My HJT Log


30 replies to this topic

#1 mike19687 (Authentic Member, 21 posts)

Posted 15 October 2007 - 09:54 PM

Hi, in the past I know HijackThis has been very helpful. But lately I've been having a lot of problems. Some specific things that are unusual for my computer are that my wireless internet connection constantly disconnects. I then have to restart my computer to get my connection back. Sometimes I also cannot open folders such as My Documents, My Computer, etc.; in that case I also have to restart my computer. I also can no longer open or control my volume (on my computer); for example, I even have a volume control button and mute on my keyboard, yet nothing happens now when I use those. I am also getting an extreme amount of pop-ups, which for me is very unusual. And the most annoying problem is that randomly my computer will just start running at EXTREMELY slow rates. This has all been happening for a while. I fixed it with HijackThis but it slowly got worse again. I think maybe something got by the first time. Anyway, I would really appreciate it if you guys could take a look at my log. Either way, thanks for your time.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:04 PM, on 10/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1152943990\ee\AOLSoftware.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1152943990\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1163654940968
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...ader_v10_en.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...800/mcfscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6978 bytes
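The log above is the format a helper reads by eye: every line after the process list is "<section> - <body>", and the section prefix (R0/R1 browser settings, O4 Run keys, O16 downloaded ActiveX controls, O20 Winlogon Notify DLLs, O23 services) tells you which launch point it came from. The script below is an added example, not code from the thread or from HijackThis: it parses that format and applies a few review heuristics that a practitioner checks first, such as a user-mode program registered under the SYSTEM or Default User profile, a Global Startup shortcut whose target HijackThis could not resolve (shown as "= ?"), an O16 control fetched from a host outside a trusted list, any O20 DLL, and O23 services with no owner or a missing image. The trusted-host list and the two O16 URLs and the "exhelp" service line in the sample are constructed assumptions for the demonstration; the other sample lines are copied from the posted log. A hit is a prompt to inspect the file and its signer, not a verdict.

```python
"""Parse a HijackThis 2.0 log and flag entries worth a second look (added example)."""
import re
from collections import Counter, namedtuple

Entry = namedtuple("Entry", "section body")

# A HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] path".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")

# Assumptions, not taken from the log: hosts the operator already trusts for
# ActiveX (O16 DPF) downloads, and hives under which a user-mode application
# in a Run key is unexpected (the SYSTEM and Default User profiles).
TRUSTED_DPF_HOSTS = ("update.microsoft.com", "go.microsoft.com")
SYSTEM_PROFILE_HIVES = (r"HKUS\S-1-5-18", r"HKUS\.DEFAULT")

# Constructed sample: most lines are from the posted log, the two O16 URLs and
# the "exhelp" service are made up to exercise the O16 and O23 rules.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/example/muweb.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.example/loader.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Example Helper (exhelp) - Unknown owner - C:\WINDOWS\system32\exhelp.exe (file missing)
"""


def parse_hjt(text):
    """Return one Entry per 'Rn - ...' / 'On - ...' line; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Apply review heuristics; returns (rule, body) pairs. A hit means 'look', not 'malicious'."""
    findings = []
    for section, body in entries:
        if section == "O4":
            if body.startswith(SYSTEM_PROFILE_HIVES):
                findings.append(("run-key-under-system-profile", body))
            elif body.endswith("= ?"):
                findings.append(("startup-shortcut-target-unresolved", body))
        elif section == "O16":
            m = re.search(r"https?://([^/\s]+)", body)
            if m and not m.group(1).lower().endswith(TRUSTED_DPF_HOSTS):
                findings.append(("activex-from-unlisted-host", body))
        elif section == "O20":
            # Winlogon Notify DLLs load into winlogon.exe at logon: always verify the signer.
            findings.append(("winlogon-notify-dll", body))
        elif section == "O23":
            if "Unknown owner" in body:
                findings.append(("service-unknown-owner", body))
            if "(file missing)" in body:
                findings.append(("service-file-missing", body))
    return findings


def count_by_rule(findings):
    """Rule name -> number of hits, handy for a quick summary line."""
    return dict(Counter(rule for rule, _ in findings))


if __name__ == "__main__":
    for rule, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{rule:40} {body}")
```

Run against the posted log, the rules fire on the two MySpaceIM entries under the SYSTEM and Default User profiles, the unresolved Digital Line Detect shortcut, the SUPERAntiSpyware Winlogon DLL and every O16 host not on the list; all of those are then confirmed or cleared by checking the file on disk, which is exactly the step the helper performs by hand.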



#2 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 19 October 2007 - 07:40 PM

Howdy mike19687,

No infection or anything outright amiss showing here. When I see statements like this I cringe a little:

I fixed it with HijackThis


As HijackThis is a specialty malware diagnostic and repair tool, it is not usually considered a tool to use for a "fix". What all did you fix with it?

Post back on that and let's take an additional look here. Go Here and download Silent Runners to your desktop. Run it, and post back here the log it creates. If your AV queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify you when the scan is complete. Copy the log from the Startup Programs file back here.

#3 mike19687 (Authentic Member, 21 posts)

Posted 20 October 2007 - 04:51 PM

Oh sorry, lol, what I meant by I "fixed" it was that I used a site similar to this and they told me what to do. But I know my computer does have a problem, but from what I recall I posted something almost 2 months ago probably and they said my log was clean also, but then locked my topic and didn't so much help. Anyway, thanks, and here is my log.

"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Steam" = ""C:\Program Files\Valve\Steam\Steam.exe" -silent" ["Valve Corporation"]
"DW4" = ""C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"" ["The Weather Channel Interactive"]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"NBJ" = ""C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"" ["Ahead Software AG"]
"SUPERAntiSpyware" = "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" ["SUPERAntiSpyware.com"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"HostManager" = "C:\Program Files\Common Files\AOL\1152943990\ee\AOLSoftware.exe" ["America Online, Inc."]
"Windows Media Connect 2" = ""C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet" [MS]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"itype" = ""C:\Program Files\Microsoft IntelliType Pro\itype.exe"" [MS]
"IntelliPoint" = ""C:\Program Files\Microsoft IntelliPoint\ipoint.exe"" [MS]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Inc."]
"(Default)" = (unknown data type)

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MI1933~1\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MI1933~1\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {HKLM...CLSID} = "Universal Plug and Play Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{1825D0FA-5B0C-4e20-A929-3EFD15B6DF71}" = "IntelliType Pro Touchpad Control Property Page"
-> {HKLM...CLSID} = "IntelliType Pro Touchpad Control Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcpltp.dll"" [MS]
"{A2569D1F-4E06-43EC-9825-0088B471BE47}" = "IntelliType Pro Wireless Control Panel Property Page"
-> {HKLM...CLSID} = "IntelliType Pro Wireless Control Panel Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplwir.dll"" [MS]
"{97FA8AA2-EE77-4FF2-9449-424D8924EF21}" = "IntelliType Pro Zooming Control Panel Property Page"
-> {HKLM...CLSID} = "IntelliType Pro Zooming Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplzm.dll"" [MS]
"{111D8120-25EB-4E1C-A4DF-C9EE5FCA35CB}" = "IntelliType Pro Scrolling Control Panel Property Page"
-> {HKLM...CLSID} = "IntelliType Pro Scrolling Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplwhl.dll"" [MS]
"{ED6E87C6-8A83-43aa-8208-8DBC8247F4D2}" = "IntelliType Pro Key Settings Control Panel Property Page"
-> {HKLM...CLSID} = "IntelliType Pro Key Settings Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplkey.dll"" [MS]
"{20082881-FC36-4E47-9A7A-644C95FF749F}" = "IntelliPoint Wireless Control Panel Property Page"
-> {HKLM...CLSID} = "Wireless Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplwir.dll"" [MS]
"{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}" = "IntelliPoint Wheel Control Panel Property Page"
-> {HKLM...CLSID} = "Wheel Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplwhl.dll"" [MS]
"{653DCCC2-13DB-45B2-A389-427885776CFE}" = "IntelliPoint Activities Control Panel Property Page"
-> {HKLM...CLSID} = "Activities Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplact.dll"" [MS]
"{124597D8-850A-41AE-849C-017A4FA99CA2}" = "IntelliPoint Buttons Control Panel Property Page"
-> {HKLM...CLSID} = "Buttons Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplbtn.dll"" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> !SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]
<<!>> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]
<<!>> NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" ["Symantec Corporation"]
<<!>> wzcnotif\DLLName = "wzcdlg.dll" [MS]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\My Documents\My Pictures\Figher Jet.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Michael Rendon\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Startup items in "Michael Rendon" & "All Users" startup folders:
----------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Digital Line Detect" -> shortcut to: "C:\Program Files\Digital Line Detect\DLG.exe" ["BVRP Software"]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
"McAfee.com Scan for Viruses - My Computer (D9J4V191-Michael Rendon)" -> launches: "c:\program files\mcafee.com\vso\mcmnhdlr.exe /runtask:0" [file not found]
"User_Feed_Synchronization-{0B07D1DA-5A61-4854-BE9D-D73CF9DE28BA}" -> launches: "C:\WINDOWS\system32\msfeedssync.exe sync" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_02"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_02"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]
iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Inc."]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Symantec AntiVirus, Symantec AntiVirus, ""C:\Program Files\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]
Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Viewpoint Manager Service, Viewpoint Manager Service, ""C:\Program Files\Viewpoint\Common\ViewpointService.exe"" ["Viewpoint Corporation"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


---------- (launch time: 2007-10-20 18:43:51)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 159 seconds, including 9 seconds for message boxes)

#4 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 21 October 2007 - 09:47 AM

Almost clean here, but you have a registry startup that, although perhaps innocent, Silent Runners is not able to interpret.

Download ComboFix.exe from here to your desktop, and click the downloaded file to run the repair.

When the command window opens, select 1 (and Enter). Allow the scan to run. When completed, a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Post back the C:\ComboFix.txt please.

#5 mike19687 (Authentic Member, 21 posts)

Posted 21 October 2007 - 01:04 PM

Thanks, here's that log

ComboFix 07-10-20.6 - Michael Rendon 2007-10-21 14:48:35.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.186 [GMT -4:00]
Running from: C:\Documents and Settings\Michael Rendon\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pack.epk
C:\WINDOWS\system32\bzxaxu.dat
c:\WINDOWS\system32\bzxaxu.dat
C:\WINDOWS\system32\bzxaxu.exe
c:\windows\system32\bzxaxu.exe
c:\WINDOWS\system32\bzxaxu_nav.dat
C:\WINDOWS\system32\bzxaxu_nav.dat
c:\WINDOWS\system32\bzxaxu_navps.dat
C:\WINDOWS\system32\bzxaxu_navps.dat
C:\WINDOWS\system32\nvs2.inf

.
((((((((((((((((((((((((( Files Created from 2007-09-21 to 2007-10-21 )))))))))))))))))))))))))))))))
.

2007-10-17 18:16 <DIR> d-------- C:\Program Files\iTunes
2007-10-17 18:13 <DIR> d-------- C:\Program Files\QuickTime
2007-10-17 18:11 <DIR> d-------- C:\Program Files\Apple Software Update
2007-10-17 18:10 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-17 18:10 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-10-17 18:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-10-11 18:12 <DIR> d-------- C:\Program Files\Viewpoint
2007-10-11 18:02 <DIR> d-------- C:\Program Files\AIM6
2007-10-09 18:01 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-18 21:58 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-10-17 22:16 --------- d-----w C:\Program Files\iPod
2007-10-17 03:16 --------- d-----w C:\Documents and Settings\Michael Rendon\Application Data\AdobeUM
2007-10-12 16:37 --------- d-----w C:\Documents and Settings\Michael Rendon\Application Data\Viewpoint
2007-10-11 22:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-11 01:06 --------- d-----w C:\Documents and Settings\Michael Rendon\Application Data\Azureus
2007-10-02 00:35 --------- d--h--w C:\Documents and Settings\Michael Rendon\Application Data\Move Networks
2007-09-16 01:48 --------- d-----w C:\Program Files\McGraw-Hill's SAT I Review
2007-09-12 00:21 --------- d-----w C:\Documents and Settings\Michael Rendon\Application Data\acccore
2007-09-11 23:19 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-09-11 23:18 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2007-09-06 01:57 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-09-06 01:54 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-09-06 01:54 --------- d-----w C:\Documents and Settings\Michael Rendon\Application Data\SUPERAntiSpyware.com
2007-09-06 01:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-08-31 01:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\PopCap
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-08-13 01:51 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 23:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-07-30 23:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2006-10-21 03:39 49 ----a-w C:\Documents and Settings\Michael Rendon\Application Data\internaldb41.dat
2006-10-21 03:39 337 ----a-w C:\Documents and Settings\Michael Rendon\Application Data\internaldb1942.dat
2006-10-21 03:27 13,046 ----a-w C:\Documents and Settings\Michael Rendon\Application Data\internaldb6131.dat
2006-10-21 03:27 0 ----a-w C:\Documents and Settings\Michael Rendon\Application Data\internaldb1424.dat
2006-10-21 01:57 179,200 ----a-w C:\Documents and Settings\Michael Rendon\Application Data\internaldb7487.dat
2006-10-19 00:44 9,216 ----a-w C:\Documents and Settings\Michael Rendon\Application Data\internaldb7517.dat
2006-10-19 00:44 0 ----a-w C:\Documents and Settings\Michael Rendon\Application Data\internaldb8614.dat
2006-10-19 00:44 0 ----a-w C:\Documents and Settings\Michael Rendon\Application Data\internaldb7741.dat
2006-10-19 00:44 0 ----a-w C:\Documents and Settings\Michael Rendon\Application Data\internaldb7190.dat
2006-10-19 00:44 0 ----a-w C:\Documents and Settings\Michael Rendon\Application Data\internaldb4864.dat
2006-10-19 00:44 0 ----a-w C:\Documents and Settings\Michael Rendon\Application Data\internaldb4562.dat
2006-05-17 06:20 17 ----a-w C:\Program Files\d.bat
2006-03-19 20:58:37 56 --sh--r C:\WINDOWS\system32\4B22DF3795.sys
2006-03-19 20:58:42 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostManager"="C:\Program Files\Common Files\AOL\1152943990\ee\AOLSoftware.exe" [2006-05-09 20:24]
"Windows Media Connect 2"="C:\Program Files\Windows Media Connect 2\WMCCFG.exe" [2005-10-06 19:12]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-20 21:07]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 19:14]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 19:15]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"Steam"="C:\Program Files\Valve\Steam\Steam.exe" [2007-10-10 11:29]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2006-04-19 09:30]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-04-14 17:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-12-21 08:58:32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys
R2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys
R2 SVKP;SVKP;\??\C:\WINDOWS\system32\SVKP.sys
R3 LinksysFVNETusbl(AR)®;Linksys FVNETusbl(AR)® Service for Instant Wireless USB Network Adapter ver.2.6;C:\WINDOWS\system32\DRIVERS\vnetusbl.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-17 22:11:12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-19 22:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (D9J4V191-Michael Rendon).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2007-10-21 18:50:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{0B07D1DA-5A61-4854-BE9D-D73CF9DE28BA}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-21 14:51:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-21 14:52:41
C:\ComboFix-quarantined-files.txt ... 2007-07-22 21:29
C:\ComboFix2.txt ... 2007-07-22 21:29
C:\ComboFix3.txt ... 2007-07-11 22:18
.
--- E O F ---

#6 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 21 October 2007 - 01:34 PM

That flushed it out - a Navipromo infection. Let's follow up with that now. The Silent Runners log also shows you have an orphaned task, so when you get a chance go to Control Panel - Scheduled Tasks, and delete that "McAfee.com Scan for Viruses...".


Go Here and download ATF cleaner. Click on the downloaded file to run it, and select "Select All", then click Empty Selected (and close ATF).

If you have them, also click on Firefox/Opera at the top and repeat the steps (and close ATF). Firefox/Opera will need to be closed first for the cleaning to be effective.



Then go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).

To use the scan, once the download has completed click Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click My Computer to begin the scan. Save the Report as a text file and post that back here.

To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".


Post back that log along with a new Silent Runners log please.

#7 mike19687 (Authentic Member, 21 posts)

Posted 25 October 2007 - 09:15 AM

Ok, I did all that. I just hope that I saved the log the right way.

[Kaspersky Online Scanner page text pasted in place of the report; interface text and database update listing omitted. Scan summary from the page:]

Selected target: My Computer
Source: C:\; D:\; E:\; F:\; H:\
Report is empty.
Scan Progress [99%]:
Total number of scanned objects: 144864
Number of viruses found: 5
Number of infected objects: 54
Number of suspicious objects: 0
Duration of the scan process: 02:14:09
You have Kaspersky Online Scanner version 5.0.98.0 installed. The current anti-virus database was released on Thursday, October 25, 2007 and contains 444202 records.
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)

#8 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 25 October 2007 - 01:09 PM

Darn, but no, not quite the right one. See the Kaspersky log this person did so you will know what we want to see back here.

#9 mike19687 (Authentic Member, 21 posts)

Posted 26 October 2007 - 10:29 PM

Hmm, that's really weird. Last time there wasn't a Save As option, but this time there was. Well, anyways, here's my log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, October 27, 2007 12:27:07 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/10/2007
Kaspersky Anti-Virus database records: 446884
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
H:\

Scan Statistics:
Total number of scanned objects: 140709
Number of viruses found: 5
Number of infected objects: 34
Number of suspicious objects: 0
Duration of the scan process: 02:27:00

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat  Object is locked  skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineC40000\46D59751.VBN  Infected: Trojan-Downloader.Win32.Tiny.id  skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineC40001\46D59773.VBN  Infected: Trojan-Downloader.Win32.Tiny.id  skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineC40002\46D6C9E7.VBN  Infected: Trojan-Downloader.Win32.Tiny.id  skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineC40003\46D6C9F5.VBN  Infected: Trojan-Downloader.Win32.Tiny.id  skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineC40004\46D6E0D1.VBN  Infected: Trojan-Downloader.Win32.Tiny.id  skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineC40005\46D6E0E2.VBN  Infected: Trojan-Downloader.Win32.Tiny.id  skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineC40006\46D6E510.VBN  Infected: Trojan-Downloader.Win32.Tiny.id  skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineC40007\46D6E51F.VBN  Infected: Trojan-Downloader.Win32.Tiny.id  skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineC40008\46D713DA.VBN  Infected: Trojan-Downloader.Win32.Tiny.id  skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineC40009\46D713F4.VBN  Infected: Trojan-Downloader.Win32.Tiny.id  skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine42C0000.VBN/d3ddlv.dll  Infected: not-a-virus:AdWare.Win32.Virtumonde.ke  skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine42C0000.VBN  ZIP: infected - 1  skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine42C0000.VBN  CryptZ: infected - 1  skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine42C0001.VBN/d3ddlv.dll  Infected: not-a-virus:AdWare.Win32.Virtumonde.ke  skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine42C0001.VBN  ZIP: infected - 1  skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine42C0001.VBN  CryptZ: infected - 1  skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine9B40000\4FB454CB.VBN  Infected: Trojan-Downloader.Win32.Tiny.id  skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine9B40001\4FB454DB.VBN  Infected: Trojan-Downloader.Win32.Tiny.id  skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineBF80000\4FF97B89.VBN  Infected: Trojan-Downloader.Win32.Tiny.id  skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineBF80001\4FF97B9A.VBN  Infected: Trojan-Downloader.Win32.Tiny.id  skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineBF80002\4FF98F68.VBN  Infected: Trojan-Downloader.Win32.Tiny.id  skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineBF80003\4FF98FAC.VBN  Infected: Trojan-Downloader.Win32.Tiny.id  skipped
C:\Documents and Settings\LocalService\Cookies\index.dat  Object is locked  skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat  Object is locked  skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat  Object is locked  skipped
C:\Documents and Settings\LocalService\NTUSER.DAT  Object is locked  skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG  Object is locked  skipped
C:\Documents and Settings\Michael Rendon\Application Data\acccore\nss\cert8.db  Object is locked  skipped
C:\Documents and Settings\Michael Rendon\Application Data\acccore\nss\key3.db  Object is locked  skipped
C:\Documents and Settings\Michael Rendon\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG  Object is locked  skipped
C:\Documents and Settings\Michael Rendon\Cookies\index.dat  Object is locked  skipped
C:\Documents and Settings\Michael Rendon\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls  Object is locked  skipped
C:\Documents and Settings\Michael Rendon\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls  Object is locked  skipped
C:\Documents and Settings\Michael Rendon\Local Settings\Application Data\AOL OCP\AIM\Storage\data\l9mike90\localStorage\common.cls  Object is locked  skipped
C:\Documents and Settings\Michael Rendon\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat  Object is locked  skipped
C:\Documents and Settings\Michael Rendon\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped
C:\Documents and Settings\Michael Rendon\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped
C:\Documents and Settings\Michael Rendon\Local Settings\History\History.IE5\index.dat  Object is locked  skipped
C:\Documents and Settings\Michael Rendon\Local Settings\History\History.IE5\MSHist012007102620071027\index.dat  Object is locked  skipped
C:\Documents and Settings\Michael Rendon\Local Settings\Temp\~DF3CC.tmp  Object is locked  skipped
C:\Documents and Settings\Michael Rendon\Local Settings\Temp\~DF3D9.tmp  Object is locked  skipped
C:\Documents and Settings\Michael Rendon\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat  Object is locked  skipped
C:\Documents and Settings\Michael Rendon\Local Settings\Temporary Internet Files\Content.IE5\index.dat  Object is locked  skipped
C:\Documents and Settings\Michael Rendon\My Documents\My Music\iTunes\iTunes Library.itl  Object is locked  skipped
C:\Documents and Settings\Michael Rendon\NTUSER.DAT  Object is locked  skipped
C:\Documents and Settings\Michael Rendon\ntuser.dat.LOG  Object is locked  skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat  Object is locked  skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat  Object is locked  skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat  Object is locked  skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT  Object is locked  skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG  Object is locked  skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT  Object is locked  skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log  Object is locked  skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log  Object is locked  skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log  Object is locked  skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log  Object is locked  skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log  Object is locked  skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log  Object is locked  skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log  Object is locked  skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log  Object is locked  skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log  Object is locked  skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log  Object is locked  skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log  Object is locked  skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log  Object is locked  skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log  Object is locked  skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log  Object is locked  skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log  Object is locked  skipped
C:\Program Files\Symantec AntiVirus\SAVRT607NAV~.TMP  Object is locked  skipped
C:\Program Files\Symantec AntiVirus\SAVRT853NAV~.TMP  Object is locked  skipped
C:\QooBox\Quarantine\C\DOCUME~1\MICHAE~1\APPLIC~1\tmp32.tmp.exe.vir  Infected: Trojan.Win32.Pakes  skipped
C:\QooBox\Quarantine\C\DOCUME~1\MICHAE~1\APPLIC~1\tmp42F.tmp.exe.vir  Infected: Trojan.Win32.Pakes  skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ssqrsro.dll.vir  Infected: Trojan-Downloader.Win32.ConHook.fh  skipped
C:\System Volume Information\MountPointManagerRemoteDatabase  Object is locked  skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP463\A0155705.exe/stream/data0002  Infected: not-a-virus:AdWare.Win32.NaviPromo.bw  skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP463\A0155705.exe/stream  Infected: not-a-virus:AdWare.Win32.NaviPromo.bw  skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP463\A0155705.exe  NSIS: infected - 2  skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP463\A0155706.exe/EXE-file/stream/data0006  Infected: not-a-virus:AdWare.Win32.NaviPromo.bw  skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP463\A0155706.exe/EXE-file/stream  Infected: not-a-virus:AdWare.Win32.NaviPromo.bw  skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP463\A0155706.exe/EXE-file  Infected:
not-a-virus:AdWare.Win32.NaviPromo.bw skipped C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP463\A0155706.exe Embedded EXE: infected - 3 skipped C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP463\A0155706.exe UPX: infected - 3 skipped C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP463\A0155706.exe PE_Patch.UPX: infected - 3 skipped C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP518\change.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\EventCache\{F6340A55-44BF-4F58-8212-1E32711DEE73}.bin Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\DEFAULT Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\Internet.evt Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SYSTEM Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is 
locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped F:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP518\change.log Object is locked skipped Scan process completed.

#10 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 27 October 2007 - 04:57 PM

Mostly normally locked system functions, things removed by Norton which you need to clear from the Norton Quarantine, some items we removed using ComboFix in that Qoobox quarantine, and some System Restore infection held harmless unless a Restore is done. Not sure I like the PE Patch identification of one of those, so let's check against that with your AV here, just to be sure no file infectors are around.

Empty the Norton Quarantine, and delete this entire folder:

C:\Qoobox

Then reset the System Restore. To do this, right-click My Computer and select Properties. Click the System Restore tab in the window that appears, check the box that says "Turn off System Restore on all drives" and click Apply. You will be asked if you are sure; click Yes. This will delete the restore points. Then click OK in the Properties window and reboot your computer. When your desktop appears, right-click My Computer and select Properties once more. Uncheck the "Turn off System Restore..." box and click Apply. OK.

Then open and update Norton, reboot into Safe Mode, and run a complete scan with Norton. I am not familiar with its uses, but if there is a means to save a logfile of the scan, please do so, to post that back here. Then reboot to normal mode and post back an update on what Norton might have located (if anything).
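The reply above sorts the scan log into four kinds of entry: in-use ("Object is locked") system files, detections already sitting in the Norton quarantine, detections in the ComboFix quarantine under C:\Qoobox, and copies held in System Restore points, none of which is a live infection. The script below is an added example, not part of the thread and not from Kaspersky, Symantec or ComboFix; it applies that same reading to a log in this shape so that the only entries left over are the ones that would actually need work. The sample lines are constructed: the first six copy paths and detection names from the log posted above, and the `example_live.dll` line with its detection name `Example.Constructed.Name` is invented to show a hit outside any quarantine. The path-shape rules (`\Quarantine` under the Symantec product folder, `C:\QooBox\Quarantine`, `\System Volume Information\_restore`) are assumptions taken from the paths in this thread.

```python
"""Bucket a scanner log into "already contained" vs "still live" detections.

Added example, not from the thread or from any tool it names. It encodes the
reading given in the reply above: entries inside the Symantec quarantine, the
ComboFix (QooBox) quarantine or a System Restore point are inert until those
stores are emptied, "Object is locked" entries are in-use system files, and
anything else is a live hit that needs hands-on work.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the shape of the log posted above (one entry per line,
# "<path> <status> skipped"). The first six lines copy paths and names from that
# log; the example_live.dll line and its detection name are invented (assumption).
SAMPLE_LOG = r"""
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine9B40000\4FB454CB.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ssqrsro.dll.vir Infected: Trojan-Downloader.Win32.ConHook.fh skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP463\A0155706.exe/EXE-file Infected: not-a-virus:AdWare.Win32.NaviPromo.bw skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP463\A0155706.exe Embedded EXE: infected - 3 skipped
C:\WINDOWS\system32\example_live.dll Infected: Example.Constructed.Name skipped
Scan process completed.
"""

# Three status shapes occur in the log: an in-use file, a named detection, and a
# container/packer summary such as "NSIS: infected - 2" or "Embedded EXE: infected - 3".
# The path is matched lazily: it can only end at a space that is followed by one
# of these status shapes, and the packer tag may not contain spaces or backslashes
# (except the literal "Embedded EXE"), so spaces inside a path do not split it early.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) (?:"
    r"(?P<locked>Object is locked)"
    r"|Infected: (?P<name>\S+)"
    r"|(?P<tag>Embedded EXE|[A-Za-z0-9_.]+): infected - (?P<count>\d+)"
    r")(?: skipped)?$"
)

# What each bucket means, following the reply above. Path rules are assumptions
# based on the paths seen in this thread.
BUCKET_ACTION = {
    "av_quarantine": "already contained: empty the antivirus (Norton) quarantine",
    "combofix_quarantine": "already contained: delete the C:\\QooBox folder",
    "system_restore": "inert unless restored: purge restore points (System Restore off, reboot, on)",
    "locked": "normal: in-use system file, no action",
    "live": "ACTIVE: file outside any quarantine, investigate and remove",
}


@dataclass
class Entry:
    path: str
    detection: str  # detection name, container summary, or "locked"
    bucket: str     # key of BUCKET_ACTION


def classify_path(path: str, locked: bool) -> str:
    """Map an entry's path (and locked flag) onto one of the buckets above."""
    p = path.lower()
    if locked:
        return "locked"
    if "\\symantec antivirus corporate edition\\" in p and "\\quarantine" in p:
        return "av_quarantine"
    if p.startswith("c:\\qoobox\\quarantine\\"):
        return "combofix_quarantine"
    if "\\system volume information\\_restore" in p:
        return "system_restore"
    return "live"


def parse_log(text: str) -> list[Entry]:
    """Parse one entry per line; lines matching none of the known shapes are skipped."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Scan process"):
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            continue
        locked = m.group("locked") is not None
        if locked:
            detection = "locked"
        elif m.group("name") is not None:
            detection = m.group("name")
        else:
            detection = f"{m.group('tag')} container ({m.group('count')} infected)"
        entries.append(Entry(m.group("path"), detection, classify_path(m.group("path"), locked)))
    return entries


def triage(text: str) -> dict[str, list[Entry]]:
    """Group parsed entries by bucket."""
    buckets: dict[str, list[Entry]] = defaultdict(list)
    for entry in parse_log(text):
        buckets[entry.bucket].append(entry)
    return dict(buckets)


def live_detections(text: str) -> list[Entry]:
    """The only entries that still need hands-on work."""
    return [e for e in parse_log(text) if e.bucket == "live"]


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(f"{bucket} ({len(items)}): {BUCKET_ACTION[bucket]}")
        for e in items:
            print(f"    {e.detection}  {e.path}")
```

Run against the full log above, every detection lands in one of the three "already contained" buckets and `live_detections` comes back empty, which is the conclusion the reply reaches by hand; a non-empty result is the list of files to look at before trusting a "clean" verdict. The bucket for `C:\QooBox` only applies while that folder exists, so once it is deleted and the quarantine and restore points are emptied, a rescan should produce a log with nothing but locked entries.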



#11 mike19687 (Authentic Member, 21 posts)

Posted 28 October 2007 - 09:56 PM

OK, I deleted that folder, but I'm not sure if I deleted the quarantined stuff because I don't know where it is located. And I ran the scan and, for the first time ever, it did not come up with anything.

#12 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 29 October 2007 - 04:23 AM

Sounds like things are cleaned. If no issues at this time, you can delete the files/folders we used. To undo some changes ComboFix made and remove its files/folders, go to Start - Run, type the following and press Enter:

ComboFix /u


Then reset your System Restore points. To do this, right-click My Computer and select Properties. Click the System Restore tab in the window that appears, and check the box that says "Turn off System Restore on all drives" and click Apply.

You will be asked if you are sure, click Yes. This will delete the restore points. Then click OK in the Properties window and reboot your computer.

When your desktop appears, right-click My Computer and select Properties once more. Uncheck the "Turn off System Restore..." box and click Apply. OK.

In addition, I like to recommend reviewing the information Here to make sure you stay malware-free.

#13 mike19687 (Authentic Member, 21 posts)

Posted 29 October 2007 - 06:40 PM

This may sound silly, and it really doesn't matter to me, but there is something that hasn't gone back to normal. I don't know if you are familiar with MySpace, but whatever program they use to play music (when I right-click the music box it says Adobe Flash Player 9) doesn't play anymore. I'm just not sure what caused that, and it stopped playing when all the problems started.

#14 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 29 October 2007 - 08:23 PM

See if reinstalling Flash Player will resolve that one. Follow the steps here to do the uninstall, then at that same website under Downloads select the Flash Player option and download and reinstall Flash Player. Let me know how you did on this if you would.

#15 mike19687 (Authentic Member, 21 posts)

Posted 30 October 2007 - 07:12 PM

I did all that but no, still doesn't work.
