Please examine my log from Asviewer.

Discussion in 'malware problems & news' started by Jason Voorhees, Dec 31, 2003.

Thread Status:
Not open for further replies.
  1. DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for W A L D O@WALDO-KMR2TNEB6, 12-31-2003
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    c:\windows\system.ini [drivers]
    timer=timer.drv
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    c:\windows\system.ini [boot]\scrnsave.exe
    C:\WINDOWS\System32\logon.scr
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOWS\Explorer.exe
    HKCU\Control Panel\Desktop\scrnsave.exe
    C:\WINDOWS\System32\logon.scr
    HKCR\htafile\shell\open\command\
    C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*
    HKCR\vbsfile\shell\open\command\
    C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*
    HKCR\vbefile\shell\open\command\
    C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*
    HKCR\jsfile\shell\open\command\
    C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*
    HKCR\jsefile\shell\open\command\
    C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*
    HKCR\wshfile\shell\open\command\
    C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*
    HKCR\wsffile\shell\open\command\
    C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\zSPGuard
    c:\program files\pjw\spguard\spguard.exe /s
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\GSICONEXE
    C:\WINDOWS\system32\GSICON.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DSLAGENTEXE
    dslagent.exe USB
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PPMemCheck
    C:\PROGRA~1\PestPatrol\PPMemCheck.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KeyPatrol
    C:\PROGRA~1\PestPatrol\KeyPatrol.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CookiePatrol
    C:\PROGRA~1\PestPatrol\CookiePatrol.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
    RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Gainward
    C:\WINDOWS\TBPanel.exe /A
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CyberLat RAM Cleaner
    C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG_CC
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RegProt
    c:\regprot\regprot.exe /start
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CTFMON.EXE
    C:\WINDOWS\System32\ctfmon.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PopUpStopperFreeEdition
    C:\PROGRA~1\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\CTFMON.EXE
    C:\WINDOWS\System32\CTFMON.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    C:\Documents and Settings\W A L D O\Menu Start\Programma's\Opstarten\PPControl.lnk
    C:\Program Files\PestPatrol\PPControl.exe
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    C:\WINDOWS\inf\unregmp2.exe /ShowWMP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
    RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE
    HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\
    C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{306D6C21-C1B6-4629-986C-E59E1875B8AF}\
    C:\WINDOWS\System32\rundll32.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
    rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser
    HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
    regsvr32.exe /s /n /i:U shell32.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
    C:\WINDOWS\system32\ie4uinit.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\
    C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install
    HKLM\System\CurrentControlSet\Services\AFD\
    C:\WINDOWS\System32\drivers\afd.sys
    HKLM\System\CurrentControlSet\Services\Alerter\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\AudioSrv\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\AvgCore\
    \??\C:\PROGRA~1\Grisoft\AVG6\avgcore.sys
    HKLM\System\CurrentControlSet\Services\AvgFsh\
    \??\C:\PROGRA~1\Grisoft\AVG6\avgfsh.sys
    HKLM\System\CurrentControlSet\Services\AvgServ\
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    HKLM\System\CurrentControlSet\Services\Browser\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\CryptSvc\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dhcp\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dnscache\
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    HKLM\System\CurrentControlSet\Services\Eventlog\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\gafwload\
    C:\WINDOWS\System32\DRIVERS\gafwload.sys
    HKLM\System\CurrentControlSet\Services\helpsvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\lanmanserver\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\lanmanworkstation\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\LmHosts\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\NVSvc\
    C:\WINDOWS\System32\nvsvc32.exe
    HKLM\System\CurrentControlSet\Services\PlugPlay\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\PolicyAgent\
    C:\WINDOWS\System32\lsass.exe
    HKLM\System\CurrentControlSet\Services\ProtectedStorage\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\RpcSs\
    C:\WINDOWS\system32\svchost -k rpcss
    HKLM\System\CurrentControlSet\Services\SamSs\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\seclogon\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SENS\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ShellHWDetection\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SocketLock\
    \??\C:\WINDOWS\System32\socketlock.sys
    HKLM\System\CurrentControlSet\Services\Spooler\
    C:\WINDOWS\system32\spoolsv.exe
    HKLM\System\CurrentControlSet\Services\srservice\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\stisvc\
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    HKLM\System\CurrentControlSet\Services\Themes\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\TrkWks\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\uploadmgr\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\vsdatant\
    \??\C:\WINDOWS\System32\vsdatant.sys
    HKLM\System\CurrentControlSet\Services\vsmon\
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service
    HKLM\System\CurrentControlSet\Services\WebClient\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\winmgmt\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WZCSVC\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
     
  2. I had to completely reinstall my XP Home after a possible virus infection.

    I installed my most-used software again (system working correctly again)... but I'm afraid the malware is still lurking deep beneath my registry.

    I don't know the name of the malware that messed me up, but it killed ALL .exe files, so I couldn't run my AV anymore (eTrust promo).

    When my PC crashed I was running > eTrust promo, PestPatrol, ZA Pro, Script Defender, RegProt > all resident.

    I did get some warnings from RegProt, but (my bad) I just clicked them away :( and then the misery began.

    Jason
     
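A first-pass triage of a report like the one above, as an added example for this thread (it is not DiamondCS's code and not the forum staff's own checking procedure): a Python script that parses the report's layout, a location line followed by one or more command lines, and flags the three things a reviewer scans for first: images given as bare names that Windows resolves through the search path (the `dslagent.exe USB` entry), programs chained into the Winlogon `Shell`/`Userinit` values, and file-class handlers that no longer point at the default program. The embedded sample is constructed from lines of the posted report plus one invented `exefile` entry showing what a hijacked .exe handler looks like; the posted report contains no such line, and the check is included because "it killed ALL .exe files" is a symptom that kind of hijack can produce. Every path and name in the sample is illustrative.

```python
"""Triage a DiamondCS Autostart Viewer report for the usual persistence red flags.
Added example for this thread (not DiamondCS code, not the forum's own checks): it
parses the report layout (location line, then command lines) and flags what a
reviewer looks at first."""
import re

# Constructed sample in the posted report's layout. All lines except the last two
# are copied from the report above; the exefile entry is an invented illustration
# of a hijacked .exe handler and does NOT appear in the posted log.
SAMPLE_REPORT = r"""
DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for USER@HOST, 12-31-2003
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\system32\userinit.exe
HKCR\vbsfile\shell\open\command\
C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DSLAGENTEXE
dslagent.exe USB
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
HKCR\exefile\shell\open\command\
C:\WINDOWS\example-hijack.exe "%1" %*
"""

# A location line is a registry key/value, a config file, an .ini section or a
# Startup .lnk; every following line up to the next location is a command.
LOCATION_RE = re.compile(r"^(?:HK(?:LM|CU|CR|U)\\|[a-z]:\\.*\.(?:nt|lnk)$"
                         r"|[a-z]:\\.*\.ini \[[^\]]+\])", re.IGNORECASE)
ROOTED_RE = re.compile(r"^(?:\\\?\?\\)?(?:[a-z]:\\|%\w+%|\\\\)", re.IGNORECASE)
HANDLER_RE = re.compile(r"^HKCR\\(\w+)\\shell\\open\\command$", re.IGNORECASE)
HOST_BINARIES = {"rundll32", "rundll32.exe", "autocheck"}   # judge the module they load
NATIVE_CLASSES = {"exefile", "comfile", "batfile", "cmdfile", "piffile", "scrfile"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
WINLOGON_EXPECTED = {"shell": "explorer.exe", "userinit": "userinit.exe"}


def parse_report(text):
    """Map each autostart location to the command line(s) listed under it."""
    entries, location = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or "Autostart Viewer" in line:       # blank line or report header
            continue
        if LOCATION_RE.match(line):
            location = line.rstrip("\\")
            entries.setdefault(location, [])
        elif location is not None:
            entries[location].append(line)
    return entries


def image_of(command):
    """Launched image of a command line; copes with quoted paths and with
    unquoted paths that contain spaces (the report prints them unquoted)."""
    if command.startswith('"') and command.find('"', 1) > 0:
        return command[1:command.find('"', 1)]
    first = re.split(r"[\s,]", command, maxsplit=1)[0]
    if "\\" not in first:                    # bare name: dslagent.exe, RUNDLL32.EXE
        return first
    m = re.match(r"(.+?\.(?:exe|dll|sys|scr|com|bat|cmd))(?=[\s,]|$)", command, re.I)
    return m.group(1) if m else first


def check_image(command):
    """A bare image name is resolved through the search path, so a planted file
    earlier in that path wins. For rundll32-style hosts judge the module instead."""
    image = image_of(command)
    if image.lower().rsplit("\\", 1)[-1] not in HOST_BINARIES:
        return [] if ROOTED_RE.match(image) else [("unrooted_image", image)]
    module = image_of(command[len(image):].strip())
    unrooted = ("." in module or "\\" in module) and not ROOTED_RE.match(module)
    return [("unrooted_module", module)] if unrooted else []


def check_winlogon(location, commands):
    """Extra programs chained (comma separated) into Winlogon Shell or Userinit."""
    loc = location.lower()
    name = loc.rsplit("\\", 1)[-1]
    if name not in WINLOGON_EXPECTED or not ("winlogon" in loc or "[boot]" in loc):
        return []
    parts = [p.strip() for c in commands for p in c.split(",") if p.strip()]
    return [p for p in parts if p.lower().rsplit("\\", 1)[-1] != WINLOGON_EXPECTED[name]]


def check_handler(location, commands):
    """exefile and friends must start with "%1"; script classes must go to a script
    host. Anything else intercepts every launch of that file type, benign or not."""
    m = HANDLER_RE.match(location)
    if not m:
        return []
    native = m.group(1).lower() in NATIVE_CLASSES
    return [c for c in commands
            if (native and not c.startswith('"%1"'))
            or (not native and image_of(c).lower().rsplit("\\", 1)[-1] not in SCRIPT_HOSTS)]


def triage(text):
    """Return (check, location, detail) triples for entries worth a closer look."""
    findings = []
    for location, commands in parse_report(text).items():
        for command in commands:
            findings += [(chk, location, d) for chk, d in check_image(command)]
        findings += [("winlogon_tamper", location, p) for p in check_winlogon(location, commands)]
        findings += [("handler_redirected", location, c) for c in check_handler(location, commands)]
    return findings


if __name__ == "__main__":
    for check, location, detail in triage(SAMPLE_REPORT):
        print(f"{check:<19} {location}\n{'':19} -> {detail}")
```

Run as-is it prints three findings for the constructed sample; to run it on a saved report, pass the file's text to `triage()` instead of `SAMPLE_REPORT`. The checks are deliberately noisy in the direction of "look at this": the AnalogX Script Defender handlers in the posted report are flagged because they do intercept every script launch, which is exactly what that tool is for, and the Active Setup `rundll32.exe advpack.dll,...` entries are flagged because the DLL is named without a path. The script reports; the reviewer decides.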
  3. Paul Wilders (Administrator)
    Jason,

    At first view, nothing fishy shows up. We'd like to perform some more checking though; please follow what is posted in these guidelines and post the results.

    regards.

    paul
     