Am I Still Infected?



#1 whatdidistepin

Posted 19 November 2007 - 05:25 PM

Hello BC Experts,

Before I continue, I would like to let everyone know that I am new to BleepingComputer.com & this is my first post. Please let me know if I am doing something incorrectly (on BleepingComputer.com).

I am having trouble determining if I am still infected. I have removed many of the threats, but I am having trouble determining if this machine is disinfected.

I have run:
-AVG
-AdAware
-Spybot SD
-Win Defender
-SuperAntiSpyware
-Spyware Doctor
-Kaspersky online scanner
-Trend Micro online scanner
-Symantec online scanner
-And a few other programs/removal tools

I have also run HJT, but I am not a pro at interpreting it.

My biggest confusion is that I get clean results with one scan & infected results with other scans. For example, Trend Micro's online scanner (which did not work very well for me) stated that there is a 'Bifrose' threat, but I cannot find it. Another example is that SuperAntiSpyware found many threats that Spyware Doctor found again in a later scan. Another point of confusion for me is that Kaspersky is flagging items that were provided by HP with the computer. I am not sure when a clean result is actually a clean result or whether the program missed something.

I will gladly post any logs or additional details. Any help is greatly appreciated.

Thanks!

WhatDidIDo

#2 RichieUK


Posted 19 November 2007 - 06:38 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, whatdidistepin.
My name is Richie and I'll be helping you to fix your problems.

Please read and follow the information in the link below.
Preparation Guide for use before posting a HijackThis Log:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Once you've completed all the steps in the above link, post a HijackThis log into this topic if you still require help.

#3 whatdidistepin

whatdidistepin
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:23 AM

Posted 20 November 2007 - 09:59 AM

Hello,

I have followed all the steps from the Preparation Guide. Here is the new HJT log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:54:26 AM, on 11/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\arservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 10035 bytes


Thanks!

WhatDidIStepIn

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:23 AM

Posted 20 November 2007 - 10:07 AM

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 3'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
* Close all other windows before proceeding.
* Double-click on dss.exe and follow the prompts.
* When it has finished, DSS will open two Notepads: main.txt and extra.txt
* Use Save As to save both Notepad files to your Desktop and post them in your next reply.
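A small parser for the HijackThis log format this thread revolves around, added here as an illustration and not part of the thread or of HijackThis itself: it splits each entry into section, value name, CLSID and loaded path, and flags entries that still load from a JRE directory older than the one RichieUK recommends (JRE 6 Update 3). The sample lines are copied from the log posted above; the `current` default of (6, 3) is an assumption tied to this 2007 thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: five lines in the shape of the HijackThis v2.0.2 log posted
# in this thread (entries copied from that log; the full log has many more).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# Every HJT entry starts with a section code (R0, R1, O2, O4, O23, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<rest>.*)$")
# O4 entries look like: <hive>\..\Run: [<value name>] <command line>
RUN_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# A JRE install directory embedded in a path, e.g. \jre1.5.0_06\ (Java 5 Update 6).
JRE_RE = re.compile(
    r"\\(?P<dir>jre(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)_(?P<update>\d+))\\",
    re.IGNORECASE,
)
# Sections whose last " - " separated field is the file that gets loaded.
PATH_SECTIONS = {"O2", "O3", "O9", "O20", "O23"}


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one HJT log line; return None for headers, process lists and blanks."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, rest = m.group("sec"), m.group("rest")
    fields = [f.strip() for f in rest.split(" - ")]
    entry: Dict[str, object] = {"section": sec, "raw": rest, "fields": fields}
    if sec == "O4":
        m4 = RUN_RE.match(rest)
        if m4:
            entry.update(key=m4.group("key"), name=m4.group("name"), command=m4.group("cmd"))
    elif sec in PATH_SECTIONS and len(fields) >= 2:
        entry["path"] = fields[-1]
        if fields[-2].startswith("{"):
            entry["clsid"] = fields[-2]
    return entry


def parse_log(text: str) -> List[Dict[str, object]]:
    """Return the parsed entries of a whole HJT log, in order."""
    entries = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is not None:
            entries.append(e)
    return entries


def jre_version(path: str) -> Optional[Tuple[int, int]]:
    """Map a path through jre1.5.0_06 to (5, 6), i.e. Java 5 Update 6; None if no JRE dir."""
    m = JRE_RE.search(path)
    if not m:
        return None
    return int(m.group("minor")), int(m.group("update"))


def outdated_jre(entries: List[Dict[str, object]],
                 current: Tuple[int, int] = (6, 3)) -> List[Tuple[str, str]]:
    """Unique (jre directory, section) pairs whose JRE is older than `current`.

    The default (6, 3) is JRE 6 Update 3, the version the helper in this thread
    tells the poster to install (an assumption fixed to the date of the thread).
    """
    found = set()
    for e in entries:
        m = JRE_RE.search(str(e["raw"]))
        if m and (int(m.group("minor")), int(m.group("update"))) < current:
            found.add((m.group("dir"), str(e["section"])))
    return sorted(found)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(f"{len(parsed)} entries parsed")
    for jre_dir, sec in outdated_jre(parsed):
        print(f"outdated JRE directory {jre_dir} still loaded by an {sec} entry")
```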

#5 whatdidistepin

whatdidistepin
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:23 AM

Posted 20 November 2007 - 11:04 AM

Hi RichieUK,

Thanks for the help so far. Here are the logs...


MAIN.TXT:


Deckard's System Scanner v20071014.68
Run by Compaq_Administrator on 2007-11-20 07:54:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
8: 2007-11-20 15:54:46 UTC - RP8 - Deckard's System Scanner Restore Point
7: 2007-11-20 15:51:23 UTC - RP7 - Installed Java™ 6 Update 3
6: 2007-11-20 15:45:08 UTC - RP6 - Removed J2SE Runtime Environment 5.0 Update 6
5: 2007-11-20 13:42:01 UTC - RP5 - Software Distribution Service 3.0
4: 2007-11-20 13:26:40 UTC - RP4 - Software Distribution Service 3.0


-- First Restore Point --
1: 2007-11-19 13:09:18 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 448 MiB (512 MiB recommended).


-- HijackThis (run as Compaq_Administrator.exe) --------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:56:19 AM, on 11/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\arservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\dss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\DOCUME~1\COMPAQ~1\Desktop\Compaq_Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 10132 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S0 ftsata2 - c:\windows\system32\drivers\ftsata2.sys (file missing)
S3 catchme - c:\docume~1\compaq~1\locals~1\temp\catchme.sys (file missing)
S3 CO_Mon - c:\windows\system32\drivers\co_mon.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-11-20 07:50:36 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job


-- Files created between 2007-10-20 and 2007-11-20 -----------------------------

2007-11-20 07:51:27 0 d-------- C:\Program Files\Common Files\Java
2007-11-20 05:29:38 0 d-------- C:\Program Files\MSXML 6.0
2007-11-19 17:16:07 0 d-------- C:\WINDOWS\BDOSCAN8
2007-11-19 13:49:13 0 d-------- C:\Program Files\Spyware Doctor
2007-11-19 13:49:13 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\PC Tools
2007-11-19 13:04:01 164 --a------ C:\install.dat
2007-11-19 10:16:04 0 dr-h----- C:\$VAULT$.AVG
2007-11-19 09:33:03 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\AVG7
2007-11-19 09:32:53 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-19 09:32:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-19 09:32:36 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-11-19 08:55:54 0 d-------- C:\Program Files\Alwil Software
2007-11-19 08:04:24 0 d-------- C:\Documents and Settings\Compaq_Administrator\.housecall6.6
2007-11-19 06:51:32 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-19 06:51:15 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-11-19 06:51:15 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\SUPERAntiSpyware.com
2007-11-18 19:15:48 28672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-11-18 18:34:21 0 d-------- C:\Program Files\CCleaner
2007-11-18 15:20:18 0 d-------- C:\WINDOWS\ERUNT
2007-11-18 14:50:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-18 13:24:59 0 d-------- C:\WINDOWS\CSC
2007-11-17 17:11:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-17 17:11:02 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-17 15:11:57 0 d-------- C:\Program Files\Windows Defender
2007-11-17 15:08:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-11-17 14:21:44 0 d-------- C:\Program Files\Lavasoft
2007-11-17 14:21:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-17 14:21:03 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-13 18:13:12 0 d--h----- C:\WINDOWS\PIF
2007-11-07 18:47:57 0 d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\WinBatch
2007-11-04 20:18:00 4 --a------ C:\WINDOWS\system32\4F760A
2007-11-04 20:14:16 0 d-------- C:\WINDOWS\system32\LogFiles
2007-11-04 20:14:16 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-11-04 20:12:29 8413 --a------ C:\WINDOWS\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
2007-11-04 13:03:15 0 d-------- C:\Documents and Settings\Rachel\report
2007-11-04 13:03:15 0 d-------- C:\Documents and Settings\Rachel\Application Data\cs
2007-10-25 10:26:48 53248 --a------ C:\WINDOWS\bdoscandel.exe


-- Find3M Report ---------------------------------------------------------------

2007-11-20 07:52:22 0 d-------- C:\Program Files\Java
2007-11-20 07:51:27 0 d-------- C:\Program Files\Common Files
2007-11-18 16:59:35 4000 --a------ C:\Documents and Settings\Compaq_Administrator\Application Data\wklnhst.dat
2007-11-18 08:07:06 0 d-------- C:\Program Files\Google
2007-11-18 08:03:13 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-11-17 11:24:32 0 d-------- C:\Program Files\Kodak
2007-11-04 20:20:13 0 d-------- C:\Program Files\Real
2007-11-04 20:19:54 0 d-------- C:\Program Files\Rhapsody
2007-09-22 11:42:51 0 d-------- C:\Program Files\LimeWire


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [09/29/2005 08:01 PM]
"ftutil2"="ftutil2.dll" [06/07/2004 01:05 PM C:\WINDOWS\system32\ftutil2.dll]
"RTHDCPL"="RTHDCPL.EXE" [06/13/2006 07:05 PM C:\WINDOWS\RTHDCPL.EXE]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [08/02/2005 10:19 PM C:\WINDOWS\arpwrmsg.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [07/22/2005 09:14 PM]
"PCDrProfiler"="" []
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [02/15/2006 09:34 PM]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [12/14/2004 01:23 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [02/17/2005 05:11 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [08/21/2006 03:09 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/09/2006 03:16 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [09/16/2005 08:43 AM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [11/19/2007 09:32 AM]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [11/02/2007 05:24 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 03:24 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/2007 02:06 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08/31/2007 04:46 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"




-- Hosts -----------------------------------------------------------------------

127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com

7489 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-11-20 07:57:22 ------------


EXTRA.TXT


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® D CPU 2.80GHz
CPU 1: Intel® Pentium® D CPU 2.80GHz
Percentage of Memory in Use: 70%
Physical Memory (total/avail): 447.36 MiB / 130.2 MiB
Pagefile Memory (total/avail): 1053.68 MiB / 415.66 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1932.05 MiB

C: is Fixed (NTFS) - 177.97 GiB total, 163.08 GiB free.
D: is Fixed (FAT32) - 8.33 GiB total, 0.36 GiB free.
E: is CDROM (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)

\\.\PHYSICALDRIVE0 - SAMSUNG SP2004C - 186.31 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 177.97 GiB - C:
\PARTITION1 - Unknown - 8.33 GiB - D:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: Norton Internet Worm Protection v2006 (Symantec) Disabled
AV: AVG 7.5.503 v7.5.503 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Compaq_Administrator\Application Data
CLASSPATH=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JANICEJONES
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Compaq_Administrator
LOGONSERVER=\\JANICEJONES
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;c:\Python22;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0407
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SonicCentral=c:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp
USERDOMAIN=JANICEJONES
USERNAME=Compaq_Administrator
USERPROFILE=C:\Documents and Settings\Compaq_Administrator
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Compaq_Administrator (admin)
CJ (admin)
Rachel (admin)
charlie (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> c:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 5.0 Sprint Plus --> MsiExec.exe /X{D1696920-9794-4BBC-8A30-7A88763DE5A2}
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Compaq Connections (remove only) --> C:\WINDOWS\HPCPCUninstall-5577497\HPBWSetup.exe -appid 5577497 -uninstall
Customer Experience Enhancement --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{23012310-3E05-46A5-88A9-C6CBCABCAC79} /l1033
Data Fax SoftModem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1\HXFSETUP.EXE -U -ITrx200Ck.inf
Easy Internet Sign-up --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{8105684D-8CA6-440D-8F58-7E5FD67A499D} /l1033
Enhanced Multimedia Keyboard Solution --> C:\HP\KBD\Install.exe /u
GemMaster Mystic --> "C:\Program Files\GemMaster\uninstallgemmaster.exe"
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Documents and Settings\Compaq_Administrator\Desktop\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Boot Optimizer --> MsiExec.exe /X{1341D838-719C-4A05-B50F-49420CA1B4BB}
HP DVD Play 2.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45D707E9-F3C4-11D9-A373-0050BAE317E1}\Setup.exe" -uninstall
HP Imaging Device Functions 7.0 --> C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Premier Software 6.5 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Software Update --> MsiExec.exe /X{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}
HP Support Overview --> "C:\WINDOWS\unins000.exe"
HP Web Helper --> regsvr32 /u /s "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll"
iPod for Windows 2005-09-23 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{D4936AAF-FFD0-44A1-A7EA-A2DB41CEB5BC} /l1033
iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{78F4DFCE-1336-4027-BCB2-1A00C24A8653} /l1033
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Lexmark X6100 Series --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBFUN5C.EXE -dLexmark X6100 Series
LimeWire 4.12.6 --> "C:\Program Files\LimeWire\uninstall.exe"
Microsoft Away Mode -->
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Money 2006 --> "C:\Program Files\Microsoft Money 2006\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft Office Standard Edition 2003 60 days trial --> c:\hp\bin\cloaker.exe c:\hp\bin\MSOffice\uninst.cmd
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Motorola Driver Installation --> MsiExec.exe /I{0D442113-1F96-40DE-948C-5850CE7B8005}
Motorola USB Drivers --> C:\PROGRA~1\MOTORO~1\UNWISE.EXE C:\PROGRA~1\MOTORO~1\INSTALL.LOG
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Netscape Browser (remove only) --> "C:\Program Files\Netscape\Netscape Browser\NSUninst.exe"
Otto --> "C:\Program Files\EnglishOtto\uninstallotto.exe"
PC-Doctor 5 for Windows --> C:\Program Files\PC-Doctor 5 for Windows\uninst.exe
Print to Fax --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5BF2B19D-9C79-492A-8969-F059F06A627F}\setup.exe" -l0x9 ControlPanel
Python 2.2 pywin32 extensions (build 203) --> "C:\Python22\Removepywin32.exe" -u "C:\Python22\pywin32-wininst.log"
Python 2.2.3 --> C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
Quicken 2006 --> MsiExec.exe /X{2818095F-FB6C-42C8-827E-0A406CC9AFF5}
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{4E5E22C2-1386-47AE-8EDE-32DDCDCD6653} /l1033
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
Remove WeatherBug Installer --> c:\hp\bin\cloaker.exe c:\hp\bin\commands.exe /c c:\hp\bin\wbug\clean.bat
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sonic Express Labeler --> MsiExec.exe /X{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic MyDVD Plus --> MsiExec.exe /X{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow Audio --> MsiExec.exe /X{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic RecordNow Copy --> MsiExec.exe /X{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic RecordNow Data --> MsiExec.exe /X{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Update Manager --> MsiExec.exe /X{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spyware Doctor 5.1 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
The Weather Channel Desktop --> C:\Program Files\The Weather Channel FW\Desktop Weather\TheWeatherChannelCustomUninstall.exe
Update Rollup 2 for Windows XP Media Center Edition 2005 -->
Weather Services --> C:\WINDOWS\system32\control.exe C:\PROGRA~1\THEWEA~1\FRAMEW~1\wxfw.cpl,4
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB908246 --> "C:\WINDOWS\$NtUninstallKB908246$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB925766 --> "C:\WINDOWS\$NtUninstallKB925766$\spuninst\spuninst.exe"
Yahoo! Toolbar for Internet Explorer --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type4307 / Warning
Event Submitted/Written: 11/20/2007 07:46:12 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type4298 / Warning
Event Submitted/Written: 11/20/2007 05:46:14 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type4293 / Success
Event Submitted/Written: 11/20/2007 05:32:04 AM
Event ID/Source: 1 / Media Center Receiver
Event Description:
Service registration successful.

Event Record #/Type4285 / Warning
Event Submitted/Written: 11/20/2007 05:30:16 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type4270 / Warning
Event Submitted/Written: 11/19/2007 04:41:58 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type14130 / Warning
Event Submitted/Written: 11/20/2007 07:56:47 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%JANICEJONES27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %JANICEJONES27 can't undo changes that you allow.

For more information please see the following:
%JANICEJONES275

Scan ID: {C7AF4FD1-B583-4B96-80A9-43E9FEC30FC2}

User: JANICEJONES\Compaq_Administrator

Name: %JANICEJONES271

ID: %JANICEJONES272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %JANICEJONES276

Alert Type: %JANICEJONES278

Detection Type: 1.1.1593.02

Event Record #/Type14129 / Warning
Event Submitted/Written: 11/20/2007 07:56:47 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%JANICEJONES27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %JANICEJONES27 can't undo changes that you allow.

For more information please see the following:
%JANICEJONES275

Scan ID: {307BAF24-15E6-4C3F-A2AF-F9736A2F57CF}

User: JANICEJONES\Compaq_Administrator

Name: %JANICEJONES271

ID: %JANICEJONES272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %JANICEJONES276

Alert Type: %JANICEJONES278

Detection Type: 1.1.1593.02

Event Record #/Type14128 / Warning
Event Submitted/Written: 11/20/2007 07:56:46 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%JANICEJONES27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %JANICEJONES27 can't undo changes that you allow.

For more information please see the following:
%JANICEJONES275

Scan ID: {20095316-1133-4935-90E2-8EA04EBB3636}

User: JANICEJONES\Compaq_Administrator

Name: %JANICEJONES271

ID: %JANICEJONES272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %JANICEJONES276

Alert Type: %JANICEJONES278

Detection Type: 1.1.1593.02

Event Record #/Type14127 / Warning
Event Submitted/Written: 11/20/2007 07:56:45 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%JANICEJONES27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %JANICEJONES27 can't undo changes that you allow.

For more information please see the following:
%JANICEJONES275

Scan ID: {A1BAC457-19EF-4984-9324-716D81E9D8F8}

User: JANICEJONES\Compaq_Administrator

Name: %JANICEJONES271

ID: %JANICEJONES272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %JANICEJONES276

Alert Type: %JANICEJONES278

Detection Type: 1.1.1593.02

Event Record #/Type14126 / Warning
Event Submitted/Written: 11/20/2007 07:56:45 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%JANICEJONES27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %JANICEJONES27 can't undo changes that you allow.

For more information please see the following:
%JANICEJONES275

Scan ID: {B3499FC2-54D8-4355-9418-6A3BADC9800F}

User: JANICEJONES\Compaq_Administrator

Name: %JANICEJONES271

ID: %JANICEJONES272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %JANICEJONES276

Alert Type: %JANICEJONES278

Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2007-11-20 07:57:22 ------------

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:09:23 AM

Posted 20 November 2007 - 03:37 PM

I can see by looking at your HijackThis log that you've already run Kaspersky WebScanner at some point; please run it again:
Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
• The program will launch and then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Now click on Scan Settings
• In the scan settings, make sure that the following are selected:
• Scan using the following Anti-Virus database:
• Standard
• Scan Options:
• Scan Archives
• Scan Mail Bases
• Click OK
• Now under select a target to scan:
• Select My Computer
• This will start the program and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
• Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste the contents of that file into your next reply.

#7 whatdidistepin

whatdidistepin
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:23 AM

Posted 20 November 2007 - 03:59 PM

Hello RichieUK,

I had actually run a new scan just a little bit ago...

KASPERSKY ONLINE SCANNER REPORT
Tuesday, November 20, 2007 11:29:29 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/11/2007
Kaspersky Anti-Virus database records: 462368


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
G:\
H:\
I:\
J:\

Scan Statistics
Total number of scanned objects 72839
Number of viruses found 1
Number of infected objects 12
Number of suspicious objects 0
Duration of the scan process 01:16:27

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-11172007-151223.log Object is locked skipped

C:\Documents and Settings\Compaq_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped

C:\Documents and Settings\Compaq_Administrator\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{C57F1A58-562C-4CE5-B7EF-883DB2DA5140} Object is locked skipped

C:\Documents and Settings\Compaq_Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Compaq_Administrator\Local Settings\History\History.IE5\MSHist012007112020071121\index.dat Object is locked skipped

C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Compaq_Administrator\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Compaq_Administrator\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\hp\bin\wbug\CompaqPresario_Spring06.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.WeatherBug.a skipped

C:\hp\bin\wbug\CompaqPresario_Spring06.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.WeatherBug.a skipped

C:\hp\bin\wbug\CompaqPresario_Spring06.exe WiseSFX: infected - 2 skipped

C:\hp\bin\wbug\CompaqPresario_Spring06.exe WiseSFX Dropper: infected - 2 skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0000010.dll Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0000011.dll Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0000012.dll Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0000013.dll Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0000014.dll Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0000015.dll Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0000016.dll Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0000017.dll Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0000018.dll Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0000019.dll Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0000020.dll Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0000021.dll Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0000022.dll Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0000023.dll Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0000024.dll Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0000025.dll Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0000026.dll Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0000027.dll Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0000028.dll Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0000029.dll Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0000030.dll Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0000031.dll Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0000032.dll Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0000033.dll Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0000034.dll Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0000035.dll Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0000036.dll Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0000037.dll Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0000038.dll Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0000039.dll Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0000040.dll Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0000041.dll Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0000042.dll Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0000043.dll Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP3\A0002206.dll Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP8\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{745B9248-A825-49F4-A7D9-16220AAE43BA}.crmlog Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

D:\I386\APPS\APP03964\src\CompaqPresario_Spring06.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.WeatherBug.a skipped

D:\I386\APPS\APP03964\src\CompaqPresario_Spring06.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.WeatherBug.a skipped

D:\I386\APPS\APP03964\src\CompaqPresario_Spring06.exe WiseSFX: infected - 2 skipped

D:\I386\APPS\APP03964\src\CompaqPresario_Spring06.exe WiseSFX Dropper: infected - 2 skipped

D:\I386\APPS\APP03964\src\HPPavillion_Spring06.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.WeatherBug.a skipped

D:\I386\APPS\APP03964\src\HPPavillion_Spring06.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.WeatherBug.a skipped

D:\I386\APPS\APP03964\src\HPPavillion_Spring06.exe WiseSFX: infected - 2 skipped

D:\I386\APPS\APP03964\src\HPPavillion_Spring06.exe WiseSFX Dropper: infected - 2 skipped

Scan process completed.
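The Kaspersky report above is a good place to show how a responder separates scanner noise from real findings. "Object is locked skipped" on the registry hives, the event logs and the WMI repository is normal on a live system (Windows keeps those files open), and a "not-a-virus:" adware verdict inside an OEM installer on the D:\I386 recovery partition is bundled software in a recovery image, not an active infection. The Python script below is an added example written for this page; it is not part of the thread and not output of Kaspersky or any other tool. The regular expressions, the prefix lists that decide which locked files count as expected and which paths are a recovery image, and the sample report (line shapes taken from the log above, plus one constructed placeholder detection, "Trojan.Win32.Placeholder.a", under a made-up EXAMPLE profile) are all assumptions made for the example.

```python
"""Triage Kaspersky Online Scanner report lines: noise vs. findings.

Added example for this thread; the regexes, prefix lists and sample lines
are assumptions, not the output or logic of any real tool.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Line shapes seen in the report above.
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) skipped$")
# Per-archive summary, e.g. "...exe WiseSFX Dropper: infected - 2 skipped".
ARCHIVE_RE = re.compile(
    r"^(?P<path>.+?) (?P<archiver>[^:\\/]+): infected - (?P<count>\d+) skipped$"
)

# Files Windows keeps open on a running system; "locked" here is expected
# (assumed list, extend it for your own environment).
OS_LOCKED_PREFIXES = (
    "c:\\windows\\system32\\config\\",
    "c:\\windows\\system32\\wbem\\repository\\",
    "c:\\windows\\windowsupdate.log",
)
# OEM recovery image: a verdict inside it is bundled software, not an active
# infection on the live system (assumed for this HP/Compaq disk layout).
RECOVERY_PREFIXES = ("d:\\i386\\",)


@dataclass
class Finding:
    path: str
    category: str
    verdict: str = ""


def classify_line(line: str) -> Optional[Finding]:
    """Map one report line to a Finding, or None for blank/terminator lines."""
    line = line.strip()
    if not line or line == "Scan process completed.":
        return None
    m = LOCKED_RE.match(line)
    if m:
        path = m["path"]
        normal = path.lower().startswith(OS_LOCKED_PREFIXES)
        return Finding(path, "locked-system-file" if normal else "locked-other")
    m = INFECTED_RE.match(line)
    if m:
        path, verdict = m["path"], m["verdict"]
        # Kaspersky prefixes adware/riskware verdicts with "not-a-virus:".
        kind = "pua" if verdict.startswith("not-a-virus:") else "malware"
        where = "-in-recovery-image" if path.lower().startswith(RECOVERY_PREFIXES) else ""
        return Finding(path, kind + where, verdict)
    m = ARCHIVE_RE.match(line)
    if m:
        # The member lines already carry the verdicts; this line is only a count.
        return Finding(m["path"], "archive-summary", f"{m['archiver']} x{m['count']}")
    return Finding(line, "unparsed")


def triage(report: str) -> dict:
    """Classify every line; 'needs_action' is what a responder should look at."""
    findings = [f for f in (classify_line(ln) for ln in report.splitlines()) if f]
    return {
        "findings": findings,
        "counts": Counter(f.category for f in findings),
        "needs_action": [f for f in findings if f.category == "malware"],
    }


# Constructed sample: shapes taken from the log above plus one placeholder hit.
SAMPLE_REPORT = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\Documents and Settings\EXAMPLE\Local Settings\Temp\~DF1234.tmp Object is locked skipped
D:\I386\APPS\APP03964\src\HPPavillion_Spring06.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.WeatherBug.a skipped
D:\I386\APPS\APP03964\src\HPPavillion_Spring06.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.WeatherBug.a skipped
D:\I386\APPS\APP03964\src\HPPavillion_Spring06.exe WiseSFX: infected - 2 skipped
D:\I386\APPS\APP03964\src\HPPavillion_Spring06.exe WiseSFX Dropper: infected - 2 skipped
C:\Documents and Settings\EXAMPLE\Local Settings\Temp\sample.tmp Infected: Trojan.Win32.Placeholder.a skipped
Scan process completed.
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for category, n in sorted(result["counts"].items()):
        print(f"{category:24s} {n}")
    for f in result["needs_action"]:
        print("ACTION:", f.path, f.verdict)
```

Run as a script it prints a count per category and lists only the one placeholder detection under the user profile as needing action; the locked hives, the WeatherBug adware in the recovery image and the archive summary lines are counted but not escalated. The same approach extends to other scanners' logs: the Spy Sweeper output later in this thread, for example, reports "[File Encrypted]" on Spybot's recovery zips and on SUPERAntiSpyware's quarantine files, which is another class of expected noise (other tools' quarantine archives) that a classifier like this would get its own rule for.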

#8 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 20 November 2007 - 04:10 PM

Your log is clean :thumbsup:
If all's ok, please do the following:

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

You should take the time to read and follow the information found in the links below, to help you prevent any possible future infections and stay safe and secure while online:

Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

How to prevent Malware:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

So how did I get infected in the first place:
http://forums.spybot.info/showthread.php?t=279

Malware Cleanup Programs and Preventative Procedures:
http://russelltexas.com/malware/allclear.htm

#9 whatdidistepin
  • Topic Starter

  • Members
  • 10 posts

Posted 20 November 2007 - 04:17 PM

Hi RichieUK,

Thanks for all of your hard work! Good to hear all is clean.

I have one last question:

I ran a scan with Spyware Doctor & received the following results:

-8 @ Adware.Advertising (cookie)
-2 @ Spyware.Known_Bad_Sites (cookie)
-14 @ Application.trackingCookies (cookie)
-1 @ Trojan-Downloader.Tiny.ID (cookie)
-11 @ Trojan.Virtumonde (10 cookies & 1 system restore file)
-1 @ Hijacker.Affiliated_with_browser_Hijackers (cookie)
-1 @ Trojan-PWS.Tanspy (registry)
-2 @ Adware.Hotbar (registry)
-2 @ Trojan-Downloader.Conhook (registry)
-1 @ Trojan.Generic (registry)

I would have fixed them, but I was using a trial version without the fix ability. I am not too familiar with Spyware Doctor, but should this raise any concerns? Is this a trick of sorts? Should I remove the registry entries & cookies?

Thanks!

WhatDidIStepIn

#10 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 20 November 2007 - 04:41 PM

If you're concerned, run the following:
Download\install CleanUp.
Launch CleanUp, then click on 'Options'.
Now move the slider on the left up to 'Standard Cleanup!'.
Click 'Ok', now run the program by clicking on the 'Cleanup' button.
Reboot, or log off/log on when it's finished.

Download and scan with the free 15 day trial of Counterspy V2
Save the report when it's finished:
1. Once Counterspy has done scanning, the 'Scan Results' box will appear.
2. Click on 'View Results'.
3. Under (Recommended Action), using the drop down menus at the side of each entry found, set EVERYTHING to 'Remove'.
4. Then click on 'Take Action'.
5. Once everything has been removed, click on 'View Details'.
6. Copy and Paste those details into your next reply.

#11 whatdidistepin
  • Topic Starter

  • Members
  • 10 posts

Posted 20 November 2007 - 05:35 PM

Hi RichieUK,

Here are the CounterSpy results...

Scan History Details
Start Date: 11/20/2007 1:59:39 PM
End Date: 11/20/2007 2:29:58 PM
Total Time: 30 Min 19 Sec
Detected security risks

Bifrost Backdoor more information...
Details: Bifrost is an advanced remote administration tool that allows users to remotely control computers that are behind firewalls and routers.
Status: Deleted

Registry entries detected
HKEY_USERS\S-1-5-21-93935886-1525856114-1721195877-1007\SOFTWARE\WGET


Desktop Weather Potentially Unwanted Program more information...
Status: Deleted

Files detected
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\Programs\THE WEATHER CHANNEL\Desktop Weather\Help.lnk
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\Programs\THE WEATHER CHANNEL\Desktop Weather\Settings.lnk
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\Programs\THE WEATHER CHANNEL\Desktop Weather\The Weather Channel Desktop.lnk
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\Programs\THE WEATHER CHANNEL\Desktop Weather\Uninstall.lnk
C:\Documents and Settings\CJ\Local Settings\Application Data\The Weather Channel\Desktop Weather\app.swf
C:\Program Files\Common Files\Real\Update_OB\~Upg0\weatherapp\The_Weather_Channel_Application.exe
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\app.swf
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\config\defaults\ads.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\config\defaults\app.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\config\defaults\cobrand.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\config\defaults\dimms.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\config\defaults\divs.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\config\defaults\forcast.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\config\defaults\links.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\config\defaults\nav.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\config\defaults\screens.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\config\defaults\version.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\config\defaults\vertical.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\config\settings.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\DesktopWeather.exe
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\eula.html
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\INSTALL.LOG
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\app_elements\logo_loader.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\businessGraphicMax.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\connection.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\drivingGraphicMax.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\fitnessGraphicMax.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\FLVplayer.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\forecast\cc.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\forecast\detailed.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\forecast\hourly.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\forecast\OneClickCC.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\forecast\tenDayForecast.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\forecast\threeDayForecast.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\ForecastPageTabs.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\golfGraphicMax.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\HomePageTabs.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\HomePageTabs_f.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\HomePageTabs_p.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\instby_module.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\loaction_display.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\locManagerMod.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\maps\MaxRadarHomeMod.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\maps\MaxRadarScreen.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\maps\radarAndMapsMod.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\maps\sixHundredMileRadar.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\MaxPrefsScreen.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\nav\mainNavModule.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\nav\nav_top_right.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\nav\vertical_nav.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\photo.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\pollenGraphicMax.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\promo.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\promo_p.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\SearchBarMod.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\SevereWeatherScreen.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\side_barmodule.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\VerticalSelectorScreenMod.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\verticles\businessTravelerMod.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\verticles\businessTravelerScreenMod.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\verticles\drivingHomeMod.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\verticles\drivingScreenMod.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\verticles\fitnessHomeMod.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\verticles\fitnessScreenMod.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\verticles\golfHomeMod.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\verticles\golfScreenMod.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\verticles\pollenHomeMod.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\verticles\pollenScreenMod.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\verticles\trafficHomeMod.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\verticles\trafficScreenMod.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\verticles\weatherHomeMod.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\lib\videoTabMod.bin
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\noinet_300X250.gif
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\noinet_728x90.gif
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\swfs\graphics\ad_f.swf
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\swfs\graphics\bkg_f.swf
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\swfs\graphics\bkg_p.swf
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\swfs\graphics\border_f.swf
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\swfs\graphics\border_p.swf
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\swfs\graphics\homepage_line_f.swf
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\swfs\graphics\homepage_line_p.swf
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\swfs\graphics\nav_bar_border_f.swf
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\swfs\graphics\nav_bar_border_p.swf
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\swfs\graphics\nav_bar_f.swf
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\swfs\graphics\nav_bar_p.swf
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\swfs\Thunderclap.mp3
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\swfs\verticals\businessTravelerV.swf
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\swfs\verticals\drivingV.swf
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\swfs\verticals\fitnessV.swf
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\swfs\verticals\golfV.swf
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\swfs\verticals\newsV.swf
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\swfs\verticals\pollenV.swf
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\swfs\verticals\trafficV.swf
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\swfs\verticals\weatherV.swf
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\TheWeatherChannelCustomUninstall.exe
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Desktop Weather\UNWISE.INI
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Framework\flow.xml
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Framework\INSTALL.LOG
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Framework\TheWeatherChannelNE.exe
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Framework\TheWeatherChannelQC.exe
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Framework\TheWeatherChannelqx.exe
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Framework\TheWeatherChannelSetup.exe
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Framework\TheWeatherChannelSlnchr.exe
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Framework\TheWeatherChannelUpdate.exe
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Framework\UNWISE.INI
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Framework\ver.txt
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Framework\wxcache\ac.dat
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Framework\wxcache\actimes.rfsh
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Framework\wxfw.cpl
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\Framework\wxfw.dll
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\THE WEATHER CHANNEL
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\THE WEATHER CHANNEL\DESKTOP WEATHER
C:\PROGRAM FILES\THE WEATHER CHANNEL FW
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\DESKTOP WEATHER
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\DESKTOP WEATHER\CONFIG
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\DESKTOP WEATHER\CONFIG\DEFAULTS
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\DESKTOP WEATHER\LIB
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\DESKTOP WEATHER\LIB\APP_ELEMENTS
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\DESKTOP WEATHER\LIB\FORECAST
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\DESKTOP WEATHER\LIB\MAPS
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\DESKTOP WEATHER\LIB\NAV
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\DESKTOP WEATHER\LIB\VERTICLES
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\DESKTOP WEATHER\SWFS
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\DESKTOP WEATHER\SWFS\GRAPHICS
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\DESKTOP WEATHER\SWFS\ICONS
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\DESKTOP WEATHER\SWFS\VERTICALS
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\FRAMEWORK
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\FRAMEWORK\TEMP
C:\PROGRAM FILES\THE WEATHER CHANNEL FW\FRAMEWORK\WXCACHE

Registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\THE WEATHER CHANNEL DESKTOP
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\THE WEATHER CHANNEL DESKTOP
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\THE WEATHER CHANNEL DESKTOP
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WEATHER SERVICES
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WEATHER SERVICES
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WEATHER SERVICES
HKEY_LOCAL_MACHINE\SOFTWARE\THE WEATHER CHANNEL
HKEY_LOCAL_MACHINE\SOFTWARE\THE WEATHER CHANNEL\Framework
HKEY_LOCAL_MACHINE\SOFTWARE\THE WEATHER CHANNEL\Framework\Components
HKEY_LOCAL_MACHINE\SOFTWARE\THE WEATHER CHANNEL\Framework\Components\{19916D47-F66E-4a24-A6EE-6304A562DE7B}
HKEY_LOCAL_MACHINE\SOFTWARE\THE WEATHER CHANNEL\Framework\Components\{19916D47-F66E-4a24-A6EE-6304A562DE7B}
HKEY_LOCAL_MACHINE\SOFTWARE\THE WEATHER CHANNEL\Framework\Components\{19916D47-F66E-4a24-A6EE-6304A562DE7B}\ComponentData
HKEY_LOCAL_MACHINE\SOFTWARE\THE WEATHER CHANNEL\Framework\Components\{19916D47-F66E-4a24-A6EE-6304A562DE7B}\ComponentData
HKEY_LOCAL_MACHINE\SOFTWARE\THE WEATHER CHANNEL\Framework\Components\{19916D47-F66E-4a24-A6EE-6304A562DE7B}
HKEY_LOCAL_MACHINE\SOFTWARE\THE WEATHER CHANNEL\Framework\Components\{19916D47-F66E-4a24-A6EE-6304A562DE7B}
HKEY_LOCAL_MACHINE\SOFTWARE\THE WEATHER CHANNEL\Framework\Components\{44F2FEB1-1437-417e-9836-5D7CDEF3EF6E}
HKEY_LOCAL_MACHINE\SOFTWARE\THE WEATHER CHANNEL\Framework\Components\{44F2FEB1-1437-417e-9836-5D7CDEF3EF6E}
HKEY_LOCAL_MACHINE\SOFTWARE\THE WEATHER CHANNEL\Framework\Components\{44F2FEB1-1437-417e-9836-5D7CDEF3EF6E}
HKEY_LOCAL_MACHINE\SOFTWARE\THE WEATHER CHANNEL\Framework\Components\{90B9F4E5-6F3C-477e-841B-797A53500F73}
HKEY_LOCAL_MACHINE\SOFTWARE\THE WEATHER CHANNEL\Framework\Components\{90B9F4E5-6F3C-477e-841B-797A53500F73}
HKEY_LOCAL_MACHINE\SOFTWARE\THE WEATHER CHANNEL\Framework\Components\{90B9F4E5-6F3C-477e-841B-797A53500F73}\ComponentData
HKEY_LOCAL_MACHINE\SOFTWARE\THE WEATHER CHANNEL\Framework\Components\{90B9F4E5-6F3C-477e-841B-797A53500F73}\ComponentData
HKEY_LOCAL_MACHINE\SOFTWARE\THE WEATHER CHANNEL\Framework\Components\{90B9F4E5-6F3C-477e-841B-797A53500F73}\ComponentData
HKEY_LOCAL_MACHINE\SOFTWARE\THE WEATHER CHANNEL\Framework\Components\{90B9F4E5-6F3C-477e-841B-797A53500F73}
HKEY_LOCAL_MACHINE\SOFTWARE\THE WEATHER CHANNEL\Framework
HKEY_LOCAL_MACHINE\SOFTWARE\THE WEATHER CHANNEL\Framework
HKEY_LOCAL_MACHINE\SOFTWARE\THE WEATHER CHANNEL\Framework
HKEY_LOCAL_MACHINE\SOFTWARE\THE WEATHER CHANNEL\Framework

#12 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 20 November 2007 - 05:39 PM

Rescan with Spyware Doctor, post the report when it's done please.

#13 whatdidistepin
  • Topic Starter

  • Members
  • 10 posts

Posted 20 November 2007 - 06:09 PM

Hello Richie_UK,

Here are the latest Spyware Doctor results:

-1 @ Trojan.Virtumonde (system restore file)
-1 @ Trojan-PWS.Tanspy (registry)
-2 @ Adware.Hotbar (registry)
-2 @ Trojan-Downloader.Conhook (registry)

Thanks!

#14 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 21 November 2007 - 05:29 AM

Hmmm, not sure what to make of those results, try the following:
Download the trial version of Spy Sweeper:
http://www.webroot.com/shoppingcart/tryme....&vcode=DT14

Install it using the Standard Install option.
You will be asked for your e-mail address, it's safe to give it.
If you receive alerts from your firewall, allow all activities for Spy Sweeper.

You will be prompted to check for updated definitions, please do so, this may take several minutes so please be patient.

Once the updates have been installed, click on 'Options' and check/enable 'Full Sweep [Recommended]'.
Click on 'Sweep', then 'Start Full Sweep' and allow it to fully scan your system.

When the sweep has finished, click 'Select All' and then click 'Quarantine Selected'.
Under the 'Summary' tab, select 'View Session Log'.
Click 'Save to File' and save the log to your desktop.

Exit Spy Sweeper.
Restart your pc, then copy and paste the SpySweeper log into your next reply.

#15 whatdidistepin
  • Topic Starter

  • Members
  • 10 posts

Posted 21 November 2007 - 09:49 AM

Hi RichieUK

Here is the SpySweeper log...

6:46 AM: Removal process completed. Elapsed time 00:00:48
6:45 AM: Quarantining All Traces: hotbar/zango
6:45 AM: Quarantining All Traces: Mal/Behav-010
6:45 AM: Quarantining All Traces: virtumonde
6:45 AM: Removal process initiated
6:42 AM: Traces Found: 30
6:42 AM: Full Sweep has completed. Elapsed time 00:52:06
6:42 AM: File Sweep Complete, Elapsed Time: 00:48:14
6:35 AM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\wildtangent4.zip]
6:35 AM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\wildtangent2.zip]
6:30 AM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\zangoantispambar.zip]
6:26 AM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\microsoftwindowssecuritycenterantivirusdisablenotify.zip]
6:26 AM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\virtumonde3.zip]
6:26 AM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\virtumonde4.zip]
6:26 AM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\virtumonde.zip]
6:26 AM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\virtumonde5.zip]
6:26 AM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\virtumonde1.zip]
6:26 AM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\virtumonde2.zip]
6:26 AM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\wildtangent6.zip]
6:26 AM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\wildtangent7.zip]
6:26 AM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\wildtangent1.zip]
6:26 AM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\wildtangent8.zip]
6:26 AM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\wildtangent9.zip]
6:26 AM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\zangoantispambar1.zip]
6:26 AM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\wildtangent.zip]
6:26 AM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\wildtangent5.zip]
6:26 AM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\wildtangent3.zip]
6:26 AM: Warning: SweepDirectories: Cannot find directory "j:". This directory was not added to the list of paths to be scanned.
6:26 AM: Warning: SweepDirectories: Cannot find directory "i:". This directory was not added to the list of paths to be scanned.
6:26 AM: Warning: SweepDirectories: Cannot find directory "h:". This directory was not added to the list of paths to be scanned.
6:26 AM: Warning: SweepDirectories: Cannot find directory "g:". This directory was not added to the list of paths to be scanned.
6:26 AM: Warning: SweepDirectories: Cannot find directory "e:". This directory was not added to the list of paths to be scanned.
6:19 AM: d:\i386\apps\app01856\src\install\worldwide-compaq\games\wheeloffortune-setup.exe (ID = 0)
6:19 AM: d:\i386\apps\app01856\src\install\worldwide-compaq\games\jeopardy-setup.exe (ID = 0)
6:19 AM: Found Mal/Behav-010: Mal/Behav-010
6:18 AM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms069724b6-f6f7-4f53-8ead-2361957be72d.tmp]
6:18 AM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsa4dcd6b5-80f6-4955-b1d2-03e347a1b66a.tmp]
6:18 AM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms658bf944-23d5-4935-869d-eff75ca7668f.tmp]
6:18 AM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms7f578185-f83a-422a-affc-3b76d22b9343.tmp]
6:18 AM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmse75496b5-f640-4a89-b815-38a4c251cabf.tmp]
6:18 AM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms3a39997d-213b-41a7-8863-7d3fb5f5f3a2.tmp]
6:18 AM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms276ef9a9-2db5-4143-bf08-2dc33aee0318.tmp]
6:18 AM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms69df51fe-02c5-4d25-a9f2-1d07bd28ebf7.tmp]
6:18 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms069724b6-f6f7-4f53-8ead-2361957be72d.tmp". The operation completed successfully
6:18 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsa4dcd6b5-80f6-4955-b1d2-03e347a1b66a.tmp". The operation completed successfully
6:18 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms658bf944-23d5-4935-869d-eff75ca7668f.tmp". The operation completed successfully
6:18 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms7f578185-f83a-422a-affc-3b76d22b9343.tmp". The operation completed successfully
6:18 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmse75496b5-f640-4a89-b815-38a4c251cabf.tmp". The operation completed successfully
6:18 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms3a39997d-213b-41a7-8863-7d3fb5f5f3a2.tmp". The operation completed successfully
6:18 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms276ef9a9-2db5-4143-bf08-2dc33aee0318.tmp". The operation completed successfully
6:18 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms69df51fe-02c5-4d25-a9f2-1d07bd28ebf7.tmp". The operation completed successfully
6:17 AM: Warning: AntiVirus engine for IFO returned [Error Code DFFBFDF0] on [c:\windows\system32\config\security]
6:17 AM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\windows\system32\config\default]
6:16 AM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\compaq_administrator\ntuser.dat]
6:16 AM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\ntuser.dat]
6:16 AM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\networkservice\ntuser.dat]
6:16 AM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\windows\system32\config\software]
6:16 AM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\windows\system32\config\system]
6:16 AM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms87562fac-d382-46cd-a32c-c3b8a48f3786.tmp]
6:16 AM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsa227cf99-7985-4810-b2a0-88dc7277ffef.tmp]
6:15 AM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsb748a2c0-70ae-49a8-b80b-ed0801c78121.tmp]
6:15 AM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsc51125b2-566c-4ddd-8918-a00d06d91330.tmp]
6:15 AM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms73834687-c0b3-4447-8897-85b1fbd5f12a.tmp]
6:15 AM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsd0f0517a-0d87-4045-942c-aa953fa7a242.tmp]
6:13 AM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmscaea4072-4dec-4780-af7d-448ebfa8585b.tmp]
6:13 AM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\compaq_administrator\application data\superantispyware.com\superantispyware\quarantine\quarantine - 11-20-2007 - 12-57-17.sbu]
6:13 AM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\pagefile.sys]
6:13 AM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\hiberfil.sys]
6:13 AM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms4b91dfe6-16d1-411f-9803-29041380cc0c.tmp]
6:13 AM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms979dd341-849d-4493-949f-dafe47bb9d7d.tmp]
6:11 AM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmscc6b20db-a923-4e91-abd2-16e01c7f2ab2.tmp]
6:06 AM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\compaq_administrator\application data\superantispyware.com\superantispyware\quarantine\quarantine - 11-19-2007 - 07-36-25.sbu]
6:01 AM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\windows\system32\catroot2\tmp.edb]
5:58 AM: Warning: AntiVirus engine for IFO returned [Error Code DFFBFDF0] on [c:\windows\system32\config\sam]
5:56 AM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms4150d173-32a7-47d5-8ba7-bd274e544b9e.tmp]
5:54 AM: Warning: AntiVirus engine for IFO returned [Error Code DFFBFDF0] on [c:\windows\system32\config\default.log]
5:54 AM: Starting File Sweep
5:54 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
5:54 AM: Starting Cookie Sweep
5:54 AM: Registry Sweep Complete, Elapsed Time:00:00:22
5:53 AM: HKU\WRSS_Profile_S-1-5-21-93935886-1525856114-1721195877-1008\software\shoppingreport\shoppingreport\ (ID = 2390971)
5:53 AM: HKU\WRSS_Profile_S-1-5-21-93935886-1525856114-1721195877-1008\software\shoppingreport\ (ID = 2390970)
5:53 AM: HKU\WRSS_Profile_S-1-5-21-93935886-1525856114-1721195877-1008\software\microsoft\internet explorer\extensions\cmdmapping\ || {c5428486-50a0-4a02-9d20-520b59a9f9b2} (ID = 2390956)
5:53 AM: HKU\WRSS_Profile_S-1-5-21-93935886-1525856114-1721195877-1008\software\microsoft\internet explorer\extensions\cmdmapping\ || {c5428486-50a0-4a02-9d20-520b59a9f9b3} (ID = 2390955)
5:53 AM: HKU\WRSS_Profile_S-1-5-21-93935886-1525856114-1721195877-1008\software\microsoft\rdfa\ (ID = 2128564)
5:53 AM: HKU\WRSS_Profile_S-1-5-21-93935886-1525856114-1721195877-1008\software\sbtv\ (ID = 1539920)
5:53 AM: HKU\WRSS_Profile_S-1-5-21-93935886-1525856114-1721195877-1008\software\spamblockerutility\ (ID = 968537)
5:53 AM: HKU\WRSS_Profile_S-1-5-21-93935886-1525856114-1721195877-1008\software\microsoft\installer\products\d493500bd4a54ea6bc805fc9cda952c5\ (ID = 788008)
5:53 AM: HKU\WRSS_Profile_S-1-5-21-93935886-1525856114-1721195877-1008\software\microsoft\installer\features\10b0642b36134f8f914ea8e11ee5b503\ (ID = 788006)
5:53 AM: HKU\WRSS_Profile_S-1-5-21-93935886-1525856114-1721195877-1009\software\shoppingreport\shoppingreport\ (ID = 2390971)
5:53 AM: HKU\WRSS_Profile_S-1-5-21-93935886-1525856114-1721195877-1009\software\shoppingreport\ (ID = 2390970)
5:53 AM: HKU\WRSS_Profile_S-1-5-21-93935886-1525856114-1721195877-1009\software\microsoft\internet explorer\extensions\cmdmapping\ || {c5428486-50a0-4a02-9d20-520b59a9f9b2} (ID = 2390956)
5:53 AM: HKU\WRSS_Profile_S-1-5-21-93935886-1525856114-1721195877-1009\software\microsoft\internet explorer\extensions\cmdmapping\ || {c5428486-50a0-4a02-9d20-520b59a9f9b3} (ID = 2390955)
5:53 AM: HKU\WRSS_Profile_S-1-5-21-93935886-1525856114-1721195877-1009\software\microsoft\rdfa\ (ID = 2128564)
5:53 AM: HKU\WRSS_Profile_S-1-5-21-93935886-1525856114-1721195877-1009\software\sbtv\ (ID = 1539920)
5:53 AM: HKU\WRSS_Profile_S-1-5-21-93935886-1525856114-1721195877-1009\software\spamblockerutility\ (ID = 968537)
5:53 AM: HKU\WRSS_Profile_S-1-5-21-93935886-1525856114-1721195877-1009\software\microsoft\installer\products\d493500bd4a54ea6bc805fc9cda952c5\ (ID = 788008)
5:53 AM: HKU\WRSS_Profile_S-1-5-21-93935886-1525856114-1721195877-1009\software\microsoft\installer\features\10b0642b36134f8f914ea8e11ee5b503\ (ID = 788006)
5:53 AM: HKU\WRSS_Profile_S-1-5-21-93935886-1525856114-1721195877-1010\software\shoppingreport\shoppingreport\ (ID = 2390971)
5:53 AM: HKU\WRSS_Profile_S-1-5-21-93935886-1525856114-1721195877-1010\software\shoppingreport\ (ID = 2390970)
5:53 AM: HKU\WRSS_Profile_S-1-5-21-93935886-1525856114-1721195877-1010\software\microsoft\internet explorer\extensions\cmdmapping\ || {c5428486-50a0-4a02-9d20-520b59a9f9b2} (ID = 2390956)
5:53 AM: HKU\WRSS_Profile_S-1-5-21-93935886-1525856114-1721195877-1010\software\microsoft\internet explorer\extensions\cmdmapping\ || {c5428486-50a0-4a02-9d20-520b59a9f9b3} (ID = 2390955)
5:53 AM: HKU\WRSS_Profile_S-1-5-21-93935886-1525856114-1721195877-1010\software\microsoft\rdfa\ (ID = 2128564)
5:53 AM: Found Adware: virtumonde
5:53 AM: HKU\WRSS_Profile_S-1-5-21-93935886-1525856114-1721195877-1010\software\sbtv\ (ID = 1539920)
5:53 AM: HKU\WRSS_Profile_S-1-5-21-93935886-1525856114-1721195877-1010\software\spamblockerutility\ (ID = 968537)
5:53 AM: HKU\WRSS_Profile_S-1-5-21-93935886-1525856114-1721195877-1010\software\microsoft\installer\products\d493500bd4a54ea6bc805fc9cda952c5\ (ID = 788008)
5:53 AM: HKU\WRSS_Profile_S-1-5-21-93935886-1525856114-1721195877-1010\software\microsoft\installer\features\10b0642b36134f8f914ea8e11ee5b503\ (ID = 788006)
5:53 AM: HKLM\software\microsoft\windows\currentversion\internet settings\5.0\user agent\post platform\ || spamblockerutility 4.8.4 (ID = 1927623)
5:53 AM: Found Adware: hotbar/zango
5:53 AM: Starting Registry Sweep
5:53 AM: Memory Sweep Complete, Elapsed Time: 00:03:21
5:50 AM: Starting Memory Sweep
5:50 AM: Start Full Sweep
5:50 AM: Sweep initiated using definitions version 1035
5:49 AM: Your definitions are up to date.
Keylogger: Off
E-mail Attachment: On
5:49 AM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
5:49 AM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: Off
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
5:49 AM: Shield States
5:49 AM: License Check Status (0): Success
5:49 AM: Spyware Definitions: 1035
5:49 AM: Informational: Loaded AntiVirus Engine: 2.51.0; SDK Version: 4.23E; Virus Definitions: 11/21/2007 11:13:44 AM (GMT)
5:48 AM: Spy Sweeper 5.5.7.103 started
5:48 AM: Spy Sweeper 5.5.7.103 started
5:48 AM: | Start of Session, Wednesday, November 21, 2007 |
***************
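A small triage script for a Spy Sweeper session log of the kind posted above, added here as a worked example; it is not part of the thread and not Webroot's own tooling. It assumes the log layout visible in the post (newest line first, `Found <kind>: <name>` lines, registry hits written as `HKU\WRSS_Profile_<SID>\<key> (ID = n)` or `HKLM\<key> || <value> (ID = n)`, and engine warnings written as `Warning: AntiVirus engine for ... returned [status] on [path]`). The sample lines inside the script are constructed, with invented SIDs and paths. Two things it makes visible that are easy to miss when reading the raw log: the same signature IDs recur under several user SIDs, so any cleanup has to be run for every profile on the box, and most "Access Denied" / "Error Code" warnings are on files Windows keeps locked (pagefile.sys, hiberfil.sys, the hives under system32\config) or on another scanner's quarantine and temp files, which say nothing about infection. The script puts those in their own buckets so that only the remaining warnings need a second look.

```python
import re
from collections import defaultdict

# Constructed sample in the Spy Sweeper session-log format (newest line first).
# The SIDs, paths and numeric IDs are invented for illustration (assumption).
SAMPLE_LOG = r"""6:13 AM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\owner\application data\superantispyware.com\superantispyware\quarantine\quarantine - 11-20-2007 - 12-57-17.sbu]
6:13 AM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\pagefile.sys]
6:13 AM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\hiberfil.sys]
6:01 AM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\program files\example\unscanned.dll]
5:58 AM: Warning: AntiVirus engine for IFO returned [Error Code DFFBFDF0] on [c:\windows\system32\config\sam]
5:54 AM: Starting File Sweep
5:54 AM: Registry Sweep Complete, Elapsed Time:00:00:22
5:53 AM: HKU\WRSS_Profile_S-1-5-21-111-222-333-1008\software\shoppingreport\ (ID = 2390970)
5:53 AM: HKU\WRSS_Profile_S-1-5-21-111-222-333-1009\software\shoppingreport\ (ID = 2390970)
5:53 AM: HKU\WRSS_Profile_S-1-5-21-111-222-333-1010\software\shoppingreport\ (ID = 2390970)
5:53 AM: Found Adware: virtumonde
5:53 AM: HKU\WRSS_Profile_S-1-5-21-111-222-333-1010\software\sbtv\ (ID = 1539920)
5:53 AM: HKLM\software\microsoft\windows\currentversion\internet settings\5.0\user agent\post platform\ || spamblockerutility 4.8.4 (ID = 1927623)
5:53 AM: Found Adware: hotbar/zango
5:53 AM: Starting Registry Sweep
5:50 AM: Start Full Sweep
"""

LINE_RE = re.compile(r"^(?P<time>\d{1,2}:\d{2} [AP]M): (?P<msg>.*)$")
FOUND_RE = re.compile(r"^Found (?P<kind>[A-Za-z ]+): (?P<name>.+)$")
REG_RE = re.compile(
    r"^(?P<hive>HKLM|HKU|HKCU|HKCR)\\(?P<key>.+?)(?: \|\| (?P<value>.+?))? \(ID = (?P<id>\d+)\)$"
)
# Spy Sweeper mounts each user's hive as HKU\WRSS_Profile_<SID>\...
SID_RE = re.compile(r"^WRSS_Profile_(?P<sid>S-1-5-21(?:-\d+)+)\\(?P<rest>.*)$")
WARN_RE = re.compile(
    r"^Warning: AntiVirus engine for \w+ returned \[(?P<status>[^\]]*)\] on \[(?P<path>[^\]]*)\]$"
)

# Paths the OS itself keeps locked while Windows is running: a scanner cannot
# open them, so an error here is expected and is not a detection.
OS_LOCKED = ("\\pagefile.sys", "\\hiberfil.sys", "\\windows\\system32\\config\\", "\\catroot2\\")
# Another product's quarantine or temp store: encrypted or locked by design.
SCANNER_STORES = ("\\quarantine\\", "\\spy sweeper\\temp\\")


def classify_warning(path):
    """Bucket an engine warning by what the path is, not by the error text."""
    p = path.lower()
    if any(marker in p for marker in OS_LOCKED):
        return "os-locked"
    if any(marker in p for marker in SCANNER_STORES):
        return "other-scanner-store"
    return "needs-review"


def parse_log(log_text):
    """Return (time, message) pairs in chronological order; the file is newest-first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["time"], m["msg"]))
    events.reverse()
    return events


def triage(log_text):
    """Group registry hits by signature ID and by the profile (SID) they live in,
    list the families the scanner announced, and bucket the engine warnings."""
    found, by_id, warnings = [], {}, defaultdict(list)
    for _, msg in parse_log(log_text):
        if (m := FOUND_RE.match(msg)):
            found.append((m["kind"], m["name"]))
        elif (m := REG_RE.match(msg)):
            scope, key = m["hive"], m["key"]
            if m["hive"] == "HKU" and (s := SID_RE.match(key)):
                scope, key = s["sid"], s["rest"]   # per-user hit: record which profile
            entry = by_id.setdefault(int(m["id"]), {"key": key, "value": m["value"], "scopes": []})
            if scope not in entry["scopes"]:
                entry["scopes"].append(scope)
        elif (m := WARN_RE.match(msg)):
            warnings[classify_warning(m["path"])].append((m["status"], m["path"]))
    return {"found": found, "by_id": by_id, "warnings": dict(warnings)}


def profiles_hit(report):
    """Every user SID that has at least one registry hit; cleanup must cover all of them."""
    return sorted({s for e in report["by_id"].values() for s in e["scopes"] if s.startswith("S-")})


def summarize(report):
    lines = ["found: " + ", ".join(name for _, name in report["found"])]
    for sig_id, e in sorted(report["by_id"].items()):
        val = f" || {e['value']}" if e["value"] else ""
        lines.append(f"ID {sig_id}: {e['key']}{val}  [{', '.join(e['scopes'])}]")
    lines.append("profiles with hits: " + ", ".join(profiles_hit(report)))
    for bucket, items in sorted(report["warnings"].items()):
        lines.append(f"warnings {bucket}: {len(items)}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE_LOG))))
```

To run it on a real log, paste the session (or the whole sweep log exported from Spy Sweeper) into a file and call `triage(open(path).read())`; the "needs-review" bucket is the only one worth chasing, and anything in "by_id" that lists more than one SID has to be cleaned once per profile, which is one reason a scan from a single account can keep coming back "infected".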