Are these things OK or not?
It's a long story... anyway I'm a bit confused, I don't know if they are good or bad, nor where they came from. Anyway, I noticed that these files are on startup, and my machines are working strange...
Also I deleted them and they came again.
I have Windows 2000 Prof
with a logon value
crypt32.dll
cryptnet.dll
cscdll.dll
logonDLL.dll
sclgntfy.dll
WlNotify.dll
wzcdlg.dll
Also on some I found crypt32chain, but found something like x2f, I don't remember, and I tried to fix it with a tool but my machine says something like "local domain is not present"...
The thing is, this was not there before... and the other thing is that almost all the machines on my LAN have this, so I think it is going to be a big problem...
Some said that some ISPs are sending this to know what you do so they can send you information. Anyway... what do you think?
Thanks for your help and forgive my English, I hope you understand what I say.
Sorry, I think this is in the wrong place..
Hello and welcome to the forum, your english is fine. :)
When you say your computers are 'working strange' please give details, thanks.
Can we see a log?
Open Spybot, check for and get any updates available.
Close all browsers, check for problems and fix everything found in red.
Then on the toolbar menu select Mode and switch to Advanced mode; on the left, lower down, select Tools, then View report. Ensure all the options near the bottom are selected except:
Uncheck [ ] Do not report disabled or known legitimate items.
Uncheck [ ] Include a list of services in report.
Uncheck [ ] Include uninstall list in report.
Now select (near the top) View report.
Press Export; in the "Save in" box choose a place such as your My Documents folder, then in your next post near the bottom select the "Browse" button; navigate to and attach or post that report.
You didn't say if you were running Spybot-S&D so just in case:
Version 1.4 :Systems Supported (http://www.safer-networking.org/en/spybotsd/index.html)
Note: Windows 2000 Some functions need administrator rights
Spybot-S&D Version 1.4 Download (http://www.spybot.info/en/download/index.html)
Uninstalling Previous Spybot-S&D (http://www.safer-networking.org/en/faq/27.html)
Tutorial (http://www.spybot.info/en/tutorial/index.html)
Regards. :)
Should I update to 1.4?
Anyway, this is the report. I did not find some options to uncheck; maybe they are on 1.4 or I just didn't understand. If you need it I will install 1.4. Also I have to say that when I installed Spybot 1.4 all those entries went in my Tools > System Startup,
I mean the ones at the top of this thread, but I have Deep Freeze so it was frozen, so I did restart and they were gone. It's confusing for me to explain, sorry.... This is for everyone to see if there are any changes from 1.3 to 1.4...
Details are: sometimes they don't start; just before finishing startup you can see all blue with only the mouse pointer and it does not respond, so I have to restart. I did a HDD check and it was fine; also it's a new disk.
--- Search result list ---
--- Spybot - Search && Destroy version: 1.3 ---
2004-05-12 Includes\LSP.sbi
2006-01-27 Includes\Cookies.sbi
2006-01-27 Includes\Dialer.sbi
2006-01-27 Includes\Hijackers.sbi
2006-01-27 Includes\Keyloggers.sbi
2006-01-27 Includes\Malware.sbi
2006-01-27 Includes\Revision.sbi
2006-01-27 Includes\Security.sbi
2006-01-27 Includes\Spybots.sbi
2006-01-27 Includes\Trojans.sbi
2005-02-17 Includes\Tracks.uti
2006-01-27 Includes\PUPS.sbi
--- System information ---
Windows 2000 (Build: 2195) Service Pack 4
/ DataAccess: Microsoft Data Access Components KB870669
/ DataAccess: Security Update for Microsoft Data Access Components
/ Internet Explorer 6 / SP1: Revisión de Windows 2000 - KB883939
/ Outlook Express 6 / SP1: Revisión de Windows 2000 - KB897715
/ Windows 2000 / SP4: Windows 2000 Service Pack 4
/ Windows 2000 / SP5: Revisión de Windows 2000 - KB329115
/ Windows 2000 / SP5: Revisión de Windows 2000 - KB842773
/ Windows 2000 / SP5: Revisión de Windows 2000 - KB890046
/ Windows 2000 / SP5: Windows Installer 3.1 (KB893803)
/ Windows 2000 / SP5: Revisión de Windows 2000 - KB894320
/ Windows 2000 / SP5: Revisión de Windows 2000 - KB896358
/ Windows 2000 / SP5: Revisión de Windows 2000 - KB896422
/ Windows 2000 / SP5: Revisión de Windows 2000 - KB901214
/ Windows 2000 / SP5: Paquete acumulativo de actualizaciones para Windows 2000 SP4
/ Windows Media Player: Revisión del Reproductor de Windows Media [consulte Q828026 para obtener más información]
/ Windows Media Player / SP0: Revisión del Reproductor de Windows Media [consulte Q828026 para obtener más información]
/ Windows Media Player 9 / SP0: Revisión del Reproductor de Windows Media 9 [Para más información, consulte KB885492]
--- Startup entries list ---
Located: HK_LM:Run, DAEMON Tools-1033
command: "D:\instalaciones\programas\daemontools\daemon.exe" -lang 1033
file: D:\instalaciones\programas\daemontools\daemon.exe
size: 73728
MD5: 05f19ee0628a18bf79c377bf7ee9403d
Located: HK_LM:Run, Synchronization Manager
command: mobsync.exe /logon
file: C:\WINDOWS\system32\mobsync.exe
size: 111888
MD5: 869697fd0b75de3cb54c17ccfc4e4f1c
Located: HK_CU:Run, internat.exe
command: internat.exe
file: C:\WINDOWS\system32\internat.exe
size: 20752
MD5: f85a35fd8b47cff695561c5df574bd31
--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
BHO name:
CLSID name: AcroIEHlprObj Class
description: Adobe Acrobat reader
classification: Legitimate
known filename: ACROIEHELPER.OCX
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\
Long name: AcroIEHelper.ocx
Short name: ACROIE~1.OCX
Date (created): 26/07/2005 09:43:50 p.m.
Date (last access): 02/02/2006
Date (last write): 16/04/2001 03:39:02 p.m.
Filesize: 37808
Attributes: archive
MD5: 8394ABFC1BE196A62C9F532511936DF7
CRC32: 71D6E350
Version: 0.1.0.0
{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDHelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: D:\instalaciones\programas\spybot13\
Long name: SDHelper.dll
Short name: SDHELPER.DLL
Date (created): 12/05/2004 01:03:00 a.m.
Date (last access): 02/02/2006
Date (last write): 12/05/2004 01:03:00 a.m.
Filesize: 744960
Attributes: archive
MD5: ABF5BA518C6A5ED104496FF42D19AD88
CRC32: 5587736E
Version: 0.1.0.3
--- ActiveX list ---
DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla
Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla
Yahoo! Chat (Yahoo! Chat)
DPF name: Yahoo! Chat
CLSID name:
{166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
description: Macromedia ShockWave Flash Player 7
classification: Unknown
known filename: SWDIR.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\SYSTEM32\Macromed\Director\
Long name: SwDir.dll
Short name: SWDIR.DLL
Date (created): 25/07/2005 09:48:10 p.m.
Date (last access): 02/02/2006
Date (last write): 19/05/2005 02:58:34 p.m.
Filesize: 54488
Attributes: archive
MD5: 2B75B8197F3BCBB199EAA3AFE3FB3CA3
CRC32: ED72FE89
Version: 0.10.0.1
{2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing)
DPF name:
CLSID name: Yahoo! Audio Conferencing
description: Yahoo Audio Conferencing
classification: Legitimate
known filename: YACSCOM.DLL
info link:
info source: Patrick M. Kolla
Path: C:\ARCHIV~1\Yahoo!\MESSEN~1\
Long name: yacscom.dll
Short name:
Date (created): 26/07/2005 11:52:02 p.m.
Date (last access): 02/02/2006
Date (last write): 06/08/2004 02:58:46 p.m.
Filesize: 233472
Attributes: archive
MD5: CA589915BF9D36ABD1256D490FDE5F48
CRC32: FC5260C3
Version: 0.1.0.0
{30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class)
DPF name:
CLSID name: YInstStarter Class
Path: C:\WINDOWS\Downloaded Program Files\
Long name: yinsthelper.dll
Short name: YINSTH~1.DLL
Date (created): 07/11/2004 03:29:46 p.m.
Date (last access): 02/02/2006
Date (last write): 07/11/2004 03:29:46 p.m.
Filesize: 173168
Attributes: archive
MD5: 4C0658E518FA9D08E884DB717A7087AE
CRC32: FFDA1549
Version: 7.212.0.11
{B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class)
DPF name:
CLSID name: MsnMessengerSetupDownloadControl Class
Path: C:\WINDOWS\Downloaded Program Files\
Long name: MsnMessengerSetupDownloader.ocx
Short name: MSNMES~1.OCX
Date (created): 17/03/2005 02:48:34 p.m.
Date (last access): 02/02/2006
Date (last write): 17/03/2005 02:48:34 p.m.
Filesize: 113152
Attributes: archive
MD5: 92D24B6643919005213F60D5B537196A
CRC32: 31684779
Version: 0.1.0.0
{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\System32\macromed\flash\
Long name: Flash.ocx
Short name: FLASH.OCX
Date (created): 09/06/2004 03:59:26 p.m.
Date (last access): 02/02/2006
Date (last write): 09/06/2004 03:59:26 p.m.
Filesize: 939224
Attributes: archive
MD5: FC3E17E12C2E31FAC34B416B3DAB829F
CRC32: D1CF3A57
Version: 0.7.0.0
--- Process list ---
Spybot - Search && Destroy process list report, 02/02/2006 11:46:22 a.m.
PID: 0 ( 0) [System]
PID: 8 ( 0) System
PID: 176 ( 8) \SystemRoot\System32\smss.exe
PID: 204 ( 176) csrss.exe
PID: 220 ( 176) \??\C:\WINDOWS\system32\winlogon.exe
PID: 252 ( 220) C:\WINDOWS\system32\services.exe
PID: 264 ( 220) C:\WINDOWS\system32\lsass.exe
PID: 300 (1172) C:\Archivos de programa\Internet Explorer\iexplore.exe
PID: 376 ( 252) C:\Archivos de programa\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
PID: 468 ( 252) C:\WINDOWS\system32\svchost.exe
PID: 480 ( 704) C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
PID: 496 ( 252) C:\WINDOWS\system32\spoolsv.exe
PID: 528 ( 252) C:\WINDOWS\System32\svchost.exe
PID: 556 ( 252) C:\WINDOWS\System32\nvsvc32.exe
PID: 572 ( 252) C:\Archivos de programa\Parental Filter\ParentalFilter.exe
PID: 668 ( 252) C:\WINDOWS\system32\regsvc.exe
PID: 692 ( 252) C:\WINDOWS\system32\MSTask.exe
PID: 704 ( 576) C:\WINDOWS\Explorer.EXE
PID: 716 ( 252) C:\WINDOWS\System32\WBEM\WinMgmt.exe
PID: 760 ( 252) C:\Archivos de programa\RealVNC\WinVNC\WinVNC.exe
PID: 772 ( 252) C:\WINDOWS\system32\svchost.exe
PID: 912 ( 252) C:\WINDOWS\System32\svchost.exe
PID: 988 ( 704) C:\WINDOWS\system32\internat.exe
PID: 1000 ( 704) D:\instalaciones\programas\daemontools\daemon.exe
PID: 1124 ( 376) C:\Archivos de programa\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe
PID: 1172 ( 704) D:\instalaciones\programas\spybot13\SpybotSD.exe
--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 02/02/2006 11:46:22 a.m.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://home.microsoft.com/intl/es/access/allinone.asp
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.kpponet.mine.nu/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://home.microsoft.com/access/autosearch.asp?p=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
http://www.kpponet.mine.nu
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.kpponet.mine.nu
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar
http://www.kpponet.mine.nu
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.kpponet.mine.nu
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.kpponet.mine.nu
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.kpponet.mine.nu
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://www.kpponet.mine.nu
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://www.kpponet.mine.nu
--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{118E0FA8-2423-4BC6-9C7D-674FB9AED709}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{118E0FA8-2423-4BC6-9C7D-674FB9AED709}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{44713777-91CD-47AC-8013-83E132D4F4D9}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{44713777-91CD-47AC-8013-83E132D4F4D9}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{8377A437-3A01-42D7-BE76-44A387E931E4}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{8377A437-3A01-42D7-BE76-44A387E931E4}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\rnr20.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP
Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS
Just uninstalled 1.3, downloaded and installed 1.4, updated, immunized, etc.
And guess what happened: things have changed a lot. Either 1.3 did not find this, or 1.4 is coming with some stuff, or I don't know anything any more.. you tell me...
Thanks for your help..
Here is the log...
--- Search result list ---
--- System information ---
Windows 2000 (Build: 2195) Service Pack 4
/ DataAccess: Microsoft Data Access Components KB870669
/ DataAccess: Security Update for Microsoft Data Access Components
/ Internet Explorer 6 / SP1: Revisión de Windows 2000 - KB883939
/ Outlook Express 6 / SP1: Revisión de Windows 2000 - KB897715
/ Windows 2000 / SP4: Windows 2000 Service Pack 4
/ Windows 2000 / SP5: Revisión de Windows 2000 - KB329115
/ Windows 2000 / SP5: Revisión de Windows 2000 - KB842773
/ Windows 2000 / SP5: Revisión de Windows 2000 - KB890046
/ Windows 2000 / SP5: Windows Installer 3.1 (KB893803)
/ Windows 2000 / SP5: Revisión de Windows 2000 - KB894320
/ Windows 2000 / SP5: Revisión de Windows 2000 - KB896358
/ Windows 2000 / SP5: Revisión de Windows 2000 - KB896422
/ Windows 2000 / SP5: Revisión de Windows 2000 - KB901214
/ Windows 2000 / SP5: Paquete acumulativo de actualizaciones para Windows 2000 SP4
/ Windows Media Player: Revisión del Reproductor de Windows Media [consulte Q828026 para obtener más información]
/ Windows Media Player / SP0: Revisión del Reproductor de Windows Media [consulte Q828026 para obtener más información]
/ Windows Media Player 9 / SP0: Revisión del Reproductor de Windows Media 9 [Para más información, consulte KB885492]
--- Startup entries list ---
Located: HK_LM:Run, DAEMON Tools-1033
command: "D:\instalaciones\programas\daemontools\daemon.exe" -lang 1033
file: D:\instalaciones\programas\daemontools\daemon.exe
size: 73728
MD5: 05f19ee0628a18bf79c377bf7ee9403d
Located: HK_LM:Run, Synchronization Manager
command: mobsync.exe /logon
file: C:\WINDOWS\system32\mobsync.exe
size: 111888
MD5: 869697fd0b75de3cb54c17ccfc4e4f1c
Located: HK_CU:Run, internat.exe
command: internat.exe
file: C:\WINDOWS\system32\internat.exe
size: 20752
MD5: f85a35fd8b47cff695561c5df574bd31
Located: HK_CU:Run, msnmsgr
command: "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
file: C:\Archivos de programa\MSN Messenger\msnmsgr.exe
size: 6856704
MD5: 79ac63592f9b6750f2026a2520c11bee
Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
Located: WinLogon, DfLogon
command: LogonDll.dll
file: LogonDll.dll
Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
Located: WinLogon, wzcnotif
command: wzcdlg.dll
file: wzcdlg.dll
--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
BHO name:
CLSID name: AcroIEHlprObj Class
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\
Long name: AcroIEHelper.ocx
Short name: ACROIE~1.OCX
Date (created): 26/07/2005 09:43:50 p.m.
Date (last access): 02/02/2006
Date (last write): 16/04/2001 03:39:02 p.m.
Filesize: 37808
Attributes: archive
MD5: 8394ABFC1BE196A62C9F532511936DF7
CRC32: 71D6E350
Version: 1.0.0.1
{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\ARCHIV~1\SPYBOT~1\
Long name: SDHelper.dll
Short name: SDHELPER.DLL
Date (created): 02/02/2006 03:40:30 p.m.
Date (last access): 02/02/2006
Date (last write): 31/05/2005 01:04:00 a.m.
Filesize: 853672
Attributes: archive
MD5: 250D787A5712D7768DDC133B3E477759
CRC32: D4589A41
Version: 1.4.0.0
--- ActiveX list ---
DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\dajava.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla
Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\xmldso.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla
Yahoo! Chat (Yahoo! Chat)
DPF name: Yahoo! Chat
CLSID name:
Installer:
Codebase: http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object)
DPF name:
CLSID name: CKAVWebScan Object
Installer: C:\WINDOWS\Downloaded Program Files\kavwebscan.inf
Codebase: http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\Kaspersky Lab\Kaspersky On-line Scanner\
Long name: kavwebscan.dll
Short name: KAVWEB~1.DLL
Date (created): 01/07/2005 02:43:00 p.m.
Date (last access): 02/02/2006
Date (last write): 01/07/2005 02:43:00 p.m.
Filesize: 729088
Attributes: archive
MD5: 8DC015FB6181B3CF5F10BCC1FB0F9A09
CRC32: 0D11687F
Version: 5.0.67.0
{166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
description: Macromedia ShockWave Flash Player 7
classification: Legitimate
known filename: SWDIR.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\SYSTEM32\Macromed\Director\
Long name: SwDir.dll
Short name: SWDIR.DLL
Date (created): 25/07/2005 09:48:10 p.m.
Date (last access): 02/02/2006
Date (last write): 19/05/2005 02:58:34 p.m.
Filesize: 54488
Attributes: archive
MD5: 2B75B8197F3BCBB199EAA3AFE3FB3CA3
CRC32: ED72FE89
Version: 10.1.0.11
{2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing)
DPF name:
CLSID name: Yahoo! Audio Conferencing
Installer: C:\WINDOWS\Downloaded Program Files\yacscom.inf
Codebase: http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
description: Yahoo Audio Conferencing
classification: Legitimate
known filename: YACSCOM.DLL
info link:
info source: Patrick M. Kolla
Path: C:\ARCHIV~1\Yahoo!\MESSEN~1\
Long name: yacscom.dll
Short name:
Date (created): 26/07/2005 11:52:02 p.m.
Date (last access): 02/02/2006
Date (last write): 06/08/2004 02:58:46 p.m.
Filesize: 233472
Attributes: archive
MD5: CA589915BF9D36ABD1256D490FDE5F48
CRC32: FC5260C3
Version: 1.0.0.45
{30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class)
DPF name:
CLSID name: YInstStarter Class
Installer: C:\WINDOWS\Downloaded Program Files\yinst.inf
Codebase: http://download.yahoo.com/dl/yinst/yinst_current.cab
description: Yahoo! Installation helper
classification: Legitimate
known filename: %SystemRoot%\Downloaded Program Files\yinsthelper.dll
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\Downloaded Program Files\
Long name: yinsthelper.dll
Short name: YINSTH~1.DLL
Date (created): 07/11/2004 03:29:46 p.m.
Date (last access): 02/02/2006
Date (last write): 07/11/2004 03:29:46 p.m.
Filesize: 173168
Attributes: archive
MD5: 4C0658E518FA9D08E884DB717A7087AE
CRC32: FFDA1549
Version: 2004.11.7.1
{B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class)
DPF name:
CLSID name: MsnMessengerSetupDownloadControl Class
Installer: C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.inf
Codebase: http://messenger.msn.com/download/msnmessengersetupdownloader.cab
description:
classification: Legitimate
known filename: MsnMessengerSetupDownloader.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: MsnMessengerSetupDownloader.ocx
Short name: MSNMES~1.OCX
Date (created): 17/03/2005 02:48:34 p.m.
Date (last access): 02/02/2006
Date (last write): 17/03/2005 02:48:34 p.m.
Filesize: 113152
Attributes: archive
MD5: 92D24B6643919005213F60D5B537196A
CRC32: 31684779
Version: 1.0.0.2
{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\System32\macromed\flash\
Long name: Flash.ocx
Short name: FLASH.OCX
Date (created): 09/06/2004 03:59:26 p.m.
Date (last access): 02/02/2006
Date (last write): 09/06/2004 03:59:26 p.m.
Filesize: 939224
Attributes: archive
MD5: FC3E17E12C2E31FAC34B416B3DAB829F
CRC32: D1CF3A57
Version: 7.0.19.0
--- Process list ---
PID: 0 ( 0) [System]
PID: 176 ( 8) \SystemRoot\System32\smss.exe
PID: 200 ( 176) \??\C:\WINDOWS\system32\csrss.exe
PID: 220 ( 176) \??\C:\WINDOWS\system32\winlogon.exe
PID: 252 ( 220) C:\WINDOWS\system32\services.exe
size: 92944
MD5: AD30F8B76A772A28CFBE3297398C0290
PID: 264 ( 220) C:\WINDOWS\system32\lsass.exe
size: 37648
MD5: 115CE9122AFF1D17BBB97DA51BC64DF0
PID: 376 ( 252) C:\Archivos de programa\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
size: 305600
MD5: 09D55AD69D696218524B21F03194BE73
PID: 468 ( 252) C:\WINDOWS\system32\svchost.exe
size: 7952
MD5: 9E64AD53CFD9DA2D22E8A924F8C6E62C
PID: 496 ( 252) C:\WINDOWS\system32\spoolsv.exe
size: 48400
MD5: 1F124B89AA469671821115A39C0FBD27
PID: 528 ( 252) C:\WINDOWS\System32\svchost.exe
size: 7952
MD5: 9E64AD53CFD9DA2D22E8A924F8C6E62C
PID: 556 ( 252) C:\WINDOWS\System32\nvsvc32.exe
size: 69632
MD5: 26712CF8BE48BC767854927435C0B6A9
PID: 576 ( 252) C:\Archivos de programa\Parental Filter\ParentalFilter.exe
size: 245248
MD5: 83C4A02BE525167A58EA9C1872D4939C
PID: 716 ( 252) C:\WINDOWS\system32\regsvc.exe
size: 68368
MD5: 499507036FBD4F0A225B742BC107F675
PID: 732 ( 252) C:\WINDOWS\system32\MSTask.exe
size: 123152
MD5: 12271E6CE3AD715B47C37862BAE1F225
PID: 756 ( 252) C:\WINDOWS\System32\WBEM\WinMgmt.exe
size: 196706
MD5: 881B54A3CB9822C6FBA9FA56B49A6030
PID: 808 ( 252) C:\Archivos de programa\RealVNC\WinVNC\WinVNC.exe
size: 335872
MD5: B84873B030E66DDF3964A31793BB4211
PID: 820 ( 252) C:\WINDOWS\system32\svchost.exe
size: 7952
MD5: 9E64AD53CFD9DA2D22E8A924F8C6E62C
PID: 904 ( 252) C:\WINDOWS\System32\svchost.exe
size: 7952
MD5: 9E64AD53CFD9DA2D22E8A924F8C6E62C
PID: 1012 ( 952) C:\WINDOWS\Explorer.EXE
size: 244496
MD5: 14586805C83DDB7DB7C25A57DD40CD67
PID: 1108 (1012) D:\instalaciones\programas\daemontools\daemon.exe
size: 73728
MD5: 05F19EE0628A18BF79C377BF7EE9403D
PID: 1128 (1012) C:\WINDOWS\system32\internat.exe
size: 20752
MD5: F85A35FD8B47CFF695561C5DF574BD31
PID: 1136 (1012) C:\Archivos de programa\MSN Messenger\msnmsgr.exe
size: 6856704
MD5: 79AC63592F9B6750F2026A2520C11BEE
PID: 1192 ( 376) C:\Archivos de programa\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe
size: 352660
MD5: 5ADB6D0F34DDD73DAB315F8A89B8EB79
PID: 1088 (1012) C:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09CA174A605B480318731E691DC98539
PID: 960 (1088) C:\Archivos de programa\Internet Explorer\iexplore.exe
size: 91136
MD5: 0A80D631A93A52F82B799AC67135EB0A
PID: 8 ( 0) System
--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 02/02/2006 03:49:18 p.m.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
http://www.kpponet.mine.nu
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.kpponet.mine.nu
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.kpponet.mine.nu
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://www.kpponet.mine.nu
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
http://www.kpponet.mine.nu
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.kpponet.mine.nu
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar
http://www.kpponet.mine.nu
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.kpponet.mine.nu
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.kpponet.mine.nu
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.kpponet.mine.nu
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://www.kpponet.mine.nu
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://www.kpponet.mine.nu
--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{118E0FA8-2423-4BC6-9C7D-674FB9AED709}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{118E0FA8-2423-4BC6-9C7D-674FB9AED709}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{44713777-91CD-47AC-8013-83E132D4F4D9}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{44713777-91CD-47AC-8013-83E132D4F4D9}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{8377A437-3A01-42D7-BE76-44A387E931E4}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{8377A437-3A01-42D7-BE76-44A387E931E4}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\rnr20.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP
Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS
elkpp: The following entries are normal with Windows 2000 and also display in System Startup with Spybot 1.4 as you've already discovered.
Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
Located: WinLogon, wzcnotif
command: wzcdlg.dll
file: wzcdlg.dll
The only entry I don't have on my own Windows 2000 SP4 PC is this one, which is apparently added by Deep Freeze as mentioned in the forum link below:
Located: WinLogon, DfLogon
command: LogonDll.dll
file: LogonDll.dll
http://www.wilderssecurity.com/showthread.php?t=84072
Since you've mentioned you have Deep Freeze, none of these are a likely problem. However, if you are still having any real problems you should describe them so that Tashi can have a true Malware Helper take a look.
Just made an online scan with Panda and found too many spyware cookies, but the thing is that now Deep Freeze is disabled and my uninstall it, and it's got something that gets the video to go black for a second a couple of times until the machine doesn't respond any more. And also, why weren't they there with Spybot 1.3? I think they are processes for XP, not for 2000. I have had 2000 for at least 4 years and never have seen them before. I'm telling you they came with 1.4, or maybe they were always there but never been used, and even less at startup.
I will attach an image
LonnyRJones
2006-02-03, 01:32
Hi elkpp
Please re-enable those items, close SpyBot and restart your PC
But by the way, could someone tell me what they are for, or from, or what for, or whatever... I would really like to know
thanks......
If you tell me that they are from Spybot 1.4's new technology to catch everything before all, or something like that, I will be much happier
thanks.... of course, if it's true
I did what you said and when I restart it goes to BSOD and keeps restarting
there are 3 machines and counting.....
I NEED AN ANSWER FAST AND GOOD PLEASE, I'M VERY UPSET, SORRY
LonnyRJones
2006-02-03, 03:06
Try uninstalling Deep Freeze temporarily
All the others are what Microsoft Windows puts there, as Bitman pointed out
How can I uninstall Deep Freeze if it does not finish the startup process and comes to BSOD, the blue screen, and restarts again all the time? By the way, Deep Freeze is in thawed state (no freezing); I disabled it when I installed Spybot 1.4
All right elkpp, STOP until you understand what these entries mean.
The general description of these entries displayed by Spybot 1.4 is found in the Microsoft MSDN Library here:
http://msdn.microsoft.com/library/en-us/secauthn/security/winlogon_notification_packages.asp
Winlogon Notification Packages
Winlogon notification packages are DLLs that receive and handle events generated by Winlogon. You can implement such a notification package to monitor and respond to Winlogon events. This is useful for applications that need to perform additional processing during logon or logoff, or maintain state information that must be updated when Winlogon events occur.
For more information about Winlogon and GINAs, see Winlogon and GINA.
Windows NT and Windows Me/98/95: Winlogon notification packages are not supported.
Note the last line, these entries have existed in Windows 2000 and XP, but not earlier versions of Windows. They were NOT added by Spybot S&D 1.4, it simply was the first version that started to display them.
The description of how the specific registry entries are created is:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/registry_entries.asp
Registry Entries
In order for your package to receive event notifications from Winlogon, you must provide the name of the package, the names of the event handler functions in the package, the DLL responsible for implementing the package, and information about whether the DLL supports asynchronous events and impersonation.
You should create the notification package registry key as a subkey of
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
The name of the key is usually the same as the name of the DLL; however, this is not mandatory. The name chosen for your package must not conflict with the names of other installed notification packages.
Now for what is happening.
A couple posts ago you mentioned this:
...but the thing is that now Deep Freeze is disabled and my uninstall it, and it's got something that gets the video to go black for a second a couple of times until the machine doesn't respond any more ...
Unfortunately, since you must have already disabled the entry related to Deep Freeze, when you uninstalled Deep Freeze, this entry was still in the PC.
Located: WinLogon, DfLogon
command: LogonDll.dll
file: LogonDll.dll
When you re-enabled this entry, the command attempted to execute during system login, which is what this entry does, so the PC is failing due to the missing LogonDll.dll file that you removed when you uninstalled Deep Freeze.
What I'd suggest is to attempt to start the system in Safe Mode by pressing 'F8' before the OS starts and selecting the 'Safe Mode' entry. If that works, try to log in and start Spybot S&D, then uncheck ONLY the DFLogon entry related to Deep Freeze in Tools > System Startup. Then try rebooting and logging in normally.
If this doesn't work, possibly Lonny has some ideas based on his history with Malware that affects these WinLogon Startup entries.
Bitman
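Bitman's diagnosis above (a Winlogon Notify subkey whose DLL no longer exists on disk) can be checked mechanically. The following is an added example, not code from this thread or from Spybot: it parses the "Located: WinLogon, ..." blocks in the Spybot 1.4 System Startup report layout shown earlier, compares them against the stock Windows 2000 SP4 entries Bitman listed, and flags any entry whose DLL is missing from a (constructed) list of files present in system32. The report text and the file list are constructed samples.

```python
import re

# Stock Windows 2000 SP4 Winlogon Notify entries as listed in this thread
# (subkey name -> DLL). Anything outside this set came from third-party software.
STOCK_NOTIFY = {
    "crypt32chain": "crypt32.dll",
    "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll",
    "sclgntfy": "sclgntfy.dll",
    "SensLogn": "WlNotify.dll",
    "wzcnotif": "wzcdlg.dll",
}

# Constructed sample in the Spybot 1.4 "System Startup" report layout.
SAMPLE_REPORT = """\
Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
Located: WinLogon, DfLogon
command: LogonDll.dll
file: LogonDll.dll
"""


def parse_winlogon_entries(report):
    """Return [(subkey, dll), ...] for every 'Located: WinLogon, ...' block."""
    entries = []
    current = None
    for line in report.splitlines():
        m = re.match(r"Located:\s*WinLogon,\s*(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"command:\s*(.+)", line)
        if m and current:
            entries.append((current, m.group(1).strip()))
            current = None
    return entries


def audit_notify_entries(entries, files_present):
    """Classify each entry: 'stock', 'third-party', or 'dangling' (DLL gone).

    A dangling entry is the failure mode in this thread: Winlogon tries to load
    the DLL at every logon, so the missing file breaks the logon sequence.
    """
    present = {f.lower() for f in files_present}
    findings = {}
    for subkey, dll in entries:
        if dll.lower() not in present:
            findings[subkey] = "dangling"
        elif STOCK_NOTIFY.get(subkey, "").lower() == dll.lower():
            findings[subkey] = "stock"
        else:
            findings[subkey] = "third-party"
    return findings


if __name__ == "__main__":
    # Constructed view of system32 after Deep Freeze was removed: no LogonDll.dll
    present_files = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "sclgntfy.dll", "WlNotify.dll", "wzcdlg.dll"}
    entries = parse_winlogon_entries(SAMPLE_REPORT)
    for subkey, verdict in audit_notify_entries(entries, present_files).items():
        print(f"{subkey}: {verdict}")
```

On a live machine the same classification can be applied to the subkeys of HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify; only a "dangling" verdict points at the logon failure described above.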
LonnyRJones
2006-02-03, 03:46
Also, did you by chance delete these files at the time you disabled them?
cript32.dll
cryptnet.dll
cscdll.dll
sclgntfy.dll
WINotify.dll
wzcdlg.dll
Unfortunately I only disabled, never uninstalled DF. Thanks for your explanations. Anyway I still have one machine which is almost the same as the last 2 ones that don't start any more, so if I get lucky I hope I can ghost it and get back my machines
thanks .....and we'll see
No, just disabled in Spybot then re-enabled, and a strange thing happened: when I checked up on Spybot it said can't make this entry, so I did not worry at the time because that was already in regedit. I checked up and they were there, then I closed and restarted, but it never made it
OK, thanks for your help and answers, and sorry about being upset. Anyway, just to say that it's done: I ghosted 2 of 3 machines, and now they are back..
the other is still out of work but it's different; anyway I will format it...
thanks.