TDS 3 Newbie -- ?Mutant trojans

Discussion in 'Trojan Defence Suite' started by redhawkeagle, Sep 7, 2004.

Thread Status:
Not open for further replies.
  1. redhawkeagle

    redhawkeagle Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    5
    When I run a deep scan on my system it shows three alarms:
    pos id <adv>: Possible webDownloader in C:\documents and settings\all users\documents\ss.exe

    pos id; Demo.Leaktest 1.1 (not a trojan): File: C:\documents and settings\monty\my documents\my received files\leaktest.exe

    suspicious filename: Dual extensions
    File: C:\program files\kazaa\my shared folder\procreate knockout v.2.0.exe


    What do I do to run the advanced analysis on the possible webdownloader?
    Do I just delete the demo.leaktest? What about the dual extensions?

    Most importantly though, the Memory Mutex scan shows no mutex trojans. However, when I use SysInternals Process Explorer it shows several svchost.exe processes that show Mutant entries. Also, when I pull up the properties, a few of them show a Logon SID (S-1-5-5-0-616890) under the Group entry, not to mention the NT AUTHORITY\Authenticated Users.

    I have been working on this for weeks now because originally my system was acting funny and it showed a lot of processes running. However, no amount of scans could find anything. Nor could anyone at the pcpitstop forums.

    Can you help me?
    Thanks!
     
  2. redhawkeagle

    redhawkeagle Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    5
    Oops! I forgot to add this....

    In my svchost.exe 1540 Properties under Process Explorer,

    the TCP/IP tab shows these entries:

    TCP / carrie:1025/ carrie:0/ LISTENING
    TCP / carrie: 3002/ carrie:0/ LISTENING
    TCP / carrie: 3003/ carrie:0/ LISTENING
    UDP /carrie: radius/ *.*
    UDP /carrie: radacct/ *.*
    UDP /carrie: 1645/*.*
    UDP /carrie: 1646/*.*
    UDP /carrie: ntp/*.*
    UDP/carrie: 3004/*.*
    UDP/carrie: 3005/*.*
    UDP/carrie: ntp/*.*

    Are these ports supposed to be open? Should I be concerned?

    Thank you
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi redhawkeagle, there are a couple of things that you can do.
    Firstly, see if you can grab a copy of those files, zip them up and send them to submit@diamondcs.com.au for analysis.

    Secondly, go here: http://www.diamondcs.com.au/index.php?page=products and download Autostart Viewer:

    From the menu options, select all three items.
    Save to a text file and copy and paste it here; be careful to edit out any personal information before posting.

    Thanks. Pilli
     
  4. redhawkeagle

    redhawkeagle Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    5
    Okay, silly question here --- how do you grab a copy of the files that you requested?
     
  5. redhawkeagle

    redhawkeagle Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    5
    :eek: Wow! Here is the information from the AutoStart that you asked for. Thanks for all your help!


    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Monty@CARRIE, 09-07-2004
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    c:\windows\system.ini [drivers]
    timer=timer.drv
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOWS\Explorer.exe
    HKCR\vbsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\srmclean
    C:\Cpqs\Scom\srmclean.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Kaspersky Anti-Virus Lite
    C:\Program Files\Defender\Defender Pro Anti-Virus\AvpM.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TuneUp MemOptimizer
    C:\Program Files\TuneUp Utilities 2004\MemOptimizer.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\Tasks\1-Click Maintenance.job
    C:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe
    C:\WINDOWS\Tasks\Symantec NetDetect.job
    C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Smart Wizard Wireless Settings.lnk
    C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Smart Wizard Wireless Settings.lnk.disabled
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
    C:\Program Files\WinZip\WZQKPICK.EXE
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\System32\dcsws2.dll
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    C:\WINDOWS\INF\unregmp2.exe /ShowWMP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{9A5A76F5-042A-4336-B7C6-E3B729E324A2}\
    RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
    HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\
    C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA851-CC51-11CF-AAFA-00AA00B6015C}\
    rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\wpie4x86.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\{4b218e3e-bc98-4770-93d3-2731b9329278}\
    C:\WINDOWS\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
    rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser
    HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
    regsvr32.exe /s /n /i:U shell32.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
    C:\WINDOWS\system32\ie4uinit.exe
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINDOWS\system32\JAVASUP.VXD
    HKLM\System\CurrentControlSet\Services\AFD\
    C:\WINDOWS\System32\drivers\afd.sys
    HKLM\System\CurrentControlSet\Services\Alerter\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\AppMgmt\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Ati HotKey Poller\
    C:\WINDOWS\System32\Ati2evxx.exe
    HKLM\System\CurrentControlSet\Services\AudioSrv\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\AvgCore\
    \??\C:\PROGRA~1\Grisoft\AVG6\avgcore.sys
    HKLM\System\CurrentControlSet\Services\AvgFsh\
    \??\C:\PROGRA~1\Grisoft\AVG6\avgfsh.sys
    HKLM\System\CurrentControlSet\Services\Browser\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Cnxtdiag\
    C:\WINDOWS\System32\DRIVERS\cnxtdiag.sys
    HKLM\System\CurrentControlSet\Services\Compaq_RBA\
    C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
    HKLM\System\CurrentControlSet\Services\COMSysApp\
    C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
    HKLM\System\CurrentControlSet\Services\CryptSvc\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dhcp\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dnscache\
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    HKLM\System\CurrentControlSet\Services\Eventlog\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\Fallback\
    C:\WINDOWS\System32\DRIVERS\C4C_FALL.sys
    HKLM\System\CurrentControlSet\Services\Fsks\
    C:\WINDOWS\System32\DRIVERS\C4C_FSKS.sys
    HKLM\System\CurrentControlSet\Services\helpsvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ImapiService\
    C:\WINDOWS\System32\Imapi.exe
    HKLM\System\CurrentControlSet\Services\K56\
    C:\WINDOWS\System32\DRIVERS\C4C_K56K.sys
    HKLM\System\CurrentControlSet\Services\KAVMonitorService\
    C:\Program Files\Defender\Defender Pro Anti-Virus\AvpM.exe
    HKLM\System\CurrentControlSet\Services\lanmanserver\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\lanmanworkstation\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\LmHosts\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\MDM\
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    HKLM\System\CurrentControlSet\Services\mdmxsdk\
    C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys
    HKLM\System\CurrentControlSet\Services\NetDDE\
    C:\WINDOWS\system32\netdde.exe
    HKLM\System\CurrentControlSet\Services\NetDDEdsdm\
    C:\WINDOWS\system32\netdde.exe
    HKLM\System\CurrentControlSet\Services\NtLmSsp\
    C:\WINDOWS\System32\lsass.exe
    HKLM\System\CurrentControlSet\Services\pavdrv\
    C:\WINDOWS\System32\DRIVERS\pavdrv51.sys
    HKLM\System\CurrentControlSet\Services\PlugPlay\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\PolicyAgent\
    C:\WINDOWS\System32\lsass.exe
    HKLM\System\CurrentControlSet\Services\ProtectedStorage\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\RDSessMgr\
    C:\WINDOWS\system32\sessmgr.exe
    HKLM\System\CurrentControlSet\Services\RemoteAccess\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\RpcLocator\
    C:\WINDOWS\System32\locator.exe
    HKLM\System\CurrentControlSet\Services\RpcSs\
    C:\WINDOWS\system32\svchost -k rpcss
    HKLM\System\CurrentControlSet\Services\RSVP\
    C:\WINDOWS\System32\rsvp.exe
    HKLM\System\CurrentControlSet\Services\SamSs\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\Schedule\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SENS\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SharedAccess\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ShellHWDetection\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SoftFax\
    C:\WINDOWS\System32\DRIVERS\C4C_FAXX.sys
    HKLM\System\CurrentControlSet\Services\Spooler\
    C:\WINDOWS\system32\spoolsv.exe
    HKLM\System\CurrentControlSet\Services\srservice\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SSDPSRV\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\stisvc\
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    HKLM\System\CurrentControlSet\Services\Themes\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Tones\
    C:\WINDOWS\System32\DRIVERS\C4C_TONE.sys
    HKLM\System\CurrentControlSet\Services\uploadmgr\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\upnphost\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\V124\
    C:\WINDOWS\System32\DRIVERS\C4C_V124.sys
    HKLM\System\CurrentControlSet\Services\W32Time\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WebClient\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\winmgmt\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WmiApSrv\
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    HKLM\System\CurrentControlSet\Services\wuauserv\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WZCSVC\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
     
  6. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hello Redhawkeagle :)

    First, I will let Pilli deal with AS-Viewer log :)

    I can help with a couple of other things. I shall post in a couple of posts with screenies to show you. :)

    # Leaktest entry: IGNORE. You/someone downloaded that to test your Firewall.

    Many people have that file, and even if you try to run it, TDS blocks it, as it does 'act in a trojan-like manner'. For you to get it to run, you would have to shut down TDS to test your firewall.

    To be doubly sure of your entry, navigate to that file (just follow the path it gives) and then simply put your cursor over it, or right-click and select Properties, and you should have the same info as in my screenshot. Icon and size! OK :)

    Cheers, TAS
     

    Last edited: Sep 7, 2004
  7. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    This one: pos id <adv>: Possible webDownloader in C:\documents and settings\all users\documents\ss.exe

    Go here: McAFEE BackDoor-CGT

    Read through that; you will note where ss.exe is mentioned, but also the file size.
    Once again, navigate to the file, following the path outlined, then right-click on it, select Properties, and see if the file size matches the description, or any other information you can get from it via Properties.

    Now, to submit the files [ignore Leaktest], once again, navigate through Windows Explorer to each file's location, following the paths given, and do the following.

    Right-click on the file.
    Select Send to.....
    Select Compressed [zipped] Folder
    It will zip up the file and put the zipped version usually in the same location you are in.... or.. if it does ask for a location, select Desktop for ease of use.

    In my screenshot, I did that first, and do you see the green highlighted zipped file it gave me before I took the screenshot?
    [Ignore MY icon; I have zipped files associated with my primary compression format, Aladdin's StuffIt program]. Your icon should be like the selection I have chosen to zip with.

    Now.. all you have to do is the same with the other file so you have 2 zipped files.

    Open your email program...in To field: submit(at)diamondcs.com.au [ (at) replaced with @ ]....
    subject something like: 'please check redhawkeagle Wilders'
    Then simply use Attach button and attach the files and send with explanation and a pointer to this thread. :)

    You do know, of course, that Kazaa is probably one of the easiest ways to get crook/trojan/malware files onto your system?

    Cheers, TAS
     

    Last edited: Sep 7, 2004
  8. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    PS: I forgot also.... Suspicious file name Dual Extensions reading..

    It alerts like that as it reads any extra period [.] as it would an extension, since some files can try to disguise themselves by adding extra spaces and/or an extra extension at the end so you don't realise it.

    eg: mypic.jpg [lots spaces here] .exe

    So..... seeing the v.1.0.exe, it's alerting, etc. on the file name so you can check it out.

    Of course, if you know absolutely for sure the file is a program you downloaded and use from a trustworthy place, then you simply ignore the findings.
    I have 2 files like that and know them by heart. I always get the Leaktest alert and the 2 other Dual Extensions alerts. :)

    TAS

    PS: More info on ss.exe HERE
     
    Last edited: Sep 7, 2004
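
The dual-extension heuristic TAS describes, worked through as an added example; this is not code from the thread or from TDS, and it goes a little further than the TDS alert by also scoring a decoy extension and whitespace padding in front of a runnable extension. The extension lists and sample names are constructed (two of the names are taken from the alerts quoted above).

```python
import re

# Extensions Windows runs directly on double-click (constructed list, not exhaustive).
EXECUTABLE_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd",
                         "vbs", "vbe", "js", "jse", "wsh", "wsf"}

# Harmless-looking extensions a disguised file typically borrows (constructed list).
DECOY_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc",
                    "pdf", "mp3", "avi", "zip"}


def basename(path):
    """Return the file-name part of a Windows (or POSIX) path."""
    return re.split(r"[\\/]", path)[-1]


def analyse_filename(path):
    """Return a list of findings for one file name; an empty list means nothing noteworthy."""
    name = basename(path)
    parts = name.split(".")
    findings = []
    if len(parts) < 2:
        return findings                      # no extension at all, nothing to judge
    final_ext = parts[-1].strip().lower()

    # Heuristic 1, the TDS-style alert: every period beyond the one in front of the
    # real extension counts as an "extension", so a harmless "v.2.0.exe" is reported too.
    if len(parts) > 2:
        findings.append("dual extensions")
    if final_ext not in EXECUTABLE_EXTENSIONS:
        return findings                      # harmless final extension: dual-extension note only

    # Heuristic 2: a decoy extension sits in front of the executable one ("report.pdf.exe").
    inner = [p.strip().lower() for p in parts[1:-1]]
    decoys = [p for p in inner if p in DECOY_EXTENSIONS]
    if decoys:
        findings.append("disguised executable: decoy ." + decoys[-1] + " before ." + final_ext)

    # Heuristic 3: whitespace padding pushes the real extension out of view in a file
    # listing, the "mypic.jpg [lots of spaces] .exe" trick described above.
    if re.search(r"\s+\.[^.\s]+$", name):
        findings.append("disguised executable: whitespace padding before ." + final_ext)
    return findings


def triage(path):
    """Collapse the findings into a verdict: 'clean', 'review' (dual extensions only) or 'high'."""
    findings = analyse_filename(path)
    if any(f.startswith("disguised") for f in findings):
        return "high"
    return "review" if findings else "clean"


# Constructed sample names; the first two are taken from the alerts quoted in this thread.
SAMPLE_FILES = [
    r"C:\documents and settings\monty\my documents\my received files\leaktest.exe",
    r"C:\program files\kazaa\my shared folder\procreate knockout v.2.0.exe",
    r"C:\documents and settings\all users\documents\mypic.jpg                               .exe",
    r"C:\temp\report.pdf.exe",
    r"C:\temp\holiday.jpg",
]

if __name__ == "__main__":
    for sample in SAMPLE_FILES:
        print(triage(sample).ljust(7), basename(sample), analyse_filename(sample))
```

A "review" verdict is the case TAS describes: the name only has an extra period, so you confirm the file yourself; "high" means the name is built to hide that it is a program.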
  9. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Wow, nothing for me to do :D thanks Taz!
    Yes, ss.exe looks suspicious; ADWARE downloaders are very often caught by the TDS trojan downloader heuristic detection. In cases like this, a sample of the file is all we need and we can let you know ASAP.
     
  10. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    And to add on this:
    Mutexes are objects that processes create to signal a certain usage or even "reservation" of resources. It's a very common thing among all sorts of programs, and need not necessarily indicate malware. TDS now goes ahead and checks the mutexes that are right now in your system to see if any of them has characteristics (i.e. the "name" or the resource in question etc.) that are known from a trojan program (because they do use these, too). If TDS doesn't alert, that just means that all the "mutexes" on your system are "clean". And Sysinternals Procexp just shows you all of them.
    So I suppose that there is no mutex issue here. But you should definitely have Gavin check the other mentioned thingies.

    HTHH,
    Andreas
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I remember the ss.exe as one of the files involved with downloading stuff:
    You might get those infected spam mails too; if you look in the source they have a script (these days the new version is an encoded JavaScript) which leads unpatched systems to a download site, which grabs trojan stuff from another place and installs it on the system, turning it into a zombie proxy etc.
    But if you were infected, I would expect a few more files like x.exe and the kind, as well as you noticing sudden connections and CPU usage at 100% etc. As Gavin did not react with alarms on your ASViewer log, I guess you were indeed saved from possible disaster.
    Maybe you got the ss.exe file but it was blocked from running (TDS exec protection?) and doing its further stuff. Looks like it anyway.
     
  12. redhawkeagle

    redhawkeagle Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    5
    I've emailed Tassie with the info she wanted. Here is my latest Autostart log because I think I now have the Alexa search bar and Advanced Searchbar.
    o_O
    You guys are great! Thanks for helping me with this problem.

    redhawkeagle
    :-*


    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Monty@CARRIE, 10-10-2004
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    c:\windows\system.ini [drivers]
    timer=timer.drv
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOWS\Explorer.exe
    HKCR\vbsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\srmclean
    C:\Cpqs\Scom\srmclean.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Kaspersky Anti-Virus Lite
    C:\Program Files\Defender\Defender Pro Anti-Virus\AvpM.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QuickTime Task
    C:\Program Files\QuickTime\qttask.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TuneUp MemOptimizer
    C:\Program Files\TuneUp Utilities 2004\MemOptimizer.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\Tasks\1-Click Maintenance.job
    C:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe
    C:\WINDOWS\Tasks\Symantec NetDetect.job
    C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Smart Wizard Wireless Settings.lnk
    C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Smart Wizard Wireless Settings.lnk.disabled
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
    C:\Program Files\WinZip\WZQKPICK.EXE
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\System32\dcsws2.dll
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    C:\WINDOWS\INF\unregmp2.exe /ShowWMP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{9A5A76F5-042A-4336-B7C6-E3B729E324A2}\
    RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
    HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\
    C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA851-CC51-11CF-AAFA-00AA00B6015C}\
    rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\wpie4x86.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\{4b218e3e-bc98-4770-93d3-2731b9329278}\
    C:\WINDOWS\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
    rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser
    HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
    regsvr32.exe /s /n /i:U shell32.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
    C:\WINDOWS\system32\ie4uinit.exe
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINDOWS\system32\JAVASUP.VXD
    HKLM\System\CurrentControlSet\Services\AFD\
    C:\WINDOWS\System32\drivers\afd.sys
    HKLM\System\CurrentControlSet\Services\Alerter\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\AppMgmt\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Ati HotKey Poller\
    C:\WINDOWS\System32\Ati2evxx.exe
    HKLM\System\CurrentControlSet\Services\AudioSrv\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\AvgCore\
    \??\C:\PROGRA~1\Grisoft\AVG6\avgcore.sys
    HKLM\System\CurrentControlSet\Services\AvgFsh\
    \??\C:\PROGRA~1\Grisoft\AVG6\avgfsh.sys
    HKLM\System\CurrentControlSet\Services\Browser\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Cnxtdiag\
    C:\WINDOWS\System32\DRIVERS\cnxtdiag.sys
    HKLM\System\CurrentControlSet\Services\Compaq_RBA\
    C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
    HKLM\System\CurrentControlSet\Services\COMSysApp\
    C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
    HKLM\System\CurrentControlSet\Services\CryptSvc\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dhcp\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dnscache\
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    HKLM\System\CurrentControlSet\Services\Eventlog\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\Fallback\
    C:\WINDOWS\System32\DRIVERS\C4C_FALL.sys
    HKLM\System\CurrentControlSet\Services\Fsks\
    C:\WINDOWS\System32\DRIVERS\C4C_FSKS.sys
    HKLM\System\CurrentControlSet\Services\helpsvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ImapiService\
    C:\WINDOWS\System32\Imapi.exe
    HKLM\System\CurrentControlSet\Services\K56\
    C:\WINDOWS\System32\DRIVERS\C4C_K56K.sys
    HKLM\System\CurrentControlSet\Services\KAVMonitorService\
    C:\Program Files\Defender\Defender Pro Anti-Virus\AvpM.exe
    HKLM\System\CurrentControlSet\Services\lanmanserver\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\lanmanworkstation\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\LmHosts\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\MDM\
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    HKLM\System\CurrentControlSet\Services\mdmxsdk\
    C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys
    HKLM\System\CurrentControlSet\Services\NetDDE\
    C:\WINDOWS\system32\netdde.exe
    HKLM\System\CurrentControlSet\Services\NetDDEdsdm\
    C:\WINDOWS\system32\netdde.exe
    HKLM\System\CurrentControlSet\Services\NtLmSsp\
    C:\WINDOWS\System32\lsass.exe
    HKLM\System\CurrentControlSet\Services\pavdrv\
    C:\WINDOWS\System32\DRIVERS\pavdrv51.sys
    HKLM\System\CurrentControlSet\Services\PlugPlay\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\PolicyAgent\
    C:\WINDOWS\System32\lsass.exe
    HKLM\System\CurrentControlSet\Services\ProtectedStorage\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\RDSessMgr\
    C:\WINDOWS\system32\sessmgr.exe
    HKLM\System\CurrentControlSet\Services\RemoteAccess\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\RpcLocator\
    C:\WINDOWS\System32\locator.exe
    HKLM\System\CurrentControlSet\Services\RpcSs\
    C:\WINDOWS\system32\svchost -k rpcss
    HKLM\System\CurrentControlSet\Services\RSVP\
    C:\WINDOWS\System32\rsvp.exe
    HKLM\System\CurrentControlSet\Services\SamSs\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\Schedule\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SENS\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SharedAccess\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ShellHWDetection\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SoftFax\
    C:\WINDOWS\System32\DRIVERS\C4C_FAXX.sys
    HKLM\System\CurrentControlSet\Services\Spooler\
    C:\WINDOWS\system32\spoolsv.exe
    HKLM\System\CurrentControlSet\Services\srservice\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SSDPSRV\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\stisvc\
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    HKLM\System\CurrentControlSet\Services\Themes\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Tones\
    C:\WINDOWS\System32\DRIVERS\C4C_TONE.sys
    HKLM\System\CurrentControlSet\Services\uploadmgr\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\upnphost\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\V124\
    C:\WINDOWS\System32\DRIVERS\C4C_V124.sys
    HKLM\System\CurrentControlSet\Services\W32Time\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WebClient\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\winmgmt\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WmiApSrv\
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    HKLM\System\CurrentControlSet\Services\wuauserv\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WZCSVC\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
     
  13. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi redhawkeagle...:)

    Just to clarify, I belong to the "Grumpy Old Men" gender, not the lovely fair sex. :) LOL..

    Errrr.. email? How did you email? My addy is not enabled for general use.

    Anyhow, the first point would be, did you submit the file outlined above to DCS, oh wait, did you mean by 'emailed Tassie' that was what you did for the submit [at] diamondcs.com.au link?

    If that's what you did, fine, just wait until you hear back from DCS. :)

    As to the log, I am afraid someone more knowledgeable than I shall have to interpret it; though I understand a lot of it, I would not want to give wrong advice. ;)

    Cheers, TAS [Grumpy Old Man] :D
     
  14. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I'm still overwhelmed with the ASViewer logs, still trying to get a grip on them. I understand the HijackThis logs better, where I know in general terms what to look for, but I am far from an expert. Could you also post your HJT log please, so we might see something more in places where it doesn't belong?
     
  15. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    Not to mention that it's a whole lot easier to fix things in a HijackThis log than in an ASViewer log. In HJT you can fix every item at the same time; in ASViewer you have to right-click them one at a time..
     
  16. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Redhawkeagle, seeing as Jooske asked, you can post a HJT log in THIS thread here.

    Go to
    HERE, scroll to Step 2 and follow the instructions in Step 2 only. Once you have your log file, cut and paste it in this thread here.
    [Make sure HJT.exe is not run from the desktop. It does not need to be installed: make a folder, say in C:/, call it HiJackThis and put the downloaded file into it, then proceed from there as per the instructions]

    [Note: Wilders no longer does HiJackThis logs unless asked for, as you have been :)]

    Cheers, TAS
     