   Not scanning password-protected file crack.exe
pseudoreality
Newbie
Posts: 11
Not scanning password-protected file crack.exe
« on: Jan 11th, 2007, 2:07am »

I found this after using TrojanHunter software.  
 
Not scanning password-protected file crack.exe in C:\DOCUME~1\PSEUDO~1\LOCALS~1\Temp\wma.zip
Not scanning password-protected file swmr651b.zip in C:\DOCUME~1\PSEUDO~1\LOCALS~1\Temp\wma.zip
 
I went into the folders, but couldn't find wma.zip anywhere. Does this mean I have a trojan? And why wouldn't TrojanHunter scan this?
 
I am worried about these files as I have had many problems in the last five days. I have done 3 formats, two fresh installs of Windows, but still have been under attack.
 
Any good advice out there?
 
Thanks
siliconman01
Global Moderator
Trojans! Chew 'em Up, Spit 'em Out...
Gender: male
Posts: 5531
Re: Not scanning password-protected file crack.exe
« Reply #1 on: Jan 11th, 2007, 3:35am »

Welcome to the forum, pseudoreality.
 
TH cannot scan files that are password protected because it does not have the password.  I don't know of any scanner that can for the same reason.
 
There is a possibility that you are infected, yes.  Crack.exe is a possible infection.
 
Let's see if you can run CCleaner to clean out your temp files and get rid of this.
 
1.  Run LiveUpdate in TrojanHunter to install the very latest Rulesets.
 
2.  Go to http://www.ccleaner.com and download/install freebie program CCleaner.  
 
3.  Go to the link below and follow the instructions to download and install Hijackthis.  You do not need to run a scan just yet.
 
http://www.misec.net/forum/board/FAQ/1163329424
 
4.  Reboot your computer into SAFE MODE.
 
5.  Run the Cleaner component of CCleaner.  Do not run the Issues component as this is a registry cleaner.  The Cleaner component will clean out all the temporary files and folders.  This should dump out wma.zip.
 
6.  Run a FULL system scan with TrojanHunter and let it quarantine what it finds.  Save a log of the scan and cleaning.  A log is saved by going to the FILE menu in the top menu bar and instructing TH to save the log.
 
7.  Reboot your computer back into NORMAL MODE.
 
8.  Run a remote scan with Bit Defender.  The link below will guide you to Bit Defender's online scanner.  You will need to use Internet Explorer because an ActiveX download is required.  BE SURE to disable your normal antivirus program before running the remote scan.  Let Bit Defender clean what it finds.
 
http://www.misec.net/forum/board/FAQ/1141894786
 
9.  After the Bit Defender scan is completed, immediately reboot your computer.
 
10.  Now run a Hijackthis scan and post the scan log back here please.
 
11.  Post the TH log and Bit Defender log.  
 
Hopefully your HiJackthis log will show clean once TH and Bit Defender scans are completed.  
 
 

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
pseudoreality
Newbie
Posts: 11
Re: Not scanning password-protected file crack.exe
« Reply #2 on: Jan 11th, 2007, 8:24pm »

I followed instructions and here are the logs first from TrojanHunter.
 
Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
File scan
Found NTFS alternate data stream: C:\hijackthis\hijackthis.zip:Zone.Identifier:$DATA  
C:\pagefile.sys  Not scanned (in use by another application)
Warning: Executable file with double extensions found: C:\Program Files\Wireshark\libatk-1.0-0.dll
Warning: Executable file with double extensions found: C:\Program Files\Wireshark\libgdk-win32-2.0-0.dll
Warning: Executable file with double extensions found: C:\Program Files\Wireshark\libgdk_pixbuf-2.0-0.dll
Warning: Executable file with double extensions found: C:\Program Files\Wireshark\libglib-2.0-0.dll
Warning: Executable file with double extensions found: C:\Program Files\Wireshark\libgmodule-2.0-0.dll
Warning: Executable file with double extensions found: C:\Program Files\Wireshark\libgobject-2.0-0.dll
Warning: Executable file with double extensions found: C:\Program Files\Wireshark\libgtk-win32-2.0-0.dll
Warning: Executable file with double extensions found: C:\Program Files\Wireshark\libpango-1.0-0.dll
Warning: Executable file with double extensions found: C:\Program Files\Wireshark\libpangowin32-1.0-0.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\ZoneLabs\lib\zlsvc.zip.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\ZoneLabs\lib\zpy.zip.dll
No trojan files found
Port scan
No suspicious open ports found
AppInitChecker Executing
exefile\shell\open\command is OK
Shell executable scan
Shell entry is OK
WinIniChecker Executing
C:\WINDOWS\win.ini: load and run entries OK
Enumerating Layered Service Providers
  DLL file: imon.dll
  DLL file: imon.dll
  DLL file: imon.dll
  DLL file: imon.dll
  DLL file: %SystemRoot%\system32\mswsock.dll
  DLL file: %SystemRoot%\system32\mswsock.dll
  DLL file: %SystemRoot%\system32\rsvpsp.dll
  DLL file: %SystemRoot%\system32\rsvpsp.dll
  DLL file: %SystemRoot%\system32\mswsock.dll
  DLL file: %SystemRoot%\system32\mswsock.dll
  DLL file: %SystemRoot%\system32\mswsock.dll
  DLL file: %SystemRoot%\system32\mswsock.dll
  DLL file: %SystemRoot%\system32\mswsock.dll
  DLL file: %SystemRoot%\system32\mswsock.dll
 
 
 
BitDefender
 
Statistics
Time: 01:03:56
Files: 173515
Folders: 3986
Boot Sectors: 3
Archives: 2280
Packed Files: 10078
 
Results
Identified Viruses: 1
Infected Files: 2
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 2
 
Engines Info
Virus Definitions: 369683
Engine build: (i386) (Dec 13 2006 11:16:42)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1
 
Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes
 
Scanned File -- Status
H:\My Documents\My Documents\Games\GameSpy\GameSpyInstaller.exe=>wise0037 -- Infected with: DeepScan:Generic.PWStealer.CE639538
H:\My Documents\My Documents\Games\GameSpy\GameSpyInstaller.exe=>wise0037 -- Disinfection failed
H:\My Documents\My Documents\Games\GameSpy\GameSpyInstaller.exe=>wise0037 -- Deleted
H:\My Documents\My Documents\Games\GameSpy\GameSpyInstaller.exe -- Update failed
H:\My Documents\Old CD\Programs\Games\GameSpy\GameSpyInstaller.exe=>wise0037 -- Infected with: DeepScan:Generic.PWStealer.CE639538
H:\My Documents\Old CD\Programs\Games\GameSpy\GameSpyInstaller.exe=>wise0037 -- Disinfection failed
H:\My Documents\Old CD\Programs\Games\GameSpy\GameSpyInstaller.exe=>wise0037 -- Deleted
H:\My Documents\Old CD\Programs\Games\GameSpy\GameSpyInstaller.exe -- Update failed
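Two TrojanHunter file-scan behaviours show up in this thread: the "Not scanning password-protected file" lines from the first post (a scanner cannot open an encrypted archive entry without the password, so it reports and skips it) and the "Executable file with double extensions" warnings in the log above, which fire on version-numbered Wireshark DLLs as well as on genuinely odd names like zlsvc.zip.dll. The script below is an added example, not TrojanHunter's code: it builds a constructed in-memory archive modelled on wma.zip, marks two entries as encrypted by setting the zip encryption flag by hand, walks the archive the way a scanner would (including one nested zip), and applies a stricter double-extension rule that treats digit-only pieces such as the 1.0-0 in libatk-1.0-0.dll as a version number rather than an extension. The extension lists and the sample file names and contents are assumptions for the demo.

```python
# Added example (not TrojanHunter's code): reproduce two of the file-scan
# checks whose output appears in this thread, the "password-protected file"
# skip and the "double extensions" warning, over a constructed in-memory
# archive that mirrors wma.zip from the first post.
import io
import zipfile

# Assumed extension lists; a real scanner's tables are larger.
EXEC_EXT = {"exe", "dll", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}
ARCHIVE_EXT = {"zip"}


def is_double_extension(name: str) -> bool:
    """True if NAME ends in an executable extension that is preceded by another
    purely alphabetic extension, e.g. 'zlsvc.zip.dll'. Digit-only pieces such
    as the '1.0-0' in 'libatk-1.0-0.dll' are version numbers, not extensions,
    so this stricter variant does not raise the Wireshark warnings seen above."""
    parts = name.replace("\\", "/").rsplit("/", 1)[-1].lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXT and parts[-2].isalpha()


def build_zip(entries: dict, encrypt=frozenset()) -> bytes:
    """Build an uncompressed zip in memory. zipfile cannot write encrypted
    entries, so for the names in ENCRYPT general-purpose flag bit 0 is set by
    hand in the local header (flags at +6, name length at +26, name at +30)
    and in the central-directory record (flags at +8, name length at +28,
    name at +46). That flag is all a scanner needs to decide to skip an entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    raw = bytearray(buf.getvalue())
    targets = {n.encode() for n in encrypt}
    for sig, flag_off, len_off, name_off in ((b"PK\x03\x04", 6, 26, 30),
                                             (b"PK\x01\x02", 8, 28, 46)):
        i = raw.find(sig)
        while i != -1:
            nlen = int.from_bytes(raw[i + len_off:i + len_off + 2], "little")
            if bytes(raw[i + name_off:i + name_off + nlen]) in targets:
                raw[i + flag_off] |= 1
            i = raw.find(sig, i + 4)
    return bytes(raw)


def scan_archive(data: bytes, container: str, findings=None) -> list:
    """Walk a zip image the way the log above reads: report encrypted entries
    as unscannable, warn on double extensions, and recurse into nested zips."""
    if findings is None:
        findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = f"{container}/{info.filename}"
            if info.flag_bits & 0x1:  # bit 0 set: entry is encrypted
                findings.append(
                    f"Not scanning password-protected file {info.filename} in {container}")
                continue
            if is_double_extension(info.filename):
                findings.append(
                    f"Warning: Executable file with double extensions found: {path}")
            if info.filename.rsplit(".", 1)[-1].lower() in ARCHIVE_EXT:
                scan_archive(zf.read(info), path, findings)
    return findings


def demo() -> list:
    """Constructed sample: an outer wma.zip holding two encrypted entries (named
    as in the first post) plus a nested, unencrypted archive with a
    double-extension DLL. File contents are placeholders."""
    inner = build_zip({"tool.zip.dll": b"MZ" + b"\0" * 14, "notes.txt": b"constructed"})
    outer = build_zip(
        {"crack.exe": b"MZ" + b"\0" * 14,
         "swmr651b.zip": b"PK\x05\x06" + b"\0" * 18,   # a valid empty zip
         "extras.zip": inner},
        encrypt={"crack.exe", "swmr651b.zip"},
    )
    return scan_archive(outer, "wma.zip")


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point for the reader is that the skip message is not a verdict: the scanner has no idea what crack.exe is, only that it cannot look. The moderator's cleanup steps (delete the temp file, rescan) are the right response precisely because the archive is opaque.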
pseudoreality
Newbie
Posts: 11
Re: Not scanning password-protected file crack.exe
« Reply #3 on: Jan 11th, 2007, 8:34pm »

As for the HijackThis log, there seems to be a lot of useful information here that I don't understand, but fear it could be helpful to hackers, but I will drop it here hoping I am getting the help I need. Thanks in advance!
 
Logfile of HijackThis v1.99.1
Scan saved at 6:16:16 PM, on 1/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HJT\analyse.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168335094338
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PNCXAIMQXJ - Unknown owner - C:\DOCUME~1\PSEUDO~1\LOCALS~1\Temp\PNCXAIMQXJ.exe (file missing)
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
pseudoreality
Newbie
Posts: 11
Re: Not scanning password-protected file crack.exe
« Reply #4 on: Jan 12th, 2007, 1:21am »

Is there a reason for
Sent packets
12,884,901,893
and received
0
once a connection is found? Isn't that a lot of packets sent?
siliconman01
Global Moderator
Gender: male
Posts: 5531
Re: Not scanning password-protected file crack.exe
« Reply #5 on: Jan 12th, 2007, 2:14am »

Thanks for posting the logs.  Your TH log and HiJackthis log are showing clean.  I see that Bit Defender found an item that it deleted.  
 
Are you on a corporate network or other network of computers?  The reason I ask is that you have Lanovation\PrismXL\PRISMXL.SYS, which is typically used to distribute programs over a network.  
 
Quote:
Is there a reason for  
Sent packets  
12,884,901,893  
and received  
0  
once a connection is found? Isn't that a lot of packets sent?

 
This is quite concerning to me as well.  It sounds like you are continuously transmitting information of some sort.  
 
I would like you to run a test for rootkits.  Please install and run Blacklight from F-Secure and see if it detects any rootkits.  Be sure to download Blacklight, not the Internet Security Suite, from the site below.
 
http://www.f-secure.com/blacklight/blacklight.html
 
Please post back the log from the Blacklight scan.
pseudoreality
Newbie
Posts: 11
Re: Not scanning password-protected file crack.exe
« Reply #6 on: Jan 12th, 2007, 8:44am »

I have recently disabled PRISMXL.SYS as I am not running on a corporate network or any other network for that matter.
 
01/12/07 07:19:29 [Info]: BlackLight Engine 1.0.55 initialized
01/12/07 07:19:29 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/12/07 07:19:29 [Note]: 7019 4
01/12/07 07:19:29 [Note]: 7005 0
01/12/07 07:19:46 [Note]: 7006 0
01/12/07 07:19:47 [Note]: 7011 1280
01/12/07 07:19:47 [Note]: 7026 0
01/12/07 07:19:47 [Note]: 7026 0
01/12/07 07:19:56 [Note]: FSRAW library version 1.7.1021
01/12/07 07:23:58 [Note]: 2000 1012
01/12/07 07:23:58 [Note]: 2000 1012
01/12/07 07:23:58 [Note]: 2000 1012
01/12/07 07:27:27 [Note]: 7007 0
 
 
 
By the way thanks for helping me out.
siliconman01
Global Moderator
Gender: male
Posts: 5531
Re: Not scanning password-protected file crack.exe
« Reply #7 on: Jan 12th, 2007, 8:56am »

You are most welcome.
 
From what I can see in your logs and the actions taken, nothing is showing up as an infection.
 
Where did you find the info on the packets?  If you START>SETTINGS>CONTROL PANEL>NETWORK CONNECTIONS>Local Area Connections, what does it say the sent/received packets are?
 
Download/install TCPView to monitor your connections
 
http://www.microsoft.com/technet/sysinternals/Networking/TcpView.mspx
 
Do you see any connections that you cannot explain?
« Last Edit: Jan 12th, 2007, 9:02am by siliconman01 »
pseudoreality
Newbie
Posts: 11
Re: Not scanning password-protected file crack.exe
« Reply #8 on: Jan 12th, 2007, 11:30pm »

I started my computer, started my packet monitor, went to check mail, and logged into this site. Went to the site you gave, downloaded and started it. I then went to
START>SETTINGS>CONTROL PANEL>NETWORK CONNECTIONS>Local Area Connections, which says the sent/received packets are:
SENT
3,113,851,302,511
Received
12,454
 
This is a log of the download you asked me to install and run
 
Process            PID   Proto  Local Address       Remote Address                                     State
[System Process]   0     TCP    175-:1025           localhost:2071                                     TIME_WAIT
[System Process]   0     TCP    175-:1025           localhost:2074                                     TIME_WAIT
[System Process]   0     TCP    175-:2075           bs1.vip.scd.yahoo.com:http                         TIME_WAIT
[System Process]   0     TCP    175-:1025           localhost:2078                                     TIME_WAIT
[System Process]   0     TCP    175-:2087           bs1.vip.scd.yahoo.com:http                         TIME_WAIT
iexplore.exe       1856  UDP    175-:1998           *:*
iexplore.exe       1856  TCP    175-:2081           a72-246-51-115.deploy.akamaitechnologies.com:http  ESTABLISHED
iexplore.exe       1856  TCP    175-:2082           a72-246-51-115.deploy.akamaitechnologies.com:http  ESTABLISHED
iexplore.exe       1856  TCP    175-:2083           a72-246-51-112.deploy.akamaitechnologies.com:http  ESTABLISHED
iexplore.exe       1856  TCP    175-:2084           a72-246-51-105.deploy.akamaitechnologies.com:http  ESTABLISHED
iexplore.exe       1856  TCP    175-:2085           a72-246-51-105.deploy.akamaitechnologies.com:http  ESTABLISHED
iexplore.exe       1856  TCP    175-:2086           a72-246-51-112.deploy.akamaitechnologies.com:http  ESTABLISHED
iexplore.exe       2080  UDP    175-:1874           *:*
svchost.exe        1232  UDP    175-:1080           *:*
svchost.exe        1232  UDP    175-:1031           *:*
System             4     TCP    175-:microsoft-ds   175-ee6c1db0e95:0                                  LISTENING
System             4     UDP    175-:microsoft-ds   *:*
vsmon.exe          1260  TCP    175-:1025           175-ee6c1db0e95:0                                  LISTENING
wireshark.exe      3768  UDP    175-:2002           *:*
pseudoreality
Newbie
Posts: 11
Re: Not scanning password-protected file crack.exe
« Reply #9 on: Jan 12th, 2007, 11:32pm »

I did get the packets from there to begin with, but I am now running wireshark. I only see one connection.
siliconman01
Global Moderator
Gender: male
Posts: 5531
Re: Not scanning password-protected file crack.exe
« Reply #10 on: Jan 13th, 2007, 12:56am »

None of the connections you show seem to be suspicious.  However, the number of Iexplore connections is a bit weird.  They are probably related to your toolbars.  
 
Would you please try this?
 
1.  Reboot your computer.
 
2.  DO NOT OPEN Internet Explorer or email following the reboot.
 
3.  Wait about 10 minutes.  Then check your packets sent/received via the Network Connections in the Control Panel.
 
What does it show without having opened IE ?
 
« Last Edit: Jan 13th, 2007, 12:57am by siliconman01 »
pseudoreality
Newbie
Posts: 11
Re: Not scanning password-protected file crack.exe
« Reply #11 on: Jan 13th, 2007, 2:07am »

Rebooted, checked connection.
SENT
8,589,934,596
RECEIVED
0
Opened IE
SENT
34,359,738,396
RECEIVED
21
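A sanity check on the "Sent" figures quoted in this thread, added here as an example and not part of the original posts. Every one of the sent counts is a small number plus an exact multiple of 2^32 (12,884,901,893 = 3 x 2^32 + 5; 8,589,934,596 = 2 x 2^32 + 4; 34,359,738,396 = 8 x 2^32 + 28; 3,113,851,302,511 = 725 x 2^32 + 12,911), and the leftover low word each time sits right beside the received count, while the raw figure would mean millions of packets per second on a 2007 home link. Reading that as a 32-bit counter displayed with a junk high word is an assumption made for illustration; the thread itself does not say why the numbers are so large. The 600-second window and the 200,000 packets-per-second ceiling are assumed values.

```python
# Added example (not from the thread): decompose the Network Connections
# "Sent" packet figures quoted above into 32-bit halves and rate-check them.
# Treating the high word as bogus is an assumption used for illustration;
# the thread does not establish why the numbers are so large.

WORD = 1 << 32

# Readings copied from the posts above. The observation window is assumed
# (the moderator asked for a ten-minute wait) and only drives the rate estimate.
READINGS = [
    ("first report", 12_884_901_893, 0),
    ("with TCPView running", 3_113_851_302_511, 12_454),
    ("after reboot, IE closed", 8_589_934_596, 0),
    ("after opening IE", 34_359_738_396, 21),
]
ASSUMED_WINDOW_S = 600
MAX_PPS = 200_000  # assumed generous ceiling for a 2007 home LAN link


def split_counter(value: int) -> tuple:
    """Return (high 32 bits, low 32 bits) of a 64-bit counter reading."""
    return divmod(value, WORD)


def assess(label: str, sent: int, received: int,
           window_s: int = ASSUMED_WINDOW_S, max_pps: int = MAX_PPS) -> dict:
    """Flag a reading whose implied rate is physically impossible and note
    whether the low word alone would be in line with the received count."""
    hi, lo = split_counter(sent)
    pps = sent / window_s
    return {
        "label": label,
        "high_word": hi,
        "low_word": lo,
        "packets_per_second": pps,
        "rate_plausible": pps <= max_pps,
        "low_word_near_received": abs(lo - received) <= max(100, received),
    }


def assess_all(readings=READINGS) -> list:
    """Run the check over every reading quoted in the thread."""
    return [assess(*r) for r in readings]


if __name__ == "__main__":
    for verdict in assess_all():
        print(verdict)
```

Whatever the cause, the practical takeaway matches the moderator's approach: a counter alone cannot tell you what is being sent, so the next step is to look at the actual connections (TCPView, a packet capture) rather than the dialog's totals.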
siliconman01
Global Moderator
Gender: male
Posts: 5531
Re: Not scanning password-protected file crack.exe
« Reply #12 on: Jan 13th, 2007, 2:21am »

Hmmm, it certainly does "appear" that your system is transmitting a huge amount of data out.  There are some services showing up on your system that I am not familiar with at all.  
 
Do you know what these two are?
 
O23 - Service: PNCXAIMQXJ - Unknown owner - C:\DOCUME~1\PSEUDO~1\LOCALS~1\Temp\PNCXAIMQXJ.exe (file missing)  
 
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)  
 
Would you please search your system and see if you find rpcapd.exe and PNCXAIMQXJ.exe?
 
The one below, I think you said you deactivated it.  Is that correct?  
 
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS  
 
Also, please check your HOSTS files:
 
1.  Using Windows Explorer, navigate to the folder named ETC at C:\Windows\System32\Drivers\ETC.  Open folder ETC.
 
2.  You should see a file with the name HOSTS with no extension.  Right click on this file and open it with NOTEPAD.  
 
Is the very first non-commented line as shown below? (a commented line starts with #).
 
127.0.0.1 localhost
 
Are there other entries in this file?  If so, scan down through the list.  Each line should start with   127.0.0.1
 
 
« Last Edit: Jan 13th, 2007, 3:23am by siliconman01 »
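The HOSTS check in the post above can be scripted so it is done the same way every time: skip lines starting with #, expect the first live line to be 127.0.0.1 localhost, and look at the address every other live line starts with. The script below is an added example, not something from the thread. It flags any name mapped to a non-loopback address (the redirect case the moderator is worried about) and separately notes loopback mappings for names other than localhost, since pinning a vendor's update host to 127.0.0.1 is a way to block it that still passes the "starts with 127.0.0.1" rule. The sample file is constructed for the example (the .example domains and 198.51.100.23 are reserved documentation values), not the one pseudoreality posted.

```python
# Added example (not from the thread): check a Windows HOSTS file the way the
# post above describes. Comment lines start with '#', the first live line
# should be '127.0.0.1 localhost', and every other live line should also map
# to 127.0.0.1. The sample file below is constructed; it is not the one posted.
import ipaddress

LOOPBACK = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}


def parse_hosts(text: str) -> list:
    """Return (line_no, address, [names]) for every non-blank, non-comment
    line; a trailing '# ...' comment is stripped, as the file header allows."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            fields = line.split()
            entries.append((n, fields[0], fields[1:]))
    return entries


def check_hosts(text: str) -> list:
    """Return human-readable findings; an empty list means the file looks as shipped."""
    findings = []
    entries = parse_hosts(text)
    if not entries:
        return ["no active entries; the shipped file carries '127.0.0.1 localhost'"]
    n, addr, names = entries[0]
    if addr != "127.0.0.1" or names != ["localhost"]:
        findings.append(f"line {n}: first active entry is '{addr} {' '.join(names)}', "
                        f"expected '127.0.0.1 localhost'")
    for n, addr, names in entries:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(f"line {n}: '{addr}' is not an IP address")
            continue
        if ip not in LOOPBACK:
            # A non-loopback mapping silently sends the named host elsewhere.
            findings.append(f"line {n}: {' '.join(names)} -> {addr} (not loopback)")
        elif names != ["localhost"]:
            # Loopback for another name blocks that host rather than redirecting it;
            # ad-block lists do this on purpose, malware does it to update servers.
            findings.append(f"line {n}: {' '.join(names)} pinned to loopback, "
                            f"confirm it is intentional")
    return findings


# Constructed samples for the example.
CLEAN = "# comment\n127.0.0.1 localhost\n"
SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
# constructed suspicious lines for this example:
198.51.100.23   www.bank.example           # redirect away from the real site
127.0.0.1       update.antivirus.example   # vendor update host pinned to loopback
"""

if __name__ == "__main__":
    print(check_hosts(CLEAN))      # [] means nothing to report
    for finding in check_hosts(SAMPLE):
        print(finding)
```

On a real machine the file lives at C:\Windows\System32\Drivers\ETC\hosts as the post says; read it with `open(path, encoding="utf-8", errors="replace").read()` and pass the text to `check_hosts`. A clean result is the state described in the reply that follows.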
pseudoreality
Newbie
Posts: 11
Re: Not scanning password-protected file crack.exe
« Reply #13 on: Jan 13th, 2007, 9:46am »

PNCXAIMQXJ.EXE-04762FE9.pf is in the C:\windows\Prefetch folder
 
rpcapd.ini: did a search, but came up with nothing
 
I did deactivate PrismXL.SYS
 
I also opened HOSTS (the file with no extension) with NOTEPAD and this is what it reads.
 
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97     rhino.acme.com     # source server
#  38.25.63.10     x.acme.com    # x client host
 
127.0.0.1  localhost
siliconman01
Global Moderator
Gender: male
Posts: 5531
Re: Not scanning password-protected file crack.exe
« Reply #14 on: Jan 13th, 2007, 10:52am »

Okay your HOSTS file is clean.  As you probably know this is often used by the cyber criminals to re-direct your browser to their infected sites.  Unless you personally modify it, it should always be like you found it this time.
 
The part that is a bit confusing to me is that your HJT log shows this:
 
Quote:
Running processes:  
C:\WINDOWS\System32\smss.exe  
C:\WINDOWS\system32\csrss.exe  
C:\WINDOWS\system32\winlogon.exe  
C:\WINDOWS\system32\services.exe  
C:\WINDOWS\system32\lsass.exe  
C:\WINDOWS\system32\svchost.exe  
C:\WINDOWS\system32\svchost.exe  
C:\WINDOWS\System32\svchost.exe  
C:\WINDOWS\system32\svchost.exe  
C:\WINDOWS\system32\svchost.exe  
C:\WINDOWS\system32\ZoneLabs\vsmon.exe  
C:\WINDOWS\Explorer.EXE  
C:\Program Files\Eset\nod32krn.exe  
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS  
C:\Program Files\Spyware Doctor\sdhelp.exe  
C:\WINDOWS\System32\alg.exe  
C:\WINDOWS\system32\ctfmon.exe  
C:\Program Files\HJT\analyse.exe

 
This indicates that PRISMXL.SYS is still running.  
 
If you go to START>RUN, type in services.msc and then select OK, does PRISMXL.SYS show in the list of services that are on your system?  And does it show as disabled?
 
If it does not show up as disabled, double click on it.  Then select Disabled from the "Startup type".  Confirm the change.  Then reboot.  It should now be disabled and not even load in memory.
« Last Edit: Jan 13th, 2007, 10:56am by siliconman01 »