Member_2_49692
asked on
VIRUS ????
Hello everyone...
I have a Windows XP system that I am working on that I am pretty sure has a virus...
These are the symptoms
Cannot access the control panel
Clicking on internet explorer does nothing
Cannot access My network Places
In command prompt I am getting an IP address, gateway etc... I can release and renew but still no connection to the internet through Internet Explorer.
Also can ping 127.0.0.1 which is successful...
Tried to run Windows Messenger to establish a remote assistance connection... it asks to launch the web browser to register... the browser never launches; all I get is a script error message.
Tried to reinstall Internet Explorer - no result
Tried to install Road Runner Medic - no result
Email will not work.
Checked under registry in H-Key-Local_Machine - software-microsoft-windows -current version - run .... one of the items listed is 17669.exe
When booting an error message occurs stating DLL initialization failed 17669.exe
I looked in the log files for app errors; there are a lot of WCI ERRORS.... I do not know what this is but the description says "Cleaning up corrupt Content Index Metadata C:\system volume information"
There are also application errors stating MCShield6.0 is the faulting application in Kernel32.DLL
which MCShield is a component of Mcafee anti virus...
I also tried sfc /scannow which just disappeared.
I cannot access My Computer
I can access system properties
I can access file and folders through the run command.
Application and control panel type windows will either not appear at all or just pop off the screen for no reason.
I am thinking it may be this virus but I am not sure
http://securityresponse.symantec.com/avcenter/venc/data/w32.nofer.a@mm.html
Since I am unable to connect to any sort of internet or network connection I cannot run any online virus scanners.
I am wondering if anyone knows of any virus that may behave this way and/or of any anti virus software that can be downloaded and used for free.
You seem to have a network connection. If that is the case, make sure you have up-to-date anti virus definitions on another box attached to the n/w and then run a virus check on the problem system from there. You may need to enable sharing on the root of the drive of the affected system and map the drive on the other system in order to be able to do that. I'm not sure the online scanners will scan a n/w drive, but you should be able to scan from another system on your local n/w.
Good Luck.
JohnT
AVG free version won't work in a networked environment.
JohnT
ASKER
OK this is what was discovered...
In Task Manager CPU utilization was 100% even after adjusting Windows for best performance.
SVCHOST.EXE (there were 4 of these listed: one local, one network and two others that were not specified). When I checked this it was using 99% CPU utilization. Could not access Internet Explorer, My Computer, My Network Places; none of them would open. It would go to an hourglass, then the screen would remove all the icons and basically go to a blank desktop, then the screen would flash and all the icons would come back, but yet the computer was still running extremely slow..
Checked the registry under the key H_Key_Local_Machine - Software - Microsoft - Windows - Current Version - Run; there was an entry saying 17669.exe. This entry had no further information.
I did a search for the 17669.exe in Windows; it was located in the C:\Windows directory and also C:\windows\Prefetch. In Prefetch everything has a .pf extension, which seems weird. This is a Dell computer, not sure if this is part of Dell's preload or backup setup, but it does not seem right.
The 17669.exe file also had -13ABA5DD.PF after it in the c:\windows\prefetch directory; no publisher information or anything in any of the property pages on either one of them, the one in c:\windows or c:\windows\prefetch...
Ran Ad-Aware 6.0 and it found 192 objects; this is the log
ArchiveData(auto-quarantine- 03-04-2004 23-51-16.bckp)
==================================================
ZIPCLIXTOOLBAR
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[0]=RegKey : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZipClix
obj[7]=RegValue : SOFTWARE\Microsoft\Internet Explorer\Toolbar
obj[12]=RegKey : SOFTWARE\Zipclix
obj[15]=RegKey : ZipclixObj.ZipclixObj
obj[16]=RegKey : ZipclixObj.ZipclixObj.1
obj[17]=RegKey : Typelib\{BBCD25C8-A31E-4DFB-B204-B54BBA477B23}
obj[21]=RegKey : Interface\{EC34A4B3-809A-4A71-88D4-55B5183D6041}
obj[32]=RegKey : CLSID\{319A68DB-06D0-46DA-9F93-A810D5A70836}
obj[36]=Folder : c:\program files\Zipclix
obj[48]=File : c:\program files\zipclix\zipclix.ini
obj[49]=File : c:\program files\zipclix\zipclix.exe
obj[50]=File : c:\program files\zipclix\zipclix.dll
obj[51]=File : c:\program files\zipclix\unwise.exe
obj[52]=File : c:\program files\zipclix\install.log
CLARIA
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[1]=RegKey : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PrecisionTime
obj[2]=RegKey : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Date Manager
obj[3]=RegValue : SOFTWARE\Microsoft\Windows\CurrentVersion\Run
obj[9]=RegKey : SOFTWARE\Gator.com
obj[10]=RegKey : Software\CLASSES\GetAndRun.DFRun
obj[11]=RegKey : Software\CLASSES\GetAndRun.DFRun.1
obj[13]=RegKey : Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\GAIN
obj[27]=RegKey : getandrun.dfrun
obj[28]=RegKey : getandrun.dfrun.1
obj[33]=RegKey : CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}
obj[38]=Folder : c:\program files\PrecisionTime
obj[40]=Folder : c:\program files\Gator.com
obj[41]=Folder : c:\program files\Date Manager
obj[43]=Folder : c:\program files\common files\GMT
obj[44]=Folder : c:\program files\common files\CMEII
obj[45]=File : c:\windows\gatorplugin.log
obj[46]=File : c:\windows\gatorpdpsetup.log
obj[47]=File : c:\windows\gatorpatch.log
obj[53]=File : c:\program files\precisiontime\unwise.exe
obj[54]=File : c:\program files\precisiontime\precisiontimewebsite.url
obj[55]=File : c:\program files\precisiontime\precisiontime.lcl
obj[56]=File : c:\program files\precisiontime\precisiontime.ini
obj[57]=File : c:\program files\precisiontime\precisiontime.exe.manifest
obj[58]=File : c:\program files\precisiontime\install.log
obj[63]=File : c:\program files\gator.com\gator
obj[64]=File : c:\program files\date manager\unwise.exe
obj[65]=File : c:\program files\date manager\install.log
obj[66]=File : c:\program files\date manager\datemanager.exe.manifest
obj[67]=File : c:\program files\date manager\datemanager.exe
obj[68]=File : c:\program files\date manager\datemanager.dat
obj[69]=File : c:\program files\date manager\date manager website.url
obj[70]=File : c:\program files\common files\gmt\scripts
obj[71]=File : c:\program files\common files\gmt\meprca.dat
obj[72]=File : c:\program files\common files\gmt\mepimg.dat
obj[73]=File : c:\program files\common files\gmt\mepgh.dat
obj[74]=File : c:\program files\common files\gmt\mepcmeft.dat
obj[75]=File : c:\program files\common files\gmt\mepcme.dat
obj[76]=File : c:\program files\common files\gmt\mepbs.dat
obj[77]=File : c:\program files\common files\gmt\helper.wav
obj[78]=File : c:\program files\common files\gmt\guninstaller.exe
obj[79]=File : c:\program files\common files\gmt\gmt.exe.manifest
obj[80]=File : c:\program files\common files\gmt\gatorstubsetup.exe
obj[81]=File : c:\program files\common files\gmt\gatorres.dll
obj[82]=File : c:\program files\common files\gmt\gator.log
obj[83]=File : c:\program files\common files\gmt\fillin.wav
obj[84]=File : c:\program files\common files\gmt\egnsengine.dll
obj[85]=File : c:\program files\common files\gmt\egieprocess.dll
obj[86]=File : c:\program files\common files\gmt\egieengine.dll
obj[87]=File : c:\program files\common files\gmt\eggcengine.dll
obj[88]=File : c:\program files\common files\gmt\downloadtemp
obj[89]=File : c:\program files\common files\gmt\data
obj[90]=File : c:\program files\common files\gmt\63735n58cj
obj[91]=File : c:\program files\common files\cmeii\store
obj[92]=File : c:\program files\common files\cmeii\gui
obj[93]=File : c:\program files\common files\cmeii\gtools.dll
obj[94]=File : c:\program files\common files\cmeii\gstoreserver.dll
obj[95]=File : c:\program files\common files\cmeii\gstore.dll
obj[96]=File : c:\program files\common files\cmeii\gobjs.dll
obj[97]=File : c:\program files\common files\cmeii\gmtproxy.dll
obj[98]=File : c:\program files\common files\cmeii\gioclclient.dll
obj[99]=File : c:\program files\common files\cmeii\giocl.dll
obj[100]=File : c:\program files\common files\cmeii\gdwldeng.dll
obj[101]=File : c:\program files\common files\cmeii\gcontroller.dll
obj[102]=File : c:\program files\common files\cmeii\gatorsupportinfo.txt
obj[103]=File : c:\program files\common files\cmeii\gappmgr.dll
obj[104]=File : c:\program files\common files\cmeii\cmesys.exe
obj[105]=File : c:\program files\common files\cmeii\cmeiiapi.dll
obj[106]=File : c:\program files\common files\cmeii\cmediagnostics.log
obj[107]=File : c:\program files\common files\cmeii\apps
obj[191]=File : c:\documents and settings\all users\start menu\programs\startup\precisiontime.lnk
obj[192]=File : c:\documents and settings\all users\start menu\programs\startup\gstartup.lnk
obj[193]=File : c:\documents and settings\all users\start menu\programs\startup\date manager.lnk
BLAZEFIND
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[4]=RegKey : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C5941EE5-6DFA-11D8-86B0-0002441A9695}
obj[29]=RegKey : CLSID\{C5941EE5-6DFA-11D8-86B0-0002441A9695}
HUNGRYHANDS BHO
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[5]=RegKey : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bcf96fb4-5f1b-497b-aecc-910304a55011}
obj[19]=RegKey : TYPELIB\{03f8822f-8877-4002-8bcd-b532d53d8471}
obj[20]=RegKey : Interface\{F8FB4EA2-6C05-4DE5-8CD0-625B03F48E22}
obj[23]=RegKey : hungryhands.hungrybho
obj[24]=RegKey : hungryhands.hungrybho.1
obj[30]=RegKey : CLSID\{bcf96fb4-5f1b-497b-aecc-910304a55011}
obj[34]=RegKey : AppID\{03F8822F-8877-4002-8BCD-B532D53D8471}
obj[35]=RegKey : AppID\HungryHands.DLL
HTTPER
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[6]=RegKey : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a5483501-070c-41dd-af44-9bd8864b3015}
obj[14]=RegKey : Software\Httper
obj[18]=RegKey : TYPELIB\{ab7b627d-b2af-4b6d-bda1-4930579ffcd8}
obj[22]=RegKey : Interface\{7D49A302-3C1C-4706-B6DC-8C8BBB500BA0}
obj[25]=RegKey : httper.iefriendly
obj[26]=RegKey : httper.iefriendly.1
obj[31]=RegKey : CLSID\{a5483501-070c-41dd-af44-9bd8864b3015}
obj[39]=Folder : c:\program files\Httper
obj[59]=File : c:\program files\httper\unwise.exe
obj[60]=File : c:\program files\httper\install.log
obj[61]=File : c:\program files\httper\httper.ini
obj[62]=File : c:\program files\httper\httper.dll
ALEXA
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[8]=RegKey : SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a
CLARIA would not remove initially (also listed as cmeii); Ad-Aware could not initially remove it, but I instructed it to remove it after reboot... which it did successfully do.
I also ran AVG Anti Virus; it found nothing...
I then ran HijackThis and I removed this entry
HKCU\Software\Microsoft\CurrentVersion\Internet Settings\Proxy Override = ;127.0.0.1;<local>
After that I regained internet access.
I went to Trend Micro HouseCall and ran the online virus scan; it found:
Malware.JS_FORTNIGHT.M and removed it. This was the only thing that it found.
Here is the logfile from HijackThis...
StartupList report, 4/4/2004, 1:01:10 AM
StartupList version: 1.52
Started from : C:\HiJackThis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Washer Pro\iw.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\HiJackThis\HijackThis.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\Lavon\Start Menu\Programs\Startup]
*No files*
Shell folders AltStartup:
*Folder not found*
User shell folders Startup:
*Folder not found*
User shell folders AltStartup:
*Folder not found*
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
Billminder.lnk = C:\Program Files\Quicken\billmind.exe
Digital Line Detect.lnk = ?
hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
Microsoft Works Calendar Reminders.lnk = ?
officejet 6100.lnk = ?
Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
Shell folders Common AltStartup:
*Folder not found*
User shell folders Common Startup:
*Folder not found*
User shell folders Alternate Common Startup:
*Folder not found*
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*
[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
BCMSMMSG = BCMSMMSG.exe
diagent = "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
UpdReg = C:\WINDOWS\UpdReg.EXE
Microsoft Works Update Detection = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
Alogserv = C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
McAfee Guardian = "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
Share-to-Web Namespace Daemon = C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
DwlClient = C:\Program Files\Common Files\Dell\EUSW\Support.exe
nwiz = nwiz.exe /install
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
BJCFD = C:\Program Files\BroadJump\Client Foundation\CFD.exe
AVG_CC = C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
MSConfig = C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
McAfee.InstantUpdate.Monitor = "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
MoneyAgent = "C:\Program Files\Microsoft Money\System\Money Express.exe"
Internet Washer Pro = C:\Program Files\Internet Washer Pro\iw.exe min
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[OptionalComponents]
*No values found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = "%1" /S
--------------------------------------------------
File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command
(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP
[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
[>{39347012-A94D-4CF3-A2B3-5EA3E924A728}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser
[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe
[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install
--------------------------------------------------
Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps
*Registry key not found*
--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:
load=*INI section not found*
run=*INI section not found*
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Verifying REGEDIT.EXE integrity:
- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'
Registry check passed
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Microsoft Money\System\mnyviewer.dll - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}
--------------------------------------------------
Enumerating Task Scheduler jobs:
FRU Task #Hewlett-Packard#hp psc 2100 series#1040263182.job
--------------------------------------------------
Enumerating Download Program Files:
[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\Java\classes\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd
[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
[{421A63BA-4632-43E0-A942-3B4AB645BE51}]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\IWCHECK.DLL
CODEBASE = http://i.rn11.com/iwasher/pptproactauthmirror/internetwasherpro.cab
[RdxIE Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RdxIE.dll
CODEBASE = http://207.188.7.150/123e635de35d01745823/netzip/RdxIE601.cab
[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
[CQD2Loader Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\installer.dll
CODEBASE = http://smartdownloader.com/installer.dll
[CustomerCtrl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\customerclient.dll
CODEBASE = http://cs5b.instantservice.com/jars/customerxsigned33.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash.ocx
CODEBASE = http://active.macromedia.com/flash2/cabs/swflash.cab
--------------------------------------------------
Enumerating Winsock LSP files:
NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
--------------------------------------------------
Enumerating Windows NT/2000/XP services
abp480n5: \SystemRoot\System32\DRIVERS\ABP480N5.SYS (disabled)
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
adpu160m: \SystemRoot\System32\DRIVERS\adpu160m.sys (disabled)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Compaq AGP Bus Filter: \SystemRoot\System32\DRIVERS\agpCPQ.sys (disabled)
Aha154x: \SystemRoot\System32\DRIVERS\aha154x.sys (disabled)
aic78u2: \SystemRoot\System32\DRIVERS\aic78u2.sys (disabled)
aic78xx: \SystemRoot\System32\DRIVERS\aic78xx.sys (disabled)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AliIde: \SystemRoot\System32\DRIVERS\aliide.sys (disabled)
ALI AGP Bus Filter: \SystemRoot\System32\DRIVERS\alim1541.sys (disabled)
AMD AGP Bus Filter Driver: \SystemRoot\System32\DRIVERS\amdagp.sys (disabled)
amsint: \SystemRoot\System32\DRIVERS\amsint.sys (disabled)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
asc: \SystemRoot\System32\DRIVERS\asc.sys (disabled)
asc3350p: \SystemRoot\System32\DRIVERS\asc3350p.sys (disabled)
asc3550: \SystemRoot\System32\DRIVERS\asc3550.sys (disabled)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AutoComplete Service: C:\PROGRA~1\INTERN~2\autocomp.exe (manual start)
AVG6 Kernel: \??\C:\PROGRA~1\Grisoft\AVG6\avgcore.sys (autostart)
AVG6 Rezident Driver: \??\C:\PROGRA~1\Grisoft\AVG6\avgfsh.sys (autostart)
AVG6 Service: C:\PROGRA~1\Grisoft\AVG6\avgserv.exe (autostart)
AVSync Manager: "C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe" (autostart)
BCM V.92 56K Modem: System32\DRIVERS\BCMSM.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
C-DillaCdaC11BA: C:\WINDOWS\System32\drivers\CDAC11BA.EXE (autostart)
cbidf: \SystemRoot\System32\DRIVERS\cbidf2k.sys (disabled)
cd20xrnt: \SystemRoot\System32\DRIVERS\cd20xrnt.sys (disabled)
CdaC15BA: \??\C:\WINDOWS\System32\drivers\CdaC15BA.SYS (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (autostart)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
CmdIde: \SystemRoot\System32\DRIVERS\cmdide.sys (disabled)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cpqarray: \SystemRoot\System32\DRIVERS\cpqarray.sys (disabled)
Creative Service for CDROM Access: C:\WINDOWS\System32\CTsvcCDA.exe (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
dac2w2k: \SystemRoot\System32\DRIVERS\dac2w2k.sys (disabled)
dac960nt: \SystemRoot\System32\DRIVERS\dac960nt.sys (disabled)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
dpti2o: \SystemRoot\System32\DRIVERS\dpti2o.sys (disabled)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Intel(R) PRO Adapter Driver: System32\DRIVERS\e100b325.sys (manual start)
3Com EtherLink XL 90XB/C Adapter Driver: System32\DRIVERS\el90xbc5.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
hpn: \SystemRoot\System32\DRIVERS\hpn.sys (disabled)
IEEE-1284.4 Driver HPZid412: System32\DRIVERS\HPZid412.sys (manual start)
Print Class Driver for IEEE-1284.4 HPZipr12: System32\DRIVERS\HPZipr12.sys (manual start)
USB to IEEE-1284.4 Translation Driver HPZius12: System32\DRIVERS\HPZius12.sys (manual start)
i2omp: \SystemRoot\System32\DRIVERS\i2omp.sys (disabled)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
i81x: System32\DRIVERS\i81xnt5.sys (manual start)
iAimFP0: System32\DRIVERS\wADV01nt.sys (manual start)
iAimFP1: System32\DRIVERS\wADV02NT.sys (manual start)
iAimFP2: System32\DRIVERS\wADV05NT.sys (manual start)
iAimFP3: System32\DRIVERS\wSiINTxx.sys (manual start)
iAimFP4: System32\DRIVERS\wVchNTxx.sys (manual start)
iAimTV0: System32\DRIVERS\wATV01nt.sys (manual start)
iAimTV1: System32\DRIVERS\wATV02NT.sys (manual start)
iAimTV2: System32\DRIVERS\wATV03nt.sys (manual start)
iAimTV3: System32\DRIVERS\wATV04nt.sys (manual start)
iAimTV4: System32\DRIVERS\wCh7xxNT.sys (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
ini910u: \SystemRoot\System32\DRIVERS\ini910u.sys (disabled)
IntelIde: \SystemRoot\System32\DRIVERS\intelide.sys (disabled)
IPv6 Firewall Driver: System32\DRIVERS\Ip6Fw.sys (manual start)
IPv6 Internet Connection Firewall: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
McShield: "C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe" (manual start)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
mraid35x: \SystemRoot\System32\DRIVERS\mraid35x.sys (disabled)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
NaiFiltr: System32\DRIVERS\NaiFiltr.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NIC Management Service Configuration Driver: \??\C:\WINDOWS\System32\drivers\NMSCFG.SYS (manual start)
Intel(R) NMS: C:\WINDOWS\System32\NMSSvc.exe (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
NVIDIA Display Driver Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
OMCI WDM Device Driver: System32\DRIVERS\omci.sys (system)
Creative SB Live! Series (WDM): system32\drivers\P16X.sys (manual start)
Intel PentiumIII Processor Driver: System32\DRIVERS\p3.sys (system)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
perc2: \SystemRoot\System32\DRIVERS\perc2.sys (disabled)
perc2hib: \SystemRoot\System32\DRIVERS\perc2hib.sys (disabled)
PfModNT: \??\C:\WINDOWS\System32\PfModNT.sys (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Pml Driver HPZ12: C:\WINDOWS\System32\HPZipm12.exe (manual start)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
ql1080: \SystemRoot\System32\DRIVERS\ql1080.sys (disabled)
Ql10wnt: \SystemRoot\System32\DRIVERS\ql10wnt.sys (disabled)
ql12160: \SystemRoot\System32\DRIVERS\ql12160.sys (disabled)
ql1240: \SystemRoot\System32\DRIVERS\ql1240.sys (disabled)
ql1280: \SystemRoot\System32\DRIVERS\ql1280.sys (disabled)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SIS AGP Bus Filter: \SystemRoot\System32\DRIVERS\sisagp.sys (disabled)
Sparrow: \SystemRoot\System32\DRIVERS\sparrow.sys (disabled)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{F79A1568-D6C5-4C69-A086-936CF52DBBE3} (manual start)
symc810: \SystemRoot\System32\DRIVERS\symc810.sys (disabled)
symc8xx: \SystemRoot\System32\DRIVERS\symc8xx.sys (disabled)
sym_hi: \SystemRoot\System32\DRIVERS\sym_hi.sys (disabled)
sym_u3: \SystemRoot\System32\DRIVERS\sym_u3.sys (disabled)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TosIde: \SystemRoot\System32\DRIVERS\toside.sys (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
ultra: \SystemRoot\System32\DRIVERS\ultra.sys (disabled)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: \SystemRoot\System32\DRIVERS\viaagp.sys (disabled)
ViaIde: \SystemRoot\System32\DRIVERS\viaide.sys (disabled)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
WAN Miniport (ATW): System32\DRIVERS\wanatw4.sys (manual start)
WAN Miniport (ATW) Service: "C:\WINDOWS\wanmpsvc.exe" (autostart)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
WMDM PMSP Service: C:\WINDOWS\System32\MsPMSPSv.exe (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
--------------------------------------------------
End of report, 36,869 bytes
LET ME KNOW IF ANY OF YOU SEE ANYTHING THAT LOOKS OUT OF THE ORDINARY. The system seems to be back to normal.
In Task Manager, CPU utilization was 100% even after adjusting Windows for best performance.
SVCHOST.EXE (there were 4 of these listed: one local, one network and two others that were not specified). When I checked this it was using 99% CPU utilization. Could not access Internet Explorer, My Computer, or My Network Places; none of them would open. It would go to an hourglass, then the screen would remove all the icons and basically go to a blank desktop, then the screen would flash and all the icons would come back, but the computer was still running extremely slowly.
Checked the registry under the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run; there was an entry saying 17669.exe. This entry had no further information.
I did a search for 17669.exe in Windows; it was located in the C:\Windows directory and also in C:\Windows\Prefetch. In Prefetch everything has a .pf extension, which seems weird. This is a Dell computer; not sure if this is part of Dell's preload or backup setup, but it does not seem right.
The 17669.exe file also had -13ABA5DD.PF after it in the C:\Windows\Prefetch directory. No publisher information or anything in any of the property pages on either one of them, the one in C:\Windows or the one in C:\Windows\Prefetch...
Ran Ad-Aware 6.0 and it found 192 objects. This is the log:
ArchiveData(auto-quarantin
==========================
ZIPCLIXTOOLBAR
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[0]=RegKey : SOFTWARE\Microsoft\Windows
obj[7]=RegValue : SOFTWARE\Microsoft\Interne
obj[12]=RegKey : SOFTWARE\Zipclix
obj[15]=RegKey : ZipclixObj.ZipclixObj
obj[16]=RegKey : ZipclixObj.ZipclixObj.1
obj[17]=RegKey : Typelib\{BBCD25C8-A31E-4DF
obj[21]=RegKey : Interface\{EC34A4B3-809A-4
obj[32]=RegKey : CLSID\{319A68DB-06D0-46DA-
obj[36]=Folder : c:\program files\Zipclix
obj[48]=File : c:\program files\zipclix\zipclix.ini
obj[49]=File : c:\program files\zipclix\zipclix.exe
obj[50]=File : c:\program files\zipclix\zipclix.dll
obj[51]=File : c:\program files\zipclix\unwise.exe
obj[52]=File : c:\program files\zipclix\install.log
CLARIA
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[1]=RegKey : SOFTWARE\Microsoft\Windows
obj[2]=RegKey : SOFTWARE\Microsoft\Windows
obj[3]=RegValue : SOFTWARE\Microsoft\Windows
obj[9]=RegKey : SOFTWARE\Gator.com
obj[10]=RegKey : Software\CLASSES\GetAndRun
obj[11]=RegKey : Software\CLASSES\GetAndRun
obj[13]=RegKey : Software\Microsoft\Windows
obj[27]=RegKey : getandrun.dfrun
obj[28]=RegKey : getandrun.dfrun.1
obj[33]=RegKey : CLSID\{21FFB6C0-0DA1-11D5-
obj[38]=Folder : c:\program files\PrecisionTime
obj[40]=Folder : c:\program files\Gator.com
obj[41]=Folder : c:\program files\Date Manager
obj[43]=Folder : c:\program files\common files\GMT
obj[44]=Folder : c:\program files\common files\CMEII
obj[45]=File : c:\windows\gatorplugin.log
obj[46]=File : c:\windows\gatorpdpsetup.l
obj[47]=File : c:\windows\gatorpatch.log
obj[53]=File : c:\program files\precisiontime\unwise
obj[54]=File : c:\program files\precisiontime\precis
obj[55]=File : c:\program files\precisiontime\precis
obj[56]=File : c:\program files\precisiontime\precis
obj[57]=File : c:\program files\precisiontime\precis
obj[58]=File : c:\program files\precisiontime\instal
obj[63]=File : c:\program files\gator.com\gator
obj[64]=File : c:\program files\date manager\unwise.exe
obj[65]=File : c:\program files\date manager\install.log
obj[66]=File : c:\program files\date manager\datemanager.exe.ma
obj[67]=File : c:\program files\date manager\datemanager.exe
obj[68]=File : c:\program files\date manager\datemanager.dat
obj[69]=File : c:\program files\date manager\date manager website.url
obj[70]=File : c:\program files\common files\gmt\scripts
obj[71]=File : c:\program files\common files\gmt\meprca.dat
obj[72]=File : c:\program files\common files\gmt\mepimg.dat
obj[73]=File : c:\program files\common files\gmt\mepgh.dat
obj[74]=File : c:\program files\common files\gmt\mepcmeft.dat
obj[75]=File : c:\program files\common files\gmt\mepcme.dat
obj[76]=File : c:\program files\common files\gmt\mepbs.dat
obj[77]=File : c:\program files\common files\gmt\helper.wav
obj[78]=File : c:\program files\common files\gmt\guninstaller.exe
obj[79]=File : c:\program files\common files\gmt\gmt.exe.manifest
obj[80]=File : c:\program files\common files\gmt\gatorstubsetup.e
obj[81]=File : c:\program files\common files\gmt\gatorres.dll
obj[82]=File : c:\program files\common files\gmt\gator.log
obj[83]=File : c:\program files\common files\gmt\fillin.wav
obj[84]=File : c:\program files\common files\gmt\egnsengine.dll
obj[85]=File : c:\program files\common files\gmt\egieprocess.dll
obj[86]=File : c:\program files\common files\gmt\egieengine.dll
obj[87]=File : c:\program files\common files\gmt\eggcengine.dll
obj[88]=File : c:\program files\common files\gmt\downloadtemp
obj[89]=File : c:\program files\common files\gmt\data
obj[90]=File : c:\program files\common files\gmt\63735n58cj
obj[91]=File : c:\program files\common files\cmeii\store
obj[92]=File : c:\program files\common files\cmeii\gui
obj[93]=File : c:\program files\common files\cmeii\gtools.dll
obj[94]=File : c:\program files\common files\cmeii\gstoreserver.d
obj[95]=File : c:\program files\common files\cmeii\gstore.dll
obj[96]=File : c:\program files\common files\cmeii\gobjs.dll
obj[97]=File : c:\program files\common files\cmeii\gmtproxy.dll
obj[98]=File : c:\program files\common files\cmeii\gioclclient.dl
obj[99]=File : c:\program files\common files\cmeii\giocl.dll
obj[100]=File : c:\program files\common files\cmeii\gdwldeng.dll
obj[101]=File : c:\program files\common files\cmeii\gcontroller.dl
obj[102]=File : c:\program files\common files\cmeii\gatorsupportin
obj[103]=File : c:\program files\common files\cmeii\gappmgr.dll
obj[104]=File : c:\program files\common files\cmeii\cmesys.exe
obj[105]=File : c:\program files\common files\cmeii\cmeiiapi.dll
obj[106]=File : c:\program files\common files\cmeii\cmediagnostics
obj[107]=File : c:\program files\common files\cmeii\apps
obj[191]=File : c:\documents and settings\all users\start menu\programs\startup\prec
obj[192]=File : c:\documents and settings\all users\start menu\programs\startup\gsta
obj[193]=File : c:\documents and settings\all users\start menu\programs\startup\date
BLAZEFIND
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[4]=RegKey : SOFTWARE\Microsoft\Windows
obj[29]=RegKey : CLSID\{C5941EE5-6DFA-11D8-
HUNGRYHANDS BHO
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[5]=RegKey : SOFTWARE\Microsoft\Windows
obj[19]=RegKey : TYPELIB\{03f8822f-8877-400
obj[20]=RegKey : Interface\{F8FB4EA2-6C05-4
obj[23]=RegKey : hungryhands.hungrybho
obj[24]=RegKey : hungryhands.hungrybho.1
obj[30]=RegKey : CLSID\{bcf96fb4-5f1b-497b-
obj[34]=RegKey : AppID\{03F8822F-8877-4002-
obj[35]=RegKey : AppID\HungryHands.DLL
HTTPER
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[6]=RegKey : SOFTWARE\Microsoft\Windows
obj[14]=RegKey : Software\Httper
obj[18]=RegKey : TYPELIB\{ab7b627d-b2af-4b6
obj[22]=RegKey : Interface\{7D49A302-3C1C-4
obj[25]=RegKey : httper.iefriendly
obj[26]=RegKey : httper.iefriendly.1
obj[31]=RegKey : CLSID\{a5483501-070c-41dd-
obj[39]=Folder : c:\program files\Httper
obj[59]=File : c:\program files\httper\unwise.exe
obj[60]=File : c:\program files\httper\install.log
obj[61]=File : c:\program files\httper\httper.ini
obj[62]=File : c:\program files\httper\httper.dll
ALEXA
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[8]=RegKey : SOFTWARE\Microsoft\Interne
CLARIA would not remove initially (also listed as cmeii). Ad-Aware could not initially remove it, but I instructed it to remove it after reboot, which it did successfully.
I also ran AVG Anti-Virus; it found nothing...
I then ran HijackThis and I removed this entry:
HKCU\Software\Microsoft\Cu
After that I regained internet access.
I went to Trend Micro HouseCall and ran the online virus scan. It found:
Malware.JS_FORTNIGHT.M and removed it. This was the only thing that it found.
Here is the logfile from HijackThis...
StartupList report, 4/4/2004, 1:01:10 AM
StartupList version: 1.52
Started from : C:\HiJackThis\HijackThis.E
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==========================
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\spools
C:\PROGRA~1\Grisoft\AVG6\a
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\driver
C:\WINDOWS\system32\cisvc.
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\System32\CTsvcC
C:\WINDOWS\System32\nvsvc3
C:\WINDOWS\System32\svchos
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINDOWS\System32\MsPMSP
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshie
C:\WINDOWS\system32\cidaem
C:\WINDOWS\system32\cidaem
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdi
C:\Program Files\Creative\SBLive\Diag
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Dell\EUSW\Support.ex
C:\Program Files\Common Files\Real\Update_OB\reals
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Washer Pro\iw.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digi
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Hewlett-Packard\Digi
C:\Program Files\Hewlett-Packard\Digi
C:\WINDOWS\System32\HPZipm
C:\Program Files\Hewlett-Packard\Digi
C:\PROGRA~1\WINZIP\wzqkpic
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\HiJackThis\HijackThis.e
--------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\Lavon\Start Menu\Programs\Startup]
*No files*
Shell folders AltStartup:
*Folder not found*
User shell folders Startup:
*Folder not found*
User shell folders AltStartup:
*Folder not found*
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
Billminder.lnk = C:\Program Files\Quicken\billmind.exe
Digital Line Detect.lnk = ?
hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digi
Microsoft Works Calendar Reminders.lnk = ?
officejet 6100.lnk = ?
Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
Shell folders Common AltStartup:
*Folder not found*
User shell folders Common Startup:
*Folder not found*
User shell folders Alternate Common Startup:
*Folder not found*
--------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\W
UserInit = C:\WINDOWS\system32\userin
[HKLM\Software\Microsoft\W
*Registry key not found*
[HKCU\Software\Microsoft\W
*Registry value not found*
[HKCU\Software\Microsoft\W
*Registry key not found*
--------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Wi
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.
BCMSMMSG = BCMSMMSG.exe
diagent = "C:\Program Files\Creative\SBLive\Diag
UpdReg = C:\WINDOWS\UpdReg.EXE
Microsoft Works Update Detection = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
Alogserv = C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
McAfee Guardian = "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdi
Share-to-Web Namespace Daemon = C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
DwlClient = C:\Program Files\Common Files\Dell\EUSW\Support.ex
nwiz = nwiz.exe /install
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\reals
BJCFD = C:\Program Files\BroadJump\Client Foundation\CFD.exe
AVG_CC = C:\PROGRA~1\Grisoft\AVG6\a
MSConfig = C:\WINDOWS\PCHealth\HelpCt
--------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Wi
*No values found*
--------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Wi
*No values found*
--------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Wi
*Registry key not found*
--------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Wi
*Registry key not found*
--------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Wi
McAfee.InstantUpdate.Monit
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe
MoneyAgent = "C:\Program Files\Microsoft Money\System\Money Express.exe"
Internet Washer Pro = C:\Program Files\Internet Washer Pro\iw.exe min
--------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Wi
*No values found*
--------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Wi
*Registry key not found*
--------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Wi
*Registry key not found*
--------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Wi
*Registry key not found*
--------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Wi
*Registry key not found*
--------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Wi
*Registry key not found*
--------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Wi
[OptionalComponents]
*No values found*
--------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Wi
*No subkeys found*
--------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Wi
*No subkeys found*
--------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Wi
*Registry key not found*
--------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Wi
*Registry key not found*
--------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Wi
*No subkeys found*
--------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Wi
*No subkeys found*
--------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Wi
*Registry key not found*
--------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Wi
*Registry key not found*
--------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Wi
*Registry key not found*
--------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Wi
*Registry key not found*
--------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Wi
*Registry key not found*
--------------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\
(Default) = "%1" %*
--------------------------
File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\
(Default) = "%1" %*
--------------------------
File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\
(Default) = "%1" %*
--------------------------
File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\
(Default) = "%1" %*
--------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\
(Default) = "%1" /S
--------------------------
File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\
(Default) = C:\WINDOWS\System32\mshta.
--------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Ac
(* = disabled by HKCU twin)
[>{22d6f312-b0f6-11d0-94ab
StubPath = C:\WINDOWS\inf\unregmp2.ex
[>{26923b43-4d38-484f-9b9e
StubPath = %systemroot%\system32\shmg
[>{39347012-A94D-4CF3-A2B3
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
[>{881dd1c5-3dcf-431b-b061
StubPath = %systemroot%\system32\shmg
[{2C7339CF-2B09-4501-B3F3-
StubPath = %SystemRoot%\system32\regs
[{44BBA840-CC51-11CF-AAFA-
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
[{44BBA842-CC51-11CF-AAFA-
StubPath = rundll32.exe advpack.dll,LaunchINFSecti
[{5945c046-1e7d-11d1-bc44-
StubPath = rundll32.exe advpack.dll,LaunchINFSecti
[{6BF52A52-394A-11d3-B153-
StubPath = rundll32.exe advpack.dll,LaunchINFSecti
[{7790769C-0471-11d2-AF11-
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
[{89820200-ECBD-11cf-8B85-
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[{89820200-ECBD-11cf-8B85-
StubPath = %SystemRoot%\system32\ie4u
[{89B4C1CD-B018-4511-B0A1-
StubPath = C:\WINDOWS\System32\Rundll
--------------------------
Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\IC
*Registry key not found*
--------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:
load=*INI section not found*
run=*INI section not found*
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\WinLogon
HKLM\..\Windows NT\CurrentVersion\WinLogon
HKLM\..\Windows\CurrentVer
HKLM\..\Windows\CurrentVer
HKCU\..\Windows NT\CurrentVersion\WinLogon
HKCU\..\Windows NT\CurrentVersion\WinLogon
HKCU\..\Windows\CurrentVer
HKCU\..\Windows\CurrentVer
HKCU\..\Windows NT\CurrentVersion\Windows:
HKCU\..\Windows NT\CurrentVersion\Windows:
HKLM\..\Windows NT\CurrentVersion\Windows:
HKLM\..\Windows NT\CurrentVersion\Windows:
HKLM\..\Windows NT\CurrentVersion\Windows:
--------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explor
C:\WINDOWS\System\Explorer
C:\WINDOWS\System32\Explor
C:\WINDOWS\Command\Explore
C:\WINDOWS\Fonts\Explorer.
--------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------
Verifying REGEDIT.EXE integrity:
- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'
Registry check passed
--------------------------
Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEH
(no name) - C:\Program Files\Microsoft Money\System\mnyviewer.dll
--------------------------
Enumerating Task Scheduler jobs:
FRU Task #Hewlett-Packard#hp psc 2100 series#1040263182.job
--------------------------
Enumerating Download Program Files:
[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\Java\cla
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd
[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\cla
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
[{421A63BA-4632-43E0-A942-
InProcServer32 = C:\WINDOWS\Downloaded Program Files\IWCHECK.DLL
CODEBASE = http://i.rn11.com/iwasher/pptproactauthmirror/internetwasherpro.cab
[RdxIE Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RdxIE.dll
CODEBASE = http://207.188.7.150/123e635de35d01745823/netzip/RdxIE601.cab
[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan5
CODEBASE = http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
[CQD2Loader Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\installer.dll
CODEBASE = http://smartdownloader.com/installer.dll
[CustomerCtrl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\customerclient.dll
CODEBASE = http://cs5b.instantservice.com/jars/customerxsigned33.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macrom
CODEBASE = http://active.macromedia.com/flash2/cabs/swflash.cab
--------------------------
Enumerating Winsock LSP files:
NameSpace #1: C:\WINDOWS\System32\mswsoc
NameSpace #2: C:\WINDOWS\System32\winrnr
NameSpace #3: C:\WINDOWS\System32\mswsoc
Protocol #1: C:\WINDOWS\system32\mswsoc
Protocol #2: C:\WINDOWS\system32\mswsoc
Protocol #3: C:\WINDOWS\system32\mswsoc
Protocol #4: C:\WINDOWS\system32\rsvpsp
Protocol #5: C:\WINDOWS\system32\rsvpsp
Protocol #6: C:\WINDOWS\system32\mswsoc
Protocol #7: C:\WINDOWS\system32\mswsoc
Protocol #8: C:\WINDOWS\system32\mswsoc
Protocol #9: C:\WINDOWS\system32\mswsoc
Protocol #10: C:\WINDOWS\system32\mswsoc
Protocol #11: C:\WINDOWS\system32\mswsoc
--------------------------
Enumerating Windows NT/2000/XP services
abp480n5: \SystemRoot\System32\DRIVE
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
adpu160m: \SystemRoot\System32\DRIVE
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drive
Intel AGP Bus Filter: System32\DRIVERS\agp440.sy
Compaq AGP Bus Filter: \SystemRoot\System32\DRIVE
Aha154x: \SystemRoot\System32\DRIVE
aic78u2: \SystemRoot\System32\DRIVE
aic78xx: \SystemRoot\System32\DRIVE
Alerter: %SystemRoot%\System32\svch
Application Layer Gateway Service: %SystemRoot%\System32\alg.
AliIde: \SystemRoot\System32\DRIVE
ALI AGP Bus Filter: \SystemRoot\System32\DRIVE
AMD AGP Bus Filter Driver: \SystemRoot\System32\DRIVE
amsint: \SystemRoot\System32\DRIVE
Application Management: %SystemRoot%\system32\svch
asc: \SystemRoot\System32\DRIVE
asc3350p: \SystemRoot\System32\DRIVE
asc3550: \SystemRoot\System32\DRIVE
ASP.NET State Service: %SystemRoot%\Microsoft.NET
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.s
Windows Audio: %SystemRoot%\System32\svch
Audio Stub Driver: System32\DRIVERS\audstub.s
AutoComplete Service: C:\PROGRA~1\INTERN~2\autoc
AVG6 Kernel: \??\C:\PROGRA~1\Grisoft\AV
AVG6 Rezident Driver: \??\C:\PROGRA~1\Grisoft\AV
AVG6 Service: C:\PROGRA~1\Grisoft\AVG6\a
AVSync Manager: "C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe" (autostart)
BCM V.92 56K Modem: System32\DRIVERS\BCMSM.sys
Background Intelligent Transfer Service: %SystemRoot%\System32\svch
Computer Browser: %SystemRoot%\System32\svch
C-DillaCdaC11BA: C:\WINDOWS\System32\driver
cbidf: \SystemRoot\System32\DRIVE
cd20xrnt: \SystemRoot\System32\DRIVE
CdaC15BA: \??\C:\WINDOWS\System32\dr
CD-ROM Driver: System32\DRIVERS\cdrom.sys
Indexing Service: %SystemRoot%\system32\cisv
ClipBook: %SystemRoot%\system32\clip
CmdIde: \SystemRoot\System32\DRIVE
COM+ System Application: C:\WINDOWS\System32\dllhos
Cpqarray: \SystemRoot\System32\DRIVE
Creative Service for CDROM Access: C:\WINDOWS\System32\CTsvcC
Cryptographic Services: %SystemRoot%\system32\svch
dac2w2k: \SystemRoot\System32\DRIVE
dac960nt: \SystemRoot\System32\DRIVE
DHCP Client: %SystemRoot%\System32\svch
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmad
dmboot: System32\drivers\dmboot.sy
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sy
Logical Disk Manager: %SystemRoot%\System32\svch
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sy
DNS Client: %SystemRoot%\System32\svch
dpti2o: \SystemRoot\System32\DRIVE
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.s
Intel(R) PRO Adapter Driver: System32\DRIVERS\e100b325.
3Com EtherLink XL 90XB/C Adapter Driver: System32\DRIVERS\el90xbc5.
Error Reporting Service: %SystemRoot%\System32\svch
Event Log: %SystemRoot%\system32\serv
COM+ Event System: C:\WINDOWS\System32\svchos
Fast User Switching Compatibility: %SystemRoot%\System32\svch
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.
Volume Manager Driver: System32\DRIVERS\ftdisk.sy
Game Port Enumerator: System32\DRIVERS\gameenum.
Generic Packet Classifier: System32\DRIVERS\msgpc.sys
Help and Support: %SystemRoot%\System32\svch
Human Interface Device Access: %SystemRoot%\System32\svch
hpn: \SystemRoot\System32\DRIVE
IEEE-1284.4 Driver HPZid412: System32\DRIVERS\HPZid412.
Print Class Driver for IEEE-1284.4 HPZipr12: System32\DRIVERS\HPZipr12.
USB to IEEE-1284.4 Translation Driver HPZius12: System32\DRIVERS\HPZius12.
i2omp: \SystemRoot\System32\DRIVE
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.
i81x: System32\DRIVERS\i81xnt5.s
iAimFP0: System32\DRIVERS\wADV01nt.
iAimFP1: System32\DRIVERS\wADV02NT.
iAimFP2: System32\DRIVERS\wADV05NT.
iAimFP3: System32\DRIVERS\wSiINTxx.
iAimFP4: System32\DRIVERS\wVchNTxx.
iAimTV0: System32\DRIVERS\wATV01nt.
iAimTV1: System32\DRIVERS\wATV02NT.
iAimTV2: System32\DRIVERS\wATV03nt.
iAimTV3: System32\DRIVERS\wATV04nt.
iAimTV4: System32\DRIVERS\wCh7xxNT.
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.
ini910u: \SystemRoot\System32\DRIVE
IntelIde: \SystemRoot\System32\DRIVE
IPv6 Firewall Driver: System32\DRIVERS\Ip6Fw.sys
IPv6 Internet Connection Firewall: %SystemRoot%\System32\svch
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sy
IP Network Address Translator: System32\DRIVERS\ipnat.sys
IPSEC driver: System32\DRIVERS\ipsec.sys
IR Enumerator Service: System32\DRIVERS\irenum.sy
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sy
Keyboard Class Driver: System32\DRIVERS\kbdclass.
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sy
Server: %SystemRoot%\System32\svch
Workstation: %SystemRoot%\System32\svch
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svch
McShield: "C:\Program Files\Common Files\Network Associates\McShield\Mcshie
Messenger: %SystemRoot%\System32\svch
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrv
Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.
Mouse Class Driver: System32\DRIVERS\mouclass.
mraid35x: \SystemRoot\System32\DRIVE
WebDav Client Redirector: System32\DRIVERS\mrxdav.sy
MRXSMB: System32\DRIVERS\mrxsmb.sy
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.
Windows Installer: C:\WINDOWS\System32\msiexe
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.s
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys
NaiFiltr: System32\DRIVERS\NaiFiltr.
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.s
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.s
NetBIOS Interface: System32\DRIVERS\netbios.s
NetBios over Tcpip: System32\DRIVERS\netbt.sys
Network DDE: %SystemRoot%\system32\netd
Network DDE DSDM: %SystemRoot%\system32\netd
Net Logon: %SystemRoot%\System32\lsas
Network Connections: %SystemRoot%\System32\svch
Network Location Awareness (NLA): %SystemRoot%\System32\svch
NIC Management Service Configuration Driver: \??\C:\WINDOWS\System32\dr
Intel(R) NMS: C:\WINDOWS\System32\NMSSvc
NT LM Security Support Provider: %SystemRoot%\System32\lsas
Removable Storage: %SystemRoot%\system32\svch
nv: System32\DRIVERS\nv4_mini.
NVIDIA Display Driver Service: %SystemRoot%\System32\nvsv
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.
OMCI WDM Device Driver: System32\DRIVERS\omci.sys (system)
Creative SB Live! Series (WDM): system32\drivers\P16X.sys (manual start)
Intel PentiumIII Processor Driver: System32\DRIVERS\p3.sys (system)
Parallel port driver: System32\DRIVERS\parport.s
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sy
perc2: \SystemRoot\System32\DRIVE
perc2hib: \SystemRoot\System32\DRIVE
PfModNT: \??\C:\WINDOWS\System32\Pf
Plug and Play: %SystemRoot%\system32\serv
Pml Driver HPZ12: C:\WINDOWS\System32\HPZipm
IPSEC Services: %SystemRoot%\System32\lsas
WAN Miniport (PPTP): System32\DRIVERS\raspptp.s
Processor Driver: System32\DRIVERS\processr.
Protected Storage: %SystemRoot%\system32\lsas
QoS Packet Scheduler: System32\DRIVERS\psched.sy
Direct Parallel Link Driver: System32\DRIVERS\ptilink.s
ql1080: \SystemRoot\System32\DRIVE
Ql10wnt: \SystemRoot\System32\DRIVE
ql12160: \SystemRoot\System32\DRIVE
ql1240: \SystemRoot\System32\DRIVE
ql1280: \SystemRoot\System32\DRIVE
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sy
Remote Access Auto Connection Manager: %SystemRoot%\System32\svch
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.s
Remote Access Connection Manager: %SystemRoot%\System32\svch
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.
Direct Parallel: System32\DRIVERS\raspti.sy
Rdbss: System32\DRIVERS\rdbss.sys
RDPCDD: System32\DRIVERS\RDPCDD.sy
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmg
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.s
Routing and Remote Access: %SystemRoot%\System32\svch
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\loca
Remote Procedure Call (RPC): %SystemRoot%\system32\svch
QoS RSVP: %SystemRoot%\System32\rsvp
Security Accounts Manager: %SystemRoot%\system32\lsas
Smart Card Helper: %SystemRoot%\System32\SCar
Smart Card: %SystemRoot%\System32\SCar
Task Scheduler: %SystemRoot%\System32\svch
Secdrv: System32\DRIVERS\secdrv.sy
Secondary Logon: %SystemRoot%\System32\svch
System Event Notification: %SystemRoot%\system32\svch
Serenum Filter Driver: System32\DRIVERS\serenum.s
Serial port driver: System32\DRIVERS\serial.sy
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svch
Shell Hardware Detection: %SystemRoot%\System32\svch
SIS AGP Bus Filter: \SystemRoot\System32\DRIVE
Sparrow: \SystemRoot\System32\DRIVE
Microsoft Kernel Audio Splitter: system32\drivers\splitter.
Print Spooler: %SystemRoot%\system32\spoo
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svch
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svch
Windows Image Acquisition (WIA): %SystemRoot%\System32\svch
Software Bus Driver: System32\DRIVERS\swenum.sy
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sy
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhos
symc810: \SystemRoot\System32\DRIVE
symc8xx: \SystemRoot\System32\DRIVE
sym_hi: \SystemRoot\System32\DRIVE
sym_u3: \SystemRoot\System32\DRIVE
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.
Performance Logs and Alerts: %SystemRoot%\system32\smlo
Telephony: %SystemRoot%\System32\svch
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys
Terminal Device Driver: System32\DRIVERS\termdd.sy
Terminal Services: %SystemRoot%\System32\svch
Themes: %SystemRoot%\System32\svch
TosIde: \SystemRoot\System32\DRIVE
Distributed Link Tracking Client: %SystemRoot%\system32\svch
ultra: \SystemRoot\System32\DRIVE
Microcode Update Driver: System32\DRIVERS\update.sy
Upload Manager: %SystemRoot%\System32\svch
Universal Plug and Play Device Host: %SystemRoot%\System32\svch
Uninterruptible Power Supply: %SystemRoot%\System32\ups.
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.s
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.s
USB2 Enabled Hub: System32\DRIVERS\usbhub.sy
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.
USB Scanner Driver: System32\DRIVERS\usbscan.s
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.s
VgaSave: \SystemRoot\System32\drive
VIA AGP Bus Filter: \SystemRoot\System32\DRIVE
ViaIde: \SystemRoot\System32\DRIVE
Volume Shadow Copy: %SystemRoot%\System32\vssv
Windows Time: %SystemRoot%\system32\svch
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sy
WAN Miniport (ATW): System32\DRIVERS\wanatw4.s
WAN Miniport (ATW) Service: "C:\WINDOWS\wanmpsvc.exe" (autostart)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sy
WebClient: %SystemRoot%\System32\svch
Windows Management Instrumentation: %systemroot%\system32\svch
WMDM PMSP Service: C:\WINDOWS\System32\MsPMSP
Portable Media Serial Number Service: %SystemRoot%\System32\svch
WMI Performance Adapter: C:\WINDOWS\System32\wbem\w
Automatic Updates: %systemroot%\system32\svch
Wireless Zero Configuration: %SystemRoot%\System32\svch
--------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperation
--------------------------
Enumerating ShellServiceObjectDelayLoa
PostBootReminder: C:\WINDOWS\system32\SHELL3
CDBurn: C:\WINDOWS\system32\SHELL3
WebCheck: C:\WINDOWS\System32\webche
SysTray: C:\WINDOWS\System32\stobje
--------------------------
End of report, 36,869 bytes
LET ME KNOW IF ANY OF YOU SEE ANYTHING THAT LOOKS OUT OF THE ORDINARY. The system seems to be back to normal.
Try scanning with TrendMicro's free virus scan; it may find what you're looking for.
http://housecall.trendmicro.com/housecall/start_corp.asp
ASKER
skaha, I already did that, and also Norton and AVG; none of them detected the 17669.exe file as a virus. I am going to submit it to Symantec and see what they say.
ASKER
Symantec would not let me submit it at all through their automatic system; said it was not a virus. Tried submitting it through SARC, which is their downloadable submission tool (which ended up, when it took the file(s) I saved on disk that were the virus files, putting them in a temp folder on the hard drive of my other PC (how nice of them) - sarcasm).
At any rate, they still have not gotten back. I also submitted it to F-Prot, who came back saying it is a Trojan known as W32/Rdom.a but gave no further info other than that it was a backdoor program.
In addition, I just found out last night when I used Trend Micro's HouseCall to scan the system (since I have lost my sense of security with Symantec, which still reports no virus) that Trend Micro discovered the submitted virus in a temp folder under the directory of SARC, which is Symantec's submission tool. I do not know why SARC saved this to my hard drive considering I pointed SARC to the diskette with the virus files. SARC also required the diskette to have write access (which to me is a security risk).
Symantec still has no answer for why I am paying for their anti virus product when two of their competitors have identified the trojan. They keep telling me in email I can have a Virus support technician help me by either calling a 900 number or paying $20.00 to $50.00 for them to remove it. They do not seem to understand I have already removed it; I just want to know about it and why they did not pick it up.
At any rate, here is what HouseCall identified it as: SDOWN.A
here is the link http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SDOWN.A
--------------------------
Virus type: Trojan
Destructive: No
Aliases: SDOWN.A
Pattern file needed: 848 (1.848.25)
Scan engine needed: 6.500
Overall risk rating: Very Low
--------------------------
Reported infections: Low
Damage Potential: Low
Distribution Potential: Low
--------------------------
Description:
This memory-resident Trojan checks if a system has Internet connection and then links to a particular IP address to download a malicious file.
It drops a copy of itself using a randomly generated 5-character file name in the Windows folder.
This UPX-compressed malware runs on Windows 95, 98, ME, NT, 2000, and XP.
Solution:
Identifying the Malware Program
Before proceeding to remove this malware, first identify the malware program.
Scan your system with Trend Micro antivirus and NOTE all files detected as TROJ_SDOWN.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.
Terminating the Malware Program
This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.
Open Windows Task Manager.
On Windows 95/98/ME systems, press
CTRL+ALT+DELETE
On Windows NT/2000/XP systems, press
CTRL+SHIFT+ESC, then click the Processes tab.
In the list of running programs*, locate the malware file or files detected earlier.
Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
Do the same for all detected malware files in the list of running processes.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
*NOTE: On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.
Removing Autostart Entries from the Registry
Removing autostart entries from registry prevents the malware from executing during startup. This is also an effective way to terminate its process. In this procedure, you will need the name/s of the file/s detected earlier.
Open Registry Editor. Click Start>Run, type Regedit then hit Enter.
In the left panel, double click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>Run
In the right panel, locate and delete the entry or entries whose data value is the malware path and file name of the file/s detected earlier.
Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
Additional Windows ME/XP Cleaning Instructions
Running Trend Micro Antivirus
Scan your system with Trend Micro antivirus and delete all files detected as TROJ_SDOWN.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro’s free online virus scanner.
Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business or home PC.
In the wild: Yes
Language: English
Platform: Windows 95, 98, ME, NT, 2000, XP
Encrypted: No
Size of virus: 27,648 Bytes (compressed)
57,344 Bytes (decompressed)
Pattern file needed: 848 (1.848.25)
Scan engine needed: 6.500
Discovered: Apr. 4, 2004
Detection available: Apr. 4, 2004
--------------------------
Details:
Installation
Upon execution, this memory-resident Trojan drops a copy of itself using a randomly generated file name in the Windows folder. The file name is composed of 5-character combinations of letters and numbers (i.e. 4a086.exe, 5740f.exe, 38dbd.exe, etc.).
Once executed, it checks if a system is currently connected to the Internet. If so, it connects to the following IP address:
209.4<BLOCKED>15.83
It then tries to download one of the following files, which are suspected to be malicious:
FT39.COM
KR62.COM
QT94.COM
RD19.COM
XT40.COM
Autostart Technique
This malware creates the following registry entry so that it executes at every system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
<5-digit_filename.exe> = <"5-digit_filename.exe">
(Note: 5-digit_filename.exe represents the dropped copy of this malware.)
Other Details
The following text strings are found in the body of this malware:
"Program:
<program name unknown>
A buffer overrun has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated. Buffer overrun detected!
A security error of unknown cause has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated. Unknown security failure detected!"
--------------------------
Analysis by: Reuel A. Morales
Description created: Apr. 4, 2004
At any rate they still have not gotten back I also submitted it to F-Prot who came back saying it is a Trojan known as W32/Rdom.a but gave no further info other then it was a backdoor program.
In addition I just found out last night when I used Trend Micro' housecall to scan the system last night (since I have lost my sense of security with symantec) which still reports no virus Trend micro discovered the submitted virus in a temp folder under the directory of SARC which is symantec's submission tool. I do not know why SARC saved this to my hard drive considering I pointed SARC to the diskette with the virus files. SARC also required the diskette to have write access (which to me is a security risk).
Symantec still has no answer for why I am paying for their anti virus product when two of their competitors have identified the trojan. They keep telling me in email I can have a Virus suport technician help me by either calling a 900 number or paying $20.00 to $50.00 for them to remove it they do not seem to understand I have already removed I just want to know about it and why they did not pick it up.
At any rate here is what housecall identified it as sdown.a
here is the link http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SDOWN.A
QUICK LINKS Solution
--------------------------
Virus type: Trojan
Destructive: No
Aliases: SDOWN.A
Pattern file needed: 848 (1.848.25)
Scan engine needed: 6.500
Overall risk rating: Very Low
--------------------------
Reported infections: Low
Damage Potential: Low
Distribution Potential: Low
--------------------------
Description:
This memory-resident Trojan checks if a system has Internet connection and then links to a particular IP address to download a malicious file.
It drops a copy of itself using a randomly generated 5-character file name in the Windows folder.
This UPX-compressed malware runs on Windows 95, 98, ME, NT, 2000, and XP.
Solution:
Identifying the Malware Program
Before proceeding to remove this malware, first identify the malware program.
Scan your system with Trend Micro antivirus and NOTE all files detected as TROJ_SDOWN.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.
Terminating the Malware Program
This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.
Open Windows Task Manager.
On Windows 95/98/ME systems, press
CTRL+ALT+DELETE
On Windows NT/2000/XP systems, press
CTRL+SHIFT+ESC, then click the Processes tab.
In the list of running programs*, locate the malware file or files detected earlier.
Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
Do the same for all detected malware files in the list of running processes.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
*NOTE: On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.
Removing Autostart Entries from the Registry
Removing autostart entries from registry prevents the malware from executing during startup. This is also an effective way to terminate its process. In this procedure, you will need the name/s of the file/s detected earlier.
Open Registry Editor. Click Start>Run, type Regedit then hit Enter.
In the left panel, double click the following:
HKEY_LOCAL_MACHINE>Softwar
Windows>CurrentVersion>Run
In the right panel, locate and delete the entry or entries whose data value is the malware path and file name of the file/s detected earlier.
Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
Additional Windows ME/XP Cleaning Instructions
Running Trend Micro Antivirus
Scan your system with Trend Micro antivirus and delete all files detected as TROJ_SDOWN.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro’s free online virus scanner.
Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business or home PC.
In the wild: Yes
Language: English
Platform: Windows 95, 98, ME, NT, 2000, XP
Encrypted: No
Size of virus: 27,648 Bytes (compressed)
57,344 Bytes (decompressed)
Pattern file needed: 848 (1.848.25)
Scan engine needed: 6.500
Discovered: Apr. 4, 2004
Detection available: Apr. 4, 2004
--------------------------
Details:
Installation
Upon execution, this memory-resident Trojan drops a copy of itself using a randomly generated file name in the Windows folder. The file name is composed of 5-character combinations of letters and numbers (i.e. 4a086.exe, 5740f.exe, 38dbd.exe, etc.).
Once executed, it checks if a system is currently connected to the Internet. If so, it connects to the following IP address:
209.4<BLOCKED>15.83
It then tries to download one of the following files, which are suspected to be malicious:
FT39.COM
KR62.COM
QT94.COM
RD19.COM
XT40.COM
Autostart Technique
This malware creates the following registry entry so that it executes at every system startup:
HKEY_LOCAL_MACHINE\Softwar
Windows\CurrentVersion\Run
<5-digit_filename.exe> = <"5-digit_filename.exe">
(Note: 5-digit_filename.exe represents the dropped copy of this malware.)
Other Details
The following text strings are found in the body of this malware:
"Program:
<program name unknown>
A buffer overrun has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated. Buffer overrun detected!
A security error of unknown cause has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated. Unknown security failure detected!"
--------------------------
Analysis by: Reuel A. Morales
Description created: Apr. 4, 2004
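The removal procedure above (delete the Run entry whose data is the dropped file) and the "Autostart Technique" section (a value named after a five-character random file name) both come down to inspecting the Run key for entries that look like that pattern. Below is an added triage script, written for this thread and not part of the Trend Micro writeup or any vendor tool: it parses a `.reg` export of the Run key (as produced by `regedit /e`) and lists every value whose name or launched executable is a five-character letter/digit name. The export text, the `VTTimer`, `McAfeeUpdaterUI` and `Skynet` values are constructed; `4a086.exe` and `5740f.exe` are the example names from the writeup. Parsing an export rather than the live registry keeps the script runnable off the infected machine.

```python
"""Flag Run-key values that launch a random five-character executable.

Added example for this thread, not vendor code.  The .reg export below is
constructed; real exports are UTF-16 text with the same layout.
"""
import re

# Constructed export of the Run key (assumption: what `regedit /e` would write).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe"
"McAfeeUpdaterUI"="\"C:\\Program Files\\McAfee\\Common Framework\\UdaterUI.exe\" /StartedFromRunKey"
"4a086.exe"="\"4a086.exe\""
"Skynet"="C:\\WINDOWS\\5740f.exe"
'''

# Matches a Run or RunOnce key header in HKLM or HKCU.
RUN_KEY_RE = re.compile(r'^\[(HKEY_[A-Z_]+\\.*\\CurrentVersion\\Run(Once)?)\]$', re.I)
# Matches a REG_SZ value line; hex:/dword: values have no leading quote and are skipped.
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# Five letters/digits plus .exe, the dropped-copy naming the writeup describes.
RANDOM_NAME_RE = re.compile(r'^[0-9a-z]{5}\.exe$', re.I)


def parse_run_entries(reg_text):
    """Return (key, value_name, data) for every string value under a Run/RunOnce key."""
    entries = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith('['):
            m = RUN_KEY_RE.match(line)
            current_key = m.group(1) if m else None
            continue
        if current_key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            # .reg files escape backslashes and quotes inside string data.
            data = re.sub(r'\\(.)', r'\1', m.group(2))
            entries.append((current_key, m.group(1), data))
    return entries


def executable_name(data):
    """Bare file name launched by a Run value, quoted or not, with or without arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        path = data[1:end] if end > 0 else data[1:]
    else:
        path = data.split(' ')[0]
    return path.rsplit('\\', 1)[-1]


def suspicious_entries(reg_text):
    """(value_name, executable) for entries matching the random five-character pattern."""
    hits = []
    for _key, name, data in parse_run_entries(reg_text):
        exe = executable_name(data)
        if RANDOM_NAME_RE.match(name) or RANDOM_NAME_RE.match(exe):
            hits.append((name, exe))
    return hits


if __name__ == '__main__':
    for name, exe in suspicious_entries(SAMPLE_REG_EXPORT):
        print(f'suspicious Run entry: {name!r} launches {exe}')
```

The output is a triage list, not a verdict: a legitimate program with a five-character name would be listed too, so check each hit against the file's properties and the vendor writeup before deleting the value, as the procedure above says.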
I would suggest uninstalling the Road Runner Medic. I have heard of major issues due to Road Runner Medic being installed. You may have to resort to a fresh system format.
ASKER
I don't have Road Runner Medic on the system; I got rid of that a long time ago because it installs BroadJump Client Foundation (which is spyware).
Thanks for the points briancassin, hope I helped a little.
ASKER
You're welcome and yes you helped :)
Thank you.
ASKER
You're welcome gemarti, thank you for your help. Sorry to all of you it took so long for me to close out.
Assume that anything may attempt to create nuisance.
When you experience this - go to "Windows" and "Windows\system32" - place Explorer in "details" and display the directories according to modified date. Only "Performance Logs" should be a late entry. Take "Properties" on all late ".exe" files - check for origination, version identification. Hit CTRL+ALT+DEL to activate Taskman/Processes - and try to stop the process with this image. Rename image from "xx.exe" - to "xx.exe.vir" if you are suspicious. Use the copied image in the cached folder if you have to rename a "DLL" file. You will not be able to copy running images.
In Regedit - verify the two RUN keys. Remove all entries you do not know - or rename key with '% first in the key name if you are suspicious.
Now reboot after power down. Take notice of messages that occur and inspect the event logs at successful boot.
Back up, go to Windows - rename all ".exe" files with a combination of UPPERcase and lowerCASE letters - according to your pattern - e.g. 3rd and 6th letter in UPPER case:
rename taskman.exe taSkmAn.exe
Copy or zip all ".exe"+ ".dll" to "System32.zip" and "Windows.zip" - restore changed files from this, remake library after every system upgrade.
Next time you reboot, you will be able to see "trusted" files immediately in Taskman and "novelties" will stand out, e.g. if you have renamed dlLhoSt.exe - back to old DLLHOST.EXE is revealing.
Search the "Documents and Settings" for ".exe" files. Usually the viruses are temporarily stored here before being copied. If you find any files - then search the computer for copies - and remove any reference in the registry.
Do not rely on a virus scanner - viruses now come as adverts on sites and on a 50Mbps wireless connection you can get a pile of them in a few seconds. IT TAKES HOURS TO UPGRADE A VIRUS SCANNER WITH NEW "PATTERNS". Finally, post your findings in places like this for others to review.
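The procedure in the post above amounts to keeping a known-good inventory of the executables in the Windows folders (the "System32.zip"/"Windows.zip" library, the case-pattern renaming) so that anything new or altered stands out after a reboot. The script below is an added example written for this thread, not Knut H.'s own tooling: it records a SHA-256 manifest of every `.exe` and `.dll` under a folder once, then diffs the folder against that manifest to report new, changed and missing files. Hashing replaces the renaming trick, since a hash changes when a file is replaced in place even if the name is kept. The folder tree and file contents are constructed in a temporary directory so it runs anywhere; on the machine in question you would point `build_manifest` at `C:\WINDOWS` and keep the baseline manifest off the box.

```python
"""Baseline-and-compare for the executables in a folder.

Added example for this thread, not the poster's own tooling.  The folder,
file names and contents in demo() are constructed.
"""
import hashlib
import os
import tempfile

EXEC_SUFFIXES = ('.exe', '.dll')


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large DLLs are not loaded whole."""
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(1 << 16), b''):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each executable's path (relative to root, lower-cased) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXEC_SUFFIXES):
                full = os.path.join(dirpath, name)
                # NTFS names are case-insensitive, so compare them lower-cased.
                rel = os.path.relpath(full, root).lower()
                manifest[rel] = sha256_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Return (new, changed, missing) relative paths, each list sorted."""
    new = sorted(p for p in current if p not in baseline)
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    return new, changed, missing


def demo():
    """Constructed scenario: a clean folder, then a dropped file and a replaced DLL."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, 'system32')
        os.makedirs(sysdir)
        with open(os.path.join(root, 'explorer.exe'), 'wb') as f:
            f.write(b'MZ clean explorer')          # constructed stand-in contents
        with open(os.path.join(sysdir, 'dllhost.exe'), 'wb') as f:
            f.write(b'MZ clean dllhost')
        with open(os.path.join(sysdir, 'kernel32.dll'), 'wb') as f:
            f.write(b'MZ clean kernel32')
        baseline = build_manifest(root)            # taken while the system is known clean

        # Simulated infection: a dropped random-name copy and a replaced DLL.
        with open(os.path.join(root, '4a086.exe'), 'wb') as f:
            f.write(b'MZ dropped copy')
        with open(os.path.join(sysdir, 'kernel32.dll'), 'wb') as f:
            f.write(b'MZ replaced kernel32')
        return compare_manifests(baseline, build_manifest(root))


if __name__ == '__main__':
    new, changed, missing = demo()
    print('new:', new)
    print('changed:', changed)
    print('missing:', missing)
```

Rebuild the baseline after every service pack or hotfix, exactly as the post says to remake the zip library after a system upgrade; otherwise legitimate updates show up as "changed" and bury the real novelties.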
If "malware" is so bad then why does Norton or any of the other major anti-v programs detect this? Should this person be running adaware in ADDITION??
>>If "malware" is so bad then why does Norton or any of the other major anti-v programs detect this?
It's an opportunity to make more money and expand the product line. Simple economics. ....
Most people don't consider the stuff that adware picks up to be harmful. But looks like it is! EEK!
Yeah it's a nuisance...
How can I remove the IE small icon from the title bar of the Modal Dialog Box.
HELLO EXPERTS,
I WANT TO KNOW HOW CAN I REMOVE SMALL INTERNET EXPLORER ICON AND THE "WEB DIALOG BOX" TITLE FROM THE MODAL DIALOG BOX OR ANY OTHER TYPE OF DIALOG BOX.
I SEE THE AUTOCOMPLETE ADVERTISEMENT OF THE DIALOG BOX WHICH DO NOT CONTAIN ANY ICON ON IT WHEN I BROWSE GOOGLE.COM.
PLEASE ANSWER MY QUESTION AND SEND THE SCRIPT OF THE DIALOG BOX WHICH DO NOT CONTAIN ANY ICON ON THE TOP LEFT CORNER SITE...
msnia,
This is a new question. Please raise it properly. [And don't shout (use block capitals.)]
lol
JohnT
"Malware" or not, I raised this with the "Better Business Bureau".
If you consider it appropriate that another company can at any time inspect your computer - see all installed software, what you are running and possibly intercept what is typed - then fine; just leave this discussion.
I also know that trace of the doings of "commercial exploitation" is not searched for by any virus scanner - including Norton. You have to detect this yourself - remove what is inappropriate and retain sufficient to allow e.g. Kodak camera software to be used.
There is a need for the public (US and the rest of the world) to stand up and dictate to companies what we find "reasonable" trespassing on our computer - where they cross the border of "privacy". Is it acceptable to leave a port open "LISTEN" for code update? - that sends "I'm on the net"? - or does a company need to notify the user of an update policy, and leave it to "the consumer" to choose? To make the Kodak update, much of the Blaster virus code was used, while Kodak claim that they just outsourced this to a company that provided the solution they distribute - and they are unaware of links between the codes.
To halt what I consider a nuisance - I need to understand more than a virus scanner - and cannot rely on that. To determine what a community accepts as "threat" or "invasion of privacy" we need another forum. This is not even security it is ethics.
So I ask the moderator to recommend further action
Knut H.
ASKER
As far as I am concerned the spyware should be illegal.... it opens up ports like opening doors and windows on your house... If my computer was a work computer, say a laptop that connects through VPN or whatnot to my company, this is a big security risk in my eyes, having this spyware on a system. If companies can code stuff like CoolWebSearch (which should be considered 100% malicious code because of what it does) and distribute it and then cause my system and other people's systems to be unusable in addition to hogging bandwidth etc... this should be illegal...
Cable theft is illegal, so why is it not illegal for companies to rip off my bandwidth allocated to me by my ISP, who is a cable provider?
Tapping someone's phone or recording a conversation without consent is illegal, so why is it legal for companies to tap my computer?
If I put a program on someone else's computer it would be considered hacking and so forth if it collected data about them, so why is it that these companies that make spyware do not go to jail?
With the Patriot Act why is it not illegal for these companies to acquire personal data about you? How do we know that some of these spywares are not developed by other governments or individuals just waiting for the spyware to get on the right person's PC to get information off of their system to sell or use for other malicious purposes.
Even better yet these marketing companies are making money off of putting their junk on peoples computers seeing as how no one will buy the telemarketing junk and/or participate in surveys now they have to be sneaky about it and they get money for this, this data is sold to the highest bidder for demographic / marketing data.
I think personally a class action lawsuit should be started based on and seeking:
Invasion of privacy
Loss of functionality / use of equipment
Emotional Damages - based on the stress of trying to get the garbage off the PC.
Misrepresentation / Fraud / False Advertising
Punitive damages - based on the above mentioned.
Repair costs and reimbursement for time loss due to problems caused by the spyware and also the removal of it. ( this should be available to the home user and corporations).
Using someone else's equipment for profit without written consent (I would think anyone would charge money to rent equipment or space these days... so if their software is using my PC as a server then I want to be paid as a hosting company would be).
I have tried the "Invasion of Privacy" - where the BBB (US "Consumer councils") rejected the case on the basis that the distributor of the "software" was "ignorant of malice" and "relied on professional recommendation when developing the software". I needed to provide evidence of intent of malice - furthermore the distribution was a "free" add-on to a product, where functionality could be achieved without it. (So - what is the purpose, other than surveillance of buyers' behaviour?)
Illegal.
- Which law do you apply: US state law, UK law - my Kodak company has a mailing address in NJ - where complaints were treated out of courtesy because I was not a NJ resident.
In Europe, it is simpler - we may raise issues like this with local consumer councils that will make recommendation first with national ramifications - and then gradually end up as EC against ... - but until then we fight a dodging US community. I would recommend full public reporting of the activity - possibly even as virus, with full removal as an option. I would also like to see an agency that could "approve" code. That would involve verifying the source code, describing top-level actions, and the nature of the reporting. There used to be standards here - as a vendor we had to warrant that the code had no side effects and made no usage of other resources - and expected to be dragged to court for deviating from this. We could not subcontract development to other companies if we could not inspect the code to verify and ensure that they did not jeopardise us.
There is a "cowboy" attitude in the industry - someone got away with it makes precedence. It is with full intent I refer to the company that brought this to my attention. I ask everyone to do likewise - not
"I received spyware the other day" - but
.."after installing new camera drivers from Kodak - I discovered that..." - ready with full name and address, to enable others that have installed a similar driver to inspect, see and learn.
My hope is that finally the companies will learn. This may entail that we may have to discourage installation and recommend against purchase of things. However, companies should be certain that the products they develop and sell products that the consumer meets consumer requirement - and not everything else.
I agree that we may need to get some lawyers out.
"To halt what I consider a nuisance - I need to understand more than a virus scanner - and cannot rely on that. To determine what a community accepts as "threat" or "invasion of privacy" we need another forum. This is not even security it is ethics."
I totally agree with all these comments. Technology is great. But - Sheesh between the malware and outsourcing, companies are exploiting loopholes that interfere with our rights as far as I am concerned. Big business is a worse threat than Big Brother. Let them do business just don't interfere with my rights! look at all of the posts of late with people upset about them screwing with our personal computers. This is outrageous.
Beware,
It is not your "personal" computer that suffers the most.
In another discussion group I posted a virus that left a bank open - anyone could write a simple VBA program. I used an LDAP browser to see who worked in the bank - link names, email addresses, PC/LAN names - and what they worked on. What you could have done with their banking systems is left for me and you to imagine. Had I hacked my way into the bank - instead of writing an email to the sysadm - they could have prosecuted me for criminal conduct. That they left a security hole and tried to infect my PC with a virus would be irrelevant. I would have a lot of explaining to do to the judge - and wonder if I ever would have got off the hook.
One company that was traced last year as originator for such "Adware" - caused a major hiccup on the Internet yesterday according to the Washington Post.
It makes me believe it is no longer "Big Business" - but "Greedy Business", usually relatively small companies, that cause the big problems. It is also the rest of us that leave it to others to fix our own problems. A virus scanner will detect persistent objects as "files" on your computer, compare with what has been found on others, give them a name that you can report and delete the files. Their skills in networking bother me - and I rely on continually updating Stinger - and no scanner - but a firewall that is effective. Beware that Microsoft's implementation of tcp/ip is incomplete and with so many security holes that I wonder why nobody has seen the business opportunity in making a full "Winsocket" implementation - without the "Commercial exploitations".
Very much of all this could have been avoided by all of us if we had used a browser like Opera, that traps Adware.
ASKER