my log


83 replies to this topic

#61 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 04 April 2007 - 02:32 PM

reinstall avg and scan (before going online)
then try to change that setting on the network setting,
that i couldn't earlier (the windows firewall)

Yes, good start :thumbup:

i also have concerns about malware, that you
feel is still hiding in this machine.. and if you have
any suggestions on how to find and eliminate that
please let me know.


OK, let's try this. If things are running pretty well then give us a fresh HJT log and we'll review that to start. I'll go back over the scans we ran earlier when I get a chance later. I will probably advise a couple more scans also. We can look at it as a "do over". See if we can get it this time before any updates. Sound OK?

Dave
IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi


#62 sdutcher

sdutcher

    Authentic Member

  • Authentic Member
  • PipPip
  • 101 posts

Posted 04 April 2007 - 06:34 PM

Logfile of HijackThis v1.99.1
Scan saved at 8:27:51 PM, on 4/4/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Documents and Settings\Andrew Horsfall\Desktop\help files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tomcoyote.org/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Verizon Internet Security Suite] "C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~2\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~2\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...72/mcinsctl.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,15/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
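
Added example (not part of the thread and not HijackThis code): a small Python parser for a log like the one above. It groups entries by section code and pulls out the O6 policy key and the autostart files for review. The section descriptions, the review notes and the function names are this example's own; the sample input is an excerpt of the log in this post.

```python
import re
from collections import defaultdict

# Usual HijackThis meaning of the section codes that occur in the log above
# (descriptions are this example's wording, not HijackThis output).
SECTION_NOTES = {
    "R0": "IE start/search page",
    "O2": "Browser Helper Object",
    "O3": "IE toolbar",
    "O4": "autostart (Run key / Startup folder)",
    "O6": "IE options locked by a policy key",
    "O9": "extra IE button / Tools menu item",
    "O16": "ActiveX control (Downloaded Program Files)",
    "O20": "Winlogon Notify / AppInit_DLLs",
    "O23": "Windows service",
}
AUTOSTART = ("O4", "O20", "O23")  # entries that load a file at boot or logon
NOTE_POLICY = "policy key blocks settings changes; ask who set it"
NOTE_SHORT = "8.3 short path; expand it before checking the file"
NOTE_FILE = "autostart file"
NOTE_MANUAL = "no file path parsed; read manually"

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
FILE_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx)\b', re.IGNORECASE)

# Excerpt of the log posted above, trimmed to a few lines per section.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 8:27:51 PM, on 4/4/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG7\avgcc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tomcoyote.org/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""


def parse_hjt(text):
    """Split a log into header fields, running processes and entries by section."""
    meta, processes, entries = {}, [], defaultdict(list)
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False
            entries[match.group(1)].append(match.group(2))
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            processes.append(line)
        elif line.startswith(("Platform:", "MSIE:")):
            key, _, value = line.partition(":")
            meta[key] = value.strip()
    return {"meta": meta, "processes": processes, "entries": dict(entries)}


def section_summary(parsed):
    """Map each section code in the log to (entry count, description)."""
    return {code: (len(items), SECTION_NOTES.get(code, "unknown section"))
            for code, items in parsed["entries"].items()}


def review(parsed):
    """Return (section, note, detail) tuples for the lines a helper reads first."""
    findings = []
    entries = parsed["entries"]
    for item in entries.get("O6", []):
        suffix = " present"
        key = item[:-len(suffix)] if item.endswith(suffix) else item
        findings.append(("O6", NOTE_POLICY, key))
    for code in AUTOSTART:
        for item in entries.get(code, []):
            found = FILE_RE.search(item)
            if not found:
                findings.append((code, NOTE_MANUAL, item))
                continue
            path = found.group(0)
            findings.append((code, NOTE_SHORT if "~" in path else NOTE_FILE, path))
    return findings


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print(parsed["meta"]["Platform"])
    for code, (count, note) in section_summary(parsed).items():
        print(f"{code:<4}{count:>3}  {note}")
    for code, note, detail in review(parsed):
        print(f"[{code}] {note}: {detail}")
```
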

#63 sdutcher

Posted 05 April 2007 - 06:25 AM

The computer seems to boot and run fine, although i disconnected from the internet as soon as my log was posted. I still can not enable the windows firewall, will a winsock repair help that? (the error message says something about ICS service not being available) I really don't want to hook up to the net much until I get this working properly. (firewall) AVG did update while i was posting my HJT log, and once offline I ran another scan which came clean.

#64 IndiGenus

Posted 05 April 2007 - 08:30 AM

I wonder if you can't enable the firewall because of that O6 entry. I can't remember if I asked you this along the way or not but was that set by you or the user, or is this a work PC? If not I would fix that with HJT and try turning on the firewall again. That policy can be reset later if needed.

Run HijackThis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on this:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Then close all windows except this one and press Fix checked.

Let's get a Kaspersky scan and log now and go from there.

Using Internet Explorer, click on Kaspersky Online Scanner
* You will be prompted to install an ActiveX component from Kaspersky, Click 'Yes'.
* The program will launch and then start to download the latest definition files.
* Once the scanner is installed and the definitions downloaded, click 'Next'.
* Now click on 'Scan Settings'
* In the scan settings make sure that the following are selected:
  o Scan using the following Anti-Virus database: 'Extended' (If available, otherwise 'Standard')
  o Scan Options: 'Scan Archives' and 'Scan Mail Bases'
* Click 'OK'
* Now under 'Select a target to scan' select 'My Computer'
* The scan will take a while, so be patient and let it run. Once the scan is complete, it will display whether your system has been infected.
* Now click on the 'Save as Text' button:
* Save the file to your desktop.

Please post the Kaspersky report and a new HijackThis log. Also let me know how you made out with the firewall.

Dave
IndiGenus



#65 sdutcher

Posted 05 April 2007 - 10:23 AM

the pc is not a work pc, and i'm just helping my friend, who recently bought it from another guy... so i'll reset that. what about winsock repair? i have read a lot about using that if the firewall won't run. what is that "control panel" anyways?

#66 IndiGenus

Posted 05 April 2007 - 11:02 AM

Winsock fix is for fixing broken internet connections. I don't believe it will do anything to fix the firewall problem at this point. I could be wrong certainly but clearing Malware at this point is more of a priority. That O6 is a restriction placed to stop changes from being made to a PC. Could be by a computer admin. or by certain programs. Go ahead and fix it and see if we can get a Kaspersky log.
IndiGenus



#67 sdutcher

Posted 05 April 2007 - 12:36 PM

ok, went home for lunch quick and spent a few mins, fixed the O6 line with HJT, no problem, then i worked on the firewall, and traced the dependencies thru the services tree, and ended up having to enable and start the "telephony" service, along with a couple others, then the firewall/ics service would start!! i was so excited!! so i left it on the kaspersky scan, things seem to be working good so far.. when i opened IE6, it spent a few mins detecting proxy settings.. then went to the MS IE6 page! so now, i think i'm gaining, and will post results of the kaspersky scan after work. :-)

#68 sdutcher

Posted 05 April 2007 - 03:32 PM

here is the scan results let me know what you think, i see some stuff, but don't know what to do!

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, April 05, 2007 5:28:59 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 5/04/2007
Kaspersky Anti-Virus database records: 291972
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 55596
Number of viruses found: 2
Number of infected objects: 1 / 0
Number of suspicious objects: 2
Duration of the scan process: 01:01:55

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0f089bd22bcf453ccf810126980056fe_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3905f0a0a26ca29aa4901d5c45e85501_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4ad2a42c17daf75b38f2e4a7d6d6e4a1_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\569dd682d9ab39adb7a62975b2256a79_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\684022895e042d95da3395278522a327_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\68b5a73dac7cc6e14f1e263f43a263fc_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7cd41c6f0419848b802e6ad96fea065d_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b7224bcd4e9c279dc8a90ccaf4b9e671_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f96db401122ef1904f57836808d8dd71_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip/VXH8JKDQ6.EXE Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Andrew Horsfall\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Andrew Horsfall\DoctorWeb\Quarantine\f3PSSavr.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\Andrew Horsfall\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Andrew Horsfall\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Andrew Horsfall\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Andrew Horsfall\Local Settings\History\History.IE5\MSHist012007040520070406\index.dat Object is locked skipped
C:\Documents and Settings\Andrew Horsfall\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Andrew Horsfall\ntuser.dat Object is locked skipped
C:\Documents and Settings\Andrew Horsfall\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Andrew Horsfall\UserData\index.dat Object is locked skipped
C:\Documents and Settings\Becky\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jare'\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\change.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped

Scan process completed.

#69 sdutcher

Posted 05 April 2007 - 06:56 PM

Ad-Aware SE Build 1.06r1
Logfile Created on:Thursday, April 05, 2007 6:19:46 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R163 26.03.2007
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Alexa(TAC index:5):8 total references
MRU List(TAC index:0):15 total references
Tracking Cookie(TAC index:3):2 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

4-5-2007 6:19:46 PM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\Andrew Horsfall\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office

MRU List Object Recognized!
Location: : C:\Documents and Settings\Andrew Horsfall\recent
Description : list of recently opened documents

MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw

MRU List Object Recognized!
Location: : S-1-5-21-2587760716-676309004-189216933-1006\software\microsoft\frontpage\explorer\frontpage explorer\recent file list
Description : list of recently used files in microsoft frontpage

MRU List Object Recognized!
Location: : S-1-5-21-2587760716-676309004-189216933-1006\software\microsoft\frontpage\explorer\frontpage explorer\recent web list
Description : list of recently used webs in microsoft frontpage

MRU List Object Recognized!
Location: : S-1-5-21-2587760716-676309004-189216933-1006\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer

MRU List Object Recognized!
Location: : S-1-5-21-2587760716-676309004-189216933-1006\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer

MRU List Object Recognized!
Location: : S-1-5-21-2587760716-676309004-189216933-1006\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console

MRU List Object Recognized!
Location: : S-1-5-21-2587760716-676309004-189216933-1006\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant

MRU List Object Recognized!
Location: : S-1-5-21-2587760716-676309004-189216933-1006\software\microsoft\windows\currentversion\applets\regedit
Description : last key accessed using the microsoft registry editor

MRU List Object Recognized!
Location: : S-1-5-21-2587760716-676309004-189216933-1006\software\microsoft\windows\currentversion\applets\wordpad\recent file list
Description : list of recent files opened using wordpad

MRU List Object Recognized!
Location: : S-1-5-21-2587760716-676309004-189216933-1006\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened

MRU List Object Recognized!
Location: : S-1-5-21-2587760716-676309004-189216933-1006\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension

MRU List Object Recognized!
Location: : S-1-5-21-2587760716-676309004-189216933-1006\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened

MRU List Object Recognized!
Location: : S-1-5-21-2587760716-676309004-189216933-1006\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 572
ThreadCreationTime : 4-5-2007 6:11:57 PM
BasePriority : Normal

#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 620
ThreadCreationTime : 4-5-2007 6:11:58 PM
BasePriority : Normal

#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 644
ThreadCreationTime : 4-5-2007 6:11:58 PM
BasePriority : High

#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 688
ThreadCreationTime : 4-5-2007 6:11:58 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 700
ThreadCreationTime : 4-5-2007 6:11:58 PM
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 872
ThreadCreationTime : 4-5-2007 6:11:59 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 972
ThreadCreationTime : 4-5-2007 6:11:59 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1160
ThreadCreationTime : 4-5-2007 6:12:00 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1172
ThreadCreationTime : 4-5-2007 6:12:01 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [lexbces.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1324
ThreadCreationTime : 4-5-2007 6:12:02 PM
BasePriority : Normal
FileVersion : 9.47
ProductVersion : 9.47
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
LegalCopyright : © 1993 - 2004 Lexmark International, Inc.
OriginalFilename : LexBceS.exe

#:11 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1340
ThreadCreationTime : 4-5-2007 6:12:02 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:12 [lexpps.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1356
ThreadCreationTime : 4-5-2007 6:12:02 PM
BasePriority : Normal
FileVersion : 9.47
ProductVersion : 9.47
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LEXPPS.EXE
InternalName : LEXPPS
LegalCopyright : © 1993 - 2004 Lexmark International, Inc.
OriginalFilename : LEXPPS.EXE
Comments : MarkVision for Windows '95 New P2P Server (32-bit)

#:13 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1632
ThreadCreationTime : 4-5-2007 6:12:05 PM
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:14 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 1716
ThreadCreationTime : 4-5-2007 6:12:07 PM
BasePriority : Normal
FileVersion : 6.5.1
ProductVersion : QuickTime 6.5.1
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2004
OriginalFilename : QTTask.exe

#:15 [jusched.exe]
FilePath : C:\Program Files\Java\jre1.6.0\bin\
ProcessID : 1724
ThreadCreationTime : 4-5-2007 6:12:07 PM
BasePriority : Normal

#:16 [lxczbmgr.exe]
FilePath : C:\Program Files\Lexmark 1200 Series\
ProcessID : 1732
ThreadCreationTime : 4-5-2007 6:12:07 PM
BasePriority : Normal
FileVersion : 0.1.1.1
ProductVersion : 0.1.1.1
ProductName : Button Manager Executable
CompanyName : Lexmark International, Inc.
FileDescription : Lexmark 1200 Series Button Manager
InternalName : lxczbmgr.exe
LegalCopyright : © 2006 Lexmark International, Inc.
OriginalFilename : lxczbmgr.exe

#:17 [avgcc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG7\
ProcessID : 1744
ThreadCreationTime : 4-5-2007 6:12:07 PM
BasePriority : Normal
FileVersion : 7.5.0.438
ProductVersion : 7.5.0.438
ProductName : AVG Anti-Virus system
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC
LegalCopyright : Copyright © 2007 GRISOFT, s.r.o.
OriginalFilename : AvgCC.EXE

#:18 [hkcmd.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1764
ThreadCreationTime : 4-5-2007 6:12:07 PM
BasePriority : Normal
FileVersion : 3,0,0,2104
ProductVersion : 7,0,0,2104
ProductName : Intel® Common User Interface
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
LegalCopyright : Copyright 1999-2003, Intel Corporation
OriginalFilename : HKCMD.EXE

#:19 [lxczbmon.exe]
FilePath : C:\Program Files\Lexmark 1200 Series\
ProcessID : 1792
ThreadCreationTime : 4-5-2007 6:12:08 PM
BasePriority : Normal
FileVersion : 0.1.1.1
ProductVersion : 0.1.1.1
ProductName : Button Monitor Executable
CompanyName : Lexmark International, Inc.
FileDescription : Lexmark 1200 Series Button Monitor
InternalName : lxczbmon.exe
LegalCopyright : © 2006 Lexmark International, Inc.
OriginalFilename : lxczbmon.exe

#:20 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 556
ThreadCreationTime : 4-5-2007 6:12:38 PM
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:21 [avgamsvr.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG7\
ProcessID : 568
ThreadCreationTime : 4-5-2007 6:12:38 PM
BasePriority : Normal
FileVersion : 7.5.0.445
ProductVersion : 7.5.0.445
ProductName : AVG Anti-Virus system
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Alert Manager
InternalName : avgamsvr
LegalCopyright : Copyright © 2007 GRISOFT, s.r.o.
OriginalFilename : avgamsvr.EXE

#:22 [avgupsvc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG7\
ProcessID : 588
ThreadCreationTime : 4-5-2007 6:12:38 PM
BasePriority : Normal
FileVersion : 7.5.0.420
ProductVersion : 7.5.0.420
ProductName : AVG 7.5 Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Update Service
InternalName : avgupsvc
LegalCopyright : Copyright © 2006 GRISOFT, s.r.o.
OriginalFilename : avgupdsvc.EXE

#:23 [avgemc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG7\
ProcessID : 600
ThreadCreationTime : 4-5-2007 6:12:39 PM
BasePriority : Normal
FileVersion : 7.5.0.442
ProductVersion : 7.5.0.442
ProductName : AVG Anti-Virus system
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG E-Mail Scanner
InternalName : avgemc
LegalCopyright : Copyright © 2007 GRISOFT, s.r.o.
OriginalFilename : avgemc.exe

#:24 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 920
ThreadCreationTime : 4-5-2007 6:12:39 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:25 [jucheck.exe]
FilePath : C:\Program Files\Java\jre1.6.0\bin\
ProcessID : 3200
ThreadCreationTime : 4-5-2007 6:17:08 PM
BasePriority : Normal
FileVersion : 6.0.0.105
ProductVersion : 6.0.0.105
ProductName : Java™ Platform SE 6
CompanyName : Sun Microsystems, Inc.
FileDescription : Java™ Update Checker
InternalName : Java™ Update Checker
LegalCopyright : Copyright © 2004
OriginalFilename : jucheck.exe

#:26 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3564
ThreadCreationTime : 4-5-2007 10:19:27 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Alexa Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : MenuStatusBar

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : Script

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : clsid

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : Icon

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : HotIcon

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : ButtonText

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : S-1-5-21-2587760716-676309004-189216933-1006\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 8
Objects found so far: 23

Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 23

Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrew horsfall@microsoftwlmessengermkt.112.2o7[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value : Cookie:andrew horsfall@microsoftwlmessengermkt.112.2o7.net/
Expires : 3-30-2012 11:49:16 AM
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrew horsfall@atdmt[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:andrew horsfall@atdmt.com/
Expires : 3-29-2012 8:00:00 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 25

Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 25

Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 25

Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 25

6:33:03 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:13:17.500
Objects scanned:151245
Objects identified:10
Objects ignored:0
New critical objects:10

#70 sdutcher


Posted 06 April 2007 - 06:00 AM

Incident | Status | Location
Adware:adware/ist.istbar | Not disinfected | c:\windows\system32\appsys.exe
Spyware:spyware/whazit | Not disinfected | c:\windows\system32\kyf.dat
Adware:adware/securityerror | Not disinfected | c:\windows\system32\ot.ico
Dialer:dialer.bew | Not disinfected | c:\windows\system32\search.html
Adware:adware/admess | Not disinfected | c:\windows\system32\TCPService2.exe
Adware:adware/clickalchemy | Not disinfected | c:\windows\inf\alchem.inf
Adware:adware/delfinmedia | Not disinfected | c:\keys.ini
Adware:adware/wintools | Not disinfected | C:\Documents and Settings\Andrew Horsfall\Favorites\Search the Web for Everything in One Click!.url
Adware:adware/ncase | Not disinfected | c:\windows\didduid.ini
Dialer:dialer.bny | Not disinfected | c:\windows\pcconfig.dat
Adware:adware/sidesearch | Not disinfected | c:\program files\Lycos
Potentially unwanted tool:application/myway | Not disinfected | c:\program files\MyWay
Adware:adware/savenow | Not disinfected | c:\program files\VVSN
Adware:adware/statblaster | Not disinfected | Windows Registry
Potentially unwanted tool:application/mywebsearch | Not disinfected | hkey_classes_root\clsid\{00A6FAF1-072E-44cf-8957-5838F569A31D}
Potentially unwanted tool:application/funweb | Not disinfected | hkey_classes_root\clsid\{00A6FAF6-072E-44cf-8957-5838F569A31D}
Spyware:spyware/apropos | Not disinfected | Windows Registry
Potentially unwanted tool:application/altnet | Not disinfected | hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM
Adware:adware/exact.bargainbuddy | Not disinfected | Windows Registry
Adware:adware/dyfuca | Not disinfected | Windows Registry
Adware:adware/blazefind | Not disinfected | Windows Registry
Adware:adware/mediatickets | Not disinfected | Windows Registry
Potentially unwanted tool:Application/Processor | Not disinfected | C:\Documents and Settings\Andrew Horsfall\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/MyWebSearch | Not disinfected | C:\Documents and Settings\Andrew Horsfall\DoctorWeb\Quarantine\f3PSSavr.scr
Potentially unwanted tool:Application/Processor | Not disinfected | C:\Documents and Settings\Andrew Horsfall\DoctorWeb\Quarantine\Process.exe
Adware:Adware/Startpage.MC | Not disinfected | C:\Program Files\Common Files\Microsoft Shared\Web Folders\mswsc10.dll


#71 IndiGenus


Posted 06 April 2007 - 09:45 AM

Let's go back and run a couple tools we have run before the repair install.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.

http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update succesfull message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file.
Make sure that AVG Anti-Spyware is closed before installing the update.

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon,
    some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
Once in Safe Mode:

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot back into Normal Mode

---------------------------------------------------------------

You will need to run this with Internet Explorer.
Run Panda's ActiveScan from here and perform a full system scan.
  • Once you are on the Panda site click the "Scan your PC" button
  • A new window will open...click the big "Check Now" button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
  • If you are on a slow connection it will take about 15 minutes for the scanner to load.
  • Click on "Local Disks" to start the scan
  • Once scan is done, click "see report" then "save report"
  • Save the log someplace you can find
  • Reboot
  • Post the Panda scan results in your next reply, along with the AVG log and a new HJT log.
Thanks,
Dave
IndiGenus


#72 sdutcher


Posted 06 April 2007 - 05:09 PM

ok,
had some issues in safe mode, with AVG, but i did
get the avg spyware to run, and it found 3
cookies.. and said it deleted them, but it froze up
after that and i couldn't get a log.

i then went back online to panda, and did that,
and ran a hjt, and an adaware, of which reports
follow.
let me know what to do next! thanks!


Logfile of HijackThis v1.99.1
Scan saved at 7:07:05 PM, on 4/6/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0\bin\jucheck.exe
C:\Documents and Settings\Andrew Horsfall\Desktop\help files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tomcoyote.org/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Verizon Internet Security Suite] "C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~2\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~2\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...72/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,15/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

#73 sdutcher


Posted 06 April 2007 - 05:10 PM

and here is the panda scan:

Incident | Status | Location
Adware:adware/securityerror | Not disinfected | c:\windows\system32\ts.ico
Adware:adware/clickalchemy | Not disinfected | c:\windows\alchem.ini
Adware:adware/delfinmedia | Not disinfected | c:\program files\common files\Dpi
Adware:adware/ncase | Not disinfected | c:\windows\system32\FLEOK
Adware:adware/sidesearch | Not disinfected | C:\Documents and Settings\Andrew Horsfall\Application Data\Lycos
Adware:adware/wintools | Not disinfected | Windows Registry
Adware:adware/statblaster | Not disinfected | Windows Registry
Potentially unwanted tool:application/mywebsearch | Not disinfected | hkey_classes_root\clsid\{00A6FAF1-072E-44cf-8957-5838F569A31D}
Potentially unwanted tool:application/funweb | Not disinfected | hkey_classes_root\clsid\{00A6FAF6-072E-44cf-8957-5838F569A31D}
Potentially unwanted tool:application/myway | Not disinfected | hkey_classes_root\clsid\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}
Adware:adware/savenow | Not disinfected | Windows Registry
Spyware:spyware/apropos | Not disinfected | Windows Registry
Potentially unwanted tool:application/altnet | Not disinfected | hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM
Adware:adware/exact.bargainbuddy | Not disinfected | Windows Registry
Adware:adware/dyfuca | Not disinfected | Windows Registry
Adware:adware/ist.istbar | Not disinfected | Windows Registry
Adware:adware/blazefind | Not disinfected | Windows Registry
Adware:adware/mediatickets | Not disinfected | Windows Registry
Potentially unwanted tool:Application/Processor | Not disinfected | C:\Documents and Settings\Andrew Horsfall\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/MyWebSearch | Not disinfected | C:\Documents and Settings\Andrew Horsfall\DoctorWeb\Quarantine\f3PSSavr.scr
Potentially unwanted tool:Application/Processor | Not disinfected | C:\Documents and Settings\Andrew Horsfall\DoctorWeb\Quarantine\Process.exe

#74 sdutcher


Posted 06 April 2007 - 05:12 PM

and here is an adaware scan result: Ad-Aware SE Build 1.06r1 Logfile Created on:Friday, April 06, 2007 5:50:07 PM Created with Ad-Aware SE Personal, free for private use. Using definitions file:SE1R163 26.03.2007 »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» References detected during the scan: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» MRU List(TAC index:0):6 total references »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Ad-Aware SE Settings =========================== Set : Search for negligible risk entries Set : Search for low-risk threats Set : Safe mode (always request confirmation) Set : Scan active processes Set : Scan registry Set : Deep-scan registry Set : Scan my IE Favorites for banned URLs Set : Scan my Hosts file Extended Ad-Aware SE Settings =========================== Set : Unload recognized processes & modules during scan Set : Scan registry for all users instead of current user only Set : Always try to unload modules before deletion Set : During removal, unload Explorer and IE if necessary Set : Let Windows remove files in use at next reboot Set : Delete quarantined objects after restoring Set : Include basic Ad-Aware settings in log file Set : Include additional Ad-Aware settings in log file Set : Include reference summary in log file Set : Include alternate data stream details in log file Set : Play sound at scan completion if scan locates critical objects 4-6-2007 5:50:07 PM - Scan started. (Full System Scan) MRU List Object Recognized! Location: : C:\Documents and Settings\Administrator.JARE\recent Description : list of recently opened documents MRU List Object Recognized! Location: : software\microsoft\directdraw\mostrecentapplication Description : most recent application to use microsoft directdraw MRU List Object Recognized! Location: : S-1-5-21-2587760716-676309004-189216933-500\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru Description : list of recent programs opened MRU List Object Recognized! 
Location: : S-1-5-21-2587760716-676309004-189216933-500\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru Description : list of recently saved files, stored according to file extension MRU List Object Recognized! Location: : S-1-5-21-2587760716-676309004-189216933-500\software\microsoft\windows\currentversion\explorer\recentdocs Description : list of recent documents opened MRU List Object Recognized! Location: : S-1-5-21-2587760716-676309004-189216933-500\software\microsoft\windows\currentversion\explorer\runmru Description : mru list for items opened in start | run Listing running processes »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» #:1 [smss.exe] FilePath : \SystemRoot\System32\ ProcessID : 160 ThreadCreationTime : 4-6-2007 9:32:46 PM BasePriority : Normal #:2 [csrss.exe] FilePath : \??\C:\WINDOWS\system32\ ProcessID : 208 ThreadCreationTime : 4-6-2007 9:32:56 PM BasePriority : Normal #:3 [winlogon.exe] FilePath : \??\C:\WINDOWS\system32\ ProcessID : 232 ThreadCreationTime : 4-6-2007 9:32:58 PM BasePriority : High #:4 [services.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 276 ThreadCreationTime : 4-6-2007 9:33:03 PM BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Services and Controller app InternalName : services.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : services.exe #:5 [lsass.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 288 ThreadCreationTime : 4-6-2007 9:33:03 PM BasePriority : Normal FileVersion : 5.1.2600.1106 (xpsp1.020828-1920) ProductVersion : 5.1.2600.1106 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : LSA Shell (Export Version) InternalName : lsass.exe LegalCopyright : © Microsoft Corporation. All rights reserved. 
OriginalFilename : lsass.exe #:6 [svchost.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 456 ThreadCreationTime : 4-6-2007 9:33:07 PM BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe #:7 [svchost.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 480 ThreadCreationTime : 4-6-2007 9:33:07 PM BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe #:8 [explorer.exe] FilePath : C:\WINDOWS\ ProcessID : 712 ThreadCreationTime : 4-6-2007 9:33:45 PM BasePriority : Normal FileVersion : 6.00.2800.1106 (xpsp1.020828-1920) ProductVersion : 6.00.2800.1106 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Windows Explorer InternalName : explorer LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : EXPLORER.EXE #:9 [avgas.exe] FilePath : C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\ ProcessID : 1072 ThreadCreationTime : 4-6-2007 9:37:20 PM BasePriority : Normal FileVersion : 7, 5, 0, 50 ProductVersion : 7, 5, 0, 50 ProductName : AVG Anti-Spyware CompanyName : Anti-Malware Development a.s. FileDescription : AVG Anti-Spyware InternalName : AVG Anti-Spyware LegalCopyright : Copyright © 2006 Anti-Malware Development a.s. 
OriginalFilename : avgas.exe #:10 [ad-aware.exe] FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\ ProcessID : 1380 ThreadCreationTime : 4-6-2007 9:49:21 PM BasePriority : Normal FileVersion : 6.2.0.236 ProductVersion : SE 106 ProductName : Lavasoft Ad-Aware SE CompanyName : Lavasoft Sweden FileDescription : Ad-Aware SE Core application InternalName : Ad-Aware.exe LegalCopyright : Copyright © Lavasoft AB Sweden OriginalFilename : Ad-Aware.exe Comments : All Rights Reserved Memory scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 6 Started registry scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Registry Scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 6 Started deep registry scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Deep registry scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 6 Started Tracking Cookie scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Tracking cookie scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 6 Deep scanning and examining files (C:) »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Disk Scan Result for C:\ »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 6 Scanning Hosts file...... Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts". »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Hosts file scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» 1 entries scanned. New critical objects:0 Objects found so far: 6 Performing conditional scans... »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Conditional scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 6 6:05:58 PM Scan Complete Summary Of This Scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Total scanning time:00:15:51.360 Objects scanned:127924 Objects identified:0 Objects ignored:0 New critical objects:0

#75 sdutcher


Posted 06 April 2007 - 09:23 PM

kaspersky 11pm

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, April 06, 2007 11:21:48 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 7/04/2007
Kaspersky Anti-Virus database records: 292220
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 59266
Number of viruses found: 2
Number of infected objects: 2 / 0
Number of suspicious objects: 2
Duration of the scan process: 01:07:34

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0f089bd22bcf453ccf810126980056fe_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3905f0a0a26ca29aa4901d5c45e85501_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4ad2a42c17daf75b38f2e4a7d6d6e4a1_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\569dd682d9ab39adb7a62975b2256a79_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\684022895e042d95da3395278522a327_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\68b5a73dac7cc6e14f1e263f43a263fc_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7cd41c6f0419848b802e6ad96fea065d_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b7224bcd4e9c279dc8a90ccaf4b9e671_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f96db401122ef1904f57836808d8dd71_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip/VXH8JKDQ6.EXE Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Andrew Horsfall\.housecall6.6\Quarantine\f3PSSavr.scr.bac_a03140 Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\Andrew Horsfall\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Andrew Horsfall\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Andrew Horsfall\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Andrew Horsfall\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Andrew Horsfall\Local Settings\History\History.IE5\MSHist012007040620070407\index.dat Object is locked skipped
C:\Documents and Settings\Andrew Horsfall\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Andrew Horsfall\ntuser.dat Object is locked skipped
C:\Documents and Settings\Andrew Horsfall\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Andrew Horsfall\UserData\index.dat Object is locked skipped
C:\Documents and Settings\Becky\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jare'\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0004511.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\change.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped

Scan process completed.
