is locked   skipped
C:\ADAWARE\VirTools\SmitfraudFix.exe   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
C:\Documents and Settings\LocalService\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG   Object is locked   skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG   Object is locked   skipped
C:\Documents and Settings\TresnaTan\Cookies\index.dat   Object is locked   skipped
C:\Documents and Settings\TresnaTan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
C:\Documents and Settings\TresnaTan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
C:\Documents and Settings\TresnaTan\Local Settings\History\History.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\TresnaTan\Local Settings\History\History.IE5\MSHist012007041320070414\index.dat   Object is locked   skipped
C:\Documents and Settings\TresnaTan\Local Settings\Temporary Internet Files\Content.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\TresnaTan\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\TresnaTan\NTUSER.DAT.LOG   Object is locked   skipped
C:\WINDOWS\$NtUninstallKB828028$\msasn1.dll   Object is locked   skipped
C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll   Object is locked   skipped
C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll   Object is locked   skipped
C:\WINDOWS\$NtUninstallKB833330$\Blastcln\blastcln.exe   Object is locked   skipped
C:\WINDOWS\$NtUninstallKB835732$\browser.dll   Object is locked   skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll   Object is locked   skipped
C:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll   Object is locked   skipped
C:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll   Object is locked   skipped
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll   Object is locked   skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp   Object is locked   skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll   Object is locked   skipped
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe   Object is locked   skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll   Object is locked   skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll   Object is locked   skipped
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll   Object is locked   skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll   Object is locked   skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll   Object is locked   skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll   Object is locked   skipped
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll   Object is locked   skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll   Object is locked   skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll   Object is locked   skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll   Object is locked   skipped
C:\WINDOWS\Debug\Netlogon.log   Object is locked   skipped
C:\WINDOWS\Debug\PWD.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\AppEvent.Evt   Object is locked   skipped
C:\WINDOWS\system32\config\default   Object is locked   skipped
C:\WINDOWS\system32\config\DEFAULT.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\SAM   Object is locked   skipped
C:\WINDOWS\system32\config\SAM.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\SecEvent.Evt   Object is locked   skipped
C:\WINDOWS\system32\config\SECURITY   Object is locked   skipped
C:\WINDOWS\system32\config\SECURITY.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\software   Object is locked   skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\SysEvent.Evt   Object is locked   skipped
C:\WINDOWS\system32\config\system   Object is locked   skipped
C:\WINDOWS\system32\config\SYSTEM.LOG   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA   Object is locked   skipped

Scan process completed.

Edited April 13, 2007 by wirosari
FZWG
Posted April 13, 2007

If you turn off the computer and turn it back on, go to Safe Mode (no networking). It appears that Sality does not like Safe Mode. Maybe that is why it disables the Safe Mode Registry keys. (I'm just guessing!)

====

Do the following for now. I do not think we are dealing with a Rootkit, so do not run that type of program as previously instructed.

I believe these entries:
C:\Documents and Settings\TresnaTan\Local Settings\Temp\windmelju.exe
are the ones that show under the following Registry key to bypass the Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Please open Notepad (Start > Run, type in: notepad)
Copy and paste all the information in blue below to it.

regedit /e aalst.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
aalst.txt

Go to File (upper menu bar), and select: Save as
In the Save as prompt:
Save in: use drop arrow to select Desktop
File Name: aalst.bat
Save as type: All Files
Exit Notepad

Go to the Desktop, and double click aalst.bat
It generates a text file called aalst.txt. Copy the contents of aalst.txt to your reply.

====

Since the system.ini file still has the bogus entries, and a 'Disinfection failed' notice appears next to several of the online scanner entries, we can assume Sality prevails. What we eventually need to do is:

1. Restart the computer in Safe Mode with Networking, and download Kaspersky Anti-Virus 6.0. This is not the online scanner!!
http://www.kaspersky.com/trials?chapter=146481750
Make sure you update the program. When done, reboot to just Safe Mode (No networking!! We do not want Sality to have a connection available!).

2. Edit the system.ini file to get rid of:
[MCIDRV_VER]
DEVICEN1=95215658363
__h=18
__dr=12
[iDslow]
IDVer32666=988281
IDMCI32=23846878ABA233
[iDslow32]
MDCDID32=991140

3. Backup the Registry:
Go to Start > Run, and type: Regedit
On the left side, click and highlight My Computer
Go to the File menu (at the top)
Select: Export
Save in: Desktop
File Name: BackUp
Save As Type: leave as Registration Files
Click: Save
Then go to File > Exit
(This saves a backup copy of the Registry.)

4. Remove the bogus values under the Registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
The bogus values will show as the following, and there will be several of them:
C:\Documents and Settings\TresnaTan\Local Settings\Temp\windmelju.exe
The win*.exe files may have changed.

5. In addition, the bogus files, like the one below, need removal with Killbox, or Avenger with a 'Files to Delete' script.
C:\Documents and Settings\TresnaTan\Local Settings\Temp\windmelju.exe

6. Disable your current AntiVirus program since it may not be compatible with Kaspersky Anti-Virus 6.0.

7. In Safe Mode, let Kaspersky perform a full system scan and disinfect every infected exe file it finds!

====

I get the impression that you are very computer knowledgeable, so, if you think you can do the above, press on. Since we appear to have a significant time difference, based on the times when you post, you can be working while I am sleeping, since that is what I plan to do very shortly (2:00 AM here). If you do not want to proceed, sometime in the daylight morning hours I'll prepare more detailed instructions for you with the information you provide from the aalst batch file.

One last word. You are dealing with a bomb of a virus. I am doing this in good faith, but in a worst-case scenario, trying to get rid of this infection may result in the loss of significant code in the system. I do not know if this will be the case, but there is risk involved, and it is up to you to decide what to do.
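Added example, not code from the thread or from either poster: a small Python script that reads the aalst.txt produced by the batch file above (regedit /e writes UTF-16 with a byte-order mark, which is why the file shows up as "ÿþ" plus spaced-out letters when pasted into a forum as ANSI) and flags allow-list entries a defender would want to look at: programs that run from a Temp directory, values with empty rule data, and rule data whose path does not match the value name. It also writes out a .reg file that would delete the flagged values, for review before anyone imports it. The embedded export is constructed; the profile name (USER~1) and the program names winabcd.exe and winefgh.exe are made up, while the key path and the sessmgr.exe and Explorer.EXE entries mirror what is posted later in this thread.

```python
"""Triage of a 'regedit /e' export of the XP firewall allow-list key.

Added example, not code from the thread.  The sample export below is
constructed to resemble the aalst.txt the batch file produces; the user
and program names in it (USER~1, winabcd.exe, winefgh.exe) are made up.
"""
import re

KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
       r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# regedit /e writes UTF-16 with a byte-order mark (that is the "ÿþ" seen when
# the file is pasted as if it were ANSI); backslashes in values are doubled.
_SAMPLE_LINES = [
    "Windows Registry Editor Version 5.00",
    "",
    "[" + KEY + "]",
    r'"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"',
    r'"C:\\DOCUME~1\\USER~1\\LOCALS~1\\Temp\\winabcd.exe"="C:\\DOCUME~1\\USER~1\\LOCALS~1\\Temp\\winabcd.exe:*:Enabled:ipsec"',
    r'"C:\\DOCUME~1\\USER~1\\LOCALS~1\\Temp\\winefgh.exe"=""',
    r'"C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXE:*:Enabled:ipsec"',
]
SAMPLE_EXPORT = ("\r\n".join(_SAMPLE_LINES) + "\r\n").encode("utf-16")

# One "name"="data" line; both sides may contain \\ and \" escape pairs.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg string syntax: \\ -> \ and \" -> "
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(raw, key):
    """Return {value name: data} for the string values under `key`."""
    values, in_key = {}, False
    for line in raw.decode("utf-16").splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        m = _VALUE_RE.match(line) if in_key else None
        if m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def triage(values):
    """Flag allow-list entries worth a look.  Rule data has the form
    'path:scope:Enabled|Disabled:description'; because the drive letter
    also carries a colon, the path is split off from the right."""
    findings = []
    for name, data in values.items():
        reasons = []
        if re.search(r"\\temp\\", name, re.IGNORECASE):
            reasons.append("program runs from a Temp directory")
        if data == "":
            reasons.append("empty rule data")
        elif data.rsplit(":", 3)[0].lower() != name.lower():
            reasons.append("rule data path does not match value name")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_removal_reg(key, findings):
    """Text of a .reg file that deletes the flagged values ("name"=- is
    the .reg syntax for deleting a value).  Review it before importing."""
    def esc(s):
        return s.replace("\\", "\\\\").replace('"', '\\"')
    lines = ["Windows Registry Editor Version 5.00", "", "[" + key + "]"]
    lines += ['"%s"=-' % esc(name) for name, _ in findings]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    found = triage(parse_reg_export(SAMPLE_EXPORT, KEY))
    for name, reasons in found:
        print(name, "->", "; ".join(reasons))
    print(build_removal_reg(KEY, found))
```

Run against a real aalst.txt, replace SAMPLE_EXPORT with the bytes read from the file (open it in binary mode; the decoder handles the BOM). The Temp-directory rule is the one that catches the win*.exe entries discussed in this thread; the empty-data rule catches the half-written values that also appear in the dump.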
wirosari
Posted April 13, 2007

Dear FZWG,
The AALST results look like this (running in SAFE MODE; restarted it to SAFE MODE NETWORK to send this message):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\wincxrh.exe"="C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\wincxrh.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winkcmol.exe"=""
"C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winfopvc.exe"="C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winfopvc.exe:*:Enabled:ipsec"
"C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXE:*:Enabled:ipsec"
"C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winjfamv.exe"="C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winjfamv.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winsujeew.exe"=""
"C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winkcbvya.exe"="C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winkcbvya.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winwddb.exe"="C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winwddb.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winppmogd.exe"=""
"C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winbhbvm.exe"="C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winbhbvm.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\windmelju.exe"=""
wirosari
Posted April 13, 2007 (edited)

Dear FZWG,
These are the REGISTRY entries that I deleted MANUALLY: \LOCAL1~\TEMP\WIN*.exe. That means VALUE 0 and VALUE 4 are still there..... Is that the right step?

Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Class Name:        <NO CLASS>
Last Write Time:   4/13/2007 - 8:52 AM

Value 0
  Name:            %windir%\system32\sessmgr.exe
  Type:            REG_SZ
  Data:            %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019

Value 1
  Name:            C:\DOCUME~1\TRESNA~1\LOCALS~1\Temp\wincxrh.exe
  Type:            REG_SZ
  Data:            C:\DOCUME~1\TRESNA~1\LOCALS~1\Temp\wincxrh.exe:*:Enabled:ipsec

Value 2
  Name:            C:\DOCUME~1\TRESNA~1\LOCALS~1\Temp\winkcmol.exe
  Type:            REG_SZ
  Data:

Value 3
  Name:            C:\DOCUME~1\TRESNA~1\LOCALS~1\Temp\winfopvc.exe
  Type:            REG_SZ
  Data:            C:\DOCUME~1\TRESNA~1\LOCALS~1\Temp\winfopvc.exe:*:Enabled:ipsec

Value 4
  Name:            C:\WINDOWS\Explorer.EXE
  Type:            REG_SZ
  Data:            C:\WINDOWS\Explorer.EXE:*:Enabled:ipsec

Value 5
  Name:            C:\DOCUME~1\TRESNA~1\LOCALS~1\Temp\winjfamv.exe
  Type:            REG_SZ
  Data:            C:\DOCUME~1\TRESNA~1\LOCALS~1\Temp\winjfamv.exe:*:Enabled:ipsec

Value 6
  Name:            C:\DOCUME~1\TRESNA~1\LOCALS~1\Temp\winsujeew.exe
  Type:            REG_SZ
  Data:

Value 7
  Name:            C:\DOCUME~1\TRESNA~1\LOCALS~1\Temp\winkcbvya.exe
  Type:            REG_SZ
  Data:            C:\DOCUME~1\TRESNA~1\LOCALS~1\Temp\winkcbvya.exe:*:Enabled:ipsec

Value 8
  Name:            C:\DOCUME~1\TRESNA~1\LOCALS~1\Temp\winwddb.exe
  Type:            REG_SZ
  Data:            C:\DOCUME~1\TRESNA~1\LOCALS~1\Temp\winwddb.exe:*:Enabled:ipsec

Value 9
  Name:            C:\DOCUME~1\TRESNA~1\LOCALS~1\Temp\winppmogd.exe
  Type:            REG_SZ
  Data:

Value 10
  Name:            C:\DOCUME~1\TRESNA~1\LOCALS~1\Temp\winbhbvm.exe
  Type:            REG_SZ
  Data:            C:\DOCUME~1\TRESNA~1\LOCALS~1\Temp\winbhbvm.exe:*:Enabled:ipsec

Value 11
  Name:            C:\DOCUME~1\TRESNA~1\LOCALS~1\Temp\windmelju.exe
  Type:            REG_SZ
  Data:

Edited April 13, 2007 by wirosari
wirosari
Posted April 13, 2007 (edited)

Dear FZWG,
Good Morning! Really sorry to wake you up at midnight.
It is not a Rootkit? But you said Sality prevails. It can control the PC?
What I did is as follows:
1. Download KASPERSKY AV 6.0
2. Restart in SAFE MODE
2. Using START / RUN / SYSEDIT to edit the system.ini. I put a REM in front of every row of your 9 lines. Is this enough?
3. Backup REGISTRY to a file BEKAPREG.REG
4. Use REGEDIT, then delete manually all WIN*.EXE (Please see the post before this one; I saved the list)
5. Afraid to do the KILLBOX. Can I delete these files manually?
6. McAfee Pro has been disabled, when installing KASPERSKY
7. Not yet. Time limit.
The worst is that this is the weekend. So see you on Monday morning (= Sunday evening).
Many thanks for the BIG help. Have a nice weekend Fizzwig!

Edited April 13, 2007 by wirosari
FZWG
Posted April 13, 2007 (edited)

How are things in Jakarta? Monday morning. If the computer was on during the weekend, the malware may have returned. Even if it was off, do the following:

1. Before you start the computer, unplug the cable or telephone line from the back of the computer. You do not want it connected to anything that gives an avenue to the Internet. Sality downloads information from a set of preconfigured URLs, and that is how it plants and executes all those files in:
C:\Documents and Settings\TresnaTan\Local Settings\Temp\win*.exe

2. Start in Safe Mode, run the previously updated Kaspersky Anti-Virus 6.0, perform a full system scan, and disinfect every file it finds. If it produces a report, please provide it in your reply.

3. Now, restart the computer normally, but do not connect the cable or telephone line!!

4. Check system.ini once again to make sure nothing has changed. Provide its contents in your reply.

5. Go to the Desktop, and double click aalst.bat to make sure the values you removed from the following Registry key are still gone:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
To make sure, do a manual check also.

6. To remove any files (C:\Documents and Settings\TresnaTan\Local Settings\Temp\win*.exe), you can use the batch file in Post #10 (clean.bat should still be on the Desktop), and then manually check they are gone, or just remove them manually.

7. Then, to see if a new Sality random.sys file was created (earlier in the game it looked like: C:\WINDOWS\System32\drivers\rgoqmn.sys), please do the following:
Go to Start > Run, and copy/paste the following in the Open area:
C:\Windows\System32\drivers
Up in the Menu bar, click View > Details
Then in the right hand pane, double click Date Modified to arrange files by date from 2007 and down.
Please provide the names of the .sys files created since January 2007. There should only be a few.

8. The random.sys also installed a system service with the service name and display name of: NdisFileServices32
Please go to Start > Run, copy/paste the following, one at a time, and click OK after each:
sc stop NdisFileServices32
sc delete NdisFileServices32

9. Run HijackThis and Scan.

10. Also provide a StartupList as instructed in Post #12.

Provide the following:
The Kaspersky Anti-Virus 6.0 report
The contents of the system.ini file
The contents of the aalst.bat (Registry key)
The names of any .sys files created since January 2007
A new HijackThis log
A new StartupList

Do not plug the cable or telephone line back into the computer!!!! Hopefully, you will have access to another computer. Connect with it, and provide the information requested.

Edited April 15, 2007 by FZWG
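Added example, not code from the thread or from FZWG: a Python script covering the two verification steps above that lend themselves to automation. It checks a system.ini for the bogus sections named earlier in this thread ([MCIDRV_VER], [iDslow], [iDslow32]) plus anything outside a baseline, and returns a cleaned copy (step 4); and it lists the *.sys files in a directory modified on or after a cut-off date, which is what sorting the drivers folder by Date Modified does by hand (step 7). The sample system.ini is constructed (stock-looking content followed by the sections and values quoted in the thread), the stand-in drivers directory is created in a temp folder with made-up timestamps, and the baseline set of stock XP system.ini sections is an assumption of this example, not something the thread states.

```python
"""Post-cleanup checks for system.ini and the drivers folder.

Added example, not code from the thread.  The sample system.ini and
the stand-in drivers directory are constructed; BASELINE_SECTIONS is an
assumption about an untouched XP system.ini.
"""
import os
import re
import tempfile
from datetime import datetime

# Sections the thread identifies as bogus (compared case-insensitively).
BOGUS_SECTIONS = {"mcidrv_ver", "idslow", "idslow32"}
# Assumed sections of an untouched XP system.ini (assumption).
BASELINE_SECTIONS = {"386enh", "drivers", "mci"}
# "created since January 2007", as the thread puts it.
CUTOFF_DATE = datetime(2007, 1, 1)

# Constructed sample: stock-looking content followed by the sections
# quoted in the thread (values as posted there).
SAMPLE_SYSTEM_INI = """; for 16-bit app support
[386Enh]
woafont=dosapp.fon
EGA80WOA.FON=EGA80WOA.FON

[drivers]
wave=mmdrv.dll
timer=timer.drv

[mci]
[MCIDRV_VER]
DEVICEN1=95215658363
__h=18
__dr=12
[iDslow]
IDVer32666=988281
IDMCI32=23846878ABA233
[iDslow32]
MDCDID32=991140
"""

_HEADER_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")


def parse_ini(text):
    """Ordered list of (section name, body lines); text before the first
    header is filed under None.  Hand-rolled because system.ini allows
    comment and keyless lines that configparser would reject."""
    sections = [(None, [])]
    for line in text.splitlines():
        m = _HEADER_RE.match(line)
        if m:
            sections.append((m.group(1), []))
        else:
            sections[-1][1].append(line)
    return sections


def check_system_ini(text, baseline=BASELINE_SECTIONS):
    """Return (bogus sections present, sections outside the baseline)."""
    bogus, unexpected = [], []
    for name, _ in parse_ini(text):
        if name is None:
            continue
        if name.lower() in BOGUS_SECTIONS:
            bogus.append(name)
        elif name.lower() not in baseline:
            unexpected.append(name)
    return bogus, unexpected


def clean_system_ini(text):
    """Return the file with the bogus sections (header and body) removed;
    every other line is kept unchanged and in order."""
    out = []
    for name, lines in parse_ini(text):
        if name is not None and name.lower() in BOGUS_SECTIONS:
            continue
        if name is not None:
            out.append("[%s]" % name)
        out.extend(lines)
    return "\n".join(out) + "\n"


def recent_sys_files(directory, since):
    """Names of *.sys files in `directory` modified at or after `since`,
    newest first."""
    cutoff = since.timestamp()
    hits = [(e.stat().st_mtime, e.name) for e in os.scandir(directory)
            if e.is_file() and e.name.lower().endswith(".sys")
            and e.stat().st_mtime >= cutoff]
    return [name for _, name in sorted(hits, reverse=True)]


def demo_drivers_dir():
    """Constructed stand-in for the drivers folder: two driver names with
    an old timestamp and one (the thread's rgoqmn.sys) dated April 2007."""
    d = tempfile.mkdtemp()
    old = datetime(2004, 8, 4).timestamp()
    new = datetime(2007, 4, 13).timestamp()
    for name, ts in (("ntfs.sys", old), ("tcpip.sys", old), ("rgoqmn.sys", new)):
        path = os.path.join(d, name)
        open(path, "wb").close()
        os.utime(path, (ts, ts))
    return d


if __name__ == "__main__":
    print("bogus / unexpected:", check_system_ini(SAMPLE_SYSTEM_INI))
    print(clean_system_ini(SAMPLE_SYSTEM_INI))
    print("drivers since 2007:", recent_sys_files(demo_drivers_dir(), CUTOFF_DATE))
```

On a real machine the text for check_system_ini comes from C:\Windows\system.ini and the directory for recent_sys_files is C:\Windows\System32\drivers; a recent modification time alone does not make a driver malicious (hotfixes also touch that folder), so the list is a shortlist for a scanner or a hash lookup, not a verdict.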
wirosari
Posted April 16, 2007 (edited)

Good evening sir,
Hahah. Crowded Monday morning here. Sorry to make you wake again this evening. Really sorry Sir to rumble your weekend once more.
1. Kaspersky IN PROGRESS under SAFE MODE. No other data can be provided now.
Sorry & Thanks
[it's a flat world, no place to hide]

Edited April 16, 2007 by wirosari
FZWG
Posted April 16, 2007 (edited)

Since you are using names of different regions of Indonesia (Menteng, Wirosari), are you the same person? There is no need to hide. It serves no purpose...
As far as the information goes, take your time, and post the data as you are able to. I have a Doctor's appointment tomorrow morning, so cannot stay up late this evening. Also, probably will not be able to reply to whatever is posted until sometime in the afternoon.
FZ

Edited April 16, 2007 by FZWG
wirosari
Posted April 16, 2007 (edited)

Thank you Mr. Fizzwig,
I just realized, you know this region very well! Because I rely on your expertise. I really appreciate your help, stealing your precious time.
Here is the KASPERSKY-AV LOG (Truncated):

Scan My Computer
----------------
Scanned:      159167
Detected:     0
Untreated:    0
Start time:   4/16/2007 11:34:17 AM
Duration:     00:46:17
Finish time:  4/16/2007 12:20:34 PM

Detected
--------
Status   Object
------   ------

Events
------
Time   Name   Status   Reason
----   ----   ------   ------
4/16/2007 11:34:39 AM   Running module: smss.exe\smss.exe   ok   scanned
4/16/2007 11:34:39 AM   File: C:\WINDOWS\System32\smss.exe   ok   scanned
4/16/2007 11:34:39 AM   Running module: smss.exe\ntdll.dll   ok   scanned
4/16/2007 11:34:39 AM   File: C:\WINDOWS\System32\ntdll.dll   ok   scanned
4/16/2007 11:34:39 AM   Running module: csrss.exe\csrss.exe   ok   scanned
4/16/2007 11:34:39 AM   File: C:\WINDOWS\system32\csrss.exe   ok   scanned
4/16/2007 11:34:39 AM   Running module: csrss.exe\ntdll.dll   ok   iChecker
4/16/2007 11:34:40 AM   Running module: csrss.exe\CSRSRV.dll   ok   scanned
4/16/2007 11:34:40 AM   File: C:\WINDOWS\system32\CSRSRV.dll   ok   scanned
4/16/2007 11:34:40 AM   Running module: csrss.exe\basesrv.dll   ok   scanned
4/16/2007 11:34:40 AM   File: C:\WINDOWS\system32\basesrv.dll   ok   scanned
4/16/2007 11:34:40 AM   Running module: csrss.exe\winsrv.dll   ok   scanned
4/16/2007 11:34:40 AM   File: C:\WINDOWS\system32\winsrv.dll   ok   scanned
4/16/2007 11:34:40 AM   Running module: csrss.exe\USER32.dll   ok   scanned
4/16/2007 11:34:41 AM   File: C:\WINDOWS\system32\USER32.dll   ok   scanned
4/16/2007 11:34:41 AM   Running module: csrss.exe\KERNEL32.dll   ok   scanned
4/16/2007 11:34:41 AM   File: C:\WINDOWS\system32\KERNEL32.dll   ok   scanned
4/16/2007 11:34:41 AM   Running module: csrss.exe\GDI32.dll   ok   scanned
4/16/2007 11:34:41 AM   File: C:\WINDOWS\system32\GDI32.dll   ok   scanned
4/16/2007 11:34:41 AM   Running module: csrss.exe\ADVAPI32.dll   ok   scanned
4/16/2007 11:34:42 AM   File: C:\WINDOWS\system32\ADVAPI32.dll   ok   scanned
4/16/2007 11:34:42 AM   Running module: csrss.exe\RPCRT4.dll   ok   scanned
4/16/2007 11:34:42 AM   File: C:\WINDOWS\system32\RPCRT4.dll   ok   scanned
4/16/2007 11:34:42 AM   Running module: csrss.exe\sxs.dll   ok   scanned
4/16/2007 11:34:42 AM   File: C:\WINDOWS\System32\sxs.dll   ok   scanned
4/16/2007 11:34:42 AM   Running module: winlogon.exe\winlogon.exe   ok   scanned
4/16/2007 11:34:43 AM   File: C:\WINDOWS\system32\winlogon.exe   ok   scanned
4/16/2007 11:34:43 AM   Running module: winlogon.exe\ntdll.dll   ok   iChecker
4/16/2007 11:34:43 AM   Running module: winlogon.exe\kernel32.dll   ok   iChecker
4/16/2007 11:34:43 AM   File: C:\WINDOWS\system32\kernel32.dll   ok   iChecker
4/16/2007 11:34:43 AM   Running module: winlogon.exe\ADVAPI32.dll   ok   iChecker
4/16/2007 11:34:43 AM   Running module: winlogon.exe\RPCRT4.dll   ok   iChecker
4/16/2007 11:34:43 AM   Running module: winlogon.exe\AUTHZ.dll   ok   scanned
4/16/2007 11:34:43 AM   File: C:\WINDOWS\system32\AUTHZ.dll   ok   scanned
4/16/2007 11:34:43 AM   Running module: winlogon.exe\msvcrt.dll   ok   scanned
4/16/2007 11:34:43 AM   File: C:\WINDOWS\system32\msvcrt.dll   ok   scanned
4/16/2007 11:34:44 AM   Running module: winlogon.exe\CRYPT32.dll   ok   scanned
4/16/2007 11:34:44 AM   File: C:\WINDOWS\system32\CRYPT32.dll   ok   scanned
4/16/2007 11:34:44 AM   Running module: winlogon.exe\USER32.dll   ok   iChecker
4/16/2007 11:34:44 AM   Running module: winlogon.exe\GDI32.dll   ok   iChecker
4/16/2007 11:34:44 AM   Running module: winlogon.exe\MSASN1.dll   ok   scanned
4/16/2007 11:34:44 AM   File: C:\WINDOWS\system32\MSASN1.dll   ok   scanned
4/16/2007 11:34:44 AM   Running module: winlogon.exe\NDdeApi.dll   ok   scanned
4/16/2007 11:34:44 AM   File: C:\WINDOWS\system32\NDdeApi.dll   ok   scanned
4/16/2007 11:34:44 AM   Running module: winlogon.exe\PROFMAP.dll   ok   scanned
4/16/2007 11:34:44 AM   File: C:\WINDOWS\system32\PROFMAP.dll   ok   scanned
4/16/2007 11:34:45 AM   Running module: winlogon.exe\NETAPI32.dll   ok   scanned
4/16/2007 11:34:45 AM   File: C:\WINDOWS\system32\NETAPI32.dll   ok   scanned
4/16/2007 11:34:45 AM   Running module: winlogon.exe\USERENV.dll   ok   scanned
4/16/2007 11:34:45 AM   File: C:\WINDOWS\system32\USERENV.dll   ok   scanned
4/16/2007 11:34:46 AM   Running module: winlogon.exe\PSAPI.DLL   ok   scanned
4/16/2007 11:34:46 AM   File: C:\WINDOWS\system32\PSAPI.DLL   ok   scanned
4/16/2007 11:34:46 AM   Running module: winlogon.exe\REGAPI.dll   ok   scanned
4/16/2007 11:34:46 AM   File: C:\WINDOWS\system32\REGAPI.dll   ok   scanned
4/16/2007 11:34:46 AM   Running module: winlogon.exe\Secur32.dll   ok   scanned
4/16/2007 11:34:46 AM   File: C:\WINDOWS\system32\Secur32.dll   ok   scanned
4/16/2007 11:34:47 AM   Running module: winlogon.exe\SETUPAPI.dll   ok   scanned
4/16/2007 11:34:48 AM   File: C:\WINDOWS\system32\SETUPAPI.dll   ok   scanned
4/16/2007 11:34:48 AM   Running module: winlogon.exe\sfc_os.dll   ok   scanned
4/16/2007 11:34:48 AM   File: C:\WINDOWS\system32\sfc_os.dll   ok   scanned
4/16/2007 11:34:48 AM   Running module: winlogon.exe\WINTRUST.dll   ok   scanned
4/16/2007 11:34:48 AM   File: C:\WINDOWS\system32\WINTRUST.dll   ok   scanned
4/16/2007 11:34:48 AM   Running module: winlogon.exe\ole32.dll   ok   scanned
4/16/2007 11:34:49 AM   File: C:\WINDOWS\system32\ole32.dll   ok   scanned
4/16/2007 11:34:49 AM   Running module: winlogon.exe\IMAGEHLP.dll   ok   scanned
4/16/2007 11:34:49 AM   File: C:\WINDOWS\system32\IMAGEHLP.dll   ok   scanned
4/16/2007 11:34:49 AM   Running module: winlogon.exe\VERSION.dll   ok   scanned
4/16/2007 11:34:49 AM   File: C:\WINDOWS\system32\VERSION.dll   ok   scanned
4/16/2007 11:34:49 AM   Running module: winlogon.exe\WINSTA.dll   ok   scanned
4/16/2007 11:34:49 AM   File: C:\WINDOWS\system32\WINSTA.dll   ok   scanned
4/16/2007 11:34:49 AM   Running module: winlogon.exe\WS2_32.dll   ok   scanned
4/16/2007 11:34:49 AM   File: C:\WINDOWS\system32\WS2_32.dll   ok   scanned
4/16/2007 11:34:49 AM   Running module: winlogon.exe\WS2HELP.dll   ok   scanned
4/16/2007 11:34:49 AM   File: C:\WINDOWS\system32\WS2HELP.dll   ok   scanned
4/16/2007 11:34:49 AM   Running module: winlogon.exe\MSGINA.dll   ok   scanned
4/16/2007 11:34:50 AM   File: C:\WINDOWS\system32\MSGINA.dll   ok   scanned
4/16/2007 11:34:50 AM   Running module: winlogon.exe\SHELL32.dll   ok   scanned
4/16/2007 11:34:58 AM   File: C:\WINDOWS\system32\SHELL32.dll   ok   scanned
4/16/2007 11:34:58 AM   Running module: winlogon.exe\SHLWAPI.dll   ok   scanned
4/16/2007 11:34:58 AM   File: C:\WINDOWS\system32\SHLWAPI.dll   ok   scanned
4/16/2007 11:34:59 AM   Running module: winlogon.exe\COMCTL32.dll   ok   scanned
4/16/2007 11:34:59 AM   File: C:\WINDOWS\system32\COMCTL32.dll   ok   scanned
4/16/2007 11:34:59 AM   Running module: winlogon.exe\ODBC32.dll   ok   scanned
4/16/2007 11:34:59 AM   File: C:\WINDOWS\system32\ODBC32.dll   ok   iChecker
4/16/2007 11:34:59 AM   Running module: winlogon.exe\comdlg32.dll   ok   scanned
4/16/2007 11:34:59 AM   File: C:\WINDOWS\system32\comdlg32.dll   ok   scanned
4/16/2007 11:34:59 AM   Running module: winlogon.exe\comctl32.dll   ok   scanned
4/16/2007 11:35:00 AM   File: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll   ok   scanned
4/16/2007 11:35:00 AM   Running module: winlogon.exe\odbcint.dll   ok   scanned
4/16/2007 11:35:00 AM   File: C:\WINDOWS\system32\odbcint.dll   ok   iChecker
4/16/2007 11:35:00 AM   Running module: winlogon.exe\SHSVCS.dll   ok   scanned
4/16/2007 11:35:00 AM   File: C:\WINDOWS\system32\SHSVCS.dll   ok   scanned
4/16/2007 11:35:00 AM   Running module: winlogon.exe\sfc.dll   ok   scanned
4/16/2007 11:35:00 AM   File: C:\WINDOWS\system32\sfc.dll   ok   scanned
4/16/2007 11:35:00 AM   Running module: winlogon.exe\WINMM.dll   ok   scanned
4/16/2007 11:35:01 AM   File: C:\WINDOWS\system32\WINMM.dll   ok   scanned
4/16/2007 11:35:01 AM   Running module: winlogon.exe\cscdll.dll   ok   scanned
4/16/2007 11:35:01 AM   File: C:\WINDOWS\system32\cscdll.dll   ok   scanned
4/16/2007 11:35:01 AM   Running module: winlogon.exe\klogon.dll   ok   scanned
4/16/2007 11:35:01 AM   File: C:\WINDOWS\System32\klogon.dll   ok   scanned
4/16/2007 11:35:01 AM   Running module: winlogon.exe\rsaenh.dll   ok   scanned
4/16/2007 11:35:01 AM   File: C:\WINDOWS\System32\rsaenh.dll   ok   scanned
4/16/2007 11:35:01 AM   Running module: winlogon.exe\WlNotify.dll   ok   scanned
4/16/2007 11:35:01 AM   File: C:\WINDOWS\system32\WlNotify.dll   ok   scanned
4/16/2007 11:35:01 AM   Running module: winlogon.exe\WinSCard.dll   ok   scanned
4/16/2007 11:35:02 AM   File: C:\WINDOWS\system32\WinSCard.dll   ok   scanned
4/16/2007 11:35:02 AM   Running module: winlogon.exe\WTSAPI32.dll   ok   scanned
4/16/2007 11:35:02 AM   File: C:\WINDOWS\system32\WTSAPI32.dll   ok   scanned
4/16/2007 11:35:02 AM   Running module: winlogon.exe\WINSPOOL.DRV   ok   scanned
4/16/2007 11:35:02 AM   File: C:\WINDOWS\system32\WINSPOOL.DRV   ok   scanned
4/16/2007 11:35:02 AM   Running module: winlogon.exe\MPR.dll   ok   scanned
4/16/2007 11:35:02 AM   File: C:\WINDOWS\system32\MPR.dll   ok   scanned
4/16/2007 11:35:02 AM   Running module: winlogon.exe\UxTheme.dll   ok   scanned
4/16/2007 11:35:02 AM   File: C:\WINDOWS\system32\UxTheme.dll   ok   scanned
4/16/2007 11:35:02 AM   Running module: winlogon.exe\SAMLIB.dll   ok   scanned
4/16/2007 11:35:02 AM   File: C:\WINDOWS\system32\SAMLIB.dll   ok   scanned
4/16/2007 11:35:02 AM   Running module: winlogon.exe\cscui.dll   ok   scanned
4/16/2007 11:35:03 AM   File: C:\WINDOWS\system32\cscui.dll   ok   scanned
4/16/2007 11:35:03 AM   Running module: winlogon.exe\NTMARTA.DLL   ok   scanned
4/16/2007 11:35:03 AM   File: C:\WINDOWS\system32\NTMARTA.DLL   ok   scanned
4/16/2007 11:35:03 AM   Running module: winlogon.exe\WLDAP32.dll   ok   scanned
4/16/2007 11:35:03 AM   File: C:\WINDOWS\system32\WLDAP32.dll   ok   scanned
4/16/2007 11:35:03 AM   Running module: winlogon.exe\COMRes.dll   ok   scanned
4/16/2007 11:35:04 AM   File: C:\WINDOWS\system32\COMRes.dll   ok   scanned
4/16/2007 11:35:04 AM   Running module: winlogon.exe\OLEAUT32.dll   ok   scanned
4/16/2007 11:35:04 AM   File: C:\WINDOWS\system32\OLEAUT32.dll   ok   iChecker
4/16/2007 11:35:04 AM   Running module: winlogon.exe\CLBCATQ.DLL   ok   scanned
4/16/2007 11:35:05 AM   File: C:\WINDOWS\system32\CLBCATQ.DLL   ok   scanned
4/16/2007 11:35:05 AM   Running module: services.exe\services.exe   ok   scanned
4/16/2007 11:35:05 AM   File: C:\WINDOWS\system32\services.exe   ok   scanned
4/16/2007 11:35:05 AM   Running module: services.exe\ntdll.dll   ok   iChecker
4/16/2007 11:35:05 AM   Running module: services.exe\kernel32.dll   ok   iChecker
4/16/2007 11:35:05 AM   Running module: services.exe\msvcrt.dll   ok   iChecker
4/16/2007 11:35:05 AM   Running module: services.exe\ADVAPI32.dll   ok   iChecker
4/16/2007 11:35:05 AM   Running module: services.exe\RPCRT4.dll   ok   iChecker
4/16/2007 11:35:05 AM   Running module: services.exe\USER32.dll   ok   iChecker
4/16/2007 11:35:05 AM   Running module: services.exe\GDI32.dll   ok   iChecker
4/16/2007 11:35:05 AM   Running module: services.exe\USERENV.dll   ok   iChecker
4/16/2007 11:35:05 AM   Running module: services.exe\SCESRV.dll   ok   scanned
4/16/2007 11:35:05 AM   File: C:\WINDOWS\system32\SCESRV.dll   ok   scanned
4/16/2007 11:35:05 AM   Running module: services.exe\AUTHZ.dll   ok   iChecker
4/16/2007 11:35:05 AM   Running module: services.exe\umpnpmgr.dll   ok   scanned
4/16/2007 11:35:05 AM   File: C:\WINDOWS\system32\umpnpmgr.dll   ok   scanned
4/16/2007 11:35:05 AM   Running module: services.exe\WINSTA.dll   ok   iChecker
4/16/2007 11:35:05 AM   Running module: services.exe\NCObjAPI.DLL   ok   scanned
4/16/2007 11:35:05 AM   File: C:\WINDOWS\system32\NCObjAPI.DLL   ok   scanned
4/16/2007 11:35:05 AM   Running module: services.exe\secur32.dll   ok   iChecker
4/16/2007 11:35:05 AM   File: C:\WINDOWS\system32\secur32.dll   ok   iChecker
4/16/2007 11:35:05 AM   Running module: services.exe\eventlog.dll   ok   scanned
4/16/2007 11:35:05 AM   File: C:\WINDOWS\system32\eventlog.dll   ok   scanned
4/16/2007 11:35:05 AM   Running module: services.exe\WS2_32.dll   ok   iChecker
4/16/2007 11:35:05 AM   Running module: services.exe\WS2HELP.dll   ok   iChecker
4/16/2007 11:35:05 AM   Running module: services.exe\PSAPI.DLL   ok   iChecker
4/16/2007 11:35:05 AM   Running module: services.exe\wtsapi32.dll   ok   iChecker
4/16/2007 11:35:05 AM   File: C:\WINDOWS\system32\wtsapi32.dll   ok   iChecker
4/16/2007 11:35:05 AM   Running module: services.exe\netapi32.dll   ok   iChecker
4/16/2007 11:35:05 AM   File: C:\WINDOWS\system32\netapi32.dll   ok   iChecker
4/16/2007 11:35:06 AM   Running module:
lsass.exe\lsass.exe ok scanned 4/16/2007 11:35:06 AM File: C:\WINDOWS\system32\lsass.exe ok scanned 4/16/2007 11:35:06 AM Running module: lsass.exe\ntdll.dll ok iChecker 4/16/2007 11:35:06 AM Running module: lsass.exe\kernel32.dll ok iChecker 4/16/2007 11:35:06 AM Running module: lsass.exe\ADVAPI32.dll ok iChecker 4/16/2007 11:35:06 AM Running module: lsass.exe\RPCRT4.dll ok iChecker 4/16/2007 11:35:06 AM Running module: lsass.exe\LSASRV.dll ok scanned 4/16/2007 11:35:06 AM File: C:\WINDOWS\system32\LSASRV.dll ok scanned 4/16/2007 11:35:06 AM Running module: lsass.exe\msvcrt.dll ok iChecker 4/16/2007 11:35:06 AM Running module: lsass.exe\Secur32.dll ok iChecker 4/16/2007 11:35:06 AM Running module: lsass.exe\USER32.dll ok iChecker 4/16/2007 11:35:06 AM Running module: lsass.exe\GDI32.dll ok iChecker 4/16/2007 11:35:06 AM Running module: lsass.exe\SAMSRV.dll ok scanned 4/16/2007 11:35:06 AM File: C:\WINDOWS\system32\SAMSRV.dll ok scanned 4/16/2007 11:35:06 AM Running module: lsass.exe\cryptdll.dll ok scanned 4/16/2007 11:35:06 AM File: C:\WINDOWS\system32\cryptdll.dll ok scanned 4/16/2007 11:35:06 AM Running module: lsass.exe\DNSAPI.dll ok scanned 4/16/2007 11:35:06 AM File: C:\WINDOWS\system32\DNSAPI.dll ok scanned 4/16/2007 11:35:06 AM Running module: lsass.exe\WS2_32.dll ok iChecker 4/16/2007 11:35:06 AM Running module: lsass.exe\WS2HELP.dll ok iChecker 4/16/2007 11:35:06 AM Running module: lsass.exe\MSASN1.dll ok iChecker 4/16/2007 11:35:06 AM Running module: lsass.exe\NETAPI32.dll ok iChecker 4/16/2007 11:35:06 AM Running module: lsass.exe\SAMLIB.dll ok iChecker 4/16/2007 11:35:06 AM Running module: lsass.exe\MPR.dll ok iChecker 4/16/2007 11:35:06 AM Running module: lsass.exe\NTDSAPI.dll ok scanned 4/16/2007 11:35:07 AM File: C:\WINDOWS\system32\NTDSAPI.dll ok scanned 4/16/2007 11:35:07 AM Running module: lsass.exe\WLDAP32.dll ok iChecker 4/16/2007 11:35:07 AM Running module: lsass.exe\msprivs.dll ok scanned 4/16/2007 11:35:07 AM File: 
C:\WINDOWS\system32\msprivs.dll ok scanned 4/16/2007 11:35:07 AM Running module: lsass.exe\kerberos.dll ok scanned 4/16/2007 11:35:07 AM File: C:\WINDOWS\system32\kerberos.dll ok scanned 4/16/2007 11:35:07 AM Running module: lsass.exe\msv1_0.dll ok scanned 4/16/2007 11:35:07 AM File: C:\WINDOWS\system32\msv1_0.dll ok scanned 4/16/2007 11:35:07 AM Running module: lsass.exe\netlogon.dll ok scanned 4/16/2007 11:35:07 AM File: C:\WINDOWS\system32\netlogon.dll ok scanned 4/16/2007 11:35:08 AM Running module: lsass.exe\w32time.dll ok scanned 4/16/2007 11:35:08 AM File: C:\WINDOWS\system32\w32time.dll ok scanned 4/16/2007 11:35:08 AM Running module: lsass.exe\MSVCP60.dll ok scanned 4/16/2007 11:35:08 AM File: C:\WINDOWS\system32\MSVCP60.dll ok scanned 4/16/2007 11:35:08 AM Running module: lsass.exe\iphlpapi.dll ok scanned 4/16/2007 11:35:09 AM File: C:\WINDOWS\system32\iphlpapi.dll ok scanned 4/16/2007 11:35:09 AM Running module: lsass.exe\netman.dll ok scanned 4/16/2007 11:35:09 AM File: C:\WINDOWS\system32\netman.dll ok scanned 4/16/2007 11:35:09 AM Running module: lsass.exe\MPRAPI.dll ok scanned 4/16/2007 11:35:09 AM File: C:\WINDOWS\system32\MPRAPI.dll ok scanned 4/16/2007 11:35:09 AM Running module: lsass.exe\ACTIVEDS.dll ok scanned 4/16/2007 11:35:09 AM File: C:\WINDOWS\system32\ACTIVEDS.dll ok scanned 4/16/2007 11:35:09 AM Running module: lsass.exe\adsldpc.dll ok scanned 4/16/2007 11:35:09 AM File: C:\WINDOWS\system32\adsldpc.dll ok scanned 4/16/2007 11:35:09 AM Running module: lsass.exe\ATL.DLL ok scanned 4/16/2007 11:35:10 AM File: C:\WINDOWS\system32\ATL.DLL ok scanned 4/16/2007 11:35:10 AM Running module: lsass.exe\ole32.dll ok iChecker 4/16/2007 11:35:10 AM Running module: lsass.exe\OLEAUT32.dll ok iChecker 4/16/2007 11:35:10 AM Running module: lsass.exe\rtutils.dll ok scanned 4/16/2007 11:35:10 AM File: C:\WINDOWS\system32\rtutils.dll ok scanned 4/16/2007 11:35:10 AM Running module: lsass.exe\SETUPAPI.dll ok iChecker 4/16/2007 11:35:10 AM Running module: 
lsass.exe\RASAPI32.dll ok scanned 4/16/2007 11:35:10 AM File: C:\WINDOWS\system32\RASAPI32.dll ok scanned 4/16/2007 11:35:10 AM Running module: lsass.exe\rasman.dll ok scanned 4/16/2007 11:35:10 AM File: C:\WINDOWS\system32\rasman.dll ok scanned 4/16/2007 11:35:10 AM Running module: lsass.exe\TAPI32.dll ok scanned 4/16/2007 11:35:10 AM File: C:\WINDOWS\system32\TAPI32.dll ok scanned 4/16/2007 11:35:10 AM Running module: lsass.exe\SHLWAPI.dll ok iChecker 4/16/2007 11:35:10 AM Running module: lsass.exe\WINMM.dll ok iChecker 4/16/2007 11:35:10 AM Running module: lsass.exe\SHELL32.dll ok iChecker 4/16/2007 11:35:10 AM Running module: lsass.exe\WZCSvc.DLL ok scanned 4/16/2007 11:35:10 AM File: C:\WINDOWS\system32\WZCSvc.DLL ok scanned 4/16/2007 11:35:10 AM Running module: lsass.exe\WMI.dll ok scanned 4/16/2007 11:35:10 AM File: C:\WINDOWS\system32\WMI.dll ok scanned 4/16/2007 11:35:11 AM Running module: lsass.exe\DHCPCSVC.DLL ok scanned 4/16/2007 11:35:11 AM File: C:\WINDOWS\system32\DHCPCSVC.DLL ok scanned 4/16/2007 11:35:11 AM Running module: lsass.exe\CRYPT32.dll ok iChecker 4/16/2007 11:35:11 AM Running module: lsass.exe\WTSAPI32.dll ok iChecker 4/16/2007 11:35:11 AM Running module: lsass.exe\WINSTA.dll ok iChecker 4/16/2007 11:35:11 AM Running module: lsass.exe\USERENV.dll ok iChecker 4/16/2007 11:35:11 AM Running module: lsass.exe\comctl32.dll ok iChecker 4/16/2007 11:35:11 AM Running module: lsass.exe\comctl32.dll ok iChecker 4/16/2007 11:35:11 AM File: C:\WINDOWS\system32\comctl32.dll ok iChecker 4/16/2007 11:35:11 AM Running module: lsass.exe\schannel.dll ok scanned 4/16/2007 11:35:11 AM File: C:\WINDOWS\system32\schannel.dll ok scanned 4/16/2007 11:35:11 AM Running module: lsass.exe\wdigest.dll ok scanned 4/16/2007 11:35:11 AM File: C:\WINDOWS\system32\wdigest.dll ok scanned 4/16/2007 11:35:11 AM Running module: lsass.exe\rsaenh.dll ok iChecker 4/16/2007 11:35:11 AM Running module: lsass.exe\nwprovau.dll ok scanned 4/16/2007 11:35:11 AM File: 
C:\WINDOWS\system32\nwprovau.dll ok scanned 4/16/2007 11:35:11 AM Running module: lsass.exe\scecli.dll ok scanned 4/16/2007 11:35:11 AM File: C:\WINDOWS\system32\scecli.dll ok scanned 4/16/2007 11:35:11 AM Running module: svchost.exe\svchost.exe ok scanned 4/16/2007 11:35:11 AM File: C:\WINDOWS\system32\svchost.exe ok scanned 4/16/2007 11:35:11 AM Running module: svchost.exe\ntdll.dll ok iChecker 4/16/2007 11:35:11 AM Running module: svchost.exe\kernel32.dll ok iChecker 4/16/2007 11:35:11 AM Running module: svchost.exe\ADVAPI32.dll ok iChecker 4/16/2007 11:35:11 AM Running module: svchost.exe\RPCRT4.dll ok iChecker 4/16/2007 11:35:11 AM Running module: svchost.exe\rpcss.dll ok scanned 4/16/2007 11:35:12 AM File: c:\windows\system32\rpcss.dll ok scanned 4/16/2007 11:35:12 AM Running module: svchost.exe\msvcrt.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\WS2_32.dll ok iChecker 4/16/2007 11:35:12 AM File: c:\windows\system32\WS2_32.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\WS2HELP.dll ok iChecker 4/16/2007 11:35:12 AM File: c:\windows\system32\WS2HELP.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\USER32.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\GDI32.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\Secur32.dll ok iChecker 4/16/2007 11:35:12 AM File: c:\windows\system32\Secur32.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\userenv.dll ok iChecker 4/16/2007 11:35:12 AM File: C:\WINDOWS\system32\userenv.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\mswsock.dll ok scanned 4/16/2007 11:35:12 AM File: C:\WINDOWS\system32\mswsock.dll ok scanned 4/16/2007 11:35:12 AM Running module: svchost.exe\wshtcpip.dll ok scanned 4/16/2007 11:35:12 AM File: C:\WINDOWS\System32\wshtcpip.dll ok scanned 4/16/2007 11:35:12 AM Running module: svchost.exe\wshisn.dll ok scanned 4/16/2007 11:35:12 AM File: C:\WINDOWS\System32\wshisn.dll ok scanned 
4/16/2007 11:35:12 AM Running module: svchost.exe\WSOCK32.dll ok scanned 4/16/2007 11:35:12 AM File: C:\WINDOWS\system32\WSOCK32.dll ok scanned 4/16/2007 11:35:12 AM Running module: svchost.exe\DNSAPI.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\iphlpapi.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\netman.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\MPRAPI.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\ACTIVEDS.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\adsldpc.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\NETAPI32.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\WLDAP32.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\ATL.DLL ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\ole32.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\OLEAUT32.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\rtutils.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\SAMLIB.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\SETUPAPI.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\RASAPI32.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\rasman.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\TAPI32.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\SHLWAPI.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\WINMM.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\SHELL32.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\WZCSvc.DLL ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\WMI.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\DHCPCSVC.DLL ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\CRYPT32.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\MSASN1.dll ok iChecker 4/16/2007 11:35:12 
AM Running module: svchost.exe\WTSAPI32.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\WINSTA.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\comctl32.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\comctl32.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\winrnr.dll ok scanned 4/16/2007 11:35:12 AM File: C:\WINDOWS\System32\winrnr.dll ok scanned 4/16/2007 11:35:12 AM Running module: svchost.exe\rasadhlp.dll ok scanned 4/16/2007 11:35:12 AM File: C:\WINDOWS\system32\rasadhlp.dll ok scanned 4/16/2007 11:35:12 AM Running module: svchost.exe\CLBCATQ.DLL ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\COMRes.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\VERSION.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\svchost.exe ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\ntdll.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\kernel32.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\ADVAPI32.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\RPCRT4.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\ole32.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\GDI32.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\USER32.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\cryptsvc.dll ok scanned 4/16/2007 11:35:12 AM File: c:\windows\system32\cryptsvc.dll ok scanned 4/16/2007 11:35:12 AM Running module: svchost.exe\msvcrt.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\WINTRUST.dll ok iChecker 4/16/2007 11:35:12 AM File: c:\windows\system32\WINTRUST.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\CRYPT32.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\MSASN1.dll ok iChecker 4/16/2007 11:35:12 AM Running module: svchost.exe\IMAGEHLP.dll ok iChecker 4/16/2007 11:35:13 AM Running 
module: svchost.exe\certcli.dll ok scanned 4/16/2007 11:35:13 AM File: c:\windows\system32\certcli.dll ok scanned 4/16/2007 11:35:13 AM Running module: svchost.exe\ATL.DLL ok iChecker 4/16/2007 11:35:13 AM File: c:\windows\system32\ATL.DLL ok iChecker 4/16/2007 11:35:13 AM Running module: svchost.exe\WLDAP32.dll ok iChecker 4/16/2007 11:35:13 AM Running module: svchost.exe\OLEAUT32.dll ok iChecker 4/16/2007 11:35:13 AM Running module: svchost.exe\Secur32.dll ok iChecker 4/16/2007 11:35:13 AM Running module: svchost.exe\NETAPI32.dll ok iChecker 4/16/2007 11:35:13 AM File: c:\windows\system32\NETAPI32.dll ok iChecker 4/16/2007 11:35:13 AM Running module: svchost.exe\CRYPTUI.dll ok scanned 4/16/2007 11:35:13 AM File: c:\windows\system32\CRYPTUI.dll ok scanned 4/16/2007 11:35:14 AM Running module: svchost.exe\WININET.dll ok scanned 4/16/2007 11:35:14 AM File: C:\WINDOWS\system32\WININET.dll ok scanned 4/16/2007 11:35:14 AM Running module: svchost.exe\SHLWAPI.dll ok iChecker 4/16/2007 11:35:15 AM Running module: svchost.exe\ESENT.dll ok scanned 4/16/2007 11:35:15 AM File: c:\windows\system32\ESENT.dll ok scanned 4/16/2007 11:35:15 AM Running module: svchost.exe\comctl32.dll ok iChecker 4/16/2007 11:35:15 AM Running module: svchost.exe\wmisvc.dll ok scanned 4/16/2007 11:35:15 AM File: c:\windows\system32\wbem\wmisvc.dll ok scanned 4/16/2007 11:35:15 AM Running module: svchost.exe\wbemcomn.dll ok scanned 4/16/2007 11:35:16 AM File: c:\windows\system32\wbem\wbemcomn.dll ok scanned 4/16/2007 11:35:16 AM Running module: svchost.exe\VSSAPI.DLL ok scanned 4/16/2007 11:35:17 AM File: C:\WINDOWS\system32\VSSAPI.DLL ok scanned 4/16/2007 11:35:17 AM Running module: svchost.exe\srsvc.dll ok scanned 4/16/2007 11:35:17 AM File: c:\windows\system32\srsvc.dll ok scanned 4/16/2007 11:35:17 AM Running module: svchost.exe\SHELL32.dll ok iChecker 4/16/2007 11:35:17 AM Running module: svchost.exe\comctl32.dll ok iChecker 4/16/2007 11:35:17 AM Running module: svchost.exe\pchsvc.dll ok 
scanned 4/16/2007 11:35:17 AM File: c:\windows\pchealth\helpctr\binaries\pchsvc.dll ok scanned 4/16/2007 11:35:17 AM Running module: svchost.exe\WINSTA.dll ok iChecker 4/16/2007 11:35:17 AM Running module: svchost.exe\NTMARTA.DLL ok iChecker 4/16/2007 11:35:17 AM Running module: svchost.exe\dmserver.dll ok scanned 4/16/2007 11:35:17 AM File: c:\windows\system32\dmserver.dll ok scanned 4/16/2007 11:35:17 AM Running module: svchost.exe\SETUPAPI.dll ok iChecker 4/16/2007 11:35:17 AM File: c:\windows\system32\SETUPAPI.dll ok iChecker 4/16/2007 11:35:17 AM Running module: svchost.exe\CLBCATQ.DLL ok iChecker 4/16/2007 11:35:17 AM Running module: svchost.exe\COMRes.dll ok iChecker 4/16/2007 11:35:17 AM Running module: svchost.exe\VERSION.dll ok iChecker 4/16/2007 11:35:17 AM Running module: svchost.exe\es.dll ok scanned 4/16/2007 11:35:17 AM File: C:\WINDOWS\System32\es.dll ok scanned 4/16/2007 11:35:17 AM Running module: svchost.exe\WS2_32.dll ok iChecker 4/16/2007 11:35:17 AM File: C:\WINDOWS\System32\WS2_32.dll ok iChecker 4/16/2007 11:35:17 AM Running module: svchost.exe\WS2HELP.dll ok iChecker 4/16/2007 11:35:17 AM File: C:\WINDOWS\System32\WS2HELP.dll ok iChecker 4/16/2007 11:35:17 AM Running module: svchost.exe\wtsapi32.dll ok iChecker 4/16/2007 11:35:17 AM Running module: svchost.exe\wbemcore.dll ok scanned 4/16/2007 11:35:18 AM File: C:\WINDOWS\System32\wbem\wbemcore.dll ok scanned 4/16/2007 11:35:18 AM Running module: svchost.exe\esscli.dll ok scanned 4/16/2007 11:35:18 AM File: C:\WINDOWS\System32\wbem\esscli.dll ok scanned 4/16/2007 11:35:18 AM Running module: svchost.exe\FastProx.dll ok scanned 4/16/2007 11:35:18 AM File: C:\WINDOWS\System32\wbem\FastProx.dll ok scanned 4/16/2007 11:35:18 AM Running module: svchost.exe\wmiutils.dll ok scanned 4/16/2007 11:35:18 AM File: C:\WINDOWS\System32\wbem\wmiutils.dll ok scanned 4/16/2007 11:35:18 AM Running module: svchost.exe\repdrvfs.dll ok scanned 4/16/2007 11:35:19 AM File: C:\WINDOWS\System32\wbem\repdrvfs.dll ok 
scanned 4/16/2007 11:35:19 AM Running module: svchost.exe\wmiprvsd.dll ok scanned 4/16/2007 11:35:19 AM File: C:\WINDOWS\System32\wbem\wmiprvsd.dll ok scanned 4/16/2007 11:35:19 AM Running module: svchost.exe\NCObjAPI.DLL ok iChecker 4/16/2007 11:35:19 AM Running module: svchost.exe\wbemess.dll ok scanned 4/16/2007 11:35:19 AM File: C:\WINDOWS\System32\wbem\wbemess.dll ok scanned 4/16/2007 11:35:19 AM Running module: svchost.exe\ncprov.dll ok scanned 4/16/2007 11:35:19 AM File: C:\WINDOWS\System32\wbem\ncprov.dll ok scanned 4/16/2007 11:35:19 AM Running module: svchost.exe\wbemsvc.dll ok scanned 4/16/2007 11:35:19 AM File: C:\WINDOWS\System32\wbem\wbemsvc.dll ok scanned 4/16/2007 11:35:19 AM Running module: explorer.exe\Explorer.EXE ok scanned 4/16/2007 11:35:20 AM File: C:\WINDOWS\Explorer.EXE ok scanned 4/16/2007 11:35:20 AM Running module: explorer.exe\ntdll.dll ok iChecker 4/16/2007 11:35:20 AM Running module: explorer.exe\kernel32.dll ok iChecker 4/16/2007 11:35:20 AM Running module: explorer.exe\msvcrt.dll ok iChecker 4/16/2007 11:35:20 AM Running module: explorer.exe\ADVAPI32.dll ok iChecker 4/16/2007 11:35:20 AM Running module: explorer.exe\RPCRT4.dll ok iChecker 4/16/2007 11:35:20 AM Running module: explorer.exe\GDI32.dll ok iChecker 4/16/2007 11:35:20 AM Running module: explorer.exe\USER32.dll ok iChecker 4/16/2007 11:35:20 AM Running module: explorer.exe\SHLWAPI.dll ok iChecker 4/16/2007 11:35:20 AM Running module: explorer.exe\SHELL32.dll ok iChecker 4/16/2007 11:35:20 AM Running module: explorer.exe\ole32.dll ok iChecker 4/16/2007 11:35:20 AM Running module: explorer.exe\OLEAUT32.dll ok iChecker 4/16/2007 11:35:20 AM Running module: explorer.exe\BROWSEUI.dll ok scanned 4/16/2007 11:35:20 AM File: C:\WINDOWS\System32\BROWSEUI.dll ok scanned 4/16/2007 11:35:20 AM Running module: explorer.exe\SHDOCVW.dll ok scanned 4/16/2007 11:35:21 AM File: C:\WINDOWS\System32\SHDOCVW.dll ok scanned 4/16/2007 11:35:21 AM Running module: explorer.exe\UxTheme.dll ok 
iChecker 4/16/2007 11:35:21 AM File: C:\WINDOWS\System32\UxTheme.dll ok iChecker 4/16/2007 11:35:21 AM Running module: explorer.exe\comctl32.dll ok iChecker 4/16/2007 11:35:21 AM Running module: explorer.exe\comctl32.dll ok iChecker 4/16/2007 11:35:21 AM Running module: explorer.exe\appHelp.dll ok scanned 4/16/2007 11:35:21 AM File: C:\WINDOWS\system32\appHelp.dll ok scanned 4/16/2007 11:35:21 AM Running module: explorer.exe\CLBCATQ.DLL ok iChecker 4/16/2007 11:35:21 AM File: C:\WINDOWS\System32\CLBCATQ.DLL ok iChecker 4/16/2007 11:35:21 AM Running module: explorer.exe\COMRes.dll ok iChecker 4/16/2007 11:35:21 AM File: C:\WINDOWS\System32\COMRes.dll ok iChecker 4/16/2007 11:35:21 AM Running module: explorer.exe\VERSION.dll ok iChecker 4/16/2007 11:35:21 AM Running module: explorer.exe\cscui.dll ok iChecker 4/16/2007 11:35:21 AM File: C:\WINDOWS\System32\cscui.dll ok iChecker 4/16/2007 11:35:21 AM Running module: explorer.exe\CSCDLL.dll ok iChecker 4/16/2007 11:35:21 AM File: C:\WINDOWS\System32\CSCDLL.dll ok iChecker 4/16/2007 11:35:21 AM Running module: explorer.exe\themeui.dll ok scanned 4/16/2007 11:35:21 AM File: C:\WINDOWS\System32\themeui.dll ok scanned 4/16/2007 11:35:21 AM Running module: explorer.exe\Secur32.dll ok iChecker 4/16/2007 11:35:21 AM File: C:\WINDOWS\System32\Secur32.dll ok iChecker 4/16/2007 11:35:21 AM Running module: explorer.exe\MSIMG32.dll ok scanned 4/16/2007 11:35:21 AM File: C:\WINDOWS\System32\MSIMG32.dll ok scanned 4/16/2007 11:35:21 AM Running module: explorer.exe\USERENV.dll ok iChecker 4/16/2007 11:35:22 AM Running module: explorer.exe\LINKINFO.dll ok scanned 4/16/2007 11:35:22 AM File: C:\WINDOWS\System32\LINKINFO.dll ok scanned 4/16/2007 11:35:22 AM Running module: explorer.exe\ntshrui.dll ok scanned 4/16/2007 11:35:22 AM File: C:\WINDOWS\System32\ntshrui.dll ok scanned 4/16/2007 11:35:22 AM Running module: explorer.exe\ATL.DLL ok iChecker 4/16/2007 11:35:22 AM File: C:\WINDOWS\System32\ATL.DLL ok iChecker 4/16/2007 11:35:22 AM 
Running module: explorer.exe\NETAPI32.dll ok iChecker 4/16/2007 11:35:22 AM File: C:\WINDOWS\System32\NETAPI32.dll ok iChecker 4/16/2007 11:35:22 AM Running module: explorer.exe\shimgvw.dll ok scanned 4/16/2007 11:35:22 AM File: C:\WINDOWS\System32\shimgvw.dll ok scanned 4/16/2007 11:35:23 AM Running module: explorer.exe\gdiplus.dll ok scanned 4/16/2007 11:35:23 AM File: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\gdiplus.dll ok scanned 4/16/2007 11:35:23 AM Running module: explorer.exe\SETUPAPI.dll ok iChecker 4/16/2007 11:35:23 AM File: C:\WINDOWS\System32\SETUPAPI.dll ok iChecker 4/16/2007 11:35:24 AM Running module: explorer.exe\NETSHELL.dll ok scanned 4/16/2007 11:35:25 AM File: C:\WINDOWS\system32\NETSHELL.dll ok scanned 4/16/2007 11:35:25 AM Running module: explorer.exe\credui.dll ok scanned 4/16/2007 11:35:25 AM File: C:\WINDOWS\system32\credui.dll ok scanned 4/16/2007 11:35:25 AM Running module: explorer.exe\WS2_32.dll ok iChecker 4/16/2007 11:35:25 AM Running module: explorer.exe\WS2HELP.dll ok iChecker 4/16/2007 11:35:25 AM Running module: explorer.exe\iphlpapi.dll ok iChecker 4/16/2007 11:35:25 AM Running module: explorer.exe\netman.dll ok iChecker 4/16/2007 11:35:25 AM Running module: explorer.exe\MPRAPI.dll ok iChecker 4/16/2007 11:35:25 AM Running module: explorer.exe\ACTIVEDS.dll ok iChecker 4/16/2007 11:35:25 AM Running module: explorer.exe\adsldpc.dll ok iChecker 4/16/2007 11:35:25 AM Running module: explorer.exe\WLDAP32.dll ok iChecker 4/16/2007 11:35:25 AM Running module: explorer.exe\rtutils.dll ok iChecker 4/16/2007 11:35:25 AM Running module: explorer.exe\SAMLIB.dll ok iChecker 4/16/2007 11:35:25 AM Running module: explorer.exe\RASAPI32.dll ok iChecker 4/16/2007 11:35:25 AM Running module: explorer.exe\rasman.dll ok iChecker 4/16/2007 11:35:25 AM Running module: explorer.exe\TAPI32.dll ok iChecker 4/16/2007 11:35:25 AM Running module: explorer.exe\WINMM.dll ok iChecker 4/16/2007 11:35:25 AM Running 
module: explorer.exe\WZCSvc.DLL ok iChecker 4/16/2007 11:35:25 AM Running module: explorer.exe\WMI.dll ok iChecker 4/16/2007 11:35:25 AM Running module: explorer.exe\DHCPCSVC.DLL ok iChecker 4/16/2007 11:35:25 AM Running module: explorer.exe\DNSAPI.dll ok iChecker 4/16/2007 11:35:25 AM Running module: explorer.exe\CRYPT32.dll ok iChecker 4/16/2007 11:35:25 AM Running module: explorer.exe\MSASN1.dll ok iChecker 4/16/2007 11:35:25 AM Running module: explorer.exe\WTSAPI32.dll ok iChecker 4/16/2007 11:35:25 AM Running module: explorer.exe\WINSTA.dll ok iChecker 4/16/2007 11:35:25 AM Running module: explorer.exe\msi.dll ok scanned 4/16/2007 11:35:26 AM File: C:\WINDOWS\System32\msi.dll ok scanned 4/16/2007 11:35:26 AM Running module: explorer.exe\nwprovau.dll ok iChecker 4/16/2007 11:35:26 AM File: C:\WINDOWS\System32\nwprovau.dll ok iChecker 4/16/2007 11:35:26 AM Running module: explorer.exe\MPR.dll ok iChecker 4/16/2007 11:35:26 AM Running module: explorer.exe\ShellEx.dll ok scanned 4/16/2007 11:35:26 AM File: C:\ADAWARE\Kaspersky Lab\Kaspersky Anti-Virus 6.0\ShellEx.dll ok scanned 4/16/2007 11:35:26 AM Running module: explorer.exe\MSVCR80.dll ok scanned 4/16/2007 11:35:26 AM File: C:\ADAWARE\Kaspersky Lab\Kaspersky Anti-Virus 6.0\MSVCR80.dll ok scanned 4/16/2007 11:35:26 AM Running module: explorer.exe\MSVCP80.dll ok scanned 4/16/2007 11:35:27 AM File: C:\ADAWARE\Kaspersky Lab\Kaspersky Anti-Virus 6.0\MSVCP80.dll ok scanned 4/16/2007 11:35:27 AM Running module: explorer.exe\wzshlext.dll ok scanned 4/16/2007 11:35:27 AM File: C:\PROGRA~1\WinZip\wzshlext.dll ok scanned 4/16/2007 11:35:27 AM Running module: explorer.exe\CRTDLL.dll ok scanned 4/16/2007 11:35:27 AM File: C:\WINDOWS\System32\CRTDLL.dll ok scanned 4/16/2007 11:35:27 AM Running module: explorer.exe\WZCAB2.DLL ok scanned 4/16/2007 11:35:27 AM File: C:\PROGRA~1\WINZIP\WZCAB2.DLL ok scanned 4/16/2007 11:35:27 AM Running module: explorer.exe\browselc.dll ok scanned 4/16/2007 11:35:27 AM File: 
C:\WINDOWS\System32\browselc.dll archive Embedded HTML

Statistics
----------
Object    Scanned    Detected    Untreated    Deleted    Moved to Quarantine    Archives    Packed files    Password protected    Corrupted
------    -------    --------    ---------    -------    -------------------    --------    ------------    ------------------    ---------

Settings
--------
Parameter                                   Value
---------                                   -----
Security Level                              Recommended
Action                                      Prompt for action when the scan is complete
Run mode                                    Manually
File types                                  Scan all files
Scan only new and changed files             No
Scan archives                               All
Scan embedded OLE objects                   All
Skip if object is larger than               No
Skip if scan takes longer than              No
Parse email formats                         No
Scan password-protected archives            No
Enable iChecker technology                  Yes
Enable iSwift technology                    Yes
Show detected threats on "Detected" tab     Yes

Edited April 16, 2007 by wirosari
wirosari, posted April 16, 2007 (edited)

Good Morning, hope you wake up in a fresh condition.

Here is the SYSTEM.INI:

; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv

[mci]

[driver32]

[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
FileSysChange=off
rem [MCIDRV_VER]
rem DEVICEN1=95215658363
rem __h=18
rem __dr=12
rem [iDslow]
rem IDVer32666=988281
rem IDMCI32=23846878ABA233
rem [iDslow32]
rem MDCDID32=991140

And this is the result of AALST.BAT (curious about this abbreviation...):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXE:*:Enabled:ipsec"

The REGEDIT check is like this:

Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Class Name:        <NO CLASS>
Last Write Time:   4/13/2007 - 6:25 PM
Value 0
  Name:            %windir%\system32\sessmgr.exe
  Type:            REG_SZ
  Data:            %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019

Value 1
  Name:            C:\WINDOWS\Explorer.EXE
  Type:            REG_SZ
  Data:            C:\WINDOWS\Explorer.EXE:*:Enabled:ipsec

File removal of WIN*.EXE with manual delete (16 files) is so easy, no resistance. What makes the trigger / controller of this virus disabled, Sir?

Edited April 16, 2007 by wirosari
wirosari Posted April 16, 2007

Content of c:\WIN\SYS32\DRIVERS (upper is newest, none deleted):
FIDBOX.dat 4/16/2007
FIDBOX.idx
FIDBOX2.idx
FIDBOX2.dat
KLIN.dat
KLICK.dat
SBAPIFS.sys
KLOP.dat
KL1.sys
KLIF.sys 1/27/2007
NDIS File Service DELETED

And HijackThis 1.99 now looks like this:

Logfile of HijackThis v1.99.1
Scan saved at 5:57:58 PM, on 4/16/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\ADAWARE\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\ADAWARE\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\inetsrv\DavCData.exe
C:\ADAWARE\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [sBRegRebootCleaner] C:\ADAWARE\CounterSpy\SBRC.exe
O4 - HKLM\..\Run: [AVP] "C:\ADAWARE\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\ADAWARE\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{E50FF651-161B-40E5-A27A-BEE26DCA64DA}: NameServer = 10.1.1.11,10.1.1.12
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\ADAWARE\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
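A HijackThis log like the one above is a flat list of numbered entries, and triaging it by hand means grouping entries by type, spotting registrations whose target file no longer exists ("(no file)", "(file missing)"), and checking which autorun targets actually appear in the running-process list. The Python below is an added example, not code from this thread or from HijackThis itself: the sample log is a constructed excerpt of lines copied from the log posted above, and the parsing assumes HijackThis 1.99's "Oxx - " line format.

```python
import re
from collections import Counter

# Constructed sample: a few lines copied from the HijackThis log posted in the thread.
SAMPLE_HJT_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 5:57:58 PM, on 4/16/2007
Platform: Windows XP (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\ADAWARE\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\ADAWARE\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\ADAWARE\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\ADAWARE\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
"""

# Assumption: HijackThis 1.99 prints each finding as "<code> - <body>", e.g. "O4 - ...".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")
DANGLING_MARKERS = ("(no file)", "(file missing)")


def parse_hjt(text):
    """Return (code, body) tuples for every numbered entry in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def running_processes(text):
    """Paths listed under the 'Running processes:' header, up to the first blank line."""
    procs, collecting = [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            collecting = True
            continue
        if collecting:
            if not line:
                break
            procs.append(line)
    return procs


def dangling_entries(entries):
    """Entries whose target file HijackThis reported as missing: stale registrations."""
    return [(c, b) for c, b in entries if any(mark in b for mark in DANGLING_MARKERS)]


def autorun_targets(entries):
    """Executable paths behind O4 entries (Run keys and Startup folders)."""
    targets = []
    for code, body in entries:
        if code != "O4":
            continue
        _, _, rhs = body.partition(": ")
        # Run keys look like "[Name] path"; Startup folders look like "Foo.lnk = path".
        if rhs.startswith("["):
            _, _, rhs = rhs.partition("] ")
        elif " = " in rhs:
            _, _, rhs = rhs.partition(" = ")
        targets.append(rhs.strip().strip('"'))
    return targets


def autoruns_not_running(text):
    """O4 targets that are not in the running-process list (case-insensitive path match)."""
    running = {p.lower() for p in running_processes(text)}
    return [t for t in autorun_targets(parse_hjt(text)) if t.lower() not in running]


def summarize(text):
    """One-shot triage summary of a HijackThis log."""
    entries = parse_hjt(text)
    return {
        "counts": dict(Counter(code for code, _ in entries)),
        "dangling": dangling_entries(entries),
        "autoruns": autorun_targets(entries),
        "autoruns_not_running": autoruns_not_running(text),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_HJT_LOG)
    print("entries by type:", report["counts"])
    for code, body in report["dangling"]:
        print("stale registration:", code, body)
    print("autoruns not seen running:", report["autoruns_not_running"])
```

On the sample, the two stale registrations are the nameless O3 toolbar and the BitDefender O9 button, and the only autorun not seen running is the OpenOffice quickstarter; both observations match the full log above, where quickstart.exe is absent from the process list while soffice.exe is present.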
wirosari Posted April 16, 2007

The HJT STARTUPLIST log is like this:

StartupList report, 4/16/2007, 6:23:56 PM
StartupList version: 1.52.2
Started from : C:\ADAWARE\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\ADAWARE\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\ADAWARE\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\inetsrv\DavCData.exe
C:\ADAWARE\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\TresnaTan\Start Menu\Programs\Startup]
OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SBRegRebootCleaner = C:\ADAWARE\CounterSpy\SBRC.exe
AVP = "C:\ADAWARE\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\AutoCADScriptFile\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE "%1"

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}] *
StubPath = rundll32 iesetup.dll,IEAccessUserInst

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\System32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

[shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

[bDSCANONLINE Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\oscan8.ocx
CODEBASE = http://download.bitdefender.com/resources/scan8/oscan8.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[MsnMessengerSetupDownloadControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
CODEBASE = http://messenger.msn.com/download/MsnMesse...pDownloader.cab

[instaFred]
InProcServer32 = C:\WINDOWS\DOWNLO~1\InstFred.ocx
CODEBASE = file://C:\Program Files\AutoCAD 2002\InstFred.ocx

[shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash8b.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

[AcPreview Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\ACPREV~1.OCX
CODEBASE = file://C:\Program Files\AutoCAD 2002\AcPreview.ocx

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
NameSpace #4: C:\WINDOWS\System32\nwprovau.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Kaspersky Anti-Virus 6.0: C:\ADAWARE\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe -r (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
C-Dilla: \??\C:\WINDOWS\System32\drivers\CDANT.SYS (manual start)
C-DillaSrv: C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
MS IEEE-1284.4 Driver: System32\DRIVERS\Dot4.sys (manual start)
Print Class Driver for IEEE-1284.4: System32\DRIVERS\Dot4Prt.sys (manual start)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
IIS Admin: C:\WINDOWS\System32\inetsrv\inetinfo.exe (autostart)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IrDA Protocol: System32\DRIVERS\irda.sys (autostart)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
Infrared Monitor: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Serial Infrared Driver: System32\DRIVERS\irsir.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Kl1: System32\drivers\kl1.sys (system)
Klif: \??\C:\WINDOWS\System32\drivers\klif.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Macromedia Licensing Service: "C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe" (disabled)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft MPU-401 MIDI UART Driver: system32\drivers\msmpu401.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (autostart)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
Client Service for NetWare: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
NWLink IPX/SPX/NetBIOS Compatible Transport Protocol: System32\DRIVERS\nwlnkipx.sys (autostart)
NWLink NetBIOS: System32\DRIVERS\nwlnknb.sys (autostart)
NWLink SPX/SPXII Protocol: System32\DRIVERS\nwlnkspx.sys (autostart)
NetWare Rdr: System32\DRIVERS\nwrdr.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (IrDA): System32\DRIVERS\rasirda.sys (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Simple TCP/IP Services: %SystemRoot%\System32\tcpsvcs.exe (autostart)
SIS AGP Bus Filter: System32\DRIVERS\sisagp.sys (system)
SiS PCI Fast Ethernet Adapter Driver: System32\DRIVERS\sisnic.sys (manual start)
Simple Mail Transfer Protocol (SMTP): C:\WINDOWS\System32\inetsrv\inetinfo.exe (autostart)
SNMP Service: %SystemRoot%\System32\snmp.exe (autostart)
SNMP Trap Service: %SystemRoot%\System32\snmptrap.exe (manual start)
Sony USB Filter Driver (SONYPVU1): System32\DRIVERS\SONYPVU1.SYS (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: \SystemRoot\System32\DRIVERS\sr.sys (disabled)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{A7A4442A-5FF2-4273-9D3D-A8DF8D6AC966} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (manual start)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TSP: \??\C:\WINDOWS\system32\drivers\klif.sys (manual start)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Wide Web Publishing: %SystemRoot%\System32\inetsrv\inetinfo.exe (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
UPnPMonitor: C:\WINDOWS\System32\upnpui.dll

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 31,510 bytes
Report generated in 0.125 seconds
FZWG, Posted April 16, 2007 (edited)

The HijackThis log appears clean, and the other reports do not show indications of Sality. Clean out the Restore Points, though. AdAware showed some malware in them also:

Go to Start > Run; in the Open area type in (or copy): control sysdm.cpl,,4
Press: Enter
Check the box: Turn off System Restore on all drives
Click: Apply > OK
Now, turn on System Restore by removing the check on: Turn off System Restore on all drives
Click: OK

====

You can connect the computer back to its cable or telephone line, however, you must do the following:

1. Install an AntiVirus program. If McAfee was your previous AV program, you need to re-install it. Some of its files were affected, and it may not work properly. If you wish to use some other AV program, there are free ones:
Grisoft's AVG Anti-virus Free Edition: http://free.grisoft.com/freeweb.php
avast! 4 Home: http://www.avast.com/eng/avast_4_home.html
AntiVir Personal Edition: http://www.free-av.com/

2. Install a software Firewall. It provides the ability to restrict malevolent outgoing traffic from your computer. Some good free choices are:
ZoneAlarm: http://www.zonelabs.com/store/content/cata...lid=dbtopnav_za
Sunbelt Kerio: http://www.sunbelt-software.com/Kerio.cfm
OutPost: http://www.agnitum.com/products/outpostfree/download.php

====

3. Now, head for the Microsoft Windows Updates website: http://update.microsoft.com/windowsupdate/...t.aspx?ln=en-us
Even using an Antivirus and a Firewall does not prevent malware from getting through. Have your system scanned, and download/install all Critical Updates on offer.

====

Next, what you need to deal with is damage recovery. Panda disinfected all sorts of files, but after the exe's are disinfected, some programs may no longer work properly. You will need to reinstall them.

====

Good luck, wirosari!!

Edited April 16, 2007 by FZWG
wirosari, Posted April 17, 2007 (edited)

Dear FZWG,
Thanks a lot for everything! I will obey you.... Hope everything is going well there too...
I wanna know the SOURCE of Sality. (The web said it is from Email?)
I am still worried about the NEW MEDIUM for spreading viruses, the USB FLASH-DISK. Back to the era of the Diskette....
Oops, does this virus spread through the network?
One of the Windows 98 machines displayed this message:
C:\WINDOWS\TEMP\WINEUJE.exe Appear to be corrupt. Pls reinstall and try again.
and the SYSTEM.INI also has the virus trigger:
[MCIDRV_VER]
[iD-slow]
[iDslow32]
Pls advise, and thanks

Edited April 17, 2007 by wirosari
FZWG, Posted April 17, 2007

Sality spreads through Network shares and infected files. So, if you have shared resources on a Network, beware. I am not certain about the exact source of Sality, but it is associated with certain URLs, and contacts certain domains. The fact that you run a system which is not kept updated leaves you out in the open like a magnet looking for metal shavings!!
wirosari, Posted April 17, 2007 (edited)

Dear FZWG, Good Morning Sir!
I hear storms and tornadoes swept the US, and snow falling in April....

1. The Windows XP Restore Point has been done.
2. Should I remove the Kaspersky AntiVirus, since Kaspersky (unregistered) is on board, before I install Grisoft/Avast/Free-AV and the Firewall?
3. Is there any problem with the function of our Tools, like this:
Virus:W32/Sality. Disinfected aware\HijackThis.exe
Virus:W32/Sality.Y Disinfected D:\Adaware\sting260.exe
Virus:W32/Sality.Y Disinfected D:\Adaware\Ad-Aware SE Personal\UNWISE.EXE
Virus:W32/Sality.Y Disinfected D:\Adaware\Ad-Aware SE Personal\Ad-Aware.exe
Virus:W32/Sality.Y Disinfected D:\Adaware\Ad-Aware SE Personal\unregaaw.exe

I don't know what makes some Windows 98 machines very vulnerable. The trace of the virus appears in the SYSTEM.INI (viewed with SYSEDIT), and NETWATCH shows many visitors.... (Is there any equivalent watcher tool in Windows XP?)
But the effect seems rather smaller in Win98.
Sality was conquered by PANDA ONLINE, but I must plug these infected hard disks in as Slave. Any better idea, Sir?

Edited April 17, 2007 by wirosari
FZWG, Posted April 17, 2007

On Kaspersky AntiVirus, you can remove the program. It is not a good idea to run two AntiVirus programs, anyway.

On AdAware, it is probably best to uninstall the program, and then re-install it. Sality damage to the program is hard to determine, and it may not do its job correctly.

HijackThis, you can remove.

The NetWatch program should also be available for XP. Your best bet for Network questions and help is the Networking forum: http://forums.pcpitstop.com/index.php?showforum=8

Quote: "the effect seems rather smaller in Windows 98"
That is probably the case. W98 does not have the services which show up as O23 in a HijackThis log. Malware also uses services to infect a computer.

For your printer problem, go to the following forum for help: http://forums.pcpitstop.com/index.php?showforum=3

Also, I do not respond to PMs. If you have a problem, post it in the appropriate forum instead.
wirosari, Posted April 18, 2007 (edited)

Dear FZWG,
The Sality virus cannot perform its 'full attack' in Windows 98. Maybe that resulted in the message "WINEUJE.EXE appear to be corrupt".
But still ALL THE EXE files are infected! (based on the Panda report)
And ALL the SHARED NETWORK is visited by Sality! (viewed in NetWatch)
Still struggling to fight this...
Thank you for giving me the right forum for the CanoScan TWAIN problem. USER TO USER HELP is all I need to get help from the Team.
I love this PITSTOP to refresh my F1

Edited April 18, 2007 by wirosari
wirosari, Posted April 20, 2007 (edited)

Dear FZWG,
This is my last report on Sality cs:
- Win XP and Win 2000 suffer the most from this virus.
- Win 98 only suffers infected files (some EXE files, which can be cleaned by Panda Online).
- The network-searching ability creates crowded traffic on the Network, as other viruses did.
Searching for the source, the suspect is a USB FLASH DISK that was infected from somewhere out there.... This device is the most threatening today.
And last but not least... Thanks Thanks Thanks
YOU ARE STILL THE BEST ON THE WEB

Edited April 20, 2007 by wirosari
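As an added example (not part of the thread, and not a tool either poster used), the following Python script turns two points from the posts above into a check that can be run from a clean machine against an infected disk attached as a slave, the way wirosari did. It looks for the SYSTEM.INI section names reported in the April 17 post ([MCIDRV_VER], [iD-slow], [iDslow32]), and it keeps a SHA-256 baseline of every .exe under a share or flash-disk root, so that the "all the EXE files infected" situation described in the April 18 and April 20 posts shows up as changed hashes on a rescan rather than being discovered one broken program at a time. The section names are the ones the poster saw and are treated as an indicator only; the hash-baseline approach, the function names and the sample data are this example's own, and the sample INI text and executable are constructed. Do not run this from the infected machine itself: the thread shows HijackThis.exe and Ad-Aware.exe being disinfected, so a file infector can hit the very tools used against it.

```python
"""Added example: check SYSTEM.INI for the section names reported in the
thread and keep a hash baseline of .exe files on a share or flash disk.

The sample INI text and the sample executable used by demo() are
constructed for this example; they are not data from the forum posts."""
import hashlib
import os
import re
import tempfile

# Section names the poster reported seeing in SYSTEM.INI on the Win98 boxes.
# Their presence is treated as an indicator to investigate, not as proof.
SALITY_INI_SECTIONS = ("MCIDRV_VER", "iD-slow", "iDslow32")

_SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")


def find_marker_sections(ini_text):
    """Return the set of reported section names present in an INI file's text.

    Matching is case-insensitive because INI section names are.
    """
    wanted = {name.lower(): name for name in SALITY_INI_SECTIONS}
    found = set()
    for line in ini_text.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            key = m.group(1).strip().lower()
            if key in wanted:
                found.add(wanted[key])
    return found


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large executables are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_executables(root):
    """Map each .exe under root (as a relative path) to its SHA-256.

    Point root at the mounted share or flash disk from a clean host.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".exe"):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def diff_baseline(baseline, current):
    """Compare two hash maps; a file infector shows up under 'changed'."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"changed": changed, "added": added, "removed": removed}


def demo():
    """Run both checks on constructed data and return the findings."""
    # Constructed SYSTEM.INI: a normal [boot] section plus two of the reported names.
    sample_ini = "[boot]\nshell=Explorer.exe\n[MCIDRV_VER]\nkey=value\n[iDslow32]\n"
    markers = find_marker_sections(sample_ini)

    with tempfile.TemporaryDirectory() as root:
        exe = os.path.join(root, "tool.exe")
        with open(exe, "wb") as f:
            f.write(b"MZ constructed program bytes")
        before = hash_executables(root)
        # Simulate a file infector appending its body to the executable.
        with open(exe, "ab") as f:
            f.write(b"appended infector body")
        result = diff_baseline(before, hash_executables(root))

    result["markers"] = markers
    return result


if __name__ == "__main__":
    print(demo())
```

In practice you would take the baseline right after a scanner such as the one in the thread reports the disk clean, store it off the disk, and rerun hash_executables after the disk has been back on the network or in a USB slot; any entry under "changed" is a file to rescan, and an unexpected entry under "added" on a share is worth the same attention.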