Trojans and Worms - yuk yuk - Page 2

Thread: Trojans and Worms - yuk yuk

  1. #16
    Join Date
    Feb 2004
    Location
    Mandurah, Western Australia
    Posts
    10,157
    Go here and download then run Silent Runners.vbs. Right click on the download link and select Save Target As. Save it to the desktop or to a folder in a permanent directory. It generates a log which will be created in the same folder you are running it from. Please post the information back in this thread.
    If you have a script blocking program, please allow the file to run. It is not malicious.

  2. #17
    Join Date
    May 2002
    Location
    Dallas, Texas, USA
    Posts
    1,413
    "Silent Runners.vbs", revision R50, http://www.silentrunners.org/
    Operating System: Windows 2000
    Output limited to non-default values, except where indicated by "{++}"

    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "b9" = "C:\Program Files\Firetrust\Benign\B9.exe /minimize" ["Firetrust Ltd"]
    "ctfmon.exe" = "ctfmon.exe" [MS]
    "swg" = "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" ["Google Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "Synchronization Manager" = "mobsync.exe /logon" [MS]
    "TCASUTIEXE" = "TCAUDIAG -off" [empty string]
    "MULTIMEDIA KEYBOARD" = "C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" ["Netropa Corp."]
    "UpdReg" = "C:\WINNT\Updreg.exe" ["Creative Technology Ltd."]
    "AtiPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
    "QuickTime Task" = ""D:\programs\qttask.exe" -atboottime" ["Apple Computer, Inc."]
    "NeroCheck" = "C:\WINNT\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
    "MailWasher" = "D:\Programs\MailWasher Pro\MailWasher Pro\MailWasher.exe" ["Firetrust Ltd"]
    "InCD" = "D:\Programs\Nero InCD Packet-Writing\InCD.exe" ["Copyright (C) ahead software gmbh and its licensors"]
    "DIAGENT" = "C:\Program Files\Creative\SBLive2k\Creative Diagnostics 2.0\DIAGENT.EXE startup" ["Creative Technology Ltd"]
    "CreateCD50" = ""C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r" ["Roxio"]
    "AHQInit" = "C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe" ["Creative Technology Ltd"]
    "AdaptecDirectCD" = ""C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
    "SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
    "Mell Reg Reminder" = "(empty string)" [file not found]
    "SCANINICIO" = ""D:\Programs\Panda Platinum 7 - 2007\Inicio.exe"" ["Panda Software"]
    "APVXDWIN" = ""D:\Programs\Panda Platinum 7 - 2007\APVXDWIN.EXE" /s" ["Panda Software International"]
    "Ninja" = "(empty string)" [file not found]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {00C6482D-C502-44C8-8409-FCE54AD9C208}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SnagIt Toolbar Loader"
    \InProcServer32\(Default) = "D:\Programs\SnagIt 8.2\SnagItBHO.dll" ["TechSmith Corporation"]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "AcroIEHlprObj Class"
    \InProcServer32\(Default) = "D:\Programs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
    {0CF0B8EE-6596-11D5-A98E-0003470BB48E}\(Default) = "CCHelper"
    -> {HKLM...CLSID} = "CCHelper Class"
    \InProcServer32\(Default) = "D:\Programs\Pop-Up Stopper Companion\CCHelper.dll" [empty string]
    {4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"
    -> {HKLM...CLSID} = "SpywareGuardDLBLOCK.CBrowserHelper"
    \InProcServer32\(Default) = "D:\Programs\SpywareGuard 2.2\SpywareGuard\dlprotect.dll" [null data]
    {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "D:\Programs\SPYBOT~1.1\SPYBOT~1.1\SDHelper.dll" [null data]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SSVHelper Class"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
    {7c1ce531-09e9-4fc5-9803-1c2956615786}\(Default) = "Google Desktop Search Capture"
    -> {HKLM...CLSID} = "IeCaptureBho Object"
    \InProcServer32\(Default) = "C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll" [null data]
    {AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Google Toolbar Helper"
    \InProcServer32\(Default) = "c:\program files\google\googletoolbar7.dll" ["Google Inc."]
    {AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "AcroIEToolbarHelper Class"
    \InProcServer32\(Default) = "D:\Programs\Adobe\Acrobat\AcroIEFavClient.dll" [null data]
    {C6CEAC32-D45C-11D4-94AF-0050BABD5FD6}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "ieCom Class"
    \InProcServer32\(Default) = "D:\Programs\URL Organizer\UrlOrgIE.dll" [null data]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
    -> {HKLM...CLSID} = "Display Panning CPL Extension"
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
    "{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
    -> {HKLM...CLSID} = "Adaptec DirectCD Shell Extension"
    \InProcServer32\(Default) = "C:\PROGRA~1\Adaptec\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
    "{8F05B1A8-9D77-4B8F-AF54-6B2202066F95}" = "Pop-Up Stopper &Companion"
    -> {HKLM...CLSID} = "Pop-Up Stopper &Companion"
    \InProcServer32\(Default) = "D:\Programs\Pop-Up Stopper Companion\popupus.dll" [null data]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "D:\Programs\Microsoft Office 2003\OFFICE11\msohev.dll" [MS]
    "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
    -> {HKLM...CLSID} = "Acrobat Elements Context Menu"
    \InProcServer32\(Default) = "D:\Programs\Adobe\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
    "{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
    -> {HKLM...CLSID} = "WinZip"
    \InProcServer32\(Default) = "D:\PROGRAMS\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
    "{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
    -> {HKLM...CLSID} = "WinZip"
    \InProcServer32\(Default) = "D:\PROGRAMS\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
    "{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
    -> {HKLM...CLSID} = "WinZip"
    \InProcServer32\(Default) = "D:\PROGRAMS\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
    "{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
    -> {HKLM...CLSID} = "WinZip"
    \InProcServer32\(Default) = "D:\PROGRAMS\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
    "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
    -> {HKLM...CLSID} = "Microsoft Office Outlook"
    \InProcServer32\(Default) = "D:\Programs\MICROS~3\OFFICE11\MLSHEXT.DLL" [MS]
    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
    -> {HKLM...CLSID} = "Outlook File Icon Extension"
    \InProcServer32\(Default) = "D:\Programs\MICROS~3\OFFICE11\OLKFSTUB.DLL" [MS]
    "{506F4668-F13E-4AA1-BB04-B43203AB3CC0}" = "{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
    -> {HKLM...CLSID} = "ImageExtractorShellExt Class"
    \InProcServer32\(Default) = "D:\Programs\Microsoft Office 2003\Visio11\VISSHE.DLL" [null data]
    "{D66DC78C-4F61-447F-942B-3FB6980118CF}" = "{D66DC78C-4F61-447F-942B-3FB6980118CF}"
    -> {HKLM...CLSID} = "CInfoTipShellExt Class"
    \InProcServer32\(Default) = "D:\Programs\Microsoft Office 2003\Visio11\VISSHE.DLL" [null data]
    "{AB77609F-2178-4E6F-9C4B-44AC179D937A}" = "a² Context Menu Shell Extension"
    -> {HKLM...CLSID} = "a² Context Menu Shell Extension"
    \InProcServer32\(Default) = "D:\Programs\ASQUAR~1\A2FREE~1\A2CONT~1.DLL" [null data]
    "{65756541-C65C-11CD-0000-4B656E696100}" = "Panda Antivirus"
    -> {HKLM...CLSID} = "Panda Antivirus"
    \InProcServer32\(Default) = "D:\Programs\Panda Platinum 7 - 2007\pavOLE.dll" ["Panda Software"]
    "{81559C35-8464-49F7-BB0E-07A383BEF910}" = (no title provided)
    -> {HKLM...CLSID} = "SpywareGuard.Handler"
    \InProcServer32\(Default) = "D:\Programs\SpywareGuard 2.2\SpywareGuard\spywareguard.dll" [null data]
    "{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" = "SnagIt"
    -> {HKLM...CLSID} = "SnagIt"
    \InProcServer32\(Default) = "D:\Programs\SnagIt 8.2\SnagItIEAddin.dll" ["TechSmith Corporation"]
    "{CF74B903-3389-469c-B3B6-0204D204FCBD}" = "SnagIt Shell Extension"
    -> {HKLM...CLSID} = "SnagItShellExt Class"
    \InProcServer32\(Default) = "D:\Programs\SnagIt 8.2\SnagItShellExt.dll" ["TechSmith Corporation"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    <<!>> "{81559C35-8464-49F7-BB0E-07A383BEF910}" = (no title provided)
    -> {HKLM...CLSID} = "SpywareGuard.Handler"
    \InProcServer32\(Default) = "D:\Programs\SpywareGuard 2.2\SpywareGuard\spywareguard.dll" [null data]

    HKLM\System\CurrentControlSet\Control\Session Manager\
    <<!>> "BootExecute" = "PDBoot.exe" ["Raxco Software, Inc."]|"autocheck autochk *"

    HKLM\Software\Classes\PROTOCOLS\Filter\
    <<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
    -> {HKLM...CLSID} = "Acrobat Elements Context Menu"
    \InProcServer32\(Default) = "D:\Programs\Adobe\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
    Panda Antivirus\(Default) = "{65756541-C65C-11CD-0000-4B656E696100}"
    -> {HKLM...CLSID} = "Panda Antivirus"
    \InProcServer32\(Default) = "D:\Programs\Panda Platinum 7 - 2007\pavOLE.dll" ["Panda Software"]
    SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"
    -> {HKLM...CLSID} = "SnagItShellExt Class"
    \InProcServer32\(Default) = "D:\Programs\SnagIt 8.2\SnagItShellExt.dll" ["TechSmith Corporation"]
    StuffIt Context Menu\(Default) = "{2E336DC0-54F8-11D1-ABD5-447270537467}"
    -> {HKLM...CLSID} = "StuffIt Context Menu"
    \InProcServer32\(Default) = "D:\Programs\StuffIt 8.0\StuffItMenu.dll" [file not found]
    WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
    -> {HKLM...CLSID} = "WinZip"
    \InProcServer32\(Default) = "D:\PROGRAMS\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"
    -> {HKLM...CLSID} = "SnagItShellExt Class"
    \InProcServer32\(Default) = "D:\Programs\SnagIt 8.2\SnagItShellExt.dll" ["TechSmith Corporation"]
    WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
    -> {HKLM...CLSID} = "WinZip"
    \InProcServer32\(Default) = "D:\PROGRAMS\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    a2ContMenu\(Default) = "{AB77609F-2178-4E6F-9C4B-44AC179D937A}"
    -> {HKLM...CLSID} = "a² Context Menu Shell Extension"
    \InProcServer32\(Default) = "D:\Programs\ASQUAR~1\A2FREE~1\A2CONT~1.DLL" [null data]
    Panda Antivirus\(Default) = "{65756541-C65C-11CD-0000-4B656E696100}"
    -> {HKLM...CLSID} = "Panda Antivirus"
    \InProcServer32\(Default) = "D:\Programs\Panda Platinum 7 - 2007\pavOLE.dll" ["Panda Software"]
    StuffIt Context Menu\(Default) = "{2E336DC0-54F8-11D1-ABD5-447270537467}"
    -> {HKLM...CLSID} = "StuffIt Context Menu"
    \InProcServer32\(Default) = "D:\Programs\StuffIt 8.0\StuffItMenu.dll" [file not found]
    WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
    -> {HKLM...CLSID} = "WinZip"
    \InProcServer32\(Default) = "D:\PROGRAMS\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

    Group Policies {GPedit.msc branch and setting}:
    -----------------------------------------------

    Note: detected settings may not have any effect.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

    "CDRAutoRun" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\

    "Homepage" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|Windows Components|Internet Explorer|
    Disable changing home page settings}

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Shutdown: Allow system to be shut down without having to log on}

    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Active Desktop web content (hidden if disabled):

    HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
    "FriendlyName" = "My Current Home Page"
    "Source" = "About:Home"
    "SubscribedURL" = "About:Home"

    Startup items in "Administrator" & "All Users" startup folders:
    ---------------------------------------------------------------

    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
    "MailWasherPro" -> shortcut to: "D:\Programs\MailWasher Pro\MailWasher Pro\MailWasher.exe D:\Programs\MailWasher Pro\MailWasher Pro\MailWasher.exe" ["Firetrust Ltd"]
    "Microsoft Office OneNote 2003 Quick Launch" -> shortcut to: "D:\Programs\Microsoft Office 2003\OFFICE11\ONENOTEM.EXE /tsr" [MS]
    "SpywareGuard" -> shortcut to: "D:\Programs\SpywareGuard 2.2\SpywareGuard\sgmain.exe" [null data]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "Acrobat Assistant" -> shortcut to: "D:\Programs\Adobe\Distillr\acrotray.exe" ["Adobe Systems Inc."]
    "Microsoft Office OneNote 2003 Quick Launch" -> shortcut to: "D:\Programs\Microsoft Office 2003\OFFICE11\ONENOTEM.EXE /tsr" [MS]
    "NTI Ninja" -> shortcut to: "D:\Programs\NTI Ninja - USB partitioning encryption\Open.exe" ["NewTech Infosystems"]
    "SnagIt 8" -> shortcut to: "D:\Programs\SnagIt 8.2\SnagIt32.exe" ["TechSmith Corporation"]

    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
    %SystemRoot%\system32\msafd.dll [MS], 1 - 3

    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Toolbars

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
    "{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
    -> {HKLM...CLSID} = "Adobe PDF"
    \InProcServer32\(Default) = "D:\Programs\Adobe\Acrobat\AcroIEFavClient.dll" [null data]
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
    -> {HKLM...CLSID} = "&Google"
    \InProcServer32\(Default) = "c:\program files\google\googletoolbar7.dll" ["Google Inc."]

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
    -> {HKLM...CLSID} = "&Google"
    \InProcServer32\(Default) = "c:\program files\google\googletoolbar7.dll" ["Google Inc."]
    "{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
    -> {HKLM...CLSID} = "Adobe PDF"
    \InProcServer32\(Default) = "D:\Programs\Adobe\Acrobat\AcroIEFavClient.dll" [null data]

    HKLM\Software\Microsoft\Internet Explorer\Toolbar\
    "{8F05B1A8-9D77-4B8F-AF54-6B2202066F95}" = (no title provided)
    -> {HKLM...CLSID} = "Pop-Up Stopper &Companion"
    \InProcServer32\(Default) = "D:\Programs\Pop-Up Stopper Companion\popupus.dll" [null data]
    "{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
    -> {HKLM...CLSID} = "Adobe PDF"
    \InProcServer32\(Default) = "D:\Programs\Adobe\Acrobat\AcroIEFavClient.dll" [null data]
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
    -> {HKLM...CLSID} = "&Google"
    \InProcServer32\(Default) = "c:\program files\google\googletoolbar7.dll" ["Google Inc."]
    "{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" = (no title provided)
    -> {HKLM...CLSID} = "SnagIt"
    \InProcServer32\(Default) = "D:\Programs\SnagIt 8.2\SnagItIEAddin.dll" ["TechSmith Corporation"]

    Explorer Bars

    HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
    {182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Adobe PDF"
    \InProcServer32\(Default) = "D:\Programs\Adobe\Acrobat\AcroIEFavClient.dll" [null data]

    HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
    Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
    InProcServer32\(Default) = "D:\Programs\MICROS~3\OFFICE11\REFIEBAR.DLL" [MS]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console"
    "CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
    -> {HKCU...CLSID} = "Java Plug-in"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
    -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

    {2E071ADC-ADF8-4B4B-8ACB-EDC49E6D45A2}\
    "ButtonText" = "Acronis*Pop-up Blocker"
    "MenuText" = "Acronis Pop-up Blocker"
    "CLSIDExtension" = "{2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2}"
    -> {HKLM...CLSID} = "CAdBlockToolExt Object"
    \InProcServer32\(Default) = "D:\Programs\ACRONI~1.0\ACRONI~1\Blocker.dll" [file not found]

    {92780B25-18CC-41C8-B9BE-3C9C571A8263}\
    "ButtonText" = "Research"

    HOSTS file
    ----------

    C:\WINNT\System32\drivers\etc\HOSTS

    maps: 3 domain names to IP addresses,
    2 of the IP addresses are *not* localhost!

  3. #18
    Join Date
    May 2002
    Location
    Dallas, Texas, USA
    Posts
    1,413
    Crunchie,

    This file exceeded the maximum 20000 characters allowed, so I had to split it into two posts, see below for the 2nd part.

    Thanks, I really appreciate your help.

    Linda

    _____________


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    3Com DMI Agent, 3ComDMIService, "C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE" ["3Com Corporation"]
    ActionAgent, ActionAgent, "C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe" ["Dell Computer Corporation"]
    Ati HotKey Poller, Ati HotKey Poller, "C:\WINNT\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
    Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINNT\System32\CTsvcCDA.EXE" ["Creative Technology Ltd"]
    DellDmi, DellDmi, "C:\DMI\WIN32\bin\DellDmi.exe" ["Dell Computer Corporation"]
    DLT, DLT, "C:\Program Files\Dell\OpenManage\Client\DLT.exe" ["Dell Computer Corporation"]
    Iap, Iap, "C:\Program Files\Dell\OpenManage\Client\Iap.exe" ["Dell Computer Corporation"]
    Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
    MSSQL$MICROSOFTBCM, MSSQL$MICROSOFTBCM, "C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe -sMICROSOFTBCM" [MS]
    Netropa NHK Server, nhksrv, "C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe" [null data]
    Panda anti-virus service, PAVSRV, "D:\Programs\Panda Platinum 7 - 2007\pavsrv50.exe" ["Panda Software"]
    Panda Firewall Service, PAVFIRES, "D:\Programs\Panda Platinum 7 - 2007\Firewall\PavFires.exe" ["Panda Software"]
    PDScheduler, PDSched, ""C:\Program Files\Raxco\PerfectDisk\PDSched.exe"" ["Raxco Software, Inc."]
    Win32Sl, Win32Sl, "C:\dmi\win32\bin\Win32sl.exe" ["Intel"]

    Keyboard Driver Filters:
    ------------------------

    HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
    "UpperFilters" = <<!>> "msikbd2k" ["Netropa Corporation"]

    Print Monitors:
    ---------------

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    Adobe PDF Port\Driver = "C:\WINNT\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
    Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
    Microsoft Office Live Meeting Document Writer Monitor\Driver = "lmdimon.dll" [MS]

    ----------
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points, use the -supp parameter or answer "No" at the
    first message box and "Yes" at the second message box.
    ---------- (total run time: 50 seconds, including 8 seconds for message boxes)
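
The report legend above marks `<<!>>` as "suspicious data at a malware launch point", and entries also carry `[file not found]`, `[null data]` or `[empty string]` where a publisher name would normally appear. The following triage sketch is an added example, not part of the original posts or of Silent Runners itself: it pulls those entries and the HOSTS summary out of a saved log for manual review. The sample text is constructed from lines in this thread, and the function names and reason labels are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r'''
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"TCASUTIEXE" = "TCAUDIAG -off" [empty string]
"Mell Reg Reminder" = "(empty string)" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{81559C35-8464-49F7-BB0E-07A383BEF910}" = (no title provided)
-> {HKLM...CLSID} = "SpywareGuard.Handler"
\InProcServer32\(Default) = "D:\Programs\SpywareGuard 2.2\SpywareGuard\spywareguard.dll" [null data]

HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "PDBoot.exe" ["Raxco Software, Inc."]|"autocheck autochk *"

HOSTS file
----------

C:\WINNT\System32\drivers\etc\HOSTS

maps: 3 domain names to IP addresses,
2 of the IP addresses are *not* localhost!
'''

FLAG = "<<!>>"  # the script's own marker, per the legend at the end of the report
# Trailing status tokens seen in the log, mapped to review labels (labels are ours).
STATUS_TOKENS = {
    "[file not found]": "orphaned",      # entry points at a file that no longer exists
    "[null data]": "no-publisher",       # file exists but reports no company name
    "[empty string]": "no-publisher",
}


@dataclass
class Finding:
    key: str       # registry key header the entry was listed under
    entry: str     # the entry with its "->" and "\InProcServer32" lines joined
    reasons: list  # why it was pulled out for review


def iter_entries(log_text):
    """Yield (registry_key, entry_text); continuation lines are joined to their entry."""
    key, buf = "", []
    for raw in log_text.splitlines():
        line = raw.strip()
        # A key header starts with a hive name and carries no value assignment.
        is_header = line.startswith(("HKCU\\", "HKLM\\")) and " = " not in line
        is_rule = bool(line) and set(line) == {"-"}
        if not line or is_header or is_rule:
            if buf:
                yield key, " ".join(buf)
                buf = []
            if is_header:
                key = line
            continue
        if line.startswith(("->", "\\")) and buf:
            buf.append(line)  # CLSID title or InProcServer32 path of the current entry
        else:
            if buf:
                yield key, " ".join(buf)
            buf = [line]
    if buf:
        yield key, " ".join(buf)


def classify(entry):
    """Return the review reasons for one joined entry (empty list means nothing to note)."""
    reasons = ["flagged"] if FLAG in entry else []
    for token, reason in STATUS_TOKENS.items():
        if token in entry and reason not in reasons:
            reasons.append(reason)
    return reasons


def triage(log_text):
    """Collect every entry that is flagged, orphaned, or lacks a publisher name."""
    findings = []
    for key, entry in iter_entries(log_text):
        reasons = classify(entry)
        if reasons:
            findings.append(Finding(key, entry, reasons))
    return findings


def hosts_non_localhost(log_text):
    """Return the count of HOSTS mappings that point away from localhost, or None."""
    m = re.search(r"(\d+) of the IP addresses are \*not\* localhost", log_text)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(", ".join(f.reasons), "|", f.key, "|", f.entry)
    print("HOSTS entries not pointing at localhost:", hosts_non_localhost(SAMPLE_LOG))
```

A `flagged` result only means the entry sits at a launch point the script treats as sensitive; each one still has to be matched to installed software by hand.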

  4. #19
    Join Date
    Feb 2004
    Location
    Mandurah, Western Australia
    Posts
    10,157
    Not seeing anything bad in that log. Do you know where the pop ups are from?

  5. #20
    Join Date
    May 2002
    Location
    Dallas, Texas, USA
    Posts
    1,413
    Crunchie,

    I ran Ad-Aware this morning and had 41 data miners tracking cookies and items on MRU List.

    I get two dialog boxes repeatedly, which are "A Script is Running" and "Error message - Do you want to Debug".

    I get the "Do you want to debug" message as many as 30-40 times for a single webpage. Part of the error message says "Object not defined".

    I have all scripts blocked in my Panda configuration. I had to remove this block in order for Silent Runners to run, so I don't know what this message means or where it is coming from.

    I have attached a sample of both error messages. Whatever is going on is making my system creepy slow.

  6. #21
    Join Date
    Feb 2004
    Location
    Mandurah, Western Australia
    Posts
    10,157
    Try the solution here http://support.microsoft.com/kb/175500 for the script problem.
    For the runtime error, try this http://support.microsoft.com/kb/822521

  7. #22
    Join Date
    May 2002
    Location
    Dallas, Texas, USA
    Posts
    1,413
    Crunchie,

    I will perform both of these procedures but there is one other central issue.

    In the first thread, I posted the Kaspersky online scan, which identified a number of items as either trojans or a worm. In addition, twice I tried to use Panda to run a full scan of my computer (I have two hard drives) but Panda was only able to complete 25% of the scan on my C hard drive.

    So, I think that something else is going on but you are the expert in this area.

    Here is the URL for my first post, which details everything that I did prior to posting this message in the HijackThis conference.

    http://discussions.virtualdr.com/sho...62#post1142862

    Thanks for all of your help.

    Cheers,

    Linda

    UPDATE:

    When I clicked "Post Quick Reply", I got the attached debug error message. I clicked "No" and then the message posted.
    Last edited by LindaHewitt; April 3rd, 2007 at 09:34 PM.

  8. #23
    Join Date
    Feb 2004
    Location
    Mandurah, Western Australia
    Posts
    10,157
    Did you follow the advice there regarding the manual deletion of those files? If so, can you do another kaspersky scan and post the results.

  9. #24
    Join Date
    May 2002
    Location
    Dallas, Texas, USA
    Posts
    1,413
    When I run the Kaspersky online scan, they do not make any recommendations about deleting files that I could find.

    Summary Information:

    1. Tried to run Panda scan twice and it failed twice.

    2. SpyBot has updated their software including a registry backup. I downloaded and installed the new version 1.5.1 SpyBot. Then I checked for updates before running SpyBot. SpyBot found 6 tracking cookies which I removed and then I clicked immunize system against all exploits defined in SpyBot.

    3. Ran Ad-Aware after checking for updates and it found 11 objects in MRU List -- Ad-Aware says that these are harmless but it is tracking which documents I am using, etc.; so I don't think the designation of harmless is accurate. There were also 2 tracking cookie objects. The Tracking Cookie objects had a TAC rating of 3. I had Ad-Aware remove all.

    4. Ran 2nd Kaspersky online scan and its overview report said 2 viruses and 6 infected objects as compared to the first report, which said 5 viruses and 9 infected objects. However, when I looked at the actual detail it showed 3 instances of net-worm ... (see attached) and 1 instance of email-worm (see attached).

    All instances occurred in the directory where I used the program DBXpress to unpack a locked Inbox in Outlook Express. There should not be any infected files in the Inbox because they should have been caught by my various security measures.

    The email-worm is reported to infect dbx files, among others.

    One other peculiarity is that my Google Toolbar in IE is no longer there. I went to download Google Toolbar but it wants me to enable Browser Helper Objects, which I decided not to do. I don't know if this is a good idea or not but first things first. I want to get this problem fixed first. Then I will deal with the Google Toolbar issue and switching to Kaspersky Internet Security suite. In Firefox, the Google Toolbar is still present in the browser.

    Here is the Kaspersky online scan report:

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Thursday, April 05, 2007 9:04:40 AM
    Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
    Kaspersky Online Scanner version: 5.0.83.0
    Kaspersky Anti-Virus database last update: 5/04/2007
    Kaspersky Anti-Virus database records: 275190
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: standard
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\

    Scan Statistics:
    Total number of scanned objects: 121003
    Number of viruses found: 2
    Number of infected objects: 6 / 0
    Number of suspicious objects: 0
    Duration of the scan process: 07:56:58

    Infected Object Name / Virus Name / Last Action
    C:\DMI\WIN32\MifDB\errors.log Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\MailWasherPro\tmpLog.txt Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\MailWasherPro\Training\Training archive - junk.rot135 Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\MailWasherPro\Training\Training archive - legitimate.rot135 Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\MailWasherPro\Trash.rot135 Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ds7v9zn4.default\cert8.db Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ds7v9zn4.default\googlesafebrowsing.db Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ds7v9zn4.default\history.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ds7v9zn4.default\key3.db Object is locked skipped
    C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ds7v9zn4.default\parent.lock Object is locked skipped
    C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Business Contact Manager\MSBusinessContactManager.ldf Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Business Contact Manager\MSBusinessContactManager.mdf Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\ds7v9zn4.default\Cache\_CACHE_001_ Object is locked skipped
    D:\Data Files\Backups before Re-install of OS\OE Local Folders Archive 10-29\2005 Email thru 12-31-05.dbx/[From "Returned mail" <[email protected]>][Date Fri, 28 Oct 2005 17:21:42 -0700]/UNNAMED/document.zip/[email protected] Infected: Net-Worm.Win32.Mytob.ck skipped
    D:\Data Files\Backups before Re-install of OS\OE Local Folders Archive 10-29\2005 Email thru 12-31-05.dbx/[From "Returned mail" <[email protected]>][Date Fri, 28 Oct 2005 17:21:42 -0700]/UNNAMED/document.zip Infected: Net-Worm.Win32.Mytob.ck skipped
    D:\Data Files\Backups before Re-install of OS\OE Local Folders Archive 10-29\2005 Email thru 12-31-05.dbx/[From "Returned mail" <[email protected]>][Date Fri, 28 Oct 2005 17:21:42 -0700]/UNNAMED Infected: Net-Worm.Win32.Mytob.ck skipped
    D:\Data Files\Backups before Re-install of OS\OE Local Folders Archive 10-29\2005 Email thru 12-31-05.dbx Mail MS Outlook 5: infected - 3 skipped
    D:\Data Files\Backups before Re-install of OS\OE Local Folders Archive 10-29\cleanup.log Object is locked skipped
    D:\Data Files\Backups before Re-install of OS\OE Local Folders Archive 10-29\Folders.dbx Object is locked skipped
    D:\Data Files\Backups before Re-install of OS\OE Local Folders Archive 10-29\Inbox.dbx Object is locked skipped
    D:\Data Files\Backups before Re-install of OS\OE Local Folders Archive 10-29\InboxBK1.dbx 634,894 KB\Output for InboxBK1.dbx\spam score 4 10pobox warning.eml/[From [email protected]][Date Wed, 18 Feb 2004 22:44:39 +0000]/mails.txt.com.b9 Infected: Email-Worm.Win32.NetSky.b skipped
    D:\Data Files\Backups before Re-install of OS\OE Local Folders Archive 10-29\InboxBK1.dbx 634,894 KB\Output for InboxBK1.dbx\spam score 4 10pobox warning.eml Mail: infected - 1 skipped

    Scan process completed.

    Thanks for your help.

    Linda

  10. #25
    Join Date
    Feb 2004
    Location
    Mandurah, Western Australia
    Posts
    10,157
    If I were you I would be deleting those backup files on 'D' you created that are coming up as infected. Whether your various security measures should have caught them or not is debatable, but imo, we should look on Kaspersky's results as being accurate.
    MRU results are fairly benign as they only show the Most Recently Used files you have accessed.

  11. #26
    Join Date
    May 2002
    Location
    Dallas, Texas, USA
    Posts
    1,413
    Here are the URL links on the two malware components, which Kaspersky reported on my computer.

    http://www.viruslist.com/en/viruses/...?virusid=91260 -- net-worm definition in Kaspersky's malware db

    http://www.viruslist.com/en/viruses/...?virusid=22745 -- Email-Worm.Win32.NetSky.b in Kaspersky's malware db

    What these webpages do not say is how I got these or how to remove them.


    Linda

  12. #27
    Join Date
    May 2002
    Location
    Dallas, Texas, USA
    Posts
    1,413
    Will deleting these files get rid of both of these worms from my system?

    Or is Kaspersky just reporting that there is a worm there that has not been activated yet?

    If the worms have already infected my system, how do I get rid of them?

    I will delete those files.

    Thanks,

    Linda

  13. #28
    Join Date
    Jul 1998
    Location
    Toronto
    Posts
    26,542
    Or is Kaspersky just reporting that there is a worm there that has not been activated yet?
    Yes. As I pointed out in the original thread they are currently archived in a benign state in those email archives. The only way they could be activated is if you opened those emails and those attached viruses by importing them back into the email program.

    I don't think your pc was infected at any point during this procedure... the non-activated viruses in the temp int folders were deleted and now there's just these archived emails. Any other problem would now need to be fixed in a more typical method of troubleshooting (which is not by more virus scanning).

    That one other .ini file does appear to have been a false positive.
    _____________________
    cat lovers click here
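
As an added example (not part of any post in this thread, and not Kaspersky's own tooling): a small Python triage of scan-log lines in the format quoted above, separating detections nested inside a mail store or archive from detections that are a file directly on disk, which is the distinction drawn in reply #28. The sample lines, paths and addresses are constructed; only the line layout and the two detection names come from the thread.

```python
import re
from collections import defaultdict

# Line layout as in the scan log quoted in this thread: <object> <status> skipped
LINE_RE = re.compile(
    r"^(?P<obj>.+?) (?:(?P<locked>Object is locked)"
    r"|Infected: (?P<name>\S+)"
    r"|Mail[^:]*: infected - (?P<count>\d+)) skipped$"
)

def parse_line(line):
    """Return (kind, object_path, detail), or None for lines that are not results."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    if m.group("locked"):
        return ("locked", m.group("obj"), None)
    if m.group("name"):
        return ("infected", m.group("obj"), m.group("name"))
    return ("container_summary", m.group("obj"), int(m.group("count")))

def triage(lines):
    """Count locked objects and group detections by the file that exists on disk."""
    report = {"locked": 0, "standalone": defaultdict(set), "archived": defaultdict(set)}
    for parsed in filter(None, map(parse_line, lines)):
        kind, obj, detail = parsed
        if kind == "locked":
            report["locked"] += 1
        elif kind == "infected":
            # Windows paths use "\", so the first "/" marks descent into a container
            # (mail store, message, zip); the text before it is the file on disk.
            disk_file, _, inner = obj.partition("/")
            report["archived" if inner else "standalone"][disk_file].add(detail)
    return report

# Constructed sample lines (paths and addresses are made up, not the poster's data).
SAMPLE = [
    r'C:\WINNT\SYSTEM32\CONFIG\SAM Object is locked skipped',
    r'C:\WINNT\WindowsUpdate.log Object is locked skipped',
    r'D:\Backups\Old.dbx/[From "Returned mail" <user@example.invalid>][Date Fri, 28 Oct 2005 17:21:42 -0700]/UNNAMED/document.zip/sample.bin Infected: Net-Worm.Win32.Mytob.ck skipped',
    r'D:\Backups\Old.dbx/[From "Returned mail" <user@example.invalid>][Date Fri, 28 Oct 2005 17:21:42 -0700]/UNNAMED/document.zip Infected: Net-Worm.Win32.Mytob.ck skipped',
    r'D:\Backups\Old.dbx Mail MS Outlook 5: infected - 3 skipped',
    r'D:\Backups\warning.eml/[From user@example.invalid][Date Wed, 18 Feb 2004 22:44:39 +0000]/attachment.bin Infected: Email-Worm.Win32.NetSky.b skipped',
    'Scan process completed.',
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the constructed sample the `standalone` bucket is empty and the three "Infected" lines collapse to two on-disk files, so the list of files to delete is shorter than the raw count of detections suggests.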

  14. #29
    Join Date
    May 2002
    Location
    Dallas, Texas, USA
    Posts
    1,413
    Thanks Fink.

    This is all brand new to me, since I haven't gotten any infection or notification of an infected file in 5.5 years. I will go delete those archived entries, then I will attempt to run another Panda scan followed by another Kaspersky online scan. If the Kaspersky scan comes up clean, then I will install Kaspersky.

    BTW, does anyone have any idea why my Google Toolbar went poop? I made some changes in advanced mode for IE. Is there some change there, which could have made the toolbar go poop?

    I will keep everyone posted.

    Cheers,

    Linda
