Topic: Please help Avast found this trojan file cp1041.nls


jbalcorn

  • Guest
Re: Please help Avast found this trojan file cp1041.nls
« Reply #75 on: January 17, 2008, 04:49:30 AM »
I keep forgetting to ask do I turn the system recovery back on yet?

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Please help Avast found this trojan file cp1041.nls
« Reply #76 on: January 17, 2008, 05:06:25 AM »
Yes, please turn system restore on.

What version of Norton did you have? We'll remove what's left with their tools. Then go after whatever is bringing that bug back.

The anti root kit is okay to keep, no conflicts there.

jbalcorn

  • Guest
Re: Please help Avast found this trojan file cp1041.nls
« Reply #77 on: January 17, 2008, 05:08:16 AM »
I'm not sure, it was either Norton Utilities 2002 or Norton Systemworks 2003.

Offline oldman
Re: Please help Avast found this trojan file cp1041.nls
« Reply #78 on: January 17, 2008, 05:25:23 AM »
I saw Utilities 2002 in the combofix log and there are only manual removal instructions.

Did you do the command prompt removal of the nprotect folder?

If not, then do that now.

Then open HJT, run a system scan only, checkmark these lines, if present

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.playfirst.com/play/game/dinerdash2/dinerdash2.cab


Click Fix and close HJT.

Run combofix again and post that log along with a new HJT log.

You can attach the logs using the additional options button on the reply page.

jbalcorn

Re: Please help Avast found this trojan file cp1041.nls
« Reply #79 on: January 17, 2008, 05:36:59 AM »
Here is the combofix log

jbalcorn

Re: Please help Avast found this trojan file cp1041.nls
« Reply #80 on: January 17, 2008, 05:37:49 AM »
Here is the hijackthis log after I fixed the files you mentioned. 

jbalcorn

Re: Please help Avast found this trojan file cp1041.nls
« Reply #81 on: January 17, 2008, 05:45:27 AM »
I did the thing from post #57 if that is what you are talking about. 

jbalcorn

Re: Please help Avast found this trojan file cp1041.nls
« Reply #82 on: January 17, 2008, 05:46:28 AM »
I didn't see this anywhere in the hijackthis when I ran it
http://www.playfirst.com/play/game/dinerdash2/dinerdash2.cab

Offline oldman
Re: Please help Avast found this trojan file cp1041.nls
« Reply #83 on: January 17, 2008, 06:42:19 AM »
Good.
Sometimes the lines disappear when the program is removed.

I have to take a break from this for a few hours. My real job is calling. I'll get back to this asap.

For now do this

Open the Windows Control Panel
Double-click Power Options

Click the Hibernate tab, uncheck the 'Enable hibernate support' check box, and then click Apply.

Restart your computer and let me know if you get another warning. I'll go over your logs with a fine tooth comb when I get home in a couple of hours.

jbalcorn

Re: Please help Avast found this trojan file cp1041.nls
« Reply #84 on: January 17, 2008, 01:54:59 PM »
Hi,
I had to get some sleep after the 7 hours on the computer last night. I also have to be out for several hours today and won't be back until sometime after 1 or so EST. I did what your last post said and restarted the computer, and the same warning came up in avast and I moved it to the chest. I'll check back as soon as I get back home this afternoon.
Thank you so much.

Offline oldman
Re: Please help Avast found this trojan file cp1041.nls
« Reply #85 on: January 17, 2008, 10:47:02 PM »
Well, let's take a deeper look.

Pay particular attention to Notepad's format as given in the instructions.

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
      NOTE: no additional scan required at this time
    • Now click the Run Scan button on the toolbar.
    • Let it run unhindered until it finishes.
    • When the scan is complete Notepad will open with the report file loaded in it.
    • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
    This log will be quite long. You can either use multiple posts or attach the log file if it's easier. In either case make sure the last line is < End of Report >.

    Just set it like in the picture in this link, except change the two dates from 30 days to 90 days.


    http://forum.avast.com/index.php?topic=31261.msg260811#msg260811

    click the pic to enlarge


    jbalcorn

    Re: Please help Avast found this trojan file cp1041.nls
    « Reply #86 on: January 18, 2008, 12:55:10 AM »
    WinPFind3 logfile created on: 1/18/2008 6:02:51 PM
    WinPFind3U by OldTimer - Version 1.0.44   Folder = C:\Documents and Settings\Owner\Desktop\WinPFind3u\
    Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
    Internet Explorer (Version = 6.0.2900.2180)
     
    895.36 Mb Total Physical Memory | 400.54 Mb Available Physical Memory | 44.74% Memory free
    2.12 Gb Paging File | 1.54 Gb Available in Paging File | 72.65% Paging File free
    Paging file location(s): C:\pagefile.sys 1344 2688;
     
    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 182.23 Gb Total Space | 161.08 Gb Free Space | 88.39% Space Free
    Drive D: | 4.06 Gb Total Space | 2.38 Gb Free Space | 58.70% Space Free
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded

    Computer Name: ALCORN
    Current User Name: Owner
    Logged in as Administrator.
    Current Boot Mode: Normal


    [Processes - Non-Microsoft Only]
    aolacsd.exe -> %CommonProgramFiles%\AOL\ACS\AOLacsd.exe -> AOL LLC [Ver = 4.6.1.2               | Size = 46640 bytes | Modified Date = 10/23/2006 7:50:36 AM | Attr = R  ]
    aoltpspd.exe -> %CommonProgramFiles%\AOL\TopSpeed\2.0\aoltpspd.exe -> America Online Inc [Ver = 2, 0, 0, 0 | Size = 46768 bytes | Modified Date = 10/15/2004 3:54:12 PM | Attr =    ]
    aoltsmon.exe -> %CommonProgramFiles%\AOL\TopSpeed\2.0\aoltsmon.exe -> America Online, Inc [Ver = 2, 0, 0, 0 | Size = 100016 bytes | Modified Date = 10/15/2004 3:54:14 PM | Attr =    ]
    ashdisp.exe -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 79224 bytes | Modified Date = 12/4/2007 8:00:24 AM | Attr =    ]
    ashmaisv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 247160 bytes | Modified Date = 12/4/2007 7:59:54 AM | Attr =    ]
    ashserv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 140664 bytes | Modified Date = 12/4/2007 8:00:16 AM | Attr =    ]
    ashwebsv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 345464 bytes | Modified Date = 12/4/2007 7:59:02 AM | Attr =    ]
    aswupdsv.exe -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 17272 bytes | Modified Date = 12/4/2007 9:36:34 AM | Attr =    ]
    cdac11ba.exe -> %System32%\drivers\CDAC11BA.EXE -> C-Dilla Ltd [Ver = 4.11.050 | Size = 39936 bytes | Modified Date = 7/21/2006 6:55:32 PM | Attr =    ]
    desktopweather.exe -> %ProgramFiles%\The Weather Channel FW\Desktop Weather\DesktopWeather.exe -> The Weather Channel Interactive [Ver = 5, 0, 1, 0 | Size = 715888 bytes | Modified Date = 10/30/2006 3:27:24 PM | Attr =    ]
    mgapp.exe -> %ProgramFiles%\Magentic\bin\MgApp.exe ->  [Ver = 1, 3, 1, 0547 | Size = 106537 bytes | Modified Date = 10/9/2007 1:42:14 PM | Attr =    ]
    nvsvc32.exe -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.8133 | Size = 131139 bytes | Modified Date = 9/18/2005 11:32:00 AM | Attr =    ]
    pctsauxs.exe -> %ProgramFiles%\Spyware Doctor\pctsAuxs.exe -> PC Tools [Ver = 5.5.0.37 | Size = 747912 bytes | Modified Date = 12/10/2007 2:53:44 PM | Attr =    ]
    pctssvc.exe -> %ProgramFiles%\Spyware Doctor\pctsSvc.exe -> PC Tools [Ver = 5.5.0.68 | Size = 946568 bytes | Modified Date = 12/10/2007 2:53:46 PM | Attr =    ]
    pctstray.exe -> %ProgramFiles%\Spyware Doctor\pctsTray.exe -> PC Tools [Ver = 5.5.0.51 | Size = 1103752 bytes | Modified Date = 12/10/2007 2:53:46 PM | Attr =    ]
    prismxl.sys -> %CommonProgramFiles%\New Boundary\PrismXL\PRISMXL.SYS -> New Boundary Technologies, Inc. [Ver = 6.0.1.22 | Size = 172032 bytes | Modified Date = 1/31/2006 10:40:32 PM | Attr =    ]
    qttask.exe -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 6.5 | Size = 98304 bytes | Modified Date = 1/31/2006 10:53:22 PM | Attr =    ]
    uaservice7.exe -> %System32%\UAService7.exe ->  [Ver =  | Size = 126976 bytes | Modified Date = 10/6/2007 6:44:34 PM | Attr =    ]
    washer.exe -> %ProgramFiles%\Washer\washer.exe -> Webroot Software, Inc. [Ver = 4.7.1024.2 | Size = 428544 bytes | Modified Date = 8/15/2002 3:07:02 AM | Attr =    ]
    webshots.scr -> %ProgramFiles%\Webshots\Webshots.scr -> Webshots.com [Ver = 2, 5, 1, 7009 | Size = 1650688 bytes | Modified Date = 10/9/2006 12:56:34 PM | Attr =    ]
    winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.44.0 | Size = 371200 bytes | Modified Date = 11/21/2007 9:19:46 AM | Attr =    ]

    [Win32 Services - Non-Microsoft Only]
    (AOL ACS) AOL Connectivity Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\AOL\ACS\AOLacsd.exe -> AOL LLC [Ver = 4.6.1.2               | Size = 46640 bytes | Modified Date = 10/23/2006 7:50:36 AM | Attr = R  ]
    (AOL TopSpeedMonitor) AOL TopSpeed Monitor [Win32_Own | Auto | Running] -> %CommonProgramFiles%\AOL\TopSpeed\2.0\aoltsmon.exe -> America Online, Inc [Ver = 2, 0, 0, 0 | Size = 100016 bytes | Modified Date = 10/15/2004 3:54:14 PM | Attr =    ]
    (aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 17272 bytes | Modified Date = 12/4/2007 9:36:34 AM | Attr =    ]
    (avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 140664 bytes | Modified Date = 12/4/2007 8:00:16 AM | Attr =    ]
    (avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 247160 bytes | Modified Date = 12/4/2007 7:59:54 AM | Attr =    ]
    (avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 345464 bytes | Modified Date = 12/4/2007 7:59:02 AM | Attr =    ]
    (C-DillaCdaC11BA) C-DillaCdaC11BA [Win32_Own | Auto | Running] -> %System32%\drivers\CDAC11BA.EXE -> C-Dilla Ltd [Ver = 4.11.050 | Size = 39936 bytes | Modified Date = 7/21/2006 6:55:32 PM | Attr =    ]
    (dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/10/2004 2:00:00 PM | Attr =    ]
    (gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.2.824.5515.beta | Size = 138680 bytes | Modified Date = 9/2/2007 11:06:42 PM | Attr =    ]
    (IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\1050\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 10.50.125 | Size = 73728 bytes | Modified Date = 10/22/2004 2:24:18 AM | Attr =    ]
    (NVSvc) NVIDIA Display Driver Service [Win32_Own | Auto | Running] -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.8133 | Size = 131139 bytes | Modified Date = 9/18/2005 11:32:00 AM | Attr =    ]
    (PrismXL) PrismXL [Win32_Own | Auto | Running] -> %CommonProgramFiles%\New Boundary\PrismXL\PRISMXL.SYS -> New Boundary Technologies, Inc. [Ver = 6.0.1.22 | Size = 172032 bytes | Modified Date = 1/31/2006 10:40:32 PM | Attr =    ]
    (sdAuxService) PC Tools Auxiliary Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Spyware Doctor\pctsAuxs.exe -> PC Tools [Ver = 5.5.0.37 | Size = 747912 bytes | Modified Date = 12/10/2007 2:53:44 PM | Attr =    ]
    (sdCoreService) PC Tools Security Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Spyware Doctor\pctsSvc.exe -> PC Tools [Ver = 5.5.0.68 | Size = 946568 bytes | Modified Date = 12/10/2007 2:53:46 PM | Attr =    ]
    (ThreatFire) ThreatFire [Win32_Own | Auto | Stopped] ->  -> File not found
    (UserAccess7) SecuROM User Access Service (V7) [Win32_Own | Auto | Running] -> %System32%\UAService7.exe ->  [Ver =  | Size = 126976 bytes | Modified Date = 10/6/2007 6:44:34 PM | Attr =    ]
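
A small triage helper for logs in this format, added here as an example; it is not part of the thread and not OldTimer's code. It parses the " -> " separated entry lines WinPFind3u writes (a few copied from the log above serve as the sample input) and flags what a helper would check first: an auto-start service whose binary is reported as "File not found" (here ThreatFire, a leftover registration), and executables with no company name in their version resource, especially ones sitting directly in %System32%. A flag is a prompt to verify the file by hash and signature, not a verdict: UAService7.exe has no vendor string, but the log's own service description identifies it as SecuROM's User Access Service. The regular expressions assume the exact field layout shown in the log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: lines copied from the [Processes] and
# [Win32 Services] sections of the WinPFind3u log posted in this thread.
# Every entry in that log uses the same " -> " separated layout.
SAMPLE_LOG = r"""
[Processes - Non-Microsoft Only]
mgapp.exe -> %ProgramFiles%\Magentic\bin\MgApp.exe ->  [Ver = 1, 3, 1, 0547 | Size = 106537 bytes | Modified Date = 10/9/2007 1:42:14 PM | Attr =    ]
nvsvc32.exe -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.8133 | Size = 131139 bytes | Modified Date = 9/18/2005 11:32:00 AM | Attr =    ]
uaservice7.exe -> %System32%\UAService7.exe ->  [Ver =  | Size = 126976 bytes | Modified Date = 10/6/2007 6:44:34 PM | Attr =    ]
cdac11ba.exe -> %System32%\drivers\CDAC11BA.EXE -> C-Dilla Ltd [Ver = 4.11.050 | Size = 39936 bytes | Modified Date = 7/21/2006 6:55:32 PM | Attr =    ]

[Win32 Services - Non-Microsoft Only]
(ThreatFire) ThreatFire [Win32_Own | Auto | Stopped] ->  -> File not found
(UserAccess7) SecuROM User Access Service (V7) [Win32_Own | Auto | Running] -> %System32%\UAService7.exe ->  [Ver =  | Size = 126976 bytes | Modified Date = 10/6/2007 6:44:34 PM | Attr =    ]
"""

SECTION_RE = re.compile(r"^\[(?P<section>.+)\]$")
# name -> path -> vendor [Ver = ... | Size = ... | Modified Date = ... | Attr = ...]
ENTRY_RE = re.compile(r"^(?P<name>.+?) -> (?P<path>.*?) -> (?P<rest>.*)$")
# (ShortName) Display Name [Win32_Own | Auto | Running]
SERVICE_RE = re.compile(
    r"^\((?P<svc>[^)]+)\) .*\[(?P<type>[^|\]]+) \| (?P<start>[^|\]]+) \| (?P<state>[^\]]+)\]$"
)
DETAIL_RE = re.compile(
    r"^(?P<vendor>.*?)\s*\[Ver = (?P<ver>.*?) \| Size = (?P<size>\d+) bytes \| "
    r"Modified Date = (?P<date>.*?) \| Attr = (?P<attr>.*?)\]$"
)


@dataclass
class Entry:
    section: str
    name: str            # process image name, or the short service name
    path: str
    vendor: str          # "" when the log shows no company name
    version: str
    file_found: bool
    start_type: Optional[str] = None   # services only: Auto / On_Demand / ...
    state: Optional[str] = None        # services only: Running / Stopped


def parse_winpfind(text: str) -> List[Entry]:
    """Turn the ' -> ' separated WinPFind3u lines into Entry records."""
    entries: List[Entry] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()          # forum pastes often carry leading spaces
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        name, path, rest = m.group("name"), m.group("path"), m.group("rest").strip()
        start_type = state = None
        sm = SERVICE_RE.match(name)
        if sm:  # service lines carry the short name and start/state in the first field
            name, start_type, state = sm.group("svc"), sm.group("start"), sm.group("state")
        if rest == "File not found":
            entries.append(Entry(section, name, path, "", "", False, start_type, state))
            continue
        dm = DETAIL_RE.match(rest)
        vendor = dm.group("vendor").strip() if dm else ""
        version = dm.group("ver").strip() if dm else ""
        entries.append(Entry(section, name, path, vendor, version, True, start_type, state))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (name, reason) pairs for the entries a helper should look at first."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        if not e.file_found:
            if e.start_type == "Auto":
                findings.append((e.name, "auto-start service whose binary is missing "
                                         "(orphaned uninstall or a deleted payload)"))
            else:
                findings.append((e.name, "registered entry whose file is missing"))
        elif not e.vendor:
            where = " in %System32%" if e.path.startswith("%System32%") else ""
            findings.append((e.name, f"no company name in version info{where}; "
                                     "verify the file hash before trusting it"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(parse_winpfind(SAMPLE_LOG)):
        print(f"{name:16} {reason}")
```

Run against the full log rather than the sample, the same two rules also pick out the vendor-less Webshots Launcher.exe and Magentic.exe startup entries further down; everything with a known vendor and an existing file drops out of the first pass, which is the point of the exercise.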

    jbalcorn

    Re: Please help Avast found this trojan file cp1041.nls
    « Reply #87 on: January 18, 2008, 12:56:21 AM »
    [Registry - Non-Microsoft Only]
    < Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
    avast! -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 79224 bytes | Modified Date = 12/4/2007 8:00:24 AM | Attr =    ]
    ISTray -> %ProgramFiles%\Spyware Doctor\pctsTray.exe -> PC Tools [Ver = 5.5.0.51 | Size = 1103752 bytes | Modified Date = 12/10/2007 2:53:46 PM | Attr =    ]
    NvCplDaemon -> %System32%\nvcpl.dll [RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup] -> NVIDIA Corporation [Ver = 6.14.10.8133 | Size = 7204864 bytes | Modified Date = 9/18/2005 11:32:00 AM | Attr =    ]
    QuickTime Task -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 6.5 | Size = 98304 bytes | Modified Date = 1/31/2006 10:53:22 PM | Attr =    ]
    < RunOnceEx [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx ->
     ->  -> File not found
    < OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
    IMAIL -> Installed = 1 ->
    MAPI -> Installed = 1 ->
    MSFS -> Installed = 1 ->
    < Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
    DW4 -> %ProgramFiles%\The Weather Channel FW\Desktop Weather\DesktopWeather.exe -> The Weather Channel Interactive [Ver = 5, 0, 1, 0 | Size = 715888 bytes | Modified Date = 10/30/2006 3:27:24 PM | Attr =    ]
    Magentic -> %ProgramFiles%\Magentic\bin\Magentic.exe ->  [Ver = 1, 3, 1, 0547 | Size = 475180 bytes | Modified Date = 10/9/2007 1:42:52 PM | Attr =    ]
    Washer -> %ProgramFiles%\Washer\washer.exe -> Webroot Software, Inc. [Ver = 4.7.1024.2 | Size = 428544 bytes | Modified Date = 8/15/2002 3:07:02 AM | Attr =    ]
    < User Startup > -> C:\Documents and Settings\Owner\Start Menu\Programs\Startup ->
    %UserStartup%\Webshots.lnk -> %ProgramFiles%\Webshots\Launcher.exe ->  [Ver =  | Size = 45056 bytes | Modified Date = 10/9/2006 12:52:18 PM | Attr =    ]
    < SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
    < Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
    < Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
    < CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->  ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments\ ->  ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments\\ScanWithAntiVirus -> 2 ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ ->  ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\LinkResolveIgnoreLinkInfo -> 0 ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoResolveSearch -> 1 ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> 67108863 ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 255 ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ ->  ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ ->  ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ ->  ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption ->  ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext ->  ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\InstallVisualStyle -> C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\InstallTheme -> C:\WINDOWS\Resources\Themes\Royale.theme ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ ->  ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ ->  ->
    < CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->  ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\\NoResolveTrack -> 1 ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ ->  ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ ->  ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ ->  ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 149 ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\LinkResolveIgnoreLinkInfo -> 0 ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ ->  ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ ->  ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\Shell\ ->  ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ ->  ->



    jbalcorn

    Re: Please help Avast found this trojan file cp1041.nls
    « Reply #88 on: January 18, 2008, 12:56:50 AM »
    < HOSTS File > (1006 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
    127.0.0.1       localhost ->  ->
    127.0.0.1 multitrader.info ->  ->
    127.0.0.1 reggame.biz ->  ->
    127.0.0.1 tele-globus.biz ->  ->
    127.0.0.1 newasp.com.cn ->  ->
    127.0.0.1 mygolddinar.com ->  ->
    127.0.0.1 xfatum.com ->  ->
    127.0.0.1 think-adz2.com ->  ->
    127.0.0.1 cyberica.net ->  ->
    127.0.0.1 netw8.info ->  ->
    127.0.0.1 vpt-studio.com ->  ->
    127.0.0.1 netw6.info ->  ->
    < Internet Explorer Settings > ->  ->
    HKLM: Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome ->
    HKLM: Main\\Default_Search_URL -> http://www.google.com/ie ->
    HKLM: Local Page -> C:\WINDOWS\SYSTEM32\blank.htm ->
    HKLM: Search Page -> http://www.msn.com ->
    HKLM: Start Page -> http://www.msn.com ->
    HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
    HKLM: Search\\Default_Search_URL -> http://www.google.com/ie ->
    HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
    HKCU: Local Page -> C:\WINDOWS\SYSTEM32\blank.htm ->
    HKCU: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
    HKCU: Start Page -> http://www.msn.com/ ->
    HKCU: SearchAssistant -> http://www.google.com/ie ->
    HKCU: URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2006, 10, 26, 1 | Size = 440384 bytes | Modified Date = 10/26/2006 10:28:40 AM | Attr =    ]
    HKCU: ProxyEnable -> 0 ->
    < Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
    msn.com [ - ] ->  ->
    < Trusted Sites > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
    samsung-emp.com [*] ->  ->
    samsunggsbn.com [*] ->  ->
    samsungwireless.com [*] ->  ->

    < BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
    {02478D38-C3F9-4EFB-9B51-7695ECA05670} [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar Helper] -> Yahoo! Inc. [Ver = 2006, 10, 26, 1 | Size = 440384 bytes | Modified Date = 10/26/2006 10:28:40 AM | Attr =    ]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 59032 bytes | Modified Date = 12/18/2006 4:16:42 AM | Attr =    ]
    {53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [] -> Safer Networking Limited [Ver = 1, 4, 0, 0 | Size = 853672 bytes | Modified Date = 5/31/2005 12:04:00 AM | Attr =    ]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_02\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 501136 bytes | Modified Date = 7/12/2007 3:00:36 AM | Attr =    ]
    {A057A204-BACC-4D26-CEC4-75A487FD6484} [HKLM] -> %ProgramFiles%\mypoints\mypoints.dll [MYPOINTS] ->   [Ver = 5.0.1.248 | Size = 1909248 bytes | Modified Date = 10/2/2007 3:31:50 PM | Attr =    ]
    {AA58ED58-01DD-4d91-8333-CF10577473F7} [HKLM] -> %ProgramFiles%\Google\googletoolbar4.dll [Google Toolbar Helper] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/19/2007 11:55:32 PM | Attr = R  ]
    {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKLM] -> %ProgramFiles%\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll [Google Toolbar Notifier BHO] -> Google Inc. [Ver = 2, 1, 615, 5858 | Size = 654832 bytes | Modified Date = 9/2/2007 11:06:44 PM | Attr =    ]
    {CA6319C0-31B7-401E-A518-A07C3DB8F777} [HKLM] -> %System32%\bae.dll [CBrowserHelperObject Object] -> Gateway Inc. [Ver = 1.1.0.1 | Size = 94208 bytes | Modified Date = 2/1/2006 6:54:30 AM | Attr =    ]
    < Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
    {2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar4.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/19/2007 11:55:32 PM | Attr = R  ]
    {327C2873-E90D-4c37-AA9D-10AC9BABA46C} [HKLM] -> %ProgramFiles%\Canon\Easy-WebPrint\Toolband.dll [Easy-WebPrint] ->  [Ver = 2, 5, 1, 6 | Size = 405504 bytes | Modified Date = 8/26/2004 11:27:32 AM | Attr =    ]
    {A057A204-BACC-4D26-CEC4-75A487FD6484} [HKLM] -> %ProgramFiles%\mypoints\mypoints.dll [MYPOINTS] ->   [Ver = 5.0.1.248 | Size = 1909248 bytes | Modified Date = 10/2/2007 3:31:50 PM | Attr =    ]
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2006, 10, 26, 1 | Size = 440384 bytes | Modified Date = 10/26/2006 10:28:40 AM | Attr =    ]
    SITEguard [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
    < Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
    WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar4.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/19/2007 11:55:32 PM | Attr = R  ]
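
An added example, not from the thread, that reviews a HOSTS dump like the one above. A stock Windows XP HOSTS file has a single active line, `127.0.0.1 localhost`; extra loopback entries like the eleven shown are what hosts-file blocklists installed by anti-spyware tools look like and are mostly harmless. Malware tends to do one of two other things: map update or security-vendor domains to 127.0.0.1 so the machine can no longer update or reach help, or map real sites to an address the attacker controls. The checker separates those cases. The last two lines of the sample are constructed and are not from jbalcorn's machine (203.0.113.7 is a documentation address); the vendor-domain watchlist is an illustrative assumption, not a definitive list.

```python
import ipaddress
from typing import Dict, List, Tuple

# Sample input: the twelve HOSTS entries copied from the dump above, plus two
# CONSTRUCTED lines at the end that are not from the machine in this thread.
# They exist only to show what a hijacked entry looks like to the checker.
SAMPLE_HOSTS = """\
# comment lines and blank lines are ignored, as Windows ignores them
127.0.0.1       localhost
127.0.0.1 multitrader.info
127.0.0.1 reggame.biz
127.0.0.1 tele-globus.biz
127.0.0.1 newasp.com.cn
127.0.0.1 mygolddinar.com
127.0.0.1 xfatum.com
127.0.0.1 think-adz2.com
127.0.0.1 cyberica.net
127.0.0.1 netw8.info
127.0.0.1 vpt-studio.com
127.0.0.1 netw6.info
203.0.113.7 windowsupdate.microsoft.com   # constructed: update site sent elsewhere
127.0.0.1 www.avast.com                   # constructed: AV vendor site sinkholed
"""

# Assumed watchlist: update and security-vendor domains whose presence in
# HOSTS is suspicious in itself, whatever address they point at.
SECURITY_DOMAINS = (
    "microsoft.com", "windowsupdate.com", "avast.com", "symantec.com",
    "mcafee.com", "pctools.com", "safer-networking.org", "kaspersky.com",
)


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; '#' comments and blank lines are skipped."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()          # tabs or spaces, one IP then one or more names
        if len(parts) < 2:
            continue
        ip, *hosts = parts
        for host in hosts:
            pairs.append((ip, host.lower()))
    return pairs


def _is_watched(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)


def verdict(ip: str, host: str) -> str:
    """Classify one entry by where it points and which name it captures."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    if host == "localhost" and addr.is_loopback:
        return "default"
    if _is_watched(host):
        # Either way the machine is cut off from updates or help: treat as hostile.
        return "blocks-security-site" if addr.is_loopback else "redirects-security-site"
    if addr.is_loopback:
        # Sinkholed ad/malware domain: the pattern of a blocklist, benign unless unexpected.
        return "sinkholed"
    return "redirect"   # a real name sent to a non-local address: investigate


def review_hosts(text: str) -> List[Tuple[str, str, str]]:
    return [(ip, host, verdict(ip, host)) for ip, host in parse_hosts(text)]


def summarize(text: str) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for _, _, v in review_hosts(text):
        counts[v] = counts.get(v, 0) + 1
    return counts


if __name__ == "__main__":
    for ip, host, v in review_hosts(SAMPLE_HOSTS):
        if v not in ("default", "sinkholed"):
            print(f"{v:24} {ip:15} {host}")
    print(summarize(SAMPLE_HOSTS))
```

On the real dump every entry lands in "default" or "sinkholed", which is why the HOSTS file is not where the cp1041.nls detection is coming from; the two constructed lines show the shape of the entries that would have mattered.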

    jbalcorn

    Re: Please help Avast found this trojan file cp1041.nls
    « Reply #89 on: January 18, 2008, 12:57:13 AM »
    WebBrowser\\{4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
    WebBrowser\\{A057A204-BACC-4D26-CEC4-75A487FD6484} [HKLM] -> %ProgramFiles%\mypoints\mypoints.dll [MYPOINTS] ->   [Ver = 5.0.1.248 | Size = 1909248 bytes | Modified Date = 10/2/2007 3:31:50 PM | Attr =    ]
    WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2006, 10, 26, 1 | Size = 440384 bytes | Modified Date = 10/26/2006 10:28:40 AM | Attr =    ]
    < Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_02\bin\npjpi160_02.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 132496 bytes | Modified Date = 7/12/2007 3:00:36 AM | Attr =    ]
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKCU] -> %ProgramFiles%\Java\jre1.6.0_02\bin\ssv.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.20.6 | Size = 501136 bytes | Modified Date = 7/12/2007 3:00:36 AM | Attr =    ]
    {92780B25-18CC-41C8-B9BE-3C9C571A8263} -> Reg Data - Value does not exist [ButtonText: Research] -> File not found
    {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} -> %ProgramFiles%\PartyGaming\PartyPoker\RunApp.exe [ButtonText: PartyPoker.com] ->  [Ver = 1, 0, 0, 2 | Size = 110592 bytes | Modified Date = 6/23/2006 11:05:24 AM | Attr =    ]
    {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -> Reg Data - Value does not exist [ButtonText: Real.com] -> File not found
    < Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
    &Add animation to IncrediMail Style Box -> %ProgramFiles%\IncrediMail\bin\resources\WebMenuImg.htm ->  [Ver =  | Size = 591 bytes | Modified Date = 4/12/2006 8:21:14 AM | Attr =    ]
    &Webshots Photo Search -> %ProgramFiles%\Webshots\WSToolbar4IE.dll\MENUSEARCH.HTM -> File not found
    E&xport to Microsoft Excel ->  -> File not found
    Easy-WebPrint Add To Print List -> %ProgramFiles%\Canon\Easy-WebPrint\Resource.dll\RC_AddToList.htm -> File not found
    Easy-WebPrint High Speed Print -> %ProgramFiles%\Canon\Easy-WebPrint\Resource.dll\RC_HSPrint.htm -> File not found
    Easy-WebPrint Preview -> %ProgramFiles%\Canon\Easy-WebPrint\Resource.dll\RC_Preview.htm -> File not found
    Easy-WebPrint Print -> %ProgramFiles%\Canon\Easy-WebPrint\Resource.dll\RC_Print.htm -> File not found
    Yahoo! &SMS -> %ProgramFiles%\Yahoo!\Common\ycsms.htm -> File not found
    < Internet Explorer Plugins [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension\ ->
    .spop -> Reg Data - Value does not exist [Reg Data - Value does not exist] -> File not found
    < User Agent Post Platform [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform ->
    SV1 ->  ->
    < DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
    {7A0487F0-26B8-4D8E-A727-E9831BDF48FA} ->    (Linksys NC100 Fast Ethernet Adapter) ->
    {BCD77BB1-D2B0-4238-A5BD-FC81679EEDF4} ->    (NVIDIA nForce Networking Controller) ->
    < Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
    ipp -> Reg Data - Key not found -> File not found
    msdaipp -> Reg Data - Key not found -> File not found
    < Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
    {166B1BCA-3F9C-11CF-8075-444553540000} -> Shockwave ActiveX Control - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab ->
    {233C1507-6A77-46A4-9443-F871F945D258} -> Shockwave ActiveX Control - CodeBase = http://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab ->
    {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -> YInstStarter Class - CodeBase = C:\Program Files\Yahoo!\Common\yinsthelper.dll ->
    {33564D57-0000-0010-8000-00AA00389B71} ->  - CodeBase = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB ->
    {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -> McAfee.com Operating System Class - CodeBase = http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab ->
    {62789780-B744-11D0-986B-00609731A21D} -> Autodesk MapGuide ActiveX Control - CodeBase = http://www.crsdata.net/maps/install/mgaxctrlv65.cab ->
    {6F750202-1362-4815-A476-88533DE61D0C} -> Kodak Gallery Easy Upload Manager Class - CodeBase = http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab ->
    {77E32299-629F-43C6-AB77-6A1E6D7663F6} -> Groove Control - CodeBase = http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab ->
    {8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.6.0_02 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab ->
    {9522B3FB-7A2B-4646-8AF6-36E7F593073C} ->  - CodeBase =  ->
    {B991DA79-51F7-4011-98D2-1F2592E82A56} -> ACNPlayer2 Class - CodeBase = http://drm1.reelsurvey.com/ePlayer/V3_2_0_0/ACNePlayer.cab ->
    {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} -> Toontown Installer ActiveX Control - CodeBase = http://a.download.toontown.com/sv1.0.24.24/ttinst.cab ->
    {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} -> Virtools WebPlayer Class - CodeBase = http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe ->
    {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_07 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab ->
    {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_10 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab ->
    {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_11 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab ->
    {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_02 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab ->
    {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_02 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab ->
    {CC32D4D8-2A0B-4CEB-B105-C9B968379105} -> CGameManagerCtrl Object - CodeBase = https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab ->
    {D27CDB6E-AE6D-11CF-96B8-444553540000} ->  - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab ->
    {E463DD62-1D07-425E-B82A-539FBA2F4162} -> GSBN_Updater.UserControl1 - CodeBase = http://www.samsunggsbn.com/PSI3/Cab/GSBN_Updater.CAB ->
    {EF148DBB-5B6D-4130-B2A1-661571E86260} -> Playtime Games Launcher - CodeBase = http://clubgames.pogo.com/online2/pogop/mahjong_escape_ancient/PTGameLauncher.cab ->