HijackThis log from May 28 2006
I was having possible problems with my computer with win.messenger exploit attacks.
I was getting these attacks very often, but my AV (Kaspersky Internet
Security) was blocking them. Anyway, I did a dump on port 1026 with a tool from Kaspersky (KLdump.exe) and
posted it in this forum: http://www.d-a-l.com/help/showthread.php?t=41291
Here are my findings, and I have the .dmp file attached.
My HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 11:53:48 AM, on 5/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Afreet\IonoProbe\IonoProbe.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\sistray.exe
C:\DOCUME~1\Richard\LOCALS~1\Temp\RtkBtMnt.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\oodag.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Richard\My Documents\Hijack This\HijackThis.exe
O1 - Hosts: 128.104.184.35 # W9RNF
O1 - Hosts: 128.192.52.40:599 # K4UGA
O1 - Hosts: 129.110.99.253 # K5UTD
O1 - Hosts: 130.126.139.93:8000 # K9USA
O1 - Hosts: 130.237.41.41:8000 # SK0BU-5
O1 - Hosts: 131.156.2.132 # W9NIU
O1 - Hosts: 131.156.2.135:41112 # W9NIU-clx
O1 - Hosts: 134.48.91.173 # W9ODD
O1 - Hosts: 142.139.0.194 # VE9EMO-9
O1 - Hosts: 142.58.173.14 # VE7CQD
O1 - Hosts: 146.48.126.26 # IW5DAM
O1 - Hosts: 150.162.38.7 # PP5MCB-8
O1 - Hosts: 151.4.218.10:2222 # I5NXJ-2
O1 - Hosts: 160.97.46.30:9000 # IZ8CCW-9
O1 - Hosts: 193.144.52.168:41112 # EA1URF-5
O1 - Hosts: 193.207.106.230 # I8NHJ-6
O1 - Hosts: 194.154.155.195:9000 # 5B4NDX
O1 - Hosts: 194.192.135.177:53 # OZ5BBS-7
O1 - Hosts: 195.161.45.20 # RN6BN
O1 - Hosts: 195.57.18.13:41112 # EA7URC-7
O1 - Hosts: 195.57.18.13:8000 # ED7ZAB-5
O1 - Hosts: 198.109.212.235 # K8SMC
O1 - Hosts: 200.246.123.252 # PY2XB-6
O1 - Hosts: 207.157.4.17 # W4LEE
O1 - Hosts: 207.54.151.220 # W8GN
O1 - Hosts: 208.164.147.68 # K5MDX
O1 - Hosts: 209.147.70.241 # K4JA
O1 - Hosts: 213.10.48.91 # PI4CC
O1 - Hosts: 213.221.43.253 # RA3AWW
O1 - Hosts: 213.237.10.107:2300 # OZ3BUL-7
O1 - Hosts: 213.59.36.73:41112 # RV0AEV-1
O1 - Hosts: 217.196.102.101 # UA0BA-3
O1 - Hosts: 24.159.185.156 # W4TO
O1 - Hosts: dxc.k2ls.com # K2LS
O1 - Hosts: 44.124.64.253 # N7OO
O1 - Hosts: 44.187.1.1 # LY2ZO-10
O1 - Hosts: 44.64.20.100 # N2BIM
O1 - Hosts: 64.32.255.187 # K2UT
O1 - Hosts: 65.85.204.80 # KA5EYH-1
O1 - Hosts: 66.84.210.68 # N9BMS
O1 - Hosts: 68.14.105.11 # N5UXT-8
O1 - Hosts: ac0x.dynip.com # AC0X
O1 - Hosts: acg.spidernet.com.cy # 5B4NDX
O1 - Hosts: clusea5.uv.es:41112 # EA5URV-5
O1 - Hosts: cluster.dx-central.com # DX-Central
O1 - Hosts: cluster.sk4bw.net:8000 # SM4OWN-7
O1 - Hosts: cluster.w9zrx.net # W9ZRX
O1 - Hosts: dx.aaanet.ru:41112 # RK6LWX
O1 - Hosts: dx.fireroute.com # VA3NA-7
O1 - Hosts: dx.n3ra.com # N3RA
O1 - Hosts: dxc-ka5eyh.drhnet.com # KA5EYH
O1 - Hosts: dxc-us.ab5k.net # AB5K-2
O1 - Hosts: dxc.andys.ru:41112 # RV0AEV-1
O1 - Hosts: dxc.k1ttt.net # K1TTT
O1 - Hosts: dxc.k1xx.com:7300 # K1XX
O1 - Hosts: dxc.kn4f.net # KN4F
O1 - Hosts: dxc.n2tx.net # N2TX
O1 - Hosts: dxc.n7tr.com # N7TR
O1 - Hosts: dxc.w4ml.net # W4ML
O1 - Hosts: dxspots.com # N5IN
O1 - Hosts: dxspots.net # N5IN
O1 - Hosts: ea5elx.sytes.net:8000 # EA5ELX-5
O1 - Hosts: gb7djk.dxcluster.net:7300 # GB7DJK
O1 - Hosts: gb7mbc.spoo.org:8000 # GB7MBC
O1 - Hosts: gb7ujs.shacknet.nu:7373 # GB7UJS
O1 - Hosts: gw-wadg.greatbasin.net # N7TR
O1 - Hosts: harc.hoho.org:4000 # K8DAA
O1 - Hosts: ik4mtk.tzo.com # IK4MTK-6
O1 - Hosts: je3yek.figaro.gr.jp:41112 # JE3YEK
O1 - Hosts: jk1zrw.dyndns.org:41112 # JK1ZRW-9
O1 - Hosts: k0mp.dynip.com # K0MP
O1 - Hosts: k1eu.dynip.com # K1EU
O1 - Hosts: k3nc.no-ip.com:41112 # K3NC
O1 - Hosts: k4up.tzo.com # K4UP
O1 - Hosts: k7ar.net:7300 # K7AR
O1 - Hosts: k8na.com # K8NA
O1 - Hosts: k8smc.com # K8SMC
O1 - Hosts: kb2txp.net:4000 # KB2TXP
O1 - Hosts: kc0djo.dynip.com # KC0DJO
O1 - Hosts: kc2cwt.homeip.net # KC2CWT-9
O1 - Hosts: kf6arx.netlynx.com:4242 # KF6ARX-5
O1 - Hosts: kh2d.tzo.com:23 # KH2D
O1 - Hosts: ks8g.dorm-net.net:9000 # KS8G
O1 - Hosts: linux.figaro.gr.jp:8000 # JA3YTZ
O1 - Hosts: mdx.datasync.com # K5MDX
O1 - Hosts: n1zuk.dyndns.org:8000 # N1ZUK
O1 - Hosts: n7od.pentux.net # N7OD
O1 - Hosts: n7us.net # N7US
O1 - Hosts: nc7j.qrq.com:8000 # NC7J
O1 - Hosts: oz7dxc.dyndns.org:9000 # OZ7DXC
O1 - Hosts: radio.nagano.cz:41112 # OK0DXI
O1 - Hosts: rn6bn.73.ru # RN6BN
O1 - Hosts: va3mw.homeip.net:41112 # VA3MW
O1 - Hosts: ve6dxd.tzo.com # VE6DXD
O1 - Hosts: w0mw.dynip.com # W0MW
O1 - Hosts: w4smg.tzo.com:41112 # W4SMG
O1 - Hosts: w4zr.dyndns.org # W4ZR
O1 - Hosts: w9da.ampr.org # WG9L
O1 - Hosts: wf5e.no-ip.com # WF5E
O1 - Hosts: wr3d.dxcluster.net:7000 # WR3D
O1 - Hosts: www.twoy.net:8000 # OH5NK-7
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: SafeIE Utility - {B5D4581D-ED6A-4905-A267-25BAF7BE79C1} - C:\WINDOWS\system32\safeie.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\WLTRAY
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [IonoProbe.exe] C:\Program Files\Afreet\IonoProbe\IonoProbe.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download all by WellGet - C:\Program Files\WellGet\nxall.htm
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: Download by &WellGet - C:\Program Files\WellGet\nxcatch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: WellGet - {35980F6E-A258-4E50-953D-813BB8556899} - C:\Program Files\WellGet\WellGet.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1146861603312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1147229938843
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
I am an Amateur Radio Op (Ham) and use a program to access DX Clusters.
They're like a telnet program to post and receive spots of people who are on the air from all
over the world.
I used L2M and BFU and did a scan with ewido 4.0 (Beta).

OK, here is the HijackThis log after I ran L2M and BFU.
I did a scan with ewido and it did not find anything.
I retained one post in my Hosts file.
I installed CCleaner and Spybot and uninstalled ewido.
Logfile of HijackThis v1.99.1
Scan saved at 11:59:21 AM, on 5/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Afreet\IonoProbe\IonoProbe.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\sistray.exe
C:\DOCUME~1\Richard\LOCALS~1\Temp\RtkBtMnt.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\oodag.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
O1 - Hosts: dx.ks4q.net # KS4Q
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: SafeIE Utility - {B5D4581D-ED6A-4905-A267-25BAF7BE79C1} - C:\WINDOWS\system32\safeie.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\WLTRAY
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [IonoProbe.exe] C:\Program Files\Afreet\IonoProbe\IonoProbe.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download all by WellGet - C:\Program Files\WellGet\nxall.htm
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: Download by &WellGet - C:\Program Files\WellGet\nxcatch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: WellGet - {35980F6E-A258-4E50-953D-813BB8556899} - C:\Program Files\WellGet\WellGet.exe
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
O16 - DPF: {266B9238-31A5-4B53-9039-272FE846DF9D} (DiameterTransfer Control) - http://www.sis.com/download/SISTransfer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1146861603312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1147229938843
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
How is this?
I cleaned up a lot. I have not run another KLdump on port 1026;
I will try a little later or tomorrow.
BTW, I have the Messenger service disabled in the Services tab,
and do not have Windows Messenger installed.
Everything is stable on the computer, but I did an image with Acronis before and
after just in case.
Thank you,
Rick

This is the Install Log.
7-Zip 4.32
Acronis True Image
Adobe Bridge 1.0
Adobe Common File Installer
Adobe ExtendScript Toolkit 1.0
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 7.0.7
Adobe Stock Photos 1.0
Adobe Stock Photos 1.0
Agere Systems AC'97 Modem
Broadcom 802.11 Network Adapter
CCleaner (remove only)
DX Atlas 2.25
DXbase 2005
Flash Player Update for Flash 8
Ham CAP 1.4
HijackThis 1.99.1
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB896344)
InCD
IonoProbe 1.3
iSpeed for Windows
ITS HF Propagation 2005.01.19
J2SE Runtime Environment 5.0 Update 6
Kaspersky Internet Security 6.0
Launch Manager
Macromedia Contribute 3.11
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Fireworks 8
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia Flash Player 8
Macromedia Flash Player 8
Macromedia Flash Player 8 Plugin
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Word 2000
Morse Runner 1.6
Nero 6 Ultra Edition
Nero Digital
NeroMIX
O&O Defrag Professional Edition
PowerQuest PartitionMagic 8.0
Realtek AC'97 Audio
Security Update for Windows Media Player (KB911564)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
SiS 900 PCI Fast Ethernet Adapter Driver
SiS VGA Utilities
SiSAGP driver
Spybot - Search & Destroy 1.4
Synaptics Pointing Device Driver
TrustedQSL 1.11
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
ve7cc
WellGet
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2

Looks like you did a darn good job. How's it running?

Hello Neal,
Computer runs real good. Nice and fast. I also installed Firefox 1.5.0.3
again and am using it as my main browser. Have any ideas on the port 1026 dump? I haven't
tried it again yet to see what's going on, but just wondering.
Rick

Not really, never seen one of those before.
Let's see if anything is hiding in the bushes.
Please download SilentRunners from here: http://www.silentrunners.org/Silent%20Runners.zip
Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, a message will pop up and a logfile will have been created on the desktop. Please post the entire contents of this logfile for me to see. Neal
Here's my log:
"Silent Runners.vbs", revision 45, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ {++}
"IonoProbe.exe" = "C:\Program Files\Afreet\IonoProbe\IonoProbe.exe" ["Afreet Software, Inc."]
"updateMgr" = ""C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1" ["Adobe Systems Incorporated"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ {++}
"MsmqIntCert" = "regsvr32 /s mqrt.dll" [MS]
"Broadcom Wireless Manager UI" = "C:\WINDOWS\System32\WLTRAY" ["Broadcom Corporation"]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"LManager" = "C:\Program Files\Launch Manager\QtZgAcer.EXE" ["Dritek System Inc."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"Acronis True Image Monitor" = ""C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"" ["Acronis"]
"Acronis Scheduler2 Service" = ""C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"" ["Acronis"]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"InCD" = "C:\Program Files\Ahead\InCD\InCD.exe" ["Nero AG"]
"SiSPower" = "Rundll32.exe SiSPower.dll,ModeAgent" [MS]
"kis" = ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"" ["Kaspersky Lab"]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{B5D4581D-ED6A-4905-A267-25BAF7BE79C1}\(Default) = "SafeIE Utility"
-> {HKLM...CLSID} = "FiltrateIE Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\safeie.dll" [empty string]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {HKLM...CLSID} = "Universal Plug and Play Devices"
\InProcServer32\(Default) = "C:\WINDOWS\System32\upnpui.dll" [MS]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{9DED7A30-D572-4D21-8D82-6945EA697400}" = "Macromedia FlashPaper Context Menu"
-> {HKLM...CLSID} = "FlashPaperContextHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Macromedia\FlashPaper 2\FlashPaperContextMenu.dll" [null data]
"{48EAD1E1-ECF2-4a85-AA09-1C44FBEED451}" = "OODefrag"
-> {HKLM...CLSID} = "OODShellExtObj Class"
\InProcServer32\(Default) = "C:\PROGRA~1\OOSOFT~1\DEFRAG~1\oodsh.dll" ["O&O Software GmbH"]
"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
-> {HKLM...CLSID} = "Shell Extension for CDRW"
\InProcServer32\(Default) = "C:\Program Files\Ahead\InCD\incdshx.dll" ["Nero AG"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Web Anti-Virus"
-> {HKLM...CLSID} = "Web Anti-Virus"
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll" ["Kaspersky Lab"]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll" ["Kaspersky Lab"]
HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * OODBS" [file not found], [MS], [file not found], [file not found]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]
INFECTION WARNING! WgaLogon\DLLName = "WgaLogon.dll" [MS]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\shellex.dll" ["Kaspersky Lab"]
Macromedia.FlashPaper.ContextMenu\(Default) = "{9DED7A30-D572-4D21-8D82-6945EA697400}"
-> {HKLM...CLSID} = "FlashPaperContextHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Macromedia\FlashPaper 2\FlashPaperContextMenu.dll" [null data]
OODefrag\(Default) = "{48EAD1E1-ECF2-4a85-AA09-1C44FBEED451}"
-> {HKLM...CLSID} = "OODShellExtObj Class"
\InProcServer32\(Default) = "C:\PROGRA~1\OOSOFT~1\DEFRAG~1\oodsh.dll" ["O&O Software GmbH"]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\shellex.dll" ["Kaspersky Lab"]
OODefrag\(Default) = "{48EAD1E1-ECF2-4a85-AA09-1C44FBEED451}"
-> {HKLM...CLSID} = "OODShellExtObj Class"
\InProcServer32\(Default) = "C:\PROGRA~1\OOSOFT~1\DEFRAG~1\oodsh.dll" ["O&O Software GmbH"]
Group Policies [Description] {enabled Group Policy setting}:
------------------------------------------------------------
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\
HIJACK WARNING! "HomePage"=dword:00000001
[disables the Home page field in Internet Options|General (tab)]
{User Configuration|Administrative Templates|Windows Components|
Internet Explorer|Disable changing home page settings}
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\
HIJACK WARNING! "NoBrowserOptions"=dword:00000001
[disables Tools|Internet Options... in Internet Explorer]
{User Configuration|Administrative Templates|Windows Components|
Internet Explorer|Browser Menus|Tools menu: Disable Internet
Options... menu option}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Richard\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Startup items in "Richard" & "All Users" startup folders:
---------------------------------------------------------
C:\Documents and Settings\Richard\Start Menu\Programs\Startup
"Adobe Gamma" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"Utility Tray" -> shortcut to: "C:\WINDOWS\system32\sistray.exe" ["Silicon Integrated Systems Corporation"]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\
"ButtonText" = "Web Anti-Virus"
{35980F6E-A258-4E50-953D-813BB8556899}\
"ButtonText" = "WellGet"
"Exec" = "C:\Program Files\WellGet\WellGet.exe" [empty string]
HOSTS file
----------
C:\WINDOWS\System32\drivers\etc\HOSTS
maps: 2 domain names to IP addresses,
1 of the IP addresses is *not* localhost!
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Acronis Scheduler2 Service, AcrSch2Svc, ""C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe"" ["Acronis"]
Broadcom Wireless LAN Tray Service, wltrysvc, "C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe" [null data]
InCD Helper, InCDsrv, "C:\Program Files\Ahead\InCD\InCDsrv.exe" ["Nero AG"]
Kaspersky Internet Security 6.0, AVP, ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r" ["Kaspersky Lab"]
Message Queuing, MSMQ, "C:\WINDOWS\System32\mqsvc.exe" [MS]
Message Queuing Triggers, MSMQTriggers, "C:\WINDOWS\System32\mqtgsvc.exe" [MS]
O&O Defrag, O&O Defrag, "C:\WINDOWS\System32\oodag.exe" ["O&O Software GmbH"]
RIP Listener, Iprip, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\iprip.dll" [MS]}
Simple TCP/IP Services, SimpTcp, "C:\WINDOWS\System32\tcpsvcs.exe" [MS]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 27 seconds, including 4 seconds for message boxes)
Nothing there. One more, then I'll let you go.
* Download finditnt2000xp.zip. www.thatcomputerguy.us/downloads/finditnt2000xp.zip
* Unzip the contents of finditnt2000xp.zip to a convenient location.
* Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
* A command prompt will open and it will search your computer for malicious files.
* Once it has finished a Notepad window will pop up with output.txt.
* Copy the entire contents of output.txt into your next post.
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
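Find.bat's output includes the Winlogon\Notify subkeys as a REGEDIT4 export (its "Keys Under Notify" section). Each of those subkeys names a DLL that winlogon.exe loads and calls on logon, lock, logoff and shutdown events, so anything registered there runs with winlogon's privileges in every session, which is why the tool dumps them. The script below is an added example, not part of the Find It tool or of this thread. It parses such an export (including the hex(2) REG_EXPAND_SZ form of DllName and the stray spaces the forum inserts into long lines), then flags every subkey whose DLL is not in a baseline set or is registered by absolute path. The baseline is an assumption compiled from the stock XP SP2 entries posted in this thread, not an official Microsoft list; the sample export embedded in the script is constructed to mirror three of those entries.

```python
"""Audit the "Keys Under Notify" REGEDIT4 export that Find.bat produces.

Added example, not part of the Find It tool or this thread. The baseline
below is an assumption taken from the stock XP SP2 entries seen in the thread.
"""
import re

NOTIFY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Lower-cased basenames of the DLLs a stock XP SP2 registers under Winlogon\Notify
# (assumption: compiled from the export in this thread, not an official list).
BASELINE_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                 "wlnotify.dll", "sclgntfy.dll", "wgalogon.dll"}

SECTION_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def decode_reg_value(raw):
    """Decode the right-hand side of a REGEDIT4 value line.

    Handles "quoted" REG_SZ (regedit doubles backslashes), dword:XXXXXXXX and
    hex / hex(2) byte lists. hex(2) is REG_EXPAND_SZ; REGEDIT4 exports it as ANSI
    bytes, newer exports as UTF-16LE, and both are handled. Spaces the forum
    inserted into the byte list are ignored because only hex pairs are read.
    """
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\(\d+\))?:(.*)$", raw)
    if m:
        data = bytes(int(h, 16) for h in re.findall(r"[0-9a-fA-F]{2}", m.group(1)))
        if len(data) >= 2 and data[0] != 0 and data[1] == 0:
            text = data.decode("utf-16-le", errors="replace")
        else:
            text = data.decode("latin-1")
        return text.rstrip("\x00")
    return raw


def parse_regedit4(text):
    """Return {key_path: {value_name: value}} for a REGEDIT4 export."""
    keys, current, pending = {}, None, ""
    for line in text.splitlines():
        line = line.rstrip()
        if pending:                       # join a trailing-backslash continuation
            line, pending = pending + line.strip(), ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_reg_value(m.group(2))
        elif line.startswith("@=") and current is not None:
            keys[current]["@"] = decode_reg_value(line[2:])
    return keys


def audit_notify(keys):
    """Flag Notify subkeys whose DLL is outside the baseline or given by full path."""
    findings = []
    for path, values in keys.items():
        if "\\Winlogon\\Notify\\" not in path:
            continue
        dll = next((v for n, v in values.items() if n.lower() == "dllname"), None)
        if dll is None:                   # e.g. Notify\WgaLogon\Settings has no DllName
            continue
        basename = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        reasons = []
        if basename not in BASELINE_DLLS:
            reasons.append("not in XP baseline")
        if "\\" in dll:
            reasons.append("registered by absolute path")
        if reasons:
            findings.append((path.rsplit("\\", 1)[-1], dll, "; ".join(reasons)))
    return findings


# Constructed sample in the shape of this thread's export (three of its entries).
SAMPLE_EXPORT = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c, 00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
"DllName"="C:\\WINDOWS\\system32\\klogon.dll"
"Logon"="WLEventStop"
@=""
'''

if __name__ == "__main__":
    import sys
    export = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for subkey, dll, why in audit_notify(parse_regedit4(export)):
        print("%-14s %-36s %s" % (subkey, dll, why))
```

On this thread's export the only hit is klogon, which points at C:\WINDOWS\system32\klogon.dll, Kaspersky's own logon component; a finding from this script is a lead to verify (vendor, file signature, install date, whether the file is where it claims to be), not a verdict. Paste the whole "Keys Under Notify" section into a file and pass its name as the first argument; the REGEDIT4 header and unrelated keys are ignored.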
Find.bat is running from: C:\finditnt2000xp\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 10F8-53AC
Directory of C:\WINDOWS\System32
05/26/2006 06:54 PM <DIR> dllcache
05/05/2006 02:46 PM <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 45,233,860,608 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 10F8-53AC
Directory of C:\WINDOWS\System32
05/26/2006 06:54 PM <DIR> dllcache
05/05/2006 02:27 PM 488 logonui.exe.manifest
05/05/2006 02:27 PM 488 WindowsLogon.manifest
05/05/2006 02:27 PM 749 nwc.cpl.manifest
05/05/2006 02:27 PM 749 sapi.cpl.manifest
05/05/2006 02:27 PM 749 wuaucpl.cpl.manifest
05/05/2006 02:27 PM 749 cdplayer.exe.manifest
05/05/2006 02:27 PM 749 ncpa.cpl.manifest
7 File(s) 4,721 bytes
1 Dir(s) 45,233,860,608 bytes free
------------ Files Named "Guard" ---------------
Volume in drive C has no label.
Volume Serial Number is 10F8-53AC
Directory of C:\WINDOWS\System32
------ Temp Files in System32 Directory ------
Volume in drive C has no label.
Volume Serial Number is 10F8-53AC
Directory of C:\WINDOWS\System32
03/31/2003 08:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 45,233,856,512 bytes free
------------------ User Agent ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"sv1"=""
------------- Keys Under Notify -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\klogon.dll"
"Logon"="WLEventStop"
"Startup"="WLEventStart"
"Lock"="WLEventStart"
"Unlock"="WLEventStop"
"Logoff"="WLEventStart"
@=""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,67,61,4c,6f,67,6f,6e,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]
"Data"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,\
  00,00,ab,b3,1f,2b,f1,e2,bb,44,98,d5,68,59,9a,38,8e,85,04,00,00,00,04,00,00,\
  00,53,00,00,00,03,66,00,00,a8,00,00,00,10,00,00,00,1c,a4,9f,ba,5b,0f,fa,fe,\
  ad,97,ac,21,a4,f0,e3,4c,00,00,00,00,04,80,00,00,a0,00,00,00,10,00,00,00,69,\
  f7,2a,bd,58,d4,9f,2b,19,c3,bd,bd,67,bd,80,e0,20,00,00,00,d5,5b,68,e5,3e,29,\
  2c,cd,45,c0,20,9f,92,dd,da,eb,ef,f3,f7,f8,cb,5c,b9,ae,aa,5c,8e,1b,91,e3,c1,\
  28,14,00,00,00,32,49,0f,d8,e6,17,e4,64,37,85,ff,ac,0c,0a,8b,a2,09,f5,2b,ad
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
------------- Locate.com Results -------------
C:\WINDOWS\SYSTEM32\
cdplay~1.man Fri May 5 2006 2:27:28p A..HR 749 0.73 K
logonu~1.man Fri May 5 2006 2:27:34p A..HR 488 0.48 K
ncpacp~1.man Fri May 5 2006 2:27:28p A..HR 749 0.73 K
nwccpl~1.man Fri May 5 2006 2:27:28p A..HR 749 0.73 K
sapicp~1.man Fri May 5 2006 2:27:28p A..HR 749 0.73 K
window~1.man Fri May 5 2006 2:27:34p A..HR 488 0.48 K
wuaucp~1.man Fri May 5 2006 2:27:28p A..HR 749 0.73 K
7 items found: 7 files, 0 directories.
Total of file sizes: 4,721 bytes 4.61 K
-------- Strings.exe Qoologic Results --------
--------- Strings.exe Aspack Results ---------
C:\WINDOWS\system32\MRT.exe: (ASPack)
C:\WINDOWS\system32\MRT.exe: (AsPack2k)
C:\WINDOWS\system32\MRT.exe: ASPack2000
C:\WINDOWS\system32\MRT.exe: (Aspack %s)
C:\WINDOWS\system32\MRT.exe: ASPack 1.61
C:\WINDOWS\system32\MRT.exe: ASPack 1.084
C:\WINDOWS\system32\MRT.exe: ASPack 1.083
C:\WINDOWS\system32\MRT.exe: ASPack 1.08.02b
C:\WINDOWS\system32\MRT.exe: ASPack 1.07b
C:\WINDOWS\system32\MRT.exe: ASPack 1.05b
C:\WINDOWS\system32\MRT.exe: ASPack 1.02
C:\WINDOWS\system32\MRT.exe: ASPACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\ntdll.dll: .aspack
-------------- HKLM Run Key ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="C:\\WINDOWS\\System32\\WLTRAY"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"LManager"="C:\\Program Files\\Launch Manager\\QtZgAcer.EXE"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"Acronis True Image Monitor"="\"C:\\Program Files\\Acronis\\TrueImage\\TrueImageMonitor.exe\""
"Acronis Scheduler2 Service"="\"C:\\Program Files\\Common Files\\Acronis\\Schedule2\\schedhlp.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"SiSPower"="Rundll32.exe SiSPower.dll,ModeAgent"
"kis"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\avp.exe\""
"SoundMan"="SOUNDMAN.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
OK. I did another KL Dump on UDP Port 1026 yesterday, 5/29/06 at 4:20pm.
STILL!! getting these messages put into this port even after this; anyway, it
must be inevitable even when you have the Messenger service disabled (probably
MS is up to this). Oh well. Thank you for your help, Neal. I guess you can call this
resolved, but I think there should be some way to stop this. I know there is NOTHING
wrong with my registry and have NO virus on this computer. At least one thing: it runs
a lot faster.
Rick
Here's my dump log on UDP Port 1026:
[unprintable bytes] Windows $ $ inform you about a virus detection WARNING! A critical virus was found on your system.
Follow this steps to fix your system before it gets damaged:
1) Open Internet Explorer or your default web browser.
2) Type in the navigation bar: http://www.rclean.com
3) Download MicroAntivirus and install it on your system.
4) Run MicroAntivirus to fix your system successfully.
Upon completion these warnings will STOP. www.rclean.com
[unprintable bytes] Update Compro WINDOWS ERROR MESSAGE - REGISTRY DAMANGED
Your Windows registry is corrupted and needs to be cleaned immediately.
Compromised registry files can lead to the following:
1. Complete access of your PC by hackers
2. Slow speeds resulting in slow downloads of internet files
3. The compromise of personal information stored on your computer
4. Complete system failure resulting in the need for a costly reinstall of your hard drive.
To fix this registry problem:
1. Open Internet Explorer
2. In the URL Field type - www.registrycleanerxp.com
3. Note that all versions of windows are supported.
4. Once you load the program, close this window.
Please note that once you visit www.registrycleanerxp.com and install the
cleaner program you will not receive any more reminders or pop-ups like this one. www.registrycleanerxp.com
[unprintable bytes] SECURITY ALERT N N STOP! COMPUTER REQUIRES IMMEDIATE ATTENTION.
You computer may have CRITICAL SYSTEM ERRORS
To fix the errors please do the following:
1. Download Registry Repair from: http://www.registryupdates.com
2. Install Registry Repair
3. Run Registry Repair
4. Reboot your computer
FAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION!
[unprintable bytes] Updated Comprom YOUR WINDOWS REGISTRY IS SEVERELY DAMAGED.
You must clean your Windows Registry on a regular basis to keep your
computer clean and efficient. Doing so will reduce application error messages,
improve startup speeds, and increase overall computer performance.
Windows Registry Cleaner will also clean and repair unwanted debris left
behind by adware and spyware, and prevent unwanted popup messages. www.winregistrycleaner.com
Last edited by kr4ey; 30-05-2006 at 07:20 PM.
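The text in that dump is the payload of Messenger-service ("net send") spam: unsolicited connectionless DCE RPC request datagrams aimed at the msgsvc endpoint, which on Windows XP normally sits on UDP 1026 (1027-1029 are also used). Disabling the Messenger service stops the pop-ups because nothing decodes the datagrams any more; it does not stop them arriving at the interface, which is why the dump keeps filling up and why the host firewall keeps reporting them as blocked attacks. The script below is an added example, not from the thread, from KLdump or from Kaspersky. It constructs one such datagram (sample data; the text is abridged from the capture above), parses the 80-byte connectionless DCE RPC header, and pulls the printable text out of the stub the way strings.exe would, flagging the usual spam markers. Assumptions: little-endian data representation, the msgsvc interface UUID and the NetrSendMessage opnum 0 as remembered from the Wireshark messenger dissector (verify before relying on them), and a stub of three NDR conformant char arrays (from, to, text), which is the shape the strings take in a capture but not a verified copy of the real NetrSendMessage argument layout.

```python
"""Decode the connectionless DCE RPC datagrams behind Messenger-service pop-ups.

Added example, not from this thread or from KLdump. Builds a sample datagram of
the kind spammers send to UDP 1026-1029, parses the CL DCE RPC header and
extracts the printable stub text. See the assumptions noted in the comments.
"""
import re
import struct
import uuid

# 80-byte connectionless DCE RPC header (DCE 1.1 spec): rpc_vers, ptype, flags1,
# flags2, drep[3], serial_hi, object, if_id, act_id, server_boot, if_vers,
# seqnum, opnum, ihint, ahint, len, fragnum, auth_proto, serial_lo.
CL_HDR = struct.Struct("<BBBB3sB16s16s16sIIIHHHHHBB")
PTYPE_REQUEST = 0
# Messenger service (msgsvc) interface id, quoted from memory of the Wireshark
# dissector: treat as an assumption and verify before relying on it.
MSGSVC_IF_ID = uuid.UUID("17fdd703-1827-4e34-79d4-24a55c53bb37")
SPAM_MARKERS = ("http://", "www.", "virus", "registry", "download")


def parse_cl_rpc(datagram):
    """Return header fields and the stub of a connectionless DCE RPC datagram."""
    if len(datagram) < CL_HDR.size:
        raise ValueError("datagram shorter than the CL RPC header")
    (rpc_vers, ptype, _flags1, _flags2, drep, _serial_hi, _obj, if_id, _act,
     _boot, if_vers, seqnum, opnum, _ihint, _ahint, length, fragnum,
     _auth, _serial_lo) = CL_HDR.unpack_from(datagram)
    if rpc_vers != 4:
        raise ValueError("rpc_vers %d is not connectionless DCE RPC" % rpc_vers)
    if not drep[0] & 0x10:                # bit 4 of drep[0] set = little-endian ints
        raise ValueError("big-endian integer representation not handled here")
    return {
        "ptype": ptype,
        "if_id": uuid.UUID(bytes_le=if_id),   # UUIDs travel in drep byte order
        "if_vers": if_vers,
        "seqnum": seqnum,
        "opnum": opnum,
        "fragnum": fragnum,
        "body": datagram[CL_HDR.size:CL_HDR.size + length],
    }


def printable_runs(data, min_len=4):
    """Extract runs of printable ASCII, like the strings utility does."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def classify(datagram):
    """Report whether a datagram looks like a Messenger spam request, and why."""
    pkt = parse_cl_rpc(datagram)
    text = " ".join(printable_runs(pkt["body"]))
    lowered = text.lower()
    return {
        "is_msgsvc_request": pkt["ptype"] == PTYPE_REQUEST and pkt["if_id"] == MSGSVC_IF_ID,
        "opnum": pkt["opnum"],            # 0 = NetrSendMessage (assumption, see above)
        "text": text,
        "spam_markers": [m for m in SPAM_MARKERS if m in lowered],
    }


def ndr_conformant_string(s):
    """NDR conformant char array: max_count, offset, actual_count, bytes, 4-byte pad."""
    raw = s.encode("ascii") + b"\x00"
    return struct.pack("<III", len(raw), 0, len(raw)) + raw + b"\x00" * (-len(raw) % 4)


def build_spam_datagram(from_name, to_name, text, seqnum=1):
    """Construct a request like the ones in the dump (sample data, not a capture)."""
    stub = b"".join(ndr_conformant_string(s) for s in (from_name, to_name, text))
    act_id = uuid.UUID(int=0x1234567890abcdef1234567890abcdef)  # constructed activity id
    header = CL_HDR.pack(4, PTYPE_REQUEST, 0, 0, b"\x10\x00\x00", 0,
                         b"\x00" * 16, MSGSVC_IF_ID.bytes_le, act_id.bytes_le,
                         0, 1, seqnum, 0, 0xFFFF, 0xFFFF, len(stub), 0, 0, 0)
    return header + stub


# Constructed sample; the text is abridged from the capture posted in this thread.
SAMPLE_TEXT = ("WARNING! A critical virus was found on your system. "
               "Type in the navigation bar: http://www.rclean.com "
               "Download MicroAntivirus and install it on your system.")
SAMPLE_DATAGRAM = build_spam_datagram("Windows", "*", SAMPLE_TEXT)

if __name__ == "__main__":
    print(classify(SAMPLE_DATAGRAM))
```

To make the datagrams stop rather than merely go unanswered, drop inbound UDP 135-139, 445 and 1026-1029 at the router or the host firewall; on XP SP2 the Windows Firewall refuses unsolicited inbound traffic by default, and Kaspersky was already doing the same, which is what its "attack blocked" notices were reporting.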