-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, April 12, 2008 9:01:33 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/04/2008
Kaspersky Anti-Virus database records: 699912
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 13882
Number of viruses found: 1
Number of infected objects: 9
Number of suspicious objects: 0
Duration of the scan process: 00:59:30
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\server-pc\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\server-pc\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\server-pc\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\server-pc\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\server-pc\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\server-pc\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\server-pc\NTUSER.DAT.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{4E6B3553-DD1F-46C1-ADBE-74318D927658}\RP36\A0003865.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.6404 skipped
C:\System Volume Information\_restore{4E6B3553-DD1F-46C1-ADBE-74318D927658}\RP36\A0003866.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.6404 skipped
C:\System Volume Information\_restore{4E6B3553-DD1F-46C1-ADBE-74318D927658}\RP36\A0003867.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.6404 skipped
C:\System Volume Information\_restore{4E6B3553-DD1F-46C1-ADBE-74318D927658}\RP36\A0003868.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.6404 skipped
C:\System Volume Information\_restore{4E6B3553-DD1F-46C1-ADBE-74318D927658}\RP36\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{5620BDC1-5EAB-470A-A8BD-2E74F9101235}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{4E6B3553-DD1F-46C1-ADBE-74318D927658}\RP36\A0003874.exe/file01 Infected: not-a-virus:Server-FTP.Win32.Serv-U.6404 skipped
D:\System Volume Information\_restore{4E6B3553-DD1F-46C1-ADBE-74318D927658}\RP36\A0003874.exe/file02 Infected: not-a-virus:Server-FTP.Win32.Serv-U.6404 skipped
D:\System Volume Information\_restore{4E6B3553-DD1F-46C1-ADBE-74318D927658}\RP36\A0003874.exe/file03 Infected: not-a-virus:Server-FTP.Win32.Serv-U.6404 skipped
D:\System Volume Information\_restore{4E6B3553-DD1F-46C1-ADBE-74318D927658}\RP36\A0003874.exe/file04 Infected: not-a-virus:Server-FTP.Win32.Serv-U.6404 skipped
D:\System Volume Information\_restore{4E6B3553-DD1F-46C1-ADBE-74318D927658}\RP36\A0003874.exe Inno: infected - 4 skipped
D:\System Volume Information\_restore{4E6B3553-DD1F-46C1-ADBE-74318D927658}\RP36\change.log Object is locked skipped
Scan process completed.
the scan above seems to indicate that the problem is with u-serve ftp client which i uninstalled and deleted all files from that program then re-ran the scan and got the result above.
my hijacthis log is
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:03:01, on 12/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\logon.scr
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
--
End of file - 1801 bytes
well, just disabled system restore and now no threats detected. also locked objects from previous scans have disappeared. seems as though i must of misread logs lol