Adamsun HJT log - please help
http://www.short-media.com/forum/showthread.php?t=12367 is on this topic.
It is closed, so I cannot reply there. What happened to my PC yesterday was:
Like Strainul, 04-24-2004, 09:23 AM:
"I ran into your discussion after searching for a solution to a similar problem:
my browser settings, specifically the search pane, get changed after every reboot to topsearcher.com. After a short interval, a new, impossible to close window pops up with that site loaded"
I tried Ad-Aware 6.0 and Spybot - Search & Destroy; they did not fix this problem.
This morning I ran "Spy Sweeper", and it fixed this problem.
The folder c:\program files\common files\wintools must be removed manually;
Spy Sweeper cannot remove it. I restarted the PC in safe mode (press F8) and then removed it.
Also go to regedit to delete the registry entries (listed in StartupList).
StartupList before it is fixed:
StartupList report, 10/13/2004, 3:45:03 PM
StartupList version: 1.52
Started from : C:\sys-check\StartupList.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using verbose mode
==================================================
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\qttask.exe
C:\PROGRA~1\SPAMAM~1\SiteTick.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\InterWise\Student\pull.exe
C:\OPING\ingres\bin\iigcn.exe
C:\OPING\ingres\bin\iigcc.exe
C:\WINNT\system32\taskmgr.exe
C:\pfe\PFE32.EXE
C:\WINNT\system32\cmd.exe
C:\sys-check\StartupList.exe
This lists all processes running in memory, which are all active
programs and some non-exe system components.
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\asun\Start Menu\Programs\Startup]
rmingres.bat
Shortcut to Microsoft Outlook.lnk = ?
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Push Client.lnk = C:\InterWise\Student\pull.exe
This lists all programs or shortcuts in folders marked by Windows as
'Autostart folder', which means any files within these folders are
launched when Windows is started. The Windows standard is that only
shortcuts (*.lnk, *.pif) should be present in these folders.
The location of these folders is set in the Registry.
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,
These are Windows NT/2000/XP specific startup locations. They
execute when the user logs on to his workstation.
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Synchronization Manager = mobsync.exe /logon
QuickTime Task = C:\WINNT\system32\qttask.exe
listbook = C:\PROGRA~1\SPAMAM~1\SiteTick.exe
WinTools = C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
CITY EGGS DVD RULE = C:\Documents and Settings\All Users\Application Data\fileactivecityeggs\Build up.exe
This lists programs that run Registry keys marked by Windows as
'Autostart key'. To the left are values that are used to clarify what
program they belong to, to the right the program file that is started.
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
RegisterDropHandler = C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
This lists programs that run Registry keys marked by Windows as
'Autostart key'. To the left are values that are used to clarify what
program they belong to, to the right the program file that is started.
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
(Default) =
This lists programs that run Registry keys marked by Windows as
'Autostart key'. To the left are values that are used to clarify what
program they belong to, to the right the program file that is started.
Shell & screensaver key from C:\WINNT\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINNT\system32\ssbezier.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*
The Shell key from SYSTEM.INI tells Windows what file handles
the Windows shell, i.e. creates the taskbar, desktop icons etc. If
programs are added to this line, they are all ran at startup.
The SCRNSAVE.EXE line tells Windows what is the default screensaver
file. This is also a leftover from Windows 3.x and should not be used.
(Since Windows 95 and higher stores this setting in the Registry.)
The 'drivers' line loads non-standard DLLs or programs.
Enumerating Browser Helper Objects:
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll - {87766247-311C-43B4-8499-3D5FEC94A183}
(no name) - C:\PROGRA~1\ANTINU~1\cash play.exe - {FA8CE069-FEE9-91A3-97BA-0858B6BE1ADE}
MSIE features Browser Helper Objects (BHO) that plug into MSIE and
can do virtually anything on your system. Benevolant examples are
the Google Toolbar and the Acrobat Reader plugin. More often though,
BHO's are installed by spyware and serve you to a neverending flow
of popups and ads as well as tracking your browser habits, claiming
they 'enhance your browsing experience'.
Enumerating Task Scheduler jobs:
A48E5B2E9185D592.job
The Windows Task Scheduler can run programs at a certain time,
automatically. Though very unlikely, this can be exploited by
making a job that runs a virus or trojan.
Enumerating Download Program Files:
[IWSystemchecks Control]
InProcServer32 = C:\WINNT\DOWNLO~1\IWSYST~1.OCX
CODEBASE = http://webcast.peoplesoft.com/psft1/English/ActiveX/IWsystemchecks.cab
[InstallFromTheWeb ActiveX Control]
InProcServer32 = C:\WINNT\Downloaded Program Files\iftw.dll
CODEBASE = http://webcast.peoplesoft.com/IWCampus/student/client/iftwclix.cab
[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37897.2733796296
[ConnectPKICtrl Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\ConnectPKI.dll
CODEBASE = https://connectcerts.ca.com/ConnectPKI.dll
[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
The items in Download Program Files are programs you downloaded and
automatically installed themselves in MSIE. Most of these are Java
classes Media Player codecs and the likes. Some items are only
visible from the Registry and may not show up in the folder.
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\DOCUME~1\asun\LOCALS~1\Temp\~643387.tmp
Windows NT4/2000/XP can be setup to run scripts at user logon,
logoff, and system startup or shutdown.
These scripts can do virtually anything, from mapping a
network drive to starting a trojan horse virus. If scripts
are started on your system and you don't know what
they are, consider disabling them using the Group Policy
Editor (click Start, Run, type "gpedit.msc" and hit Enter).
Enumerating ShellServiceObjectDelayLoad items:
Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll
This Registry key lists several system components are loaded at
system startup. Not much is known about this key since it is
virtually undocumented and only used by programs like the Volume
Control, IE Webcheck and Power Management icons. However, a
virus/trojan in the form of a DLL can also load from this key.
The Hitcap trojan is an example of this.
End of report, 9,139 bytes
Report generated in 0.078 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
StartupList after it is fixed:
StartupList report, 10/14/2004, 12:55:32 PM
StartupList version: 1.52
Started from : C:\sys-check\StartupList.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using verbose mode
==================================================
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\OPING\ingres\bin\iigcn.exe
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\WINNT\system32\cmd.exe
C:\OPING\ingres\bin\iigcc.exe
C:\pfe\PFE32.EXE
C:\sys-check\StartupList.exe
This lists all processes running in memory, which are all active
programs and some non-exe system components.
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\asun\Start Menu\Programs\Startup]
rmingres.bat
Shortcut to Microsoft Outlook.lnk = ?
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
This lists all programs or shortcuts in folders marked by Windows as
'Autostart folder', which means any files within these folders are
launched when Windows is started. The Windows standard is that only
shortcuts (*.lnk, *.pif) should be present in these folders.
The location of these folders is set in the Registry.
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,
These are Windows NT/2000/XP specific startup locations. They
execute when the user logs on to his workstation.
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Synchronization Manager = mobsync.exe /logon
This lists programs that run Registry keys marked by Windows as
'Autostart key'. To the left are values that are used to clarify what
program they belong to, to the right the program file that is started.
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
RegisterDropHandler = C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
This lists programs that run Registry keys marked by Windows as
'Autostart key'. To the left are values that are used to clarify what
program they belong to, to the right the program file that is started.
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
(Default) =
SpySweeper = C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
This lists programs that run Registry keys marked by Windows as
'Autostart key'. To the left are values that are used to clarify what
program they belong to, to the right the program file that is started.
Shell & screensaver key from C:\WINNT\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINNT\system32\ssbezier.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*
The Shell key from SYSTEM.INI tells Windows what file handles
the Windows shell, i.e. creates the taskbar, desktop icons etc. If
programs are added to this line, they are all ran at startup.
The SCRNSAVE.EXE line tells Windows what is the default screensaver
file. This is also a leftover from Windows 3.x and should not be used.
(Since Windows 95 and higher stores this setting in the Registry.)
The 'drivers' line loads non-standard DLLs or programs.
Enumerating Browser Helper Objects:
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing) - {87766247-311C-43B4-8499-3D5FEC94A183}
(no name) - C:\PROGRA~1\ANTINU~1\cash play.exe (file missing) - {FA8CE069-FEE9-91A3-97BA-0858B6BE1ADE}
MSIE features Browser Helper Objects (BHO) that plug into MSIE and
can do virtually anything on your system. Benevolant examples are
the Google Toolbar and the Acrobat Reader plugin. More often though,
BHO's are installed by spyware and serve you to a neverending flow
of popups and ads as well as tracking your browser habits, claiming
they 'enhance your browsing experience'.
Enumerating Task Scheduler jobs:
A48E5B2E9185D592.job
The Windows Task Scheduler can run programs at a certain time,
automatically. Though very unlikely, this can be exploited by
making a job that runs a virus or trojan.
Enumerating Download Program Files:
[IWSystemchecks Control]
InProcServer32 = C:\WINNT\DOWNLO~1\IWSYST~1.OCX
CODEBASE = http://webcast.peoplesoft.com/psft1/English/ActiveX/IWsystemchecks.cab
[InstallFromTheWeb ActiveX Control]
InProcServer32 = C:\WINNT\Downloaded Program Files\iftw.dll
CODEBASE = http://webcast.peoplesoft.com/IWCampus/student/client/iftwclix.cab
[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37897.2733796296
[ConnectPKICtrl Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\ConnectPKI.dll
CODEBASE = https://connectcerts.ca.com/ConnectPKI.dll
[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
The items in Download Program Files are programs you downloaded and
automatically installed themselves in MSIE. Most of these are Java
classes Media Player codecs and the likes. Some items are only
visible from the Registry and may not show up in the folder.
Enumerating ShellServiceObjectDelayLoad items:
Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll
This Registry key lists several system components are loaded at
system startup. Not much is known about this key since it is
virtually undocumented and only used by programs like the Volume
Control, IE Webcheck and Power Management icons. However, a
virus/trojan in the form of a DLL can also load from this key.
The Hitcap trojan is an example of this.
End of report, 8,117 bytes
Report generated in 0.110 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
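As an added example (not from the original post and not part of the StartupList tool), here is a small Python parser that pulls the "Autorun entries from Registry" and "Browser Helper Objects" sections out of two StartupList 1.52 reports and diffs them, so the start-up entries the clean-up removed and the BHO registrations left behind with "(file missing)" stand out. The two report excerpts embedded below are constructed from the before and after reports above; the function names are the example's own.

```python
import re

# Constructed excerpts of the two StartupList 1.52 reports posted above (before
# and after the Spy Sweeper clean-up). Only the sections this parser consumes are
# reproduced; the rest of each report is omitted.
BEFORE = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Synchronization Manager = mobsync.exe /logon
QuickTime Task = C:\WINNT\system32\qttask.exe
listbook = C:\PROGRA~1\SPAMAM~1\SiteTick.exe
WinTools = C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
CITY EGGS DVD RULE = C:\Documents and Settings\All Users\Application Data\fileactivecityeggs\Build up.exe
This lists programs that run Registry keys marked by Windows as
'Autostart key'.
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
(Default) =
This lists programs that run Registry keys marked by Windows as
Enumerating Browser Helper Objects:
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll - {87766247-311C-43B4-8499-3D5FEC94A183}
(no name) - C:\PROGRA~1\ANTINU~1\cash play.exe - {FA8CE069-FEE9-91A3-97BA-0858B6BE1ADE}
MSIE features Browser Helper Objects (BHO) that plug into MSIE and
"""

AFTER = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Synchronization Manager = mobsync.exe /logon
This lists programs that run Registry keys marked by Windows as
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
(Default) =
SpySweeper = C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
This lists programs that run Registry keys marked by Windows as
Enumerating Browser Helper Objects:
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing) - {87766247-311C-43B4-8499-3D5FEC94A183}
(no name) - C:\PROGRA~1\ANTINU~1\cash play.exe (file missing) - {FA8CE069-FEE9-91A3-97BA-0858B6BE1ADE}
MSIE features Browser Helper Objects (BHO) that plug into MSIE and
"""

# One BHO line: "<name> - <path>[ (file missing)] - {CLSID}"
BHO_RE = re.compile(
    r"^(?P<name>.*?) - (?P<path>.*?)(?P<missing> \(file missing\))? - "
    r"(?P<clsid>\{[0-9A-Fa-f-]+\})$"
)


def parse_startuplist(text):
    """Return {'autoruns': {registry_key: {value_name: command}}, 'bhos': [...]}."""
    autoruns, bhos = {}, []
    section, current_key = None, None   # section: 'autorun-key', 'autorun', 'bho'
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Autorun entries from Registry:":
            section = "autorun-key"       # next line names the registry key
            continue
        if line == "Enumerating Browser Helper Objects:":
            section = "bho"
            continue
        if section == "autorun-key":
            current_key = line
            autoruns.setdefault(current_key, {})
            section = "autorun"
        elif section == "autorun":
            if " =" not in line:          # explanatory text ends the key's entries
                section = None
                continue
            name, _, cmd = line.partition(" =")
            cmd = cmd.strip()
            if name == "(Default)" and not cmd:
                continue                  # empty default value, not a start-up entry
            autoruns[current_key][name] = cmd
        elif section == "bho":
            m = BHO_RE.match(line)
            if not m:                     # the tool's BHO blurb ends the section
                section = None
                continue
            bhos.append({"path": m["path"], "clsid": m["clsid"],
                         "file_missing": bool(m["missing"])})
    return {"autoruns": autoruns, "bhos": bhos}


def diff_autoruns(before, after):
    """(removed, added) lists of (registry_key, value_name, command) tuples."""
    removed, added = [], []
    for key in sorted(set(before["autoruns"]) | set(after["autoruns"])):
        b = before["autoruns"].get(key, {})
        a = after["autoruns"].get(key, {})
        removed += [(key, n, b[n]) for n in sorted(set(b) - set(a))]
        added += [(key, n, a[n]) for n in sorted(set(a) - set(b))]
    return removed, added


def orphaned_bhos(report):
    """CLSIDs whose DLL is gone but whose registration survives: leftovers to clean."""
    return [b["clsid"] for b in report["bhos"] if b["file_missing"]]


if __name__ == "__main__":
    before, after = parse_startuplist(BEFORE), parse_startuplist(AFTER)
    removed, added = diff_autoruns(before, after)
    for key, name, cmd in removed:
        print("removed:", key, "|", name, "=", cmd)
    for key, name, cmd in added:
        print("added:  ", key, "|", name, "=", cmd)
    print("orphaned BHO registrations:", orphaned_bhos(after))
```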
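The two report sections above (the Downloaded Program Files ActiveX entries and the ShellServiceObjectDelayLoad items) are the kind of thing a reviewer goes through by hand. The script below is an added example, not part of the original post and not code from StartupList or Spy Sweeper: it parses report text in the layout shown above and flags entries worth a second look. The "Enumerating Download Program Files:" header, the system-directory prefixes, the allow-list of CODEBASE hosts and the sample report (which includes one made-up "Some Control" entry) are all assumptions constructed for this example.

```python
"""Triage helper for StartupList-style report text (added example).

Parses "[Name]" / "InProcServer32 = path" / "CODEBASE = url" records and
"Name: path" ShellServiceObjectDelayLoad records, then flags entries that
a reviewer would want to check by hand.
"""
import re
from urllib.parse import urlparse

# Assumed for a Windows 2000 box with the layout seen in the report.
SYSTEM_PREFIXES = ("c:\\winnt\\", "c:\\program files\\")

# Hypothetical analyst allow-list; hosts taken from the CODEBASE lines above.
TRUSTED_CODEBASE_HOSTS = {
    "v4.windowsupdate.microsoft.com",
    "fpdownload.macromedia.com",
    "connectcerts.ca.com",
}

DPF_HEADER = "Enumerating Download Program Files:"  # assumed header text
SSODL_HEADER = "Enumerating ShellServiceObjectDelayLoad items:"

# Constructed sample in the report's own format. "Some Control" is invented
# to show what a suspicious entry looks like; the other lines mirror the report.
SAMPLE_REPORT = r"""
Enumerating Download Program Files:
[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37897.2733796296
[ConnectPKICtrl Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\ConnectPKI.dll
CODEBASE = https://connectcerts.ca.com/ConnectPKI.dll
[Some Control]
InProcServer32 = C:\Documents and Settings\asun\Local Settings\Temp\ctl.dll
CODEBASE = http://example.invalid/ctl.cab
Enumerating ShellServiceObjectDelayLoad items:
Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll
"""


def parse_report(text):
    """Return (dpf_entries, ssodl_entries) parsed from report text."""
    dpf, ssodl, section, current = [], [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Enumerating "):
            section = "dpf" if line == DPF_HEADER else "ssodl" if line == SSODL_HEADER else None
            current = None
            continue
        if section == "dpf":
            if line.startswith("[") and line.endswith("]"):
                current = {"name": line[1:-1], "InProcServer32": None, "CODEBASE": None}
                dpf.append(current)
            elif current is not None and " = " in line:
                key, _, value = line.partition(" = ")
                if key in current:
                    current[key] = value
        elif section == "ssodl":
            name, sep, path = line.partition(": ")
            # Only "Name: file" lines; the report's explanatory prose is skipped.
            if sep and path.lower().endswith((".dll", ".ocx", ".exe")):
                ssodl.append({"name": name, "path": path})
    return dpf, ssodl


def is_qualified(path):
    """True for drive-letter or UNC paths; a bare file name is found via the DLL search order."""
    return bool(re.match(r"^(?:[A-Za-z]:\\|\\\\)", path))


def under_system_dirs(path):
    return any(path.lower().startswith(p) for p in SYSTEM_PREFIXES)


def triage(text, trusted_hosts=TRUSTED_CODEBASE_HOSTS):
    """Return a list of (entry name, reason) pairs for entries needing review."""
    findings = []
    dpf, ssodl = parse_report(text)
    for e in dpf:
        path, codebase = e["InProcServer32"], e["CODEBASE"]
        if path and not under_system_dirs(path):
            findings.append((e["name"], "InProcServer32 outside system directories: " + path))
        if codebase:
            url = urlparse(codebase)
            if url.scheme != "https":
                # Plain http: trust rests entirely on the CAB's Authenticode signature.
                findings.append((e["name"], "CODEBASE over plain http: " + codebase))
            if url.hostname not in trusted_hosts:
                findings.append((e["name"], "CODEBASE host not in allow-list: " + str(url.hostname)))
    for e in ssodl:
        if not is_qualified(e["path"]):
            findings.append((e["name"], "unqualified DLL name resolved via search order: " + e["path"]))
        elif not under_system_dirs(e["path"]):
            findings.append((e["name"], "DLL outside system directories: " + e["path"]))
    return findings


if __name__ == "__main__":
    for name, reason in triage(SAMPLE_REPORT):
        print(f"{name}: {reason}")
```

Run against the sample it reports the invented "Some Control" entry three times (temp-folder DLL, plain http, unknown host), the Windows Update control once for plain http, and "SysTray: stobject.dll" for the unqualified name; the ConnectPKI entry passes. A flag is a reason to look, not a verdict: the Windows Update CAB is legitimately signed, and stobject.dll is the stock SysTray component.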
This discussion has been closed.
Comments
Thursday, 14 October 2004 11:35 AM
Updating software definitions
Your software definitions have been updated.
11:38 AM Sweeping memory for active software.
Found: Memory-resident Software WebSearch Toolbar, version 1
Found: Memory-resident Software WebSearch Toolbar, version 1
Found: Memory-resident Software WebSearch Toolbar, version 1
11:38 AM Memory sweep has completed.
Found: 2nd-thought registry trace.
Found: AdDestroyer registry trace.
Found: Alexa Toolbar registry trace.
Found: BlazeFind registry trace.
Found: BlazeFind registry trace.
Found: CWS_xplugin registry trace.
Found: My Daily Horoscope registry trace.
Found: Squire Webhelper registry trace.
Found: Surebar registry trace.
Found: Surebar registry trace.
Found: VirtualBouncer registry trace.
Found: WebSearch Toolbar registry trace.
Found: Websearch.com Hijacker registry trace.
11:41 AM Registry sweep completed.
11:41 AM Full sweep on all local drives initiated.
11:41 AM Now sweeping drive C:
Found Adware: Netpal, version 1
Found: WebSearch Toolbar, version 1
Found Adware: WebSearch Toolbar, version 1
Found Adware: Twain-Tech, version 1
Found Adware: AdDestroyer, version 1
Found Adware: AdDestroyer, version 1
Found: SideSearch, version 1
Found Cookie: go.com Cookie, version 1
Found Cookie: AdKnowledge Cookie, version 1
Found Cookie: Adrevolver Cookie, version 1
Found Cookie: Pointroll Cookie, version 1
Found Cookie: Bizrate Cookie, version 1
Found Cookie: Casalemedia Cookie, version 1
Found Cookie: Com.com Cookie, version 1
Found Cookie: go.com Cookie, version 1
Found Cookie: go.com Cookie, version 1
Found Cookie: Com.com Cookie, version 1
Found Cookie: Gamespy Cookie, version 1
Found Cookie: Pricegrabber Cookie, version 1
Found Cookie: Overture Cookie, version 1
Found Cookie: Pricegrabber Cookie, version 1
Found Cookie: go.com Cookie, version 1
Found Cookie: Serving-sys Cookie, version 1
Found Cookie: specificclick.com Cookie, version 1
Found Cookie: Specificpop Cookie, version 1
Found Cookie: go.com Cookie, version 1
Found Cookie: Trafficmp Cookie, version 1
Found Cookie: Com.com Cookie, version 1
Found Cookie: Com.com Cookie, version 1
Found Cookie: Com.com Cookie, version 1
Found Cookie: Zedo Cookie, version 1
Found Adware: WebSearch Toolbar, version 1
Found: AdDestroyer, version 1
Found Adware: AdDestroyer, version 1
Found: Squire Webhelper, version 1
Found: WebSearch Toolbar, version 1
Found: SideSearch, version 1
Found Adware: Squire Webhelper, version 1
Found Adware: WebSearch Toolbar, version 1
Found: Squire Webhelper, version 1
Found: Targetsoft, version 1
Found Adware: Lopdotcom, version 1
Found Adware: Squire Webhelper, version 1
Found Adware: vx2 (Transponder), version 1
Found Adware: SeekSeek, version 1
Found Adware: Lopdotcom, version 1
Found Adware: Lopdotcom, version 1
Found Adware: Lopdotcom, version 1
Found Adware: Powerstrip, version 1
Found Trojan Horse: 2nd-thought, version 1
Found Adware: SideSearch, version 1
Found Adware: vx2 (Transponder), version 1
Found Adware: vx2 (Transponder), version 1
Found Adware: AdTomi, version 1
Found Adware: vx2 (Transponder), version 1
Found Adware: AdTomi, version 1
Found Adware: My Daily Horoscope, version 1
Found Adware: Gator (GAIN), version 4.054
Found Adware: SquireSearch, version 1
Found Adware: Surebar, version 1
Found Adware: Zestyfind Desktop Links, version 1
Found Adware: Spotresults desktop Links, version 1
Found Adware: vx2 (Transponder), version 1
Found Adware: vx2 (Transponder), version 1
Found Adware: Twain-Tech, version 1
Found Adware: Twain-Tech, version 1
Found Adware: Look2Me, version 1
Found Trojan Horse: 2nd-thought, version 1
Found Adware: Look2Me, version 1
Found Adware: Surebar, version 1
Found Adware: Netpal, version 1
Found Adware: AdDestroyer, version 1
Found Adware: VirtualBouncer, version 1
Found: Surebar, version 1
Found Adware: KeenValue, version 1
Found Adware: Squire Webhelper, version 1
Found Adware: VirtualBouncer, version 1
12:13 PM Full Sweep has completed. Elapsed time 0 hours, 34 minutes, 56 seconds.
Files swept: 81,456
Software Located: 1039
Spy Sweeper quarantined registry traces of: 2nd-thought
Spy Sweeper quarantined registry traces of: 2nd-thought
Spy Sweeper quarantined: 2nd-thought
Spy Sweeper quarantined: 2nd-thought
Spy Sweeper quarantined registry traces of: AdDestroyer
Spy Sweeper quarantined registry traces of: AdDestroyer
Spy Sweeper quarantined: AdDestroyer
Spy Sweeper quarantined: AdDestroyer
Spy Sweeper quarantined: AdDestroyer
Spy Sweeper quarantined: AdDestroyer
Spy Sweeper quarantined a cookie: AdKnowledge Cookie
Spy Sweeper quarantined a cookie: Adrevolver Cookie
Spy Sweeper quarantined: AdTomi
Spy Sweeper quarantined: AdTomi
Spy Sweeper quarantined registry traces of: Alexa Toolbar
Spy Sweeper quarantined a cookie: Bizrate Cookie
Spy Sweeper quarantined registry traces of: BlazeFind
Spy Sweeper quarantined registry traces of: BlazeFind
Spy Sweeper quarantined registry traces of: BlazeFind
Spy Sweeper quarantined registry traces of: BlazeFind
Spy Sweeper quarantined a cookie: Casalemedia Cookie
Spy Sweeper quarantined a cookie: Com.com Cookie
Spy Sweeper quarantined a cookie: Com.com Cookie
Spy Sweeper quarantined a cookie: Com.com Cookie
Spy Sweeper quarantined a cookie: Com.com Cookie
Spy Sweeper quarantined a cookie: Com.com Cookie
Spy Sweeper quarantined a cookie: Com.com Cookie
Spy Sweeper quarantined a cookie: Com.com Cookie
Spy Sweeper quarantined a cookie: Com.com Cookie
Spy Sweeper quarantined a cookie: Com.com Cookie
Spy Sweeper quarantined registry traces of: CWS_xplugin
Spy Sweeper quarantined a cookie: Gamespy Cookie
Spy Sweeper quarantined: Gator (GAIN)
Spy Sweeper quarantined a cookie: go.com Cookie
Spy Sweeper quarantined a cookie: go.com Cookie
Spy Sweeper quarantined a cookie: go.com Cookie
Spy Sweeper quarantined a cookie: go.com Cookie
Spy Sweeper quarantined a cookie: go.com Cookie
Spy Sweeper quarantined: KeenValue
Spy Sweeper quarantined: Look2Me
Spy Sweeper quarantined: Lopdotcom
Spy Sweeper quarantined: Lopdotcom
Spy Sweeper quarantined: Lopdotcom
Spy Sweeper quarantined: Lopdotcom
Spy Sweeper quarantined: Lopdotcom
Spy Sweeper quarantined: Lopdotcom
Spy Sweeper quarantined registry traces of: My Daily Horoscope
Spy Sweeper quarantined registry traces of: My Daily Horoscope
Spy Sweeper quarantined: My Daily Horoscope
Spy Sweeper quarantined: Netpal
Spy Sweeper quarantined: Netpal
Spy Sweeper quarantined: Netpal
Spy Sweeper quarantined: Netpal
Spy Sweeper quarantined a cookie: Overture Cookie
Spy Sweeper quarantined a cookie: Pointroll Cookie
Spy Sweeper quarantined: Powerstrip
Spy Sweeper quarantined a cookie: Pricegrabber Cookie
Spy Sweeper quarantined a cookie: Pricegrabber Cookie
Spy Sweeper quarantined: SeekSeek
Spy Sweeper quarantined a cookie: Serving-sys Cookie
Spy Sweeper quarantined: SideSearch
Spy Sweeper quarantined a cookie: specificclick.com Cookie
Spy Sweeper quarantined a cookie: Specificpop Cookie
Spy Sweeper quarantined: Spotresults desktop Links
Spy Sweeper quarantined registry traces of: Squire Webhelper
Spy Sweeper quarantined registry traces of: Squire Webhelper
Spy Sweeper quarantined: Squire Webhelper
Spy Sweeper quarantined: Squire Webhelper
Spy Sweeper quarantined: Squire Webhelper
Spy Sweeper quarantined: Squire Webhelper
Spy Sweeper quarantined: Squire Webhelper
Spy Sweeper quarantined: Squire Webhelper
Spy Sweeper quarantined: Squire Webhelper
Spy Sweeper quarantined: Squire Webhelper
Spy Sweeper quarantined: SquireSearch
Spy Sweeper quarantined registry traces of: Surebar
Spy Sweeper quarantined registry traces of: Surebar
Spy Sweeper quarantined registry traces of: Surebar
Spy Sweeper quarantined registry traces of: Surebar
Spy Sweeper quarantined: Surebar
Spy Sweeper quarantined: Surebar
Spy Sweeper quarantined: Targetsoft
Spy Sweeper quarantined: Targetsoft
Spy Sweeper quarantined: Targetsoft
Spy Sweeper quarantined: Targetsoft
Spy Sweeper quarantined a cookie: Trafficmp Cookie
Spy Sweeper quarantined: Twain-Tech
Spy Sweeper quarantined: Twain-Tech
Spy Sweeper quarantined registry traces of: VirtualBouncer
Spy Sweeper quarantined registry traces of: VirtualBouncer
Spy Sweeper quarantined: VirtualBouncer
Spy Sweeper quarantined: VirtualBouncer
Spy Sweeper quarantined: vx2 (Transponder)
Spy Sweeper quarantined: vx2 (Transponder)
Spy Sweeper quarantined: vx2 (Transponder)
Spy Sweeper quarantined: vx2 (Transponder)
Spy Sweeper quarantined: vx2 (Transponder)
Spy Sweeper quarantined: vx2 (Transponder)
Spy Sweeper quarantined: vx2 (Transponder)
Spy Sweeper removed from memory: WebSearch Toolbar
Spy Sweeper quarantined registry traces of: WebSearch Toolbar
Spy Sweeper quarantined registry traces of: WebSearch Toolbar
Spy Sweeper quarantined registry traces of: WebSearch Toolbar
Spy Sweeper quarantined: WebSearch Toolbar
Spy Sweeper quarantined: WebSearch Toolbar
Spy Sweeper quarantined registry traces of: Websearch.com Hijacker
Spy Sweeper quarantined registry traces of: Websearch.com Hijacker
Spy Sweeper quarantined registry traces of: Websearch.com Hijacker
Spy Sweeper quarantined a cookie: Zedo Cookie
Spy Sweeper quarantined: Zestyfind Desktop Links
Spy Sweeper removed a folder: c:\documents and settings\all users\start menu\programs\web search tools
Spy Sweeper removed a folder: c:\documents and settings\asun\start menu\programs\addestroyer
Spy Sweeper removed a folder: c:\documents and settings\asun\application data\lycos
Spy Sweeper removed a folder: c:\program files\common files\wintools\update
Spy Sweeper removed a folder: c:\program files\target soft\templates
Spy Sweeper removed a folder: c:\program files\sqwire\39158765
Spy Sweeper removed a folder: c:\program files\common files\sq
Spy Sweeper removed a folder: c:\program files\target soft
Spy Sweeper removed a folder: c:\winnt\system32\surepics
Spy Sweeper removed a folder: c:\program files\sqwire
Spy Sweeper removed a folder: c:\program files\lycos