Multiple Eula Files In A Directory That Renames Itself On My Computer


10 replies to this topic

#1 Nalyn

Nalyn


Posted 11 March 2007 - 12:58 AM

Hi there.

We've just closed my previous topic, believing my computer to be clean, however, I stumbled on a directory with lots of files, most of them End User License Agreements. When I closed and then tried to reopen the directory, which was named C:\63114ca763ff45a007069190\ , WORD displayed a message that it couldn't open it, and that it was possibly corrupt. A Search of C: gave two shortcuts by that name, but when I tried to open them, a message displayed that the file had been moved or renamed. I remembered that many of the files in the directory were EULAs, so I did a search for EULAs in C: and got hundreds of files as matches. I opened several of these, to find they were in all sorts of languages. I recognized German and Russian and Arabic.

I would appreciate help in sorting this one out. Thanks.

Nalyn

#2 Nalyn

Nalyn
  • Topic Starter


Posted 11 March 2007 - 03:26 PM

I'm posting a Hijackthis log below. Also, I didn't mention there were many dll files in the directory, besides the EULA files. I think I recall one of the names: WAS.dll.

Also, one of the files that came up through a C: search for EULA files went to a webpage at C:\Windows\Service Pack Files\i386\neweula.htm. In the box below the web address it read "out of box experience."

Here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:14:16 PM, on 3/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
C:\Program Files\iolo\System Mechanic 7\IoloSGCtrl.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Photomax Digital Developer\DDStub.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ZoneLabs\avsys\Monitor.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\Program Files\iolo\System Mechanic 7\SystemGuardAlerter.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [DigitalDeveloper] C:\Program Files\Photomax Digital Developer\DDStub.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [SystemGuardAlerter] SystemGuardAlerter.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171005507397
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jin...ows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{755BF88C-460B-4D04-826A-A67BCE20A0CE}: NameServer = 4.2.2.2,4.2.2.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{755BF88C-460B-4D04-826A-A67BCE20A0CE}: NameServer = 4.2.2.2,4.2.2.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{755BF88C-460B-4D04-826A-A67BCE20A0CE}: NameServer = 4.2.2.2,4.2.2.3
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic 7\IoloSGCtrl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Nalyn
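The O17 (NameServer), O4 (Run keys), O9 (extra buttons) and O23 (services) lines in the log above are the entries a log reader checks first. As an added example, not code from this thread or from HijackThis, here is a small Python triage script that parses this log format and applies those checks; the sample log is constructed from entries in the thread plus one made-up NameServer, and the resolver allowlist is an assumption the analyst would maintain for the machine in question.

```python
import re
from ipaddress import ip_address

# Constructed sample in HijackThis v1.99.1 log format, modelled on entries from this
# thread, with one made-up NameServer (198.51.100.7) so the resolver check has a hit.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [SystemGuardAlerter] SystemGuardAlerter.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{755BF88C-460B-4D04-826A-A67BCE20A0CE}: NameServer = 4.2.2.2,4.2.2.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{755BF88C-460B-4D04-826A-A67BCE20A0CE}: NameServer = 198.51.100.7
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
"""

# Assumed allowlist: resolvers the analyst expects on this machine (here the two
# Level 3 public resolvers that appear in the thread's log). Anything else is reported.
EXPECTED_RESOLVERS = {"4.2.2.2", "4.2.2.3"}

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
NS_RE = re.compile(r"NameServer = (?P<servers>.+)$")


def parse_hjt(text):
    """Split a HijackThis log into (section, body) entries; header and process lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def executable_of(cmd):
    """Return the program part of a Run-key command: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(entries, expected_resolvers=EXPECTED_RESOLVERS):
    """Apply the checks a log reader does by hand; returns (section, reason, detail) tuples."""
    findings = []
    for section, body in entries:
        if "(file missing)" in body:
            # Usually an uninstall leftover rather than an infection, but worth reviewing.
            findings.append((section, "orphaned entry, target file missing", body))
        if section == "O4":
            m = RUN_RE.match(body)
            if m and "\\" not in executable_of(m.group("cmd")):
                # A bare filename relies on PATH lookup; installers normally write full paths.
                findings.append((section, "Run value without a full path", m.group("name")))
        if section == "O17":
            m = NS_RE.search(body)
            if m:
                for server in m.group("servers").split(","):
                    server = server.strip()
                    try:
                        ip_address(server)
                    except ValueError:
                        findings.append((section, "NameServer is not an IP literal", server))
                        continue
                    if server not in expected_resolvers:
                        findings.append((section, "unexpected DNS resolver", server))
        if section == "O23" and "Unknown owner" in body:
            # HijackThis prints "Unknown owner" when the binary carries no company name.
            findings.append((section, "service with no vendor information", body))
    return findings


def triage_log(text):
    """Convenience wrapper: parse then triage a whole log."""
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for section, reason, detail in triage_log(SAMPLE_LOG):
        print(f"{section}: {reason}: {detail}")
```

The allowlist approach deliberately reports 198.51.100.7 and stays quiet about 4.2.2.2 and 4.2.2.3, which is the judgement a helper makes when reading the O17 lines of this log.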

#3 Papakid

Papakid



  • Malware Response Team
  • 6,021 posts

Posted 22 March 2007 - 11:32 AM

Hi Nalyn,

Our apologies for the delay--we are really swamped lately. If you still require help, please post a new fresh log so I can see if anything has changed. Also please describe anything you may have done since your last post to change the situation and if you have any symptoms.

#4 Nalyn

Nalyn
  • Topic Starter


Posted 22 March 2007 - 04:52 PM

Hi there! Not a problem about the delay, I'm just sorry for the reason for it - so many people having problems like mine. Anyway, yes, things have changed since I posted. I've provided a new HJT log below. My System Mechanic program is prompting me to do a Registry clean up, but I refrained for now, just in case you might need to see something it would delete.

I removed one registry key item after noticing the address 4.2.2.2 coming up as blocked by Zone Alarm and then spotting that address in O17 of the HJT log. The key was: O17 - HKLM\System\CS2\Services\Tcpip\..\{755Bf88C-460B-4D04-826A-A67BCE20A9CE}: NameServer=4.2.2.2,4.2.2.3

I've also provided the list of locked files the Kaspersky online scanner passed over but identified. I'm afraid I deleted all the Temp files listed in that report, using KillBox in Safe Mode with System Restore off. I turned System Restore off, then realized I might want to be able to restore the files if things didn't work well afterwards, so I turned it back on just before deleting, only I didn't realize (makes sense now) you can't turn System Restore on in Safe Mode. It only looked like it was turned back on. Ouch. I'm not sure how much damage I did. I'm still able to connect, not having runtime errors or anything, but my Zone Alarm firewall didn't want to install an update because it couldn't find a temporary Internet Errors file. I got around that online and was able to update my firewall. I need to learn how to move it up in the start up list, meanwhile I leave the internet cable unplugged until it shows up.

I installed Primary Response Safe Connect and it found some malware, although some of what it deleted were Spy Doctor files. I'd downloaded Spy Doctor at about the same time. The Primary Response log is below.

Spy Eraser found spyware, but besides the registry keys, which I did delete, I was unable to find the files it gave, even in hidden files. This is a program you must purchase in order to delete or quarantine anything, and I haven't purchased it. Report below.

Kaspersky online scanner came up clean, however I got a huge list of files it skipped as they were locked. List posted below.

My computer is having the following symptoms:
Sporadically (and for no apparent reason) surging CPU usage (from 5% to 100%).
Sometimes freezes on start up.
Seems to be scanning or something like that when the usage is high.
There seems to be an odd, duplicating thing going on. When the CPU usage is high, I tend to go to Task Manager to kill or status things. Quite often, the programs that are stalling show twice. When I End Task on one of the duplicate entries in Task Manager, both will die.

My computer's history: It started as my connection to a remote desktop I logged onto in order to work from my home. I was given the computer when I left employment with the company, and the account I worked from was given Administrator status on my local machine. Since then, I've been able to learn how to reset the password in the Administrator account so I could get into it and maintain it. I'm operating now from that account. There was a third account, in another variation of my name (which for some reason had Administrator status and no password), which I have turned into a Limited Account for my 5-year-old daughter. My previous account still has Administrator status and is used occasionally by my husband. Kill Box found 12 accounts when I used it to clean temporary files. I deleted one which I recognized as unnecessary, but I'm not sure what else to delete. They are named things like "Local User," "Power User," and "BackUp User." I'd like to get rid of whatever is unneeded. If you can't help, perhaps you might direct me where I could look to learn this information?

Thanks in advance for your help.

Nalyn




Spy Eraser Log:

Start Date:March 17, 2007 at 04:02:34 PM

End Date:March 17, 2007 at 04:07:12 PM

Total Time:4 Mins 38 Secs

Detected Threats

UltraVNC
Details: UltraVNC is a Remote Control Software which allows a remote attacker to have unauthorized access to the compromised system. It provides the author of the Trojan with remote administration of wounded machines.
Status:No Action taken
Remote Control Software-Remote Control Software

Infected registry keys/values detected
hkey_local_machine\software\orl\winvnc3\\

RealVNC
Details: "RealVNC (Virtual Network Computing)" is a software tool that enables a computer to view and interact with any other computers or mobile devices on the Internet.
Status:No Action taken
Remote Control Software-Remote Control Software

Infected registry keys/values detected
hkey_local_machine\software\orl\\

AdultLinks.QBar
Details: AdultLinks QaBar combines links to porn and other sites to the Internet Explorer Favorite menu.It is also known as adware that shows what third-party is advertising on his computer. Ads could of various forms like, pop-ups, pop-unders, banners, or links embedded within web pages or parts of the Windows interface. Adware also helps in keeping track of browsing habits so that a record could be kept with the user.
Status:No Action taken
Browser Plugin-Browser Plugin

Infected files detected
c:\windows\downloaded program files\conflict.1\avsniffdlgs.dll
c:\windows\downloaded program files\conflict.1\axxpee.dll
c:\windows\downloaded program files\conflict.1\ecmldr32.dll
c:\windows\downloaded program files\conflict.1\navapi.vxd
c:\windows\downloaded program files\conflict.1\navapi32.dll
Infected directories detected
c:\windows\downloaded program files\conflict.1

DoubleClick
Details: "DoubleClick" is a network that is very popular. It works in the area of serving advertisement. It uses spyware cookies to target advertising.
Status:No Action taken
Cookie-Cookie

Infected Cookies
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt

Hitbox.com
Details: "Hitbox.com" is a type of cookies that stores information about user’s interaction with particular website. These cookies can be misused and exploited. If a website can access a cookie that has been placed on user’s PC. Cookies may present security and privacy risk. The information that is gained about you and your browsing behavior, could be used to analyze behavior of user for marketing purposes.
Status:No Action taken
Cookie-Cookie

Infected Cookies
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[1].txt

QuestionMarket.com
Details: Questionmarket.com is a Web site which examines carefully or looks comprehensively.
Status:No Action taken
Cookie-Cookie

Infected Cookies
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[2].txt


Primary Response Safe Connect Log:

_IU14D2N.TMP
Processes Terminated:
_iu14D2N.tmp
regsvr32.exe
svcntaux.exe
Files Deleted:
_iu14D2N.tmp
FILTERLSP.DLL
PCTLSP.DLL
All Registry Keys Deleted:
hkey_local-machine\software\microsoft\windows\currentversion\shareddlls\c.\windows\system32\msvcp71.dll
hkey_local-machine\software\microsoft\windows\currentversion\shareddlls\c.\windows\system32\msvcr71.dll

SDTRAYAPP.EXE
File Deleted:
SDTrayApp.exe
All Registry Keys Deleted:
hkey_local-machine\software\microsoft\windows\currentversion\run\sdtray
hkey_local-machine\software\licenses
hkey_local-machine\software\classes\clsid\{6802e635-cb18-f544-790d700bac51e508}
Failed to Terminate Processes:
SDTrayApp.exe

SWDSVC.EXE
Processes Terminated:
swdsvc.exe
MsMpEng.exe
spoolsv.exe
spoolsv.exe
spoolsv.exe
Update.exe
SDTrayApp.exe
Files Deleted:
swdsvc.exe
DFC5A2B2.TMP
DFC5A2B2.TMP
FilterLSP.dll
PCTLsp.dll
todg6.ocx
tdbg6.ocx
All Registry Keys Deleted:
hkey_local-machine\software\licenses
hkey_local-machine\software\classes\clsid\{6802e635-cb18-f544-790d-700bac51e508}

SH.DLL
File Deleted:SH.dll
(Known Malware)




KASPERSKY ONLINE SCANNER REPORT
Monday, March 19, 2007 6:28:44 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 20/03/2007
Kaspersky Anti-Virus database records: 283413
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
Scan Statistics
Total number of scanned objects 33819
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
Duration of the scan process 01:09:59

Scan process completed.


Logfile of HijackThis v1.99.1
Scan saved at 12:28:57 PM, on 3/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
C:\Program Files\iolo\System Mechanic 7\IoloSGCtrl.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Photomax Digital Developer\DDStub.exe
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\Program Files\iolo\System Mechanic 7\SystemGuardAlerter.exe
C:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaSafeConnect.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
C:\Program Files\Zinio\ZinioDeliveryManager.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaMonitor.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\ZoneLabs\avsys\Monitor.exe
C:\Program Files\iolo\System Mechanic 7\SysMech7.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] "C:\WINDOWS\system32\mobsync.exe" /logon
O4 - HKLM\..\Run: [DigitalDeveloper] "C:\Program Files\Photomax Digital Developer\DDStub.exe"
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\iolo\System Mechanic 7\SystemGuardAlerter.exe"
O4 - HKLM\..\Run: [SanaSafeConnect] "C:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaSafeConnect.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioDeliveryManager.exe /autostart
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171005507397
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic 7\IoloSGCtrl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SanaSafeConnectAgent - Unknown owner - C:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaAgent.exe" SanaSafeConnectAgent (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#5 Nalyn

Nalyn
  • Topic Starter
  • Members
  • 31 posts

Posted 22 March 2007 - 05:19 PM

I forgot to mention two other symptoms my computer is having. It is running at moderate speed, although sometimes slows to a crawl. Also, it is incessantly sending out packets (blocked by Zone Alarm) to both my former company's website and to a website called station6k.dscga.com.

Nalyn

#6 Papakid

Papakid
    Guru at being a Newbie
  • Malware Response Team
  • 6,021 posts
  • Gender:Male

Posted 22 March 2007 - 10:41 PM

OK, Nalyn, I don't see anything being detected that is proven malware, only a few that were iffy, and I'll get into those more in a bit.

The symptoms you describe could be caused by many things, a malware infection being only one of them. I've reviewed your other thread, and you seem to have eliminated what malware there was that was running. You may find some leftover files from former infections--like those EULAs may have been--but files must be running to affect you. What we look for in these logs are malware files that are running that you didn't start yourself. The others that aren't running just take up space and of course it is nice to delete them too, but they aren't causing problems.

I think most of your problems are from having a machine that was configured to be a work computer and getting a little carried away with security apps, some of which aren't yet proven so may be a bit buggy, ill suited for your system or conflicting, etc. I'll help you with your security as much as I can, but a lot of what you are asking about could be handled in other forums. But first let's get some more information.

1. Open HijackThis.

If you still have the New Users Quickstart screen enabled, click Open Misc Tools Section.
If you just have the regular opening screen, click the Config... button then the Misc Tools button.

Now click the Open Uninstall Manager button, then the Save List button. Save the list somewhere convenient like My Documents and then the list will open in Notepad. Copy and Paste that list into your next reply to this post.

2. Download DSS to your Desktop.
1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, a text file will open in Notepad - main.txt
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply.

Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

3. Download AVG Anti-Rootkit Beta and save to your desktop
  • Double click avgarkt-beta-1.1.0.29.exe to install. By default it will install to "C:\Program Files\GRISOFT\AVG Anti-Rootkit Beta".
  • Accept the licence and follow the prompts to install.
  • You will be asked to reboot to finish the installation so click "Finish".
  • After rebooting, double-click the icon for AVG Anti-Rootkit Beta on your desktop.
  • You will see a window with four buttons at the bottom.
  • Click "Search For Rootkits" and the scan will begin.
  • You will see the progress bar moving from left to right. The scan will take some time, so be patient and let it finish.
  • When the scan has finished, a small window will open so you can view the results.
  • Click "Save Result To File" and copy/paste the results in your next reply.
  • If anything was found, click "Remove selected items"
  • If nothing was found, please click the "Perform in-depth Search", saving anything found to file as before.

From here let's take this one step at a time. Please refrain from installing and uninstalling anything until you hear back from me. And then please answer these questions. I mainly want to know why you are no longer running the AVG antivirus. Just guessing I would think some of the security programs you have installed are suites that included an antivirus. Some of this may be answered by the uninstall list, but I need to know the exact name of these programs so I know if they include an AV or not.

1. System Mechanic® 7 or System Mechanic® 7 Pro--the latter includes an antivirus.

2. ZoneAlarm Free, ZoneAlarm Pro or ZoneAlarm Internet Security Suite--the latter includes an AV. Also which version/build are you running? I believe you said you had trouble updating it?

Also, I know you say Spy Eraser is still the trial version, but let me know if any of the programs I've asked about are trials or if they have been purchased already, including:

1. SpywareDoctor
2. Safe Connect

I'll try to answer your questions and concerns once I've seen the above logs.
And I may be obliged to defend
Every love every ending
Or maybe there's no obligations now,
Maybe I've a reason to believe
We all will be received
In Graceland--Paul Simon
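An added example, not from this thread and not HijackThis's own code: a small Python triage script that applies the rule Papakid describes, flagging O4 autostart entries whose file is not among the running processes, entries that point into temp or browser-cache directories, and dangling "(file missing)" entries. The sample log is constructed from lines that appear in this thread; the finding names are my own.

```python
"""Triage helper for HijackThis-style logs (added example, not part of the
thread or of HijackThis itself)."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind section path line")

# First drive-letter (or %windir%) path on a line that ends in .exe/.dll.
_PATH_RE = re.compile(r'((?:[A-Za-z]:|%windir%)\\[^"\r\n]*?\.(?:exe|dll))', re.I)

# Directories no legitimate autostart should point into (browser cache, temp).
_TEMP_DIRS = ("\\temporary internet files\\", "\\temp\\")


def parse_hjt(text):
    """Split a HijackThis log into (running process paths, [(section, line)])."""
    procs, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line ends the process list
                in_procs = False
            else:
                procs.append(line)
            continue
        m = re.match(r"([RO]\d+) - ", line)   # e.g. "O4 - HKLM\..\Run: ..."
        if m:
            entries.append((m.group(1), line))
    return procs, entries


def extract_path(line):
    """Return the first executable/DLL path named on a log line, or None."""
    m = _PATH_RE.search(line)
    return m.group(1) if m else None


def triage(text):
    """Apply the thread's rule: what runs at startup, and from where?"""
    procs, entries = parse_hjt(text)
    running = {p.rsplit("\\", 1)[-1].lower() for p in procs}
    findings = []
    for section, line in entries:
        path = extract_path(line)
        if "(file missing)" in line:
            # leftover pointer to a file that is gone: harmless, but clean it up
            findings.append(Finding("dangling", section, path, line))
            continue
        if path is None:
            continue
        low = path.lower()
        if any(d in low for d in _TEMP_DIRS):
            # an autostart living in a cache/temp folder is a classic dropper sign
            findings.append(Finding("temp_path", section, path, line))
        if section == "O4" and low.rsplit("\\", 1)[-1] not in running:
            # registered to start, but not among the running processes
            findings.append(Finding("not_running", section, path, line))
    return findings


# Constructed sample, assembled from lines posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe

O2 - BHO: (no name) - {BD257DCB-B5D0-459F-9F7D-42E27AC55266} - C:\WINDOWS\System32\kdphtdpf.dll (file missing)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\jm.BAINDT003.000\Local Settings\Temporary Internet Files\Content.IE5\IWJEITG0\WAS5Scan[1].exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioDeliveryManager.exe /autostart
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:12} {f.section:4} {f.path}")
```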

#7 Nalyn

Nalyn
  • Topic Starter
  • Members
  • 31 posts

Posted 23 March 2007 - 07:17 PM

Thanks for taking a look. In the interests of saving time, I probably overwhelmed you with information. I acknowledge that my computer's problems can span several forums. Please respond to what you are comfortable helping with and, if you would be so kind as to direct me, I'll be happy to explore solutions in other forums as well. I am new to BleepingComputer (and new to many of the things I'm having to learn), so I'm feeling a little baffled.

Yes, I realize there are lots of things that could cause the symptoms my computer is having besides malware. However, I have to tell you that my (admittedly inexperienced) gut reaction is my computer is being besieged and regularly attacked via the Internet. It seems to be fine when working offline. The surging and stalling starts shortly after I plug into the Internet, not necessarily at start up, although start up is slow. There are many IP addresses which try to connect to my computer, but I'm noticing that one in particular is intercepted doing port scans right before an "attack." I don't know if there is any correlation or if I'm just getting paranoid. I suppose either is possible.

I don't know if I remembered to tell you that I'm constantly having to clean to open up low memory reserves as well. Another thing I forgot to mention is that Spyware Sweeper found "Maxifiles" on my computer, but I couldn't locate the files it listed.

I uninstalled both Spyware Sweeper and Spyware Doctor. I've been scanning with whatever reputable programs I could find through another forum in BleepingComputer as well as a Security article in the April 2007 issue of PC Magazine. I actually only have purchased Zone Alarm Suite, which does have both a resident spyware and antivirus program, and System Mechanic (which has a System Guard feature enabled). It is my intention to offload all other programs as I've not found anything I like better. Currently I have Primary Response Safe Connect on a trial that's got about 6 days left. I like that program for the way it monitors behavior, but Zone Alarm rated high enough (in PC Magazine) for threat removal for me to feel comfortable relying on it alone. Another program installed right now is Spy Eraser, which I've kept simply because it found something and I wanted the log. Now that I've saved the log, it can go too. I also tried out Registry Booster, but I've decided not to purchase it as System Mechanic, which I already own, manages the registry. That's it as far as resident guard programs. Primary Response is fairly passive, just monitoring, and if there is a question, asking me what action to take. System Mechanic should be compatible with Zone Alarm, since it was offered to me by CheckPoint as an add-on when I purchased my firewall, I believe it was last month. I have the current version of Zone Alarm Security Suite (7.0.337.000) running with TrueVector security engine version 7.0.337.000. Anti-virus engine version 3, DAT file version; Anti-spyware engine version 5.0.162.0, DAT file version 01.200703.1225. The problem I encountered with updating it was when I tried to update it from a setup program saved to my desktop. It was looking for a Temp file I had deleted. I got around that by updating it by using the online automated technician.

I uninstalled AVG Anti-Virus as I think it is probably overkill (and to avoid conflicts) since my Zone Alarm already handles AV and has a resident guard.

I hope I've answered all your questions about versions, etc? If not, let me know. As far as the Anti-Rootkit goes, I scanned both ways and it came up clean. I couldn't get it to update from the update button, though (no window came up with an update page as it instructed). And, do you know if it scanned what the Kaspersky scanner identified as locked files? Thanks again for your help, and the logs you requested follow below.

Nalyn


Deckard's System Scanner v20070318.32
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel Pentium III processor
Percentage of Memory in Use: 73%
Physical Memory (total/avail): 254.3 MiB / 67.27 MiB
Pagefile Memory (total/avail): 625.24 MiB / 267.38 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1993.52 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 18.64 GiB total, 10.72 GiB free.
D: is CDROM (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is disabled.

AntivirusOverride is set.

FW: ZoneAlarm Security Suite Firewall v7.0.337.000 (Check Point, LTD.)
AV: ZoneAlarm Security Suite Antivirus v7.0.337.000 (Check Point, LTD.)


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BAINDT003
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\BAINDT003
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;\\kitobey.com\netlogon\tools;"C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier"
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=080a
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=BAINDT003
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

jm
jhg (admin, profile directory not found)
kit employee (new local, admin)
jm.BAINDT003 (admin)
jm.BAINDT003.000 (admin)
jmain
Administrator (admin)
Guest


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\System32\Uninst.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
APC PowerChute Personal Edition --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5A0C892E-FD1C-4203-941E-0956AED20A6A}\Setup.exe" -l0x9
Burpee 3D Garden Designer --> C:\Burpee\UNWISE.EXE C:\Burpee\INSTALL.LOG
Confidence Online™ for Web Applications --> C:\Documents and Settings\Administrator\Application Data\WholeSecurity\CAT\WSUIEE.exe
Digital Developer --> MsiExec.exe /I{C55254E3-BD39-4EA8-A71D-A41DB0E857B1}
HijackThis 1.99.1 --> C:\hijackthis\HijackThis.exe /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
iolo technologies' System Mechanic 7 --> "C:\Program Files\iolo\System Mechanic 7\unins000.exe"
Java™ SE Runtime Environment 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Learn2.com Multimedia Training --> C:\WINDOWS\Uninvia2.exe
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Move Networks Player for Firefox --> "C:\Program Files\Mozilla Firefox\plugins\unins000.exe"
Mozilla Firefox (2.0.0.3) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB927977) --> MsiExec.exe /I{5A710547-B58E-488B-828D-CA9A25A0533C}
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PhotoParade Player --> "C:\Program Files\PhotoParade\Uninstall PhotoParade Player.exe" "PhotoParade.exe"
Primary Response SafeConnect --> C:\Program Files\InstallShield Installation Information\{AF18BF2A-255B-4A7A-8325-F545BB8CC751}\setup.exe -runfromtemp -l0x0409
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
Sesame Street Baby --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5E8374D9-600F-49A6-8EF9-A6BA42FDCF3D}\setup.exe"
Symnet Redirector Updater --> MsiExec.exe /X{CACE0C9D-9EF7-4F3B-9C64-88FBA245BA9C}
TurboTax Home & Business 2006 --> C:\Program Files\TurboTax\Home & Business 2006\TaxUnst.EXE "C:\Program Files\TurboTax\Home & Business 2006\Uninstall.log" -NoGui
TurboTax ItsDeductible 2006 --> MsiExec.exe /X{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}
Uniblue Registry Booster --> "C:\Program Files\Uniblue\Registry Booster\unins000.exe"
Uniblue SpyEraser --> "C:\Program Files\Uniblue\SpyEraser\unins000.exe"
URGE --> MsiExec.exe /I{8BBF6DFD-0AD9-43A7-9FBD-BF065E3866AF}
WexTech AnswerWorks --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}\SETUP.EXE" -l0x9 -eliminate
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
Zinio Reader --> C:\Program Files\Zinio\uninstall.exe
ZoneAlarm Security Suite --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- End of Deckard's System Scanner: finished at 2007-03-23 at 15:01:12 ---------

Deckard's System Scanner v20070318.32
Run by Administrator on 2007-03-23 at 14:57:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
10: 2007-03-23 21:57:55 UTC - RP10 - Deckard's System Scanner Restore Point
9: 2007-03-23 21:43:17 UTC - RP9 - Deckard's System Scanner Restore Point
8: 2007-03-23 15:45:31 UTC - RP8 - System Checkpoint
7: 2007-03-22 02:37:49 UTC - RP7 - System Checkpoint
6: 2007-03-20 21:30:56 UTC - RP6 - Software Distribution Service 2.0


-- First Restore Point --
1: 2007-03-20 19:15:04 UTC - RP1 - System Checkpoint


Performed disk cleanup.

Adobe Flash Player 9 ActiveX
Adobe Reader 8
Adobe Shockwave Player
APC PowerChute Personal Edition
Burpee 3D Garden Designer
Digital Developer
HijackThis 1.99.1
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
iolo technologies' System Mechanic 7
Java™ SE Runtime Environment 6
Kaspersky Online Scanner
Learn2.com Multimedia Training
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Move Networks Player for Firefox
Mozilla Firefox (2.0.0.3)
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB927977)
Panda ActiveScan
PhotoParade Player
Primary Response SafeConnect
QuickTime
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Sesame Street Baby
Symnet Redirector Updater
TurboTax Home & Business 2006
TurboTax ItsDeductible 2006
Uniblue Registry Booster
Uniblue SpyEraser
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB914882)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB929338)
Update for Windows XP (KB931836)
URGE
WexTech AnswerWorks
Windows Communication Foundation
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
Zinio Reader
ZoneAlarm Security Suite
-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 2:58:19 PM, on 3/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Photomax Digital Developer\DDStub.exe
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\Program Files\iolo\System Mechanic 7\SystemGuardAlerter.exe
C:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaSafeConnect.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
C:\Program Files\Zinio\ZinioDeliveryManager.exe
C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
C:\Program Files\iolo\System Mechanic 7\IoloSGCtrl.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaAgent.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaMonitor.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\HIJACK~1\ADMINI~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] "C:\WINDOWS\system32\mobsync.exe" /logon
O4 - HKLM\..\Run: [DigitalDeveloper] "C:\Program Files\Photomax Digital Developer\DDStub.exe"
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\iolo\System Mechanic 7\SystemGuardAlerter.exe"
O4 - HKLM\..\Run: [SanaSafeConnect] "C:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaSafeConnect.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioDeliveryManager.exe /autostart
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171005507397
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic 7\IoloSGCtrl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SanaSafeConnectAgent - Unknown owner - C:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaAgent.exe" SanaSafeConnectAgent (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


-- HijackThis Fixed Entries (C:\HIJACK~1\backups\) -----------------------------

backup-20070221-185243-185 O2 - BHO: (no name) - {BD257DCB-B5D0-459F-9F7D-42E27AC55266} - C:\WINDOWS\System32\kdphtdpf.dll (file missing)
backup-20070221-185243-326 O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\jm.BAINDT003.000\Local Settings\Temporary Internet Files\Content.IE5\IWJEITG0\WAS5Scan[1].exe"
backup-20070221-185243-387 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20070221-185243-409 O2 - BHO: (no name) - {60DF53E6-41F2-481D-9916-0B1115E42A08} - C:\WINDOWS\System32\kdphtdpf.dll (file missing)
backup-20070221-185243-433 O2 - BHO: (no name) - {C3611AF4-EF36-4167-94C1-B204F2D526F9} - C:\WINDOWS\java\mwsawve.dll (file missing)
backup-20070221-185243-909 O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
backup-20070225-135209-887 O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\jm.BAINDT003.000\Local Settings\Temporary Internet Files\Content.IE5\IWJEITG0\WAS5Scan[1].exe"
backup-20070225-183337-898 O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\jm.BAINDT003.000\Local Settings\Temporary Internet Files\Content.IE5\IWJEITG0\WAS5Scan[1].exe"
backup-20070305-152011-226 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20070305-152011-673 O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\jm.BAINDT003.000\Local Settings\Temporary Internet Files\Content.IE5\IWJEITG0\WAS5Scan[1].exe"
backup-20070305-152011-883 O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
backup-20070305-152011-893 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20070306-160944-970 O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\jm.BAINDT003.000\Local Settings\Temporary Internet Files\Content.IE5\IWJEITG0\WAS5Scan[1].exe"
backup-20070308-065003-556 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20070308-065003-945 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20070308-081950-426 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20070308-081950-986 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20070312-081015-867 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20070312-081015-981 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20070313-114229-297 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20070313-114229-339 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20070313-121815-188 O17 - HKLM\System\CS1\Services\Tcpip\..\{755BF88C-460B-4D04-826A-A67BCE20A0CE}: NameServer = 4.2.2.2,4.2.2.3
backup-20070313-121815-233 O17 - HKLM\System\CS2\Services\Tcpip\..\{755BF88C-460B-4D04-826A-A67BCE20A0CE}: NameServer = 4.2.2.2,4.2.2.3
backup-20070313-121815-989 O17 - HKLM\System\CCS\Services\Tcpip\..\{755BF88C-460B-4D04-826A-A67BCE20A0CE}: NameServer = 4.2.2.2,4.2.2.3
backup-20070315-102339-192 O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
backup-20070315-102339-646 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20070315-102339-653 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20070315-102346-411 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

-- File Associations -----------------------------------------------------------

.js - JSFile - NOTEPAD.EXE %1
.reg - regfile - NOTEPAD.EXE %1
.scr - scrfile - NOTEPAD.EXE %1
.vbs - VBSFile - NOTEPAD.EXE %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 ac97intc (Intel® 82801 Audio Driver Install Service (WDM)) - c:\windows\system32\drivers\ac97intc.sys
R3 i81x - c:\windows\system32\drivers\i81xnt5.sys
R3 SanaSafeConnectDriver - c:\program files\sana security\primary response safeconnect\agent\driver\platform_xp\safeconnectdriver.sys
R3 SanaSafeConnectShim - c:\program files\sana security\primary response safeconnect\agent\driver\platform_xp\safeconnectshim.sys

S0 kl1 - c:\windows\system32\drivers\kl1.sys (file missing)
S3 HidBatt (HID UPS Battery Driver) - c:\windows\system32\drivers\hidbatt.sys
S3 iAimFP0 - c:\windows\system32\drivers\wadv01nt.sys
S3 iAimFP1 - c:\windows\system32\drivers\wadv02nt.sys
S3 iAimFP2 - c:\windows\system32\drivers\wadv05nt.sys
S3 iAimFP3 - c:\windows\system32\drivers\wsiintxx.sys
S3 iAimFP4 - c:\windows\system32\drivers\wvchntxx.sys
S3 iAimFP5 - c:\windows\system32\drivers\wadv07nt.sys
S3 iAimFP6 - c:\windows\system32\drivers\wadv08nt.sys
S3 iAimFP7 - c:\windows\system32\drivers\wadv09nt.sys
S3 iAimTV0 - c:\windows\system32\drivers\watv01nt.sys
S3 iAimTV1 - c:\windows\system32\drivers\watv02nt.sys
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 iAimTV3 - c:\windows\system32\drivers\watv04nt.sys
S3 iAimTV4 - c:\windows\system32\drivers\wch7xxnt.sys
S3 iAimTV5 - c:\windows\system32\drivers\watv10nt.sys
S3 iAimTV6 - c:\windows\system32\drivers\watv06nt.sys
S3 TSP - c:\windows\system32\drivers\klif.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 IOLO_SRV (iolo System Guard) - c:\program files\iolo\system mechanic 7\iolosgctrl.exe
R2 ioloDMV (iolo DMV Service) - c:\program files\iolo\common\lib\iolodmvsvc.exe
R2 SanaSafeConnectAgent - "c:\program files\sana security\primary response safeconnect\agent\bin\sanaagent.exe" sanasafeconnectagent


-- Scheduled Tasks -------------------------------------------------------------

2007-03-17 17:01:49 354 --a------ C:\WINDOWS\Tasks\Uniblue SpyEraser.job<UNIBLU~1.JOB>
2007-03-11 18:47:23 402 --ah----- C:\WINDOWS\Tasks\MP Scheduled Quick Scan.job<MPSCHE~2.JOB>


-- Files created between 2007-02-23 and 2007-03-23 -----------------------------

2007-03-23 09:45:39 0 d--h----- C:\Documents and Settings\Administrator\Application Data\Move Networks<MOVENE~1>
2007-03-21 08:33:10 0 d-------- C:\Documents and Settings\Administrator\Application Data\ContentGuard<CONTEN~1>
2007-03-21 08:31:39 0 d-------- C:\Program Files\Common Files\Zinio
2007-03-21 08:31:29 0 d-------- C:\Program Files\Zinio
2007-03-20 14:46:33 0 d-------- C:\Documents and Settings\jmain\Application Data\MailFrontier<MAILFR~1>
2007-03-20 14:12:32 0 d-------- C:\Documents and Settings\Administrator\Application Data\MailFrontier<MAILFR~1>
2007-03-20 13:50:36 1087216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-03-19 16:02:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab<KASPER~1>
2007-03-19 16:01:49 0 d-------- C:\WINDOWS\system32\Kaspersky Lab<KASPER~1>
2007-03-17 22:57:02 0 d-------- C:\Program Files\a-squared Anti-Dialer<A-SQUA~2>
2007-03-17 22:17:09 0 d-------- C:\Program Files\a-squared Free<A-SQUA~1>
2007-03-17 22:01:15 0 d-------- C:\Documents and Settings\Administrator\.housecall6.6<HOUSEC~1.6>
2007-03-17 16:01:41 0 d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2007-03-17 16:00:42 0 d-------- C:\Program Files\Uniblue
2007-03-17 12:47:31 0 d-------- C:\Program Files\Learn2.com
2007-03-17 12:45:43 214528 --a------ C:\WINDOWS\Uninvia2.exe
2007-03-17 12:45:40 368640 --a------ C:\WINDOWS\struntme.dll
2007-03-17 12:45:40 34816 --a------ C:\WINDOWS\_Setup.dll
2007-03-17 12:45:39 254005 --a------ C:\WINDOWS\MSVCRT.DLL
2007-03-17 12:45:37 1334032 --a------ C:\WINDOWS\MSVBVM50.DLL
2007-03-17 12:45:36 995383 --a------ C:\WINDOWS\MFC42.DLL
2007-03-16 08:31:35 0 d-------- C:\Program Files\ScanSpyware v3.8.0.4<SCANSP~1.4>
2007-03-16 04:26:39 164 --a------ C:\install.dat
2007-03-15 17:27:59 626688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-03-15 17:14:01 0 d-------- C:\Program Files\Sana Security<SANASE~1>
2007-03-15 13:05:09 0 d-------- C:\Documents and Settings\jmain\Application Data\Lavasoft
2007-03-15 09:22:23 0 d-------- C:\Program Files\Lavasoft
2007-03-14 13:42:07 0 d-------- C:\Documents and Settings\jmain\Application Data\Sun
2007-03-14 11:24:03 0 d-------- C:\Program Files\MTV Networks<MTVNET~1>
2007-03-14 11:09:09 0 d-------- C:\Program Files\Windows Media Connect 2<WI4DF6~1>
2007-03-14 11:04:03 0 d-------- C:\WINDOWS\system32\LogFiles
2007-03-14 11:04:03 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-03-14 08:17:29 0 d-------- C:\Program Files\Common Files\Java
2007-03-14 08:12:47 370312 --a------ C:\jre-6-windows-i586-iftw.exe<JRE-6-~1.EXE>
2007-03-12 21:51:01 0 d-------- C:\Documents and Settings\Administrator\Application Data\WholeSecurity<WHOLES~1>
2007-03-12 20:48:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy<SPYBOT~1>
2007-03-12 12:41:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2007-03-12 10:54:10 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2007-03-12 10:53:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\iolo
2007-03-12 07:54:01 0 d-------- C:\Program Files\SpywareGuard<SPYWAR~1>
2007-03-11 19:03:19 0 d-------- C:\WINDOWS\SxsCaPendDel<SXSCAP~1>
2007-03-10 21:31:55 0 d-------- C:\Program Files\MSBuild
2007-03-10 21:11:15 0 d-------- C:\WINDOWS\system32\XPSViewer<XPSVIE~1>
2007-03-10 21:06:49 0 d-------- C:\Program Files\Reference Assemblies<REFERE~1>
2007-03-10 20:48:24 14048 -----n--- C:\WINDOWS\system32\spmsg2.dll
2007-03-10 16:30:49 0 d-------- C:\Documents and Settings\jmain\Application Data\Intuit
2007-03-08 20:27:41 0 d-------- C:\Documents and Settings\Guest\Application Data\SUPERAntiSpyware.com<SUPERA~1.COM>
2007-03-08 17:17:36 0 d-------- C:\Documents and Settings\Guest\Application Data\Sun
2007-03-07 21:29:47 0 d-------- C:\Documents and Settings\Guest\Application Data\Adobe
2007-03-07 21:28:51 0 d-------- C:\Documents and Settings\Guest\Application Data\iolo
2007-03-07 21:25:49 1048576 --ah----- C:\Documents and Settings\Guest\NTUSER.DAT
2007-03-07 16:44:51 0 d-------- C:\Documents and Settings\jmain\Application Data\SUPERAntiSpyware.com<SUPERA~1.COM>
2007-03-07 16:15:57 0 d-------- C:\Documents and Settings\jmain\Application Data\Adobe
2007-03-07 16:14:59 0 d-------- C:\Documents and Settings\jmain\Application Data\iolo
2007-03-05 17:18:18 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2007-03-05 17:01:15 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com<SUPERA~1.COM>
2007-03-05 17:00:25 0 d-------- C:\Documents and Settings\jm.BAINDT003.000\Application Data\SUPERAntiSpyware.com<SUPERA~1.COM>
2007-02-28 13:05:36 155648 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-02-28 13:05:35 696320 --a------ C:\WINDOWS\system32\libeay32.dll
2007-02-28 13:05:34 0 d-------- C:\Documents and Settings\LocalService\Application Data\iolo
2007-02-28 13:02:29 25264 --a------ C:\WINDOWS\system32\smrgdf.exe
2007-02-28 13:02:29 41472 --a------ C:\WINDOWS\system32\iolobtdfg.exe<IOLOBT~1.EXE>
2007-02-28 13:02:23 436840 --a------ C:\WINDOWS\system32\Incinerator.dll<INCINE~1.DLL>
2007-02-28 13:01:39 0 d-------- C:\Program Files\iolo
2007-02-28 12:54:46 0 d-------- C:\Documents and Settings\jm.BAINDT003.000\Application Data\iolo
2007-02-28 12:54:46 0 d-------- C:\Documents and Settings\All Users\Application Data\iolo
2007-02-25 17:08:19 0 d-------- C:\Documents and Settings\jm.BAINDT003.000\Application Data\Help
2007-02-25 17:03:35 348160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-02-25 17:03:35 499712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-02-25 15:02:02 0 d-------- C:\!KillBox


-- Find3M Report ---------------------------------------------------------------

2007-03-23 14:35:21 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-03-23 10:00:25 512 --a------ C:\ScanSectorLog.dat<SCANSE~1.DAT>
2007-03-19 19:20:44 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft<MICROS~1>
2007-03-15 17:16:12 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-03-14 11:54:45 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia<MACROM~1>
2007-03-14 08:17:40 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2007-03-14 08:17:27 0 d-------- C:\Program Files\Java
2007-03-12 19:39:39 0 d-------- C:\Program Files\Photomax Digital Developer<PHOTOM~1>
2007-03-12 19:37:14 0 d-------- C:\Program Files\Messenger<MESSEN~1>
2007-03-09 00:02:00 75512 --a------ C:\WINDOWS\zllsputility.exe<ZLLSPU~1.EXE>
2007-03-07 13:06:42 23552 --a------ C:\WINDOWS\xobglu32.dll
2007-03-07 13:06:42 63488 --a------ C:\WINDOWS\xobglu16.dll
2007-02-19 19:35:55 0 d-------- C:\Program Files\ItsDeductible2006<ITSDED~1>
2007-02-19 19:34:55 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0<ANSWER~1.0>
2007-02-19 19:34:18 0 d-------- C:\Program Files\Common Files\InstallShield<INSTAL~1>
2007-02-19 19:28:54 0 d-------- C:\Program Files\Common Files\Intuit
2007-02-19 19:26:03 0 d-------- C:\Program Files\TurboTax
2007-02-14 17:16:11 0 d-------- C:\Program Files\Google
2007-02-09 10:51:57 0 d--h----- C:\Program Files\WindowsUpdate<WINDOW~2>
2007-02-08 10:47:03 0 d-------- C:\Program Files\MSXML 4.0<MSXML4~1.0>
2007-02-07 10:08:27 0 d-------- C:\Program Files\Common Files\Adobe
2007-02-06 19:27:29 0 d-------- C:\Program Files\Movie Maker<MOVIEM~1>
2007-02-06 19:20:40 0 d-------- C:\Program Files\Windows NT<WINDOW~1>
2007-02-06 19:17:33 250032 -rahs---- C:\ntldr
2007-02-02 16:24:35 201 --a------ C:\WINDOWS\PowerReg.dat
2007-01-30 10:25:43 0 d-------- C:\Program Files\SesameWorkshop<SESAME~1>
2007-01-08 19:01:14 17408 --a------ C:\WINDOWS\system32\corpol.dll


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Uniblue SpyEraser"="\"C:\\Program Files\\Uniblue\\SpyEraser\\SpyEraser.exe\" -m"
"Zinio DLM"="C:\\Program Files\\Zinio\\ZinioDeliveryManager.exe /autostart"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="\"C:\\WINDOWS\\system32\\mobsync.exe\" /logon"
"DigitalDeveloper"="\"C:\\Program Files\\Photomax Digital Developer\\DDStub.exe\""
"SMSystemAnalyzer"="\"C:\\Program Files\\iolo\\System Mechanic 7\\SMSystemAnalyzer.exe\""
"SystemGuardAlerter"="\"C:\\Program Files\\iolo\\System Mechanic 7\\SystemGuardAlerter.exe\""
"SanaSafeConnect"="\"C:\\Program Files\\Sana Security\\Primary Response SafeConnect\\agent\\bin\\SanaSafeConnect.exe\""
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2007-03-23 at 15:01:12 ---------
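A helper for triaging a log like the one above, added here as an example; it is not code from this thread, from HijackThis or from Deckard's System Scanner. It pulls the HijackThis-style O2/O4/O23 entries and the "HijackThis Fixed Entries" backup lines out of pasted text and applies three heuristics a malware-response helper normally checks by eye: a target reported "(file missing)", an autostart launched from a browser cache or temp directory, and a BHO registered with no name. The function names, the data class and the heuristics are this example's own assumptions; the sample lines are copied verbatim from the log above.

```python
"""Defender-side triage of HijackThis-style entries in a Deckard's System Scanner log.

Added example; not code from this thread, from HijackThis or from DSS.
The heuristics, names and structure are this example's own assumptions;
the sample lines are copied from the log posted above.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a few lines lifted verbatim from the log posted above.
SAMPLE_LOG = r"""
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: SanaSafeConnectAgent - Unknown owner - C:\Program Files\Sana Security\Primary Response SafeConnect\agent\bin\SanaAgent.exe" SanaSafeConnectAgent (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
backup-20070221-185243-185 O2 - BHO: (no name) - {BD257DCB-B5D0-459F-9F7D-42E27AC55266} - C:\WINDOWS\System32\kdphtdpf.dll (file missing)
backup-20070221-185243-326 O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\jm.BAINDT003.000\Local Settings\Temporary Internet Files\Content.IE5\IWJEITG0\WAS5Scan[1].exe"
backup-20070221-185243-387 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

# An entry is "<code> - <body>", optionally prefixed by a backup id when it
# comes from the "HijackThis Fixed Entries" section of the DSS output.
ENTRY_RE = re.compile(
    r'^(?:(?P<backup>backup-\d{8}-\d{6}-\d+)\s+)?'
    r'(?P<code>[RO]\d+)\s+-\s+(?P<body>.*)$'
)


@dataclass
class Finding:
    code: str                      # HijackThis section code, e.g. "O4"
    backup: Optional[str]          # backup id if the entry was already fixed, else None
    body: str                      # the entry text after "<code> - "
    reasons: List[str] = field(default_factory=list)


def parse_entries(text: str) -> List[Tuple[Optional[str], str, str]]:
    """Return (backup_id, code, body) for every line that looks like a HijackThis entry."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group('backup'), m.group('code'), m.group('body')))
    return entries


def triage(text: str) -> List[Finding]:
    """Apply the three heuristics; entries that trip none of them are dropped."""
    findings = []
    for backup, code, body in parse_entries(text):
        reasons = []
        lowered = body.lower()
        # 1. HijackThis could not find the target on disk: stale or removed item.
        if '(file missing)' in body:
            reasons.append('target file missing')
        # 2. Anything set to autostart from a browser cache or temp directory
        #    deserves a second look; legitimate installers rarely persist there.
        if 'temporary internet files' in lowered or '\\temp\\' in lowered:
            reasons.append('launches from a browser cache or temp directory')
        # 3. Browser Helper Objects normally carry a name; an unnamed one is unusual.
        if code == 'O2' and body.startswith('BHO: (no name)'):
            reasons.append('BHO registered without a name')
        if reasons:
            findings.append(Finding(code, backup, body, reasons))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        status = 'already fixed' if f.backup else 'still present'
        print(f'{f.code:<4} [{status}] {", ".join(f.reasons)}\n     {f.body}')
```

Entries carrying a backup id have already been fixed by HijackThis, so the report separates them from live entries; the heuristics only flag what to look at, and a file reported missing is by itself harmless.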

#8 Nalyn

Nalyn
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:11:47 AM

Posted 07 April 2007 - 02:57 PM

Hello there.

I'm hoping you'll be able to respond soon?

Thanks.

Nalyn

#9 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,021 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:47 PM

Posted 09 April 2007 - 12:01 AM

My apologies again for the long delay. I'll be typing out an answer for you in just a bit.
And I may be obliged to defend
Every love every ending
Or maybe there's no obligations now,
Maybe I've a reason to believe
We all will be received
In Graceland--Paul Simon

#10 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,021 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:47 PM

Posted 09 April 2007 - 02:34 AM

OK, there isn't any malware on your system that we are able to find. I think any strangeness that may seem to you like a sign of malicious activity going on is because of stuff your former employers have set to run, and frankly I'm not equipped to help you with that. One thing I do see to support this idea is a Symantec security product available only to businesses.

Confidence Online™ for Web Applications
http://www.symantec.com/press/2005/n050922a.html

Another security product that could well be the primary cause of conflicts. From what I understand--and this is coming from someone that has always been a home user--employers install their own security measures and configure their computers through restrictions to protect their investment and ultimately the business itself. It is in their best interest not to reveal what all those restrictions and other measures are. So even if you had access to change them--and I'm not sure that you do, as you are probably locked out of certain areas of what is now your own computer--you would need to know what they are.

If it were me, I would just reformat it to gain total control and be 100% sure there is no malware tucked away somewhere. It is much easier to start with a standard install of the OS and add just what you want than it is to try to find everything you might need to subtract from the system. I appreciate that you want to learn what you can, and what you've been doing so far is a good way to do that, but starting fresh is what I would do.

I also know that you may not have a standard installation disk or a recovery disk or partition. But even if it took buying a full legal copy of XP, it would still be worth the investment. If you are thinking of upgrading to Vista, you'll need a lot more RAM.

In fact, the amount of RAM on your system is not really adequate. For XP, you need at least 512 MB, and more is better. Security programs especially, which always run in the background, are heavy on resources, and less than that will cause freezing. I've heard Vista will require 2 to 3 GB to run properly.

Best I can tell you on the security programs is that running too many of them, combined with the fact that they don't often uninstall nicely, is one of the primary causes of conflict and could explain the problems you are asking about, along with too little RAM. I see where several have been installed, most of which have guard or real-time scanners. It is easy to go overboard on those.

It is fun to try out different security products, but unless you are a reviewer or beta tester, it is best to find what you like and stick to it. One antivirus, one firewall, two or three antispyware mostly for on-demand scans. Just about every antispyware app has a guard or protection program running in the background now, but really most of them aren't needed. Resident antivirus protection has gotten better at filling in the holes the AS apps' guards were designed to protect. Everyone is also trying to do everything now, too. Some antispyware are including an antivirus, antivirus may include an AS and a firewall, and as you have seen, one of the premier firewalls now offers a suite with an antivirus and antispyware. Then you have all the protections against phishing, bad websites, ad blocking and spam, etc., so more conflicts are arising among apps that used to get along together fairly well.

Sana, which you've been trying, is a slightly different approach and basically a HIPS (Hosted Intrusion Prevention System). There is talk of HIPS replacing the need for AVs, ASs, etc. But they aren't there yet. I had read the article in PC Mag before you posted that gave it the highest rating--until then I had never heard of it. But I'm not very impressed with what it removed from your system. The reviewer seemed to be impressed by the fact that it didn't ask before removing and blocking stuff, but I hear it doesn't quarantine if it makes a mistake, so I would rather be annoyed than trust it to always do the right thing. I don't know if you decided to keep it after the trial, but I think you could do without it.

The ZoneAlarm Security Suite should meet all your needs. If it isn't giving you problems, I would clean up your system. Trying other scanners just to see if they can find something is OK, up to a point, but I think you are past that and you don't need to install programs to do it. For a second opinion, try these online scanners that will detect and clean--this way you don't have to install something running in the background.

TrendMicro's HouseCall
Panda ActiveScan
BitDefender

BTW, and sorry I didn't answer this earlier, the Kaspersky online scanner just detects and doesn't clean. It is used primarily for its rate of detection, and viewing the log sometimes reveals what others don't find. It will show which files are locked, whether good or bad, for information purposes only. Most of the time those files are legit and locked for a reason. Very rarely a malware file will be locked, but all in your log are OK.

I have some more information and suggestions for you, but it is getting late and it will have to wait until tomorrow.
And I may be obliged to defend
Every love every ending
Or maybe there's no obligations now,
Maybe I've a reason to believe
We all will be received
In Graceland--Paul Simon

#11 Nalyn

Nalyn
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:11:47 AM

Posted 19 April 2007 - 09:51 AM

And? :thumbsup:
