downloader.clispri.A, trojan.byteverify

Discussion in 'other security issues & news' started by subratam, Nov 14, 2003.

Thread Status:
Not open for further replies.
  1. subratam

    subratam Guest

    i hav TDS 3 and all gr8 AVs like Norton and AVG but... none seem to eradicate the downloader.clispri.A or trojan.byteverify or even catch them... AVG catches though but i hav to clean them manually... come on TDS u can do it
     
  2. subratam

    subratam Guest

    trojan.byteverify,downloader.clispri.A

    can anyone say wat i can do with these trojans.... they are new kid on the blocks and yes they are :'( unknown... can anyone temme anything bout these...
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Re:trojan.byteverify,downloader.clispri.A

    Hi subratam,

    ByteVerify is not that new: http://securityresponse.symantec.com/avcenter/venc/data/trojan.byteverify.html
    Also check this thread: http://www.wilderssecurity.com/showthread.php?t=13039

    I can't find anything about downloader.clispri.A
    Can you tell us which scanner identified what file as being clispri.A ?

    Regards,

    Pieter
     
  4. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    man... thx that i went to the same thread u gave to kno bout byteverify.. i hav all latest updates for win2k pro.. dunno though y still byteverify attacked me.. i think i hav cleaned it as i hav cwshredder done that... i also delete the historis and caches by system mechanic and i just got my cache jars in memory option in java plug in unchked so that it dun keep any cache... i read that updated java VM shudnt cause probz.. actually i dun wanna uninstall it.. hey i hav started downloading latest java plug in frm sun.. shud it b ok then??
    about downloader.clispri.A its a new kid on the block i hav got some info that it generally hav two exes scbr.exe and ptpo.exe.. i dunno wat it doz though till nou for sure.. my AVG caught that but nothin more it cud do.. no heal no delete... i am not sure also that its not anymore ... if u hav downloader... and u dunno u can run the trendmicro online scan and hav AVG 7 installed b4 that... trend opens each file and AVG catches the worm as the infected file is opened.. any got more info or hou to tackle.... plz come on in...
    thanx in advance
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    I was going to ask for your HijackThis log, but I think I found it:
    http://forums.techguy.org/t179386/s.html

    Is that correct?

    Regards,

    Pieter
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi subratam,

    I looked up what zephyr at TSG mentioned and that is correct.

    If you had Purityscan this line (or sopmething similar) would have been in your log:
    O4 - HKCU\..\Run: [Opad] C:\Documents and Settings\Administrator\Application Data\scbr.exe

    Other names that are in use for this spyware are Clickspring and Mendware. Obviously AVG decided it needed yet another name. :rolleyes:

    Regards,

    Pieter
     
  7. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    hey thats the log of mine u got it rite... and i chked it once for me... and will u plz go thru it and temme if anything wrong is still in my computer... i hav been getting frustrated by these trojans and viruses in the web... they seem to increase every second plz... see thru my hijackthis log... and see if u can find anything not needed...
    Logfile of HijackThis v1.97.6
    Scan saved at 6:16:42 PM, on 11/14/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\GFI\System Integrity Monitor 3\cfservice.exe
    C:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Tiny Personal Firewall\persfw.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\igfxtray.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Norton CrashGuard\CGMenu.EXE
    C:\PROGRA~1\DAP\DAP.EXE
    C:\WINNT\system32\ntvdm.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Desktop Architect\datray.exe
    C:\Program Files\FreeMem Professional\fmempro.exe
    C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\Program Files\Tray Wizard\TWizard.exe
    C:\Program Files\Winamp3\Studio.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\system32\mdm.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Happy Surfing
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINNT\Downloaded Program Files\ycomp5_2_3_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINNT\Downloaded Program Files\ycomp5_2_3_0.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Norton CrashGuard Monitor] "C:\Program Files\Norton CrashGuard\CGMenu.EXE"
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKLM\..\Run: [Tray Wizard] C:\Program Files\Tray Wizard\TWizard.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe"
    O4 - HKCU\..\Run: [Desktop Architect] "C:\Program Files\Desktop Architect\datray.exe" -S
    O4 - HKCU\..\Run: [FreeMem Pro] "C:\Program Files\FreeMem Professional\fmempro.exe" autostart
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: 24Online Client.lnk = C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/125335c4d044a2873906/netzip/RdxIE601.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37929.4057986111
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_2_3_0.cab
    o_O... thx in advance again :)
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi subratam,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file) <= belongs to DAP but the file is missing

    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe <= Quick access to the control panel via a System Tray icon for graphics based upon the Intel chipsets (ie, i810). These chipsets are often included on motherboards. Available via Start -> Settings -> Control Panel

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime <= System Tray access to Apple's "Quick Time" viewer. Not needed

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE <= Resource hog that launches common MS Office components to help speed up the launch of Office programs. Some users claim there's no difference with or without it but it isn't required anyway. Different filenames used for different variants

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/125335c4d044a2873906/netzip/RdxIE601.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab

    Then reboot.

    Comments in italics came from: http://www.pacs-portal.co.uk/startup_pages/startup_full.php

    I don't see any spyware or trojans that are active.

    Regards,

    Pieter
     
  9. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    the latest log file ::::

    Logfile of HijackThis v1.97.6
    Scan saved at 7:45:48 PM, on 11/14/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\GFI\System Integrity Monitor 3\cfservice.exe
    C:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Tiny Personal Firewall\persfw.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Norton CrashGuard\CGMenu.EXE
    C:\PROGRA~1\DAP\DAP.EXE
    C:\WINNT\system32\ntvdm.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Tray Wizard\TWizard.exe
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Desktop Architect\datray.exe
    C:\Program Files\FreeMem Professional\fmempro.exe
    C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Happy Surfing
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINNT\Downloaded Program Files\ycomp5_2_3_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINNT\Downloaded Program Files\ycomp5_2_3_0.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Norton CrashGuard Monitor] "C:\Program Files\Norton CrashGuard\CGMenu.EXE"
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKLM\..\Run: [Tray Wizard] C:\Program Files\Tray Wizard\TWizard.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Desktop Architect] "C:\Program Files\Desktop Architect\datray.exe" -S
    O4 - HKCU\..\Run: [FreeMem Pro] "C:\Program Files\FreeMem Professional\fmempro.exe" autostart
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: 24Online Client.lnk = C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37929.4057986111
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_2_3_0.cab

    the striking part in this is i cant eradicate the
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file) and i get the same frm spybot it comes again and again.. mayb default.. anyway i hav gone thru security chks, spywareblaster download browser chks everything... as u said... hou do i kno which cookie is good for me and which one is goin to cause havoc...
    thx in advance :)
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi subratam,

    Do you still use DAP?

    Regards,

    Pieter
     
  11. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    ya i do use DAP... is thr any probz with that o_O ... it asks for browser integration at first... and when i try to do it it says "int gailed" anyway shud i uninstall DAP or when it asks at 1st i shudnt integrate it with browser?? :oops:
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi subratam,

    No there isnt much wrong with DAP, I just figured that might be the reason you can't remove that entry.
    So you can leave that one alone and if Spybot finds it again rightclick it in the main screen and choose "Exclude this product from further searches."

    And your log looks fine now.

    Regards,

    Pieter
     
  13. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    :D :D ... u guys rock man... this site really looks into each and every matters... i really appreciate ur attention. :cool: i am amazed at the answer reply rate that i hav been gettin frm this site.. hats off to u all guys to u specially frm my heart Pieter....
    i hope both download.clispri.a and trojan.byteverify have taken a backseat nou... if not and if i do get anything unnecessary i will report sooner than later..
    can u say onething to me... can i continue to hav TDS3 after the trial period.. atleast for chkin trojans..o_O
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi subratam,

    I would advise you to buy TDS3 after the trial is over, or sooner if you decide that it suits your needs. They are working on TDS4 now and you will receive a free upgrade.
    I know I never regretted buying it. :)

    Regards,

    Pieter
     
  15. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    hi thr.. ya i just saw wat u wrote.. can u plz temme wats the diff that wud come once i get it registered?? and by the way will all the functions of TDS go away after trial period?? o_O.. actually i can ofcourse register in future but till then can i continue to hav the normal functions thoz i hav nou??
    thx in advance..
    oh 1 more thing i was forgettin to get known frm u.. last time i chked full scan thru TDS it gave autoexec.bat was missin... doz that matter too much?? i chked just nou also b4 posting it says file doesnt exist c:\autoexec.bat after verifying the files.. wat is ntvdm.exe??
     
  16. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    SOMEBODY PLZ HELP ME !!!!!

    plz anyone... plz giv a lill attention to this topic :oops: i recently posted one topic namin byteverify and downloader.clispri.a.... many thing may got well till then.. i got all security that almost a person can get
    NAV 2002 latest updates with latest liveupdate installed
    AVG 7
    SpywareBlaster
    SpyBot SD
    CWshredder
    TDS
    Trojan Remover
    Tiny personal firewall
    hijackthis
    i hav even gone thru the security chks and have latest security updates...
    but this downloader.clispri.a once gettin thru purityscan when i din hav the softwares... and nou dun seem to go :oops:
    whenever i scan with trendmicro which scans each file minutely and tries to open the infected file (c:\docum~1\admini~1\locals~1\temp\vsg3ea01060) AVG catches the trojan.. but nothin more it can do.. i heard from other sites the trojan mainly has two exes... scbr.exe and ptpo.exe
    i welcome anyone anybody to help me out....
    thx in advance
     
  17. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Re:pLZ PLZ..... SOMEBODY PLZ HELP ME !!!!

    If you use any on- line scanner from housecall or any others...then during that time turn off resident AV and AT programs that you installed on your PC and have running.
     
  18. Uguel707

    Uguel707 Graphic Artist

    Joined:
    Nov 9, 2002
    Posts:
    2,999
    Location:
    San Diego
    Re:pLZ PLZ..... SOMEBODY PLZ HELP ME !!!!

    Hi Subratam!

    I'm sorry that you have to deal with one of those nasties. Although I have never caught a Trojan myself and can't personally coach you much on that matter, I found some info on Trojans that may be of help. There is advice on how to find a Trojan , how to repair damage --if you have already caught one of them --and how to avoid falling prey to Trojans . It is good also that you unhide all Windows extensions filenames before starting scanning you computer. The link I give you here tells how to do it.

    http://www.irchelp.org/irchelp/security/trojan.html

    Additional info:

    I am infected with a Trojan. How do I get rid of it?
    http://www.broadbandreports.com/faq/4191

    And I agree with Primrose's tip, turning off any resident AV and At when scanning your computer with online tools.


    Hope this helps,

    Uguel
     
  19. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Re:pLZ PLZ..... SOMEBODY PLZ HELP ME !!!!

    Hi subratam,

    Since there is related information in all of them, I've merged your various threads together into the first one you started earlier today.

    Please keep all posts on this problem together as there is useful information in all of them and it helps to have it all in one place.

    Thanks,
    LowWaterMark
     
  20. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hello subratam & welcome, If you are still having problems ref your shout for Help

    Can you please go to this link http://www.diamondcs.com.au/index.php?page=asviewer & download AsViewer.

    Run the AsViewer.exe then save the findings to asviewer.txt - paste a copy in your next reply to this thread - This may help us determine why you cannot stop or delete the troublsome files and /or what the Trojan is.

    If you can copy the any files that may belong to the Trojan - Please send them to submit@diamoncs.com.au where they can be analysed.

    To answer your last questions

    You will :
    Get the added feature of Executive Protection if you wish to install it, this basically will not allow a Trojan to run whilst TDS is running.

    Be able to download the radius files from within TDS3.

    Get a free upgrade to TDS4

    Have access to the TDS private forums - A vast knowledge base for TDS Licensed operators. :)

    TDS trial will stop working after the trial period :(

    Cheers LWM.
     
  21. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    i hav the temp folder which contains the trojan as and when its tryin to b opened by the house call it shows... shud i delete the tmp folder hou do i kno wat imp things are thr in my folder?? and i have hijackthis.. doz it work same as autostart or can i copy autostart from TDS?? actually i am not sure nou hou many more AVs ATs and Spywareblasters i need to b protected :'( i have more security softwares nou in my comp than anything else.. and had not been my comp 2.4 Ghz and 256 Ram i wud hav been struggling to manage my comp :blink:
    i hav made all necessary arrangements but i think only this downloader trojan... which once gettin into.. mayb doin nothin but as its also new kid on the block not gettin eradicated.. shud i send the temp folder to u guys?? and if u want i can post my hijackthis file log nxt up... or Autostart Viewer wateva u guys think is good
    thx in advance and waitin eagerly
     
  22. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Subratam, Zip a copy of the folder if you like and send it to submit@diamondcs.com.au
    We would like to see a printout from your autostartviewer please. Ensure that both services & drivers are selected in "Main" before saving the text.
     
  23. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    o_O here lies the AS viewer report if anything else yall need do temme... i am waitin
    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Subratam@CHWEETY, 11-15-2003
    c:\winnt\system32\autoexec.nt
    C:\WINNT\system32\mscdexnt.exe
    C:\WINNT\system32\redir.exe
    C:\WINNT\system32\dosx.exe
    c:\winnt\system32\config.nt
    C:\WINNT\system32\himem.sys
    c:\winnt\system.ini [drivers]
    timer=timer.drv
    c:\winnt\system.ini [boot]\shell
    C:\WINNT\Explorer.exe
    c:\winnt\system.ini [boot]\scrnsave.exe
    C:\WINNT\Webshots.scr
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINNT\Explorer.exe
    HKCU\Control Panel\Desktop\scrnsave.exe
    C:\WINNT\Webshots.scr
    HKCR\vbsfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Synchronization Manager
    mobsync.exe /logon
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_CC
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_EMC
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NAV Agent
    C:\PROGRA~1\NORTON~1\navapw32.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Norton CrashGuard Monitor
    C:\Program Files\Norton CrashGuard\CGMenu.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadQM
    C:\WINNT\loadqm.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DownloadAccelerator
    C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NeroCheck
    C:\WINNT\system32\\NeroCheck.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TrojanScanner
    C:\Program Files\Trojan Remover\Trjscan.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TkBellExe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SpybotSnD
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Tray Wizard
    C:\Program Files\Tray Wizard\TWizard.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\System Mechanic Cache Cleanup
    C:\Program Files\iolo\System Mechanic 4\SysMech4.exe /COMPLETECACHE
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo! Pager
    C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Desktop Architect
    C:\Program Files\Desktop Architect\datray.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\FreeMem Pro
    C:\Program Files\FreeMem Professional\fmempro.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\iolo Task Agent
    C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_Run
    C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\^SetupICWDesktop
    C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINNT\system32\NETSHELL.dll
    C:\WINNT\system32\webcheck.dll
    C:\WINNT\system32\stobject.dll
    C:\WINNT\Tasks\SIM3 Scan 1.job
    C:\Program Files\GFI\System Integrity Monitor 3\cfstart.exe
    C:\WINNT\Tasks\Symantec NetDetect.job
    C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Webshots.lnk
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\24Online Client.lnk
    C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk /r \??\C:
    autocheck autochk *
    smrgdf C:\Program Files\iolo\System Mechanic 4\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINNT\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINNT\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINNT\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINNT\system32\msafd.dll
    C:\WINNT\system32\rsvpsp.dll
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINNT\system32\JAVASUP.VXD

    :oops: thx in advance
     
  24. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    oops i din see that u told me to chk the services and drivers... sorry

    the updated viewer log :

    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Subratam@CHWEETY, 11-15-2003
    c:\winnt\system32\autoexec.nt
    C:\WINNT\system32\mscdexnt.exe
    C:\WINNT\system32\redir.exe
    C:\WINNT\system32\dosx.exe
    c:\winnt\system32\config.nt
    C:\WINNT\system32\himem.sys
    c:\winnt\system.ini [drivers]
    timer=timer.drv
    c:\winnt\system.ini [boot]\shell
    C:\WINNT\Explorer.exe
    c:\winnt\system.ini [boot]\scrnsave.exe
    C:\WINNT\Webshots.scr
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINNT\Explorer.exe
    HKCU\Control Panel\Desktop\scrnsave.exe
    C:\WINNT\Webshots.scr
    HKCR\vbsfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Synchronization Manager
    mobsync.exe /logon
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_CC
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_EMC
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NAV Agent
    C:\PROGRA~1\NORTON~1\navapw32.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Norton CrashGuard Monitor
    C:\Program Files\Norton CrashGuard\CGMenu.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadQM
    C:\WINNT\loadqm.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DownloadAccelerator
    C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NeroCheck
    C:\WINNT\system32\\NeroCheck.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TrojanScanner
    C:\Program Files\Trojan Remover\Trjscan.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TkBellExe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SpybotSnD
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Tray Wizard
    C:\Program Files\Tray Wizard\TWizard.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\System Mechanic Cache Cleanup
    C:\Program Files\iolo\System Mechanic 4\SysMech4.exe /COMPLETECACHE
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo! Pager
    C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Desktop Architect
    C:\Program Files\Desktop Architect\datray.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\FreeMem Pro
    C:\Program Files\FreeMem Professional\fmempro.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\iolo Task Agent
    C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_Run
    C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\^SetupICWDesktop
    C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINNT\system32\NETSHELL.dll
    C:\WINNT\system32\webcheck.dll
    C:\WINNT\system32\stobject.dll
    C:\WINNT\Tasks\SIM3 Scan 1.job
    C:\Program Files\GFI\System Integrity Monitor 3\cfstart.exe
    C:\WINNT\Tasks\Symantec NetDetect.job
    C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Webshots.lnk
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\24Online Client.lnk
    C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk /r \??\C:
    autocheck autochk *
    smrgdf C:\Program Files\iolo\System Mechanic 4\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINNT\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINNT\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINNT\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINNT\system32\msafd.dll
    C:\WINNT\system32\rsvpsp.dll
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINNT\system32\JAVASUP.VXD
    HKLM\System\CurrentControlSet\Services\AFD\
    C:\WINNT\System32\drivers\afd.sys
    HKLM\System\CurrentControlSet\Services\Avg7Alrt\
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    HKLM\System\CurrentControlSet\Services\Avg7UpdSvc\
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    HKLM\System\CurrentControlSet\Services\Browser\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\Dhcp\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\dmserver\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\Dnscache\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\Eventlog\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\GFI LANguard System Integrity Monitor 3 agent service\
    C:\Program Files\GFI\System Integrity Monitor 3\cfservice.exe
    HKLM\System\CurrentControlSet\Services\lanmanserver\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\lanmanworkstation\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\LmHosts\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\lnss_sscans\
    C:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
    HKLM\System\CurrentControlSet\Services\Messenger\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\navapsvc\
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    HKLM\System\CurrentControlSet\Services\NtmsSvc\
    C:\WINNT\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\PersFw\
    C:\Program Files\Tiny Personal Firewall\persfw.exe
    HKLM\System\CurrentControlSet\Services\PlugPlay\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\PolicyAgent\
    C:\WINNT\System32\lsass.exe
    HKLM\System\CurrentControlSet\Services\ProtectedStorage\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\RemoteRegistry\
    C:\WINNT\system32\regsvc.exe
    HKLM\System\CurrentControlSet\Services\RpcSs\
    C:\WINNT\system32\svchost -k rpcss
    HKLM\System\CurrentControlSet\Services\SamSs\
    C:\WINNT\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\SBService\
    C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    HKLM\System\CurrentControlSet\Services\Schedule\
    C:\WINNT\system32\MSTask.exe
    HKLM\System\CurrentControlSet\Services\SecDrv\
    \??\C:\WINNT\system32\drivers\SECDRV.SYS
    HKLM\System\CurrentControlSet\Services\seclogon\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\SENS\
    C:\WINNT\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Spooler\
    C:\WINNT\system32\spoolsv.exe
    HKLM\System\CurrentControlSet\Services\SYMTDI\
    \??\C:\WINNT\System32\Drivers\SYMTDI.SYS
    HKLM\System\CurrentControlSet\Services\TrkWks\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\WinMgmt\
    C:\WINNT\System32\WBEM\WinMgmt.exe
    HKLM\System\CurrentControlSet\Services\wuauserv\
    C:\WINNT\system32\svchost.exe -k wugroup
     
  25. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    anybody out thro_O

    and i got one more question this TDS scan says c:\autoexec.bat is missin after chkin the files , and wat is ntvdm.exeo_O
     
Thread Status:
Not open for further replies.