Hijack This Log


22 replies to this topic

#1 Kaari

Kaari

  • Members
  • 21 posts
  • Local time:09:35 AM

Posted 24 February 2008 - 03:37 AM

Hi,

Here's the new HijackThis log. I have run it with IE and FF on; I don't know if that is right or not.

I have McAfee as firewall and antivirus, and I have Kaspersky as a secondary checker.
I have installed Ad-Aware, although it has some problem ("access violation at address 005CBF8C..."), Spy Hunter, Spybot and HijackThis.
I ran HouseCall with nothing found.
I had a reg. file sent from Spy Hunter that I ran in safe mode, which I think got rid of the pop-ups. But I still get 21 Skype help tabs that open every time I open IE. Nothing in FF.
Kaspersky shows that I still have adware (Agent.zm, Vapsup.awu, BHO.ww and Wimad.I) but it can't disinfect it; it deletes it and puts it in its backup. I don't know if it is OK to delete that backup or not, so I have released them back into the computer, mainly to see if any of the spyware programs pick them up, which they have not.

Looking at the log I found something new, "winnit.exe", that doesn't look good. I so need your help.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:27:21, on 24/02/2008
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\Explorer.EXE
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\System32\mobsync.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Enigma Software Group\SpyHunter\SHService.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\McAfee\MSK\mskagent.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9e.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sofielyr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [MskAgentexe] "C:\Program Files\McAfee\MSK\MskAgent.exe"
O4 - HKLM\..\Run: [dscactivate] "c:\dell\dsca.exe" 3
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6253\SiteAdv.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files\PowerISO\PWRISOVM.EXE"
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" -startup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [SpyHunter Security Suite] "C:\Program Files\Enigma Software Group\SpyHunter\SHStartup.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKCU\..\Run: [PcSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P7 /q C:\Users\Sofie\AppData\Local\Temp\HSPERF~1.SH! (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P7 /q C:\Users\Sofie\AppData\Local\Temp\HSPERF~1.SH! (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix: 
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
O23 - Service: McAfee Application Installer Cleanup (0300001203841469) (0300001203841469mcinstcleanup) - McAfee, Inc. - C:\Windows\TEMP\030000~1.EXE
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: SpyHunter3 Service - Enigma Software Group, Inc. - C:\Program Files\Enigma Software Group\SpyHunter\SHService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 13660 bytes
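
As an added example (not part of Kaari's post, of HijackThis itself, or of anything the helpers in this thread provided), the following Python script shows how a responder can do a first triage pass over HJT v2 log lines like the ones above: it flags a non-default IE start page (R0/R1), every DLL listed under AppInit_DLLs (O20), services whose binary lives under \Windows\TEMP or whose owner HJT could not read (O23), and any process under system32 whose name is one edit away from a core Windows binary. The sample lines are copied from the log above, except the winnit.exe process line, which is constructed to show what a look-alike would trigger (the real log lists the legitimate wininit.exe). Everything it flags is a review item, not a verdict: the cleanup service in TEMP belongs to the installed McAfee suite and r3hook.dll to Kaspersky, and the script cannot know that on its own.

```python
import re

# Core Windows Vista processes that HJT normally lists from \Windows\system32.
CORE_SYSTEM_PROCESSES = {
    "smss.exe", "csrss.exe", "wininit.exe", "services.exe", "lsass.exe",
    "lsm.exe", "winlogon.exe", "svchost.exe", "spoolsv.exe", "taskeng.exe",
    "dwm.exe", "explorer.exe", "searchindexer.exe", "slsvc.exe",
}

# Prefix HJT shows for an unmodified IE7 start/search page.
DEFAULT_IE_URL = "http://go.microsoft.com/fwlink/"

# Sample input: lines copied from the posted log, except the line marked
# CONSTRUCTED, a hypothetical look-alike added to exercise the name check.
SAMPLE_LOG = [
    "Running processes:",
    r"C:\Windows\System32\smss.exe",
    r"C:\Windows\system32\wininit.exe",
    r"C:\Windows\system32\winnit.exe",  # CONSTRUCTED: one letter short of wininit.exe
    r"C:\Windows\system32\svchost.exe",
    r"C:\Program Files\LimeWire\LimeWire.exe",
    "",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sofielyr.com/",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157",
    r'O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide',
    r"O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll",
    r"O23 - Service: McAfee Application Installer Cleanup (0300001203841469) (0300001203841469mcinstcleanup) - McAfee, Inc. - C:\Windows\TEMP\030000~1.EXE",
    r"O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe",
    r"O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe",
]

# HJT entry lines look like "O23 - ..." / "R0 - ..."; process lines do not.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")


def edit_distance(a, b):
    """Levenshtein distance, used to catch typosquatted process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name):
    """Return the core binary `name` imitates, or None if it is known or unrelated."""
    if name in CORE_SYSTEM_PROCESSES:
        return None
    for known in sorted(CORE_SYSTEM_PROCESSES):
        if edit_distance(name, known) == 1:
            return known
    return None


def triage(lines):
    """Return (category, detail, line) findings for HJT v2 log lines."""
    findings = []
    in_processes = False
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        entry = ENTRY_RE.match(line)
        if entry is None:
            # Still inside the process list: check system32 names for look-alikes.
            if in_processes and "\\system32\\" in line.lower():
                name = line.rsplit("\\", 1)[-1].lower()
                known = lookalike_of(name)
                if known:
                    findings.append(("lookalike_process", f"{name} ~ {known}", line))
            continue
        in_processes = False
        kind, body = entry.group("kind"), entry.group("body")
        if kind in ("R0", "R1") and "Start Page" in body:
            parts = body.split("=", 1)
            url = parts[1].strip() if len(parts) > 1 else ""
            if url and not url.startswith(DEFAULT_IE_URL):
                findings.append(("nondefault_start_page", url, line))
        elif kind == "O20" and body.startswith("AppInit_DLLs:"):
            # Each DLL here is loaded into every process that links user32.dll.
            for dll in body.split(":", 1)[1].split(","):
                if dll.strip():
                    findings.append(("appinit_dll", dll.strip(), line))
        elif kind == "O23":
            path = body.rsplit(" - ", 1)[-1]
            if "unknown owner" in body.lower():
                findings.append(("service_unknown_owner", path, line))
            if "\\temp\\" in path.lower():
                findings.append(("service_in_temp", path, line))
    return findings


if __name__ == "__main__":
    for category, detail, _line in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```

Running it on the sample prints one finding per flagged item, in log order. Note the limit of the name check: it uses plain Levenshtein distance, so a swapped pair of letters (for example a hypothetical "scvhost.exe") counts as two edits and is not flagged; a Damerau variant that treats a transposition as one edit would catch that as well.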



#2 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg
  • Local time:03:35 PM

Posted 07 March 2008 - 02:03 PM

Hello Kaari and welcome to BleepingComputer!

Apologies for the delay. The forum has been very busy lately. If you are still having problems, then please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic: Preparation Guide For Use Before Posting A Hijackthis Log. Please also post the problems you are having.

When posting your log, please make sure you post the HijackThis log as a reply and not as an attachment. If we do not hear back from you within a couple of days we will need to close your topic.

Thanks,

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#3 Kaari

Kaari
  • Topic Starter

  • Members
  • 21 posts
  • Local time:09:35 AM

Posted 09 March 2008 - 03:09 PM

Hello Kaari and welcome to BleepingComputer!

Apologies for the delay. The forum has been very busy lately. If you are still having problems, then please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic: Preparation Guide For Use Before Posting A Hijackthis Log. Please also post the problems you are having.

When posting your log, please make sure you post the HijackThis log as a reply and not as an attachment. If we do not hear back from you within a couple of days we will need to close your topic.

Thanks,

Johannes

Hi Johannes.

I have made a new log after doing the steps I could in the prep guide. I still have the same problems as before, with lots of Skype tabs opening in IE. I get temp files in My Documents and a very sluggish computer, which should run quickly as it has good capacity. Unfortunately I can't run Ad-Aware, for the same reason as mentioned above, and my internet connection is too slow for HouseCall.

I know it looks really messy, sorry.

And thank you very much for taking the time to look at the log!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:00:15, on 09/03/2008
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Enigma Software Group\SpyHunter\SHService.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\McAfee\MSK\mskagent.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Mail\WinMail.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sofielyr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [MskAgentexe] "C:\Program Files\McAfee\MSK\MskAgent.exe"
O4 - HKLM\..\Run: [dscactivate] "c:\dell\dsca.exe" 3
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6253\SiteAdv.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files\PowerISO\PWRISOVM.EXE"
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" -startup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [SpyHunter Security Suite] "C:\Program Files\Enigma Software Group\SpyHunter\SHStartup.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKCU\..\Run: [PcSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P7 /q C:\Users\Sofie\AppData\Local\Temp\HSPERF~1.SH! (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P7 /q C:\Users\Sofie\AppData\Local\Temp\HSPERF~1.SH! (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix: 
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
O23 - Service: McAfee Application Installer Cleanup (0112421205059917) (0112421205059917mcinstcleanup) - McAfee, Inc. - C:\Windows\TEMP\011242~1.EXE
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: SpyHunter3 Service - Enigma Software Group, Inc. - C:\Program Files\Enigma Software Group\SpyHunter\SHService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 13643 bytes


#4 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg
  • Local time:03:35 PM

Posted 10 March 2008 - 02:02 PM

Hey Kaari,

Please note that comments are made in green, links are in red, important things are outlined by using the blue color and the numbered steps I would like you to follow are outlined with orange.

Please also take note of the following:
  • I will start working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
Your log(s) show that you are using so called peer-to-peer or file-sharing programmes (in your case LimeWire). These programmes allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they should thus be used with great care. Some further readings on this subject, via the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries around the world, and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (e.g. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

SpyHunter has a history of rogue behaviour. Please refer to these links for further detail [1] & [2]. I therefore suggest you remove this programme.

Please note that you are infected with a trojan (Winad-I) or a Backdoor (Backdoor.Agent.ZM).

Due to the status of some of the files you have on your computer, I strongly recommend that you do the following immediately:
  • Disconnect the infected computer from the internet until the computer can be cleaned.
  • From a clean computer, change your online passwords-- for email, for banks, eBay, forums etc.... (Do not change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information).
Though the Trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised, and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.

Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall?

However, since the infection looks relatively small from first sight, I am happy to try and clean your PC (I am just providing you with the above information to underline the impact that can occur with files like these on your pc).

Should you have any questions, please feel free to ask.

Now, on to the fix.

Step #1

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 5...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u5-windows-i586-p.exe to install the newest version.
Step #2

Please download ComboFix from here and save it to your Desktop.

When done downloading, please print out and follow these instructions: "How to download and use ComboFix"
If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive.
  • When you have completed the ComboFix instructions, copy and paste the contents of C:\ComboFix.txt in your next reply.
  • When done, be sure to re-enable your anti-virus and other security programs.

Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.

Step #3

Once you have done this please create an uninstall list:
  • Start HiJackThis
  • Press 'Config'
  • Press 'Misc Tools'
  • Press 'Open Uninstall Manager'
  • Press 'Save List'
  • Save the log to a convenient location
Step #4

Please post back with a fresh HijackThis log, the ComboFix log and the Uninstall list. Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -

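The post above asks for a HijackThis log so the helper can triage it by eye. The following is an added example, not part of this thread and not code from the HijackThis or ComboFix tools: a small Python script that applies the mechanical checks a malware-removal helper makes on O2/O4/O20/O23 lines, namely orphaned "(no file)" entries, services with no publisher string, AppInit_DLLs injection, autostarts running from a user-profile or temp directory, and the tmpXXXX.tmp.exe file names that ComboFix removed in this thread. The sample lines are constructed, modelled on the log posted later in the thread; the O4 line naming tmp177b.tmp.exe is hypothetical and exists only to exercise the user-profile and temp-name rules. The reason codes and the directory list are assumptions of this example, not HijackThis output.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code)."""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Constructed sample: lines modelled on the HijackThis log in this thread, plus
# one hypothetical O4 line pointing at a tmpXXXX.tmp.exe file under C:\Users so
# that the user-profile and temp-name rules have something to fire on.
SAMPLE_LOG = r"""
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" -boot
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - HKCU\..\Run: [tmp177b] C:\Users\Sofie\tmp177b.tmp.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
"""

HJT_LINE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# First Windows path in the line that ends in an executable-style extension.
WIN_PATH = re.compile(r'[A-Za-z]:\\(?:[^"\\\r\n]+\\)*[^"\\\r\n]+?\.(?:exe|dll|sys|ocx)', re.I)
# Names like tmp177b.tmp.exe (the files ComboFix removed from C:\Users\Sofie).
TEMP_NAME = re.compile(r"^tmp[0-9a-f]{4}\.tmp\.exe$", re.I)
# Directory names that legitimate autostarts and services rarely live under (assumed list).
USER_PROFILE_DIRS = {"users", "documents and settings", "appdata", "temp", "tmp"}
# HijackThis sections that describe something loaded at boot/logon or into other processes.
AUTOSTART_SECTIONS = {"O2", "O3", "O4", "O20", "O21", "O22", "O23"}


def triage_line(line: str) -> list[str]:
    """Return reason codes for one HijackThis line; an empty list means nothing was flagged."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return []
    section, body = m.groups()
    reasons: list[str] = []
    if "(no file)" in body:
        reasons.append("missing-file")           # stale entry whose target is gone
    if section == "O23" and "Unknown owner" in body:
        reasons.append("unknown-owner")          # no publisher string: verify the binary by hand
    if section == "O20":
        reasons.append("appinit-dll")            # DLL injected into every process that loads user32
    pm = WIN_PATH.search(body)
    if pm and section in AUTOSTART_SECTIONS:
        path = PureWindowsPath(pm.group(0))
        dirs = {p.lower() for p in path.parts[:-1]}
        if dirs & USER_PROFILE_DIRS:
            reasons.append("user-profile-path")  # autostart outside Program Files / Windows
        if TEMP_NAME.match(path.name):
            reasons.append("temp-style-name")    # installer-style temp name living permanently
    return reasons


def triage_log(text: str) -> list[tuple[str, list[str]]]:
    """Run triage_line over a whole log and return only the flagged lines with their reasons."""
    flagged = []
    for raw in text.splitlines():
        reasons = triage_line(raw)
        if reasons:
            flagged.append((raw.strip(), reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG):
        print(", ".join(reasons).ljust(34), entry)
```

The checks only narrow the list; a flagged line still needs the file's signature, hash and vendor looked up, and a clean line is not proof of a clean machine, which is the same point the helper makes about the absence of symptoms.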

#5 Kaari

Kaari
  • Topic Starter

  • Members
  • 21 posts
  • Local time:09:35 AM

Posted 11 March 2008 - 11:56 AM

Hi Johannes,
I completed Step 1 (update Java), but have not been able to start my computer in Windows Recovery Environment. I am using Vista, and have an OEM install; it seems I am not able to boot from the OS discs supplied with the PC. When pressing F8 during boot I get the following options:
Repair Your Computer
Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt
Enable boot logging
Enable lo-res video
Last known good config
Directory services restore mode
Debugging mode
Disable auto restart on system failure
Disable driver signature enforcement
Start Windows normally

I tried selecting "Repair your computer" and got the "System recovery options" screen, but when opening a command prompt here I am unable to see the desktop, so I cannot start ComboFix.

Any ideas???

Thanks for all the help.

Kaari

#6 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg
  • Local time:03:35 PM

Posted 11 March 2008 - 12:36 PM

Hey Kaari,

Do not worry about the recovery bit yet. Just make sure you disable your security software as described above, give ComboFix a "whirl" and have it run. Once it's done, post the log along with the other requested logs and we will go from there.

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#7 Kaari

Kaari
  • Topic Starter

  • Members
  • 21 posts
  • Local time:09:35 AM

Posted 11 March 2008 - 04:52 PM

Hi again,

Here's the combofix log...


ComboFix 08-03-10.1 - Sofie 2008-03-11 22:41:46.1 - NTFSx86
Microsoft® Windows Vista™ Business   6.0.6000.0.1252.1.1033.18.2249 [GMT 1:00]
Running from: C:\Users\Sofie\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Dcads Advanced Toolbar
C:\Users\Sofie\AppData\Roaming\urlredir.cfg
C:\Windows\system32\dcads_sidebar.dll
C:\Windows\system32\dcads_sidebar_uninstall.exe
C:\Windows\system32\x64
I	C:\Users\Sofie\tmp177b.tmp.exe
I	C:\Users\Sofie\tmp63d0.tmp.exe
I	C:\Users\Sofie\tmp658a.tmp.exe
I	C:\Users\Sofie\tmpa637.tmp.exe
I	C:\Users\Sofie\tmpab94.tmp.exe
I	C:\Users\Sofie\tmpb726.tmp.exe
I	C:\Users\Sofie\tmpe6ca.tmp.exe

.
(((((((((((((((((((((((((   Files Created from 2008-02-11 to 2008-03-11  )))))))))))))))))))))))))))))))
.

2008-03-10 21:59 . 2008-03-10 21:59	<DIR>	d--------	C:\Program Files\Common Files\Java
2008-03-10 09:54 . 2008-03-10 09:54	<DIR>	d--------	C:\Program Files\Common Files\Canon
2008-03-10 09:54 . 2008-03-10 11:31	<DIR>	d--------	C:\Program Files\Canon
2008-02-23 22:31 . 2008-02-23 22:31	<DIR>	d--------	C:\Program Files\Uniblue
2008-02-23 10:52 . 2008-02-23 10:52	<DIR>	d--------	C:\Program Files\Lavasoft
2008-02-23 10:51 . 2008-02-23 10:51	<DIR>	d--------	C:\Program Files\Common Files\Wise Installation Wizard
2008-02-22 15:09 . 2008-02-22 15:09	<DIR>	d--------	C:\Program Files\Trend Micro
2008-02-21 21:19 . 2008-02-21 21:20	192,255,410	--a------	C:\Windows\System32\registry080221.reg
2008-02-21 20:57 . 2008-02-21 21:02	<DIR>	d--------	C:\Program Files\SpywareBlaster
2008-02-21 20:57 . 2005-08-25 18:19	115,920	--a------	C:\Windows\System32\MSINET.OCX
2008-02-20 22:22 . 2008-02-21 20:51	221,184	--a------	C:\Users\Sofie\nsbrowseropt.dll
2008-02-20 22:21 . 2008-02-21 20:51	294,912	--a------	C:\Users\Sofie\iebrowserc.dll
2008-02-20 19:17 . 2008-02-20 19:19	<DIR>	d--------	C:\Users\All Users\Lavasoft
2008-02-20 19:17 . 2008-02-20 19:19	<DIR>	d--------	C:\ProgramData\Lavasoft
2008-02-20 18:29 . 2008-02-20 18:47	<DIR>	d--------	C:\Users\All Users\Spybot - Search & Destroy
2008-02-20 18:29 . 2008-02-20 18:47	<DIR>	d--------	C:\ProgramData\Spybot - Search & Destroy
2008-02-20 18:29 . 2008-02-20 18:29	<DIR>	d--------	C:\Program Files\Spybot - Search & Destroy
2008-02-15 16:08 . 2008-03-04 20:34	<DIR>	d-a------	C:\Users\Sofie\New Folder
2008-02-14 17:12 . 2008-02-14 17:12	0	--ah-----	C:\ProgramData.LOG2
2008-02-14 17:12 . 2008-02-14 17:12	0	--ah-----	C:\ProgramData.LOG1
2008-02-14 16:34 . 2008-02-14 16:34	<DIR>	d--------	C:\Program Files\Enigma Software Group
2008-02-13 03:13 . 2008-02-13 03:13	194,560	--a------	C:\Windows\System32\WebClnt.dll
2008-02-13 03:13 . 2008-02-13 03:13	110,080	--a------	C:\Windows\System32\drivers\mrxdav.sys
2008-02-13 03:10 . 2008-02-13 03:10	595,456	--a------	C:\Windows\System32\schedsvc.dll
2008-02-13 03:06 . 2008-02-13 03:06	3,504,696	--a------	C:\Windows\System32\ntkrnlpa.exe
2008-02-13 03:06 . 2008-02-13 03:06	3,470,392	--a------	C:\Windows\System32\ntoskrnl.exe
2008-02-13 03:06 . 2008-02-13 03:06	154,624	--a------	C:\Windows\System32\drivers\nwifi.sys
2008-02-13 03:06 . 2008-02-13 03:06	110,136	--a------	C:\Windows\System32\drivers\ataport.sys
2008-02-13 03:06 . 2008-02-13 03:06	45,112	--a------	C:\Windows\System32\drivers\pciidex.sys
2008-02-13 03:06 . 2008-02-13 03:06	21,560	--a------	C:\Windows\System32\drivers\atapi.sys
2008-02-13 03:06 . 2008-02-13 03:06	15,928	--a------	C:\Windows\System32\drivers\pciide.sys
2008-02-13 03:05 . 2008-02-13 03:05	4,247,552	--a------	C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-13 03:05 . 2008-02-13 03:05	1,686,528	--a------	C:\Windows\System32\gameux.dll
2008-02-13 03:05 . 2008-02-13 03:05	803,328	--a------	C:\Windows\System32\drivers\tcpip.sys
2008-02-13 03:05 . 2008-02-13 03:05	216,632	--a------	C:\Windows\System32\drivers\netio.sys
2008-02-13 03:05 . 2008-02-13 03:05	167,424	--a------	C:\Windows\System32\tcpipcfg.dll
2008-02-13 03:05 . 2008-02-13 03:05	24,064	--a------	C:\Windows\System32\netcfg.exe
2008-02-13 03:05 . 2008-02-13 03:05	22,016	--a------	C:\Windows\System32\netiougc.exe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-10 21:24	---------	d-----w	C:\ProgramData\Microsoft Help
2008-03-10 21:00	---------	d-----w	C:\Program Files\Java
2008-03-10 08:58	---------	d-----w	C:\Program Files\McAfee
2008-03-03 09:56	---------	d-----w	C:\Users\Sofie\AppData\Roaming\LimeWire
2008-03-02 20:57	---------	d-----w	C:\Users\Sofie\AppData\Roaming\Skype
2008-02-21 19:51	231,678	----a-w	C:\Users\Sofie\tmp177b.tmp.exe
2008-02-20 17:48	---------	d-----w	C:\Program Files\Common Files\Adobe
2008-02-16 08:17	---------	d-----w	C:\Users\Sofie\AppData\Roaming\SiteAdvisor
2008-02-14 23:34	231,678	----a-w	C:\Users\Sofie\tmpb726.tmp.exe
2008-02-14 23:34	231,678	----a-w	C:\Users\Sofie\tmpab94.tmp.exe
2008-02-14 16:07	---------	d-----w	C:\Program Files\Google
2008-02-14 15:40	3,184	----a-w	C:\Users\Sofie\AppData\Roaming\wklnhst.dat
2008-02-13 02:05	537,600	----a-w	C:\Windows\AppPatch\AcLayers.dll
2008-02-13 02:05	449,536	----a-w	C:\Windows\AppPatch\AcSpecfc.dll
2008-02-13 02:05	2,144,256	----a-w	C:\Windows\AppPatch\AcGenral.dll
2008-02-13 02:05	173,056	----a-w	C:\Windows\AppPatch\AcXtrnal.dll
2008-02-13 02:02	824,832	----a-w	C:\Windows\System32\wininet.dll
2008-02-13 02:02	56,320	----a-w	C:\Windows\System32\iesetup.dll
2008-02-13 02:02	52,736	----a-w	C:\Windows\AppPatch\iebrshim.dll
2008-02-13 02:02	26,624	----a-w	C:\Windows\System32\ieUnatt.exe
2008-02-07 19:07	---------	d-----w	C:\Users\Sofie\AppData\Roaming\Nokia Multimedia Player
2008-02-06 08:51	171,400	----a-w	C:\Windows\system32\drivers\mfehidk.sys
2008-02-01 07:53	231,678	----a-w	C:\Users\Sofie\tmp63d0.tmp.exe
2008-01-29 19:22	217,293	----a-w	C:\Users\Sofie\tmp658a.tmp.exe
2008-01-24 23:03	154,392	----a-w	C:\Windows\System32\hkcmd.exe
2008-01-24 22:50	---------	d-----w	C:\Program Files\Kaspersky Lab
2008-01-20 19:43	231,678	----a-w	C:\Users\Sofie\tmpa637.tmp.exe
2008-01-14 20:12	---------	d-----w	C:\Users\Sofie\AppData\Roaming\Azureus
2008-01-14 18:58	---------	d-----w	C:\Program Files\MSBuild
2008-01-14 18:58	---------	d-----w	C:\Program Files\Microsoft Works
2008-01-14 18:55	---------	d-----w	C:\Program Files\Microsoft.NET
2008-01-14 18:53	---------	d-----w	C:\Program Files\Microsoft Visual Studio 8
2008-01-13 14:53	---------	d-----w	C:\Program Files\Azureus
2008-01-12 21:50	---------	d-----w	C:\Users\Sofie\AppData\Roaming\uTorrent
2008-01-12 19:52	---------	d-----w	C:\Program Files\Flash Slideshow Maker Professional
2008-01-10 16:23	11,776	----a-w	C:\Windows\System32\sbunattend.exe
2008-01-09 13:55	231,678	----a-w	C:\Users\Sofie\tmpe6ca.tmp.exe
2007-12-14 10:32	12,632	----a-w	C:\Windows\System32\lsdelete.exe
2007-12-13 02:05	1,327,104	----a-w	C:\Windows\System32\quartz.dll
2007-12-13 02:04	9,728	----a-w	C:\Windows\System32\LAPRXY.DLL
2007-12-13 02:04	223,232	----a-w	C:\Windows\System32\WMASF.DLL
2007-10-20 07:47	174	--sha-w	C:\Program Files\desktop.ini
2007-11-16 18:51	16,384	--sha-w	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-11-16 18:51	32,768	--sha-w	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-11-16 18:51	16,384	--sha-w	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 12:09 460784]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 16:21 1449984]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-10-03 09:19 1006264]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [2007-05-25 07:03 17920]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-14 10:03 4452352 C:\Windows\RtHDVCpl.exe]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 11:37 81920]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 11:22 221184]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 17:23 118784]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 17:30 152144]
"dscactivate"="c:\dell\dsca.exe" [2007-07-30 20:40 16384]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-10-03 01:47 1862144]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007-05-10 11:03 142104]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-01-25 00:03 154392]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2007-05-10 11:02 138008]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 22:57 36640]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-07 01:05 200704]
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-06-15 12:36 229376]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"DelayShred"="c:\PROGRA~1\mcafee\mshr\ShrCL.exe" [2007-01-17 18:02 95784]

C:\Users\Sofie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2007-09-17 15:19:14 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{FBC50424-954B-497C-A042-283A6742DE23}"= UDP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{4B5032E1-FEC0-4F3B-B8F8-B85C8DD95536}"= TCP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{8A474971-E181-48B9-B0D0-5715B3E03754}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{53305A07-12FD-4719-BB49-704A0365E773}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{5C814897-7282-4661-9521-BF32AE9DA0CC}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{9672F7F1-AE75-47A6-9DA9-CF135F741136}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{4162B520-C408-4517-A782-BC2390753F68}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{B61E8DD3-ADEC-44D8-B6AD-E6418AA4B5B7}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{D1E1B63E-FC27-419C-880F-972D68770EEA}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{A9D68951-AF20-427E-AB7D-320CA97F84BE}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{1369AE11-BE0C-441F-A3D3-21CEA8BFC754}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-05-28 10:51]
S3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-05-10 11:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork	REG_MULTI_SZ   	PLA DPS BFE mpssvc

*Newly Created Service* - ECACHE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {65E6362A-B878-4A7B-86DA-D16F8DBD75C7} /qb
.
Contents of the 'Scheduled Tasks' folder
"2008-02-15 00:00:03 C:\Windows\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-02-01 00:00:05 C:\Windows\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-11 22:43:13
Windows 6.0.6000  NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
Completion time: 2008-03-11 22:43:51
ComboFix-quarantined-files.txt  2008-03-11 21:43:49
.
2008-03-03 08:48:54	--- E O F ---
Here's the uninstall list
Ad-Aware 2007
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color EU Recommended Settings
Adobe Color JA Extra Settings
Adobe Color NA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe Dreamweaver CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe Illustrator CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Reader 8.1.2
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Apple Mobile Device Support
Apple Software Update
ATI Catalyst Control Center
Azureus Vuze
Browser Address Error Redirector
Canon Camera Access Library
Canon G.726 WMP-Decoder
Canon Internet Library for ZoomBrowser EX
Compact Wireless-G USB Adapter
Dell Support Center
Dell System Customization Wizard
DellSupport
Flash Slideshow Maker Pro 4.75
Google Desktop
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections 12.1.11.0
Intel(R) PRO Network Connections 12.1.11.0
iTunes
Java(TM) 6 Update 5
K-Lite Codec Pack 3.5.3 Basic
LimeWire 4.14.10
McAfee SecurityCenter
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Works
Mozilla Firefox (2.0.0.12)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
Nokia Connectivity Cable Driver
Nokia PC Connectivity Solution
Nokia PC Suite
PDF Settings
PowerDVD
PowerISO
QuickTime
Realtek High Definition Audio Driver
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
Search Assistant Dcads
Skype™ 3.5
Sonic Activation Module
Spybot - Search & Destroy
SpywareBlaster v3.5.1
Sverigejakten
Uniblue RegistryBooster 2
User's Guides
Windows Media Player Firefox Plugin
WinRAR archiver
Here's the new hijack this
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:46:22, on 11/03/2008
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\McAfee\MSK\mskagent.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Windows\system32\conime.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sofielyr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [MskAgentexe] "C:\Program Files\McAfee\MSK\MskAgent.exe"
O4 - HKLM\..\Run: [dscactivate] "c:\dell\dsca.exe" 3
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6253\SiteAdv.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files\PowerISO\PWRISOVM.EXE"
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" -startup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKCU\..\Run: [PcSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P7 /q C:\Users\Sofie\AppData\Local\Temp\HSPERF~1.SH! (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P7 /q C:\Users\Sofie\AppData\Local\Temp\HSPERF~1.SH! (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix: 
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 11029 bytes
Thank you

Edited by Kaari, 11 March 2008 - 04:56 PM.


#8 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 12 March 2008 - 02:16 PM

Hey Kaari,

The following is referring to Uniblue RegistryBooster 2.
Please be aware that bleepingcomputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your pc inoperable.
This is done on the assumption that the majority of the audience here at this board may be inexperienced users, and is thus a suggested safeguard from our side.
If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to as an "optional fix" and is up to the user, so just take this as a recommendation from my side.

Step #1
  • Open notepad and copy/paste the text in the codebox below into it:

    Folder::
    C:\Program Files\Enigma Software Group
    
    File::
    C:\Users\Sofie\nsbrowseropt.dll
    C:\Users\Sofie\iebrowserc.dll
    C:\Windows\System32\drivers\mrxdav.sys
  • Save this as CFScript.txt

    Posted Image
  • Referring to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    Note:
    Do not mouse click ComboFix's window whilst it's running. That may cause it to stall.
Step #2

Do you know this programme: Sverigejakten? If not, please remove it in the following manner:

Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Sverigejakten

Step #3

Please post back with the ComboFix log. Also, please let me know how your pc is doing.

"How did I get infected?" - "Safe-hex" - Member of UNITE -

#9 Kaari
  • Topic Starter
  • Members
  • 21 posts

Posted 12 March 2008 - 04:19 PM

Hi again,

Here's the log:
ComboFix 08-03-10.1 - Sofie 2008-03-12 21:30:52.2 - NTFSx86
Microsoft® Windows Vista™ Business   6.0.6000.0.1252.1.1033.18.2212 [GMT 1:00]
Running from: C:\Users\Sofie\Desktop\ComboFix.exe
Command switches used :: C:\Users\Sofie\Desktop\CFScript.txt
 * Created a new restore point

FILE ::
C:\Users\Sofie\iebrowserc.dll
C:\Users\Sofie\nsbrowseropt.dll
C:\Windows\System32\drivers\mrxdav.sys
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Enigma Software Group
C:\Program Files\Enigma Software Group\SpyHunter\AXList.txt
C:\Program Files\Enigma Software Group\SpyHunter\def.dat.bak
C:\Program Files\Enigma Software Group\SpyHunter\key.dat
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000000.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000001.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000002.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000003.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000004.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000005.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000006.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000007.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000008.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000009.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00000a.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00000b.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00000c.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00000d.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00000e.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00000f.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000010.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000011.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000012.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000013.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000014.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000015.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000016.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000017.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000018.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000019.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00001a.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00001b.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\rollback.dat
C:\Program Files\Enigma Software Group\SpyHunter\scan.log
C:\Program Files\Enigma Software Group\SpyHunter\spyhunter.log
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunterInstance.lock
C:\Program Files\Enigma Software Group\SpyHunter\support.log
C:\Users\Sofie\iebrowserc.dll
C:\Users\Sofie\nsbrowseropt.dll
I	C:\Users\Sofie\tmp177b.tmp.exe
I	C:\Users\Sofie\tmp63d0.tmp.exe
I	C:\Users\Sofie\tmp658a.tmp.exe
I	C:\Users\Sofie\tmpa637.tmp.exe
I	C:\Users\Sofie\tmpab94.tmp.exe
I	C:\Users\Sofie\tmpb726.tmp.exe
I	C:\Users\Sofie\tmpe6ca.tmp.exe
C:\Windows\System32\drivers\mrxdav.sys . . . . failed to delete

.
(((((((((((((((((((((((((   Files Created from 2008-02-12 to 2008-03-12  )))))))))))))))))))))))))))))))
.

2008-03-10 21:59 . 2008-03-10 21:59	<DIR>	d--------	C:\Program Files\Common Files\Java
2008-03-10 09:54 . 2008-03-10 09:54	<DIR>	d--------	C:\Program Files\Common Files\Canon
2008-03-10 09:54 . 2008-03-10 11:31	<DIR>	d--------	C:\Program Files\Canon
2008-02-23 22:31 . 2008-02-23 22:31	<DIR>	d--------	C:\Program Files\Uniblue
2008-02-23 10:52 . 2008-02-23 10:52	<DIR>	d--------	C:\Program Files\Lavasoft
2008-02-23 10:51 . 2008-02-23 10:51	<DIR>	d--------	C:\Program Files\Common Files\Wise Installation Wizard
2008-02-22 15:09 . 2008-02-22 15:09	<DIR>	d--------	C:\Program Files\Trend Micro
2008-02-21 21:19 . 2008-02-21 21:20	192,255,410	--a------	C:\Windows\System32\registry080221.reg
2008-02-21 20:57 . 2008-02-21 21:02	<DIR>	d--------	C:\Program Files\SpywareBlaster
2008-02-21 20:57 . 2005-08-25 18:19	115,920	--a------	C:\Windows\System32\MSINET.OCX
2008-02-20 19:17 . 2008-02-20 19:19	<DIR>	d--------	C:\Users\All Users\Lavasoft
2008-02-20 19:17 . 2008-02-20 19:19	<DIR>	d--------	C:\ProgramData\Lavasoft
2008-02-20 18:29 . 2008-02-20 18:47	<DIR>	d--------	C:\Users\All Users\Spybot - Search & Destroy
2008-02-20 18:29 . 2008-02-20 18:47	<DIR>	d--------	C:\ProgramData\Spybot - Search & Destroy
2008-02-20 18:29 . 2008-02-20 18:29	<DIR>	d--------	C:\Program Files\Spybot - Search & Destroy
2008-02-15 16:08 . 2008-03-04 20:34	<DIR>	d-a------	C:\Users\Sofie\New Folder
2008-02-14 17:12 . 2008-02-14 17:12	0	--ah-----	C:\ProgramData.LOG2
2008-02-14 17:12 . 2008-02-14 17:12	0	--ah-----	C:\ProgramData.LOG1
2008-02-13 03:13 . 2008-02-13 03:13	194,560	--a------	C:\Windows\System32\WebClnt.dll
2008-02-13 03:13 . 2008-03-12 21:32	110,080	--a------	C:\Windows\System32\drivers\mrxdav.sys
2008-02-13 03:10 . 2008-02-13 03:10	595,456	--a------	C:\Windows\System32\schedsvc.dll
2008-02-13 03:06 . 2008-02-13 03:06	3,504,696	--a------	C:\Windows\System32\ntkrnlpa.exe
2008-02-13 03:06 . 2008-02-13 03:06	3,470,392	--a------	C:\Windows\System32\ntoskrnl.exe
2008-02-13 03:06 . 2008-02-13 03:06	154,624	--a------	C:\Windows\System32\drivers\nwifi.sys
2008-02-13 03:06 . 2008-02-13 03:06	110,136	--a------	C:\Windows\System32\drivers\ataport.sys
2008-02-13 03:06 . 2008-02-13 03:06	45,112	--a------	C:\Windows\System32\drivers\pciidex.sys
2008-02-13 03:06 . 2008-02-13 03:06	21,560	--a------	C:\Windows\System32\drivers\atapi.sys
2008-02-13 03:06 . 2008-02-13 03:06	15,928	--a------	C:\Windows\System32\drivers\pciide.sys
2008-02-13 03:05 . 2008-02-13 03:05	4,247,552	--a------	C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-13 03:05 . 2008-02-13 03:05	1,686,528	--a------	C:\Windows\System32\gameux.dll
2008-02-13 03:05 . 2008-02-13 03:05	803,328	--a------	C:\Windows\System32\drivers\tcpip.sys
2008-02-13 03:05 . 2008-02-13 03:05	216,632	--a------	C:\Windows\System32\drivers\netio.sys
2008-02-13 03:05 . 2008-02-13 03:05	167,424	--a------	C:\Windows\System32\tcpipcfg.dll
2008-02-13 03:05 . 2008-02-13 03:05	24,064	--a------	C:\Windows\System32\netcfg.exe
2008-02-13 03:05 . 2008-02-13 03:05	22,016	--a------	C:\Windows\System32\netiougc.exe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-12 20:24	---------	d-----w	C:\Users\Sofie\AppData\Roaming\LimeWire
2008-03-10 21:24	---------	d-----w	C:\ProgramData\Microsoft Help
2008-03-10 21:00	---------	d-----w	C:\Program Files\Java
2008-03-10 08:58	---------	d-----w	C:\Program Files\McAfee
2008-03-02 20:57	---------	d-----w	C:\Users\Sofie\AppData\Roaming\Skype
2008-02-21 19:51	231,678	----a-w	C:\Users\Sofie\tmp177b.tmp.exe
2008-02-20 17:48	---------	d-----w	C:\Program Files\Common Files\Adobe
2008-02-16 08:17	---------	d-----w	C:\Users\Sofie\AppData\Roaming\SiteAdvisor
2008-02-14 23:34	231,678	----a-w	C:\Users\Sofie\tmpb726.tmp.exe
2008-02-14 23:34	231,678	----a-w	C:\Users\Sofie\tmpab94.tmp.exe
2008-02-14 16:07	---------	d-----w	C:\Program Files\Google
2008-02-14 15:40	3,184	----a-w	C:\Users\Sofie\AppData\Roaming\wklnhst.dat
2008-02-13 02:05	537,600	----a-w	C:\Windows\AppPatch\AcLayers.dll
2008-02-13 02:05	449,536	----a-w	C:\Windows\AppPatch\AcSpecfc.dll
2008-02-13 02:05	2,144,256	----a-w	C:\Windows\AppPatch\AcGenral.dll
2008-02-13 02:05	173,056	----a-w	C:\Windows\AppPatch\AcXtrnal.dll
2008-02-13 02:02	824,832	----a-w	C:\Windows\System32\wininet.dll
2008-02-13 02:02	56,320	----a-w	C:\Windows\System32\iesetup.dll
2008-02-13 02:02	52,736	----a-w	C:\Windows\AppPatch\iebrshim.dll
2008-02-13 02:02	26,624	----a-w	C:\Windows\System32\ieUnatt.exe
2008-02-07 19:07	---------	d-----w	C:\Users\Sofie\AppData\Roaming\Nokia Multimedia Player
2008-02-06 08:51	171,400	----a-w	C:\Windows\system32\drivers\mfehidk.sys
2008-02-01 07:53	231,678	----a-w	C:\Users\Sofie\tmp63d0.tmp.exe
2008-01-29 19:22	217,293	----a-w	C:\Users\Sofie\tmp658a.tmp.exe
2008-01-24 23:03	154,392	----a-w	C:\Windows\System32\hkcmd.exe
2008-01-24 22:50	---------	d-----w	C:\Program Files\Kaspersky Lab
2008-01-20 19:43	231,678	----a-w	C:\Users\Sofie\tmpa637.tmp.exe
2008-01-14 20:12	---------	d-----w	C:\Users\Sofie\AppData\Roaming\Azureus
2008-01-14 18:58	---------	d-----w	C:\Program Files\MSBuild
2008-01-14 18:58	---------	d-----w	C:\Program Files\Microsoft Works
2008-01-14 18:55	---------	d-----w	C:\Program Files\Microsoft.NET
2008-01-14 18:53	---------	d-----w	C:\Program Files\Microsoft Visual Studio 8
2008-01-13 14:53	---------	d-----w	C:\Program Files\Azureus
2008-01-12 21:50	---------	d-----w	C:\Users\Sofie\AppData\Roaming\uTorrent
2008-01-12 19:52	---------	d-----w	C:\Program Files\Flash Slideshow Maker Professional
2008-01-10 16:23	11,776	----a-w	C:\Windows\System32\sbunattend.exe
2008-01-09 13:55	231,678	----a-w	C:\Users\Sofie\tmpe6ca.tmp.exe
2007-12-14 10:32	12,632	----a-w	C:\Windows\System32\lsdelete.exe
2007-12-13 02:05	1,327,104	----a-w	C:\Windows\System32\quartz.dll
2007-12-13 02:04	9,728	----a-w	C:\Windows\System32\LAPRXY.DLL
2007-12-13 02:04	223,232	----a-w	C:\Windows\System32\WMASF.DLL
2007-10-20 07:47	174	--sha-w	C:\Program Files\desktop.ini
2007-11-16 18:51	16,384	--sha-w	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-11-16 18:51	32,768	--sha-w	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-11-16 18:51	16,384	--sha-w	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

(((((((((((((((((((((((((((((   snapshot@2008-03-11_22.43.39.08   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-11 21:37:35	67,584	--s-a-w	C:\Windows\bootstat.dat
+ 2008-03-12 20:34:23	67,584	--s-a-w	C:\Windows\bootstat.dat
- 2008-03-11 21:39:37	262,144	--sha-w	C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-03-12 20:34:54	262,144	--sha-w	C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-03-12 20:34:54	262,144	---ha-w	C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-03-11 21:39:43	262,144	--sha-w	C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-03-12 20:34:54	262,144	--sha-w	C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-03-12 20:34:54	262,144	---ha-w	C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-03-11 21:38:30	32,768	--sha-w	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-03-12 19:37:58	32,768	--sha-w	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-03-11 21:38:30	49,152	--sha-w	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-12 19:37:58	49,152	--sha-w	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-03-11 21:38:30	32,768	--sha-w	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-03-12 19:37:58	32,768	--sha-w	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-02-14 16:06:11	6,291,456	----a-w	C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2008-03-12 20:19:36	6,291,456	----a-w	C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2008-03-10 20:58:00	11,548	----a-w	C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1329701823-2676636046-186486880-1000_UserData.bin
+ 2008-03-12 20:36:30	11,690	----a-w	C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1329701823-2676636046-186486880-1000_UserData.bin
- 2008-03-10 20:58:00	57,074	----a-w	C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-03-12 20:36:30	57,246	----a-w	C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-03-11 21:40:01	47,958	----a-w	C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-03-12 20:36:15	50,186	----a-w	C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-03-12 19:38:01	101,587	----a-w	C:\Windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 12:09 460784]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 16:21 1449984]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-10-03 09:19 1006264]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [2007-05-25 07:03 17920]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-14 10:03 4452352 C:\Windows\RtHDVCpl.exe]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 11:37 81920]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 11:22 221184]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 17:23 118784]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 17:30 152144]
"dscactivate"="c:\dell\dsca.exe" [2007-07-30 20:40 16384]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-10-03 01:47 1862144]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007-05-10 11:03 142104]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-01-25 00:03 154392]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2007-05-10 11:02 138008]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 22:57 36640]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-07 01:05 200704]
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-06-15 12:36 229376]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"DelayShred"="c:\PROGRA~1\mcafee\mshr\ShrCL.exe" [2007-01-17 18:02 95784]

C:\Users\Sofie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2007-09-17 15:19:14 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{FBC50424-954B-497C-A042-283A6742DE23}"= UDP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{4B5032E1-FEC0-4F3B-B8F8-B85C8DD95536}"= TCP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{8A474971-E181-48B9-B0D0-5715B3E03754}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{53305A07-12FD-4719-BB49-704A0365E773}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{5C814897-7282-4661-9521-BF32AE9DA0CC}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{9672F7F1-AE75-47A6-9DA9-CF135F741136}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{4162B520-C408-4517-A782-BC2390753F68}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{B61E8DD3-ADEC-44D8-B6AD-E6418AA4B5B7}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{D1E1B63E-FC27-419C-880F-972D68770EEA}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{A9D68951-AF20-427E-AB7D-320CA97F84BE}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{1369AE11-BE0C-441F-A3D3-21CEA8BFC754}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-05-28 10:51]
S3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-05-10 11:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork	REG_MULTI_SZ   	PLA DPS BFE mpssvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {65E6362A-B878-4A7B-86DA-D16F8DBD75C7} /qb
.
Contents of the 'Scheduled Tasks' folder
"2008-02-15 00:00:03 C:\Windows\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-02-01 00:00:05 C:\Windows\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-12 21:38:01
Windows 6.0.6000  NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Windows\system32\conime.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Windows Mail\WinMail.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2008-03-12 21:38:38 - machine was rebooted [Sofie]
ComboFix-quarantined-files.txt  2008-03-12 20:38:35
ComboFix2.txt  2008-03-11 21:43:52
.
2008-03-03 08:48:54	--- E O F ---


I have no skype tabs opening in IE anymore! :blink: :thumbsup: Thanks! Although I don't know if I still have something else.

Sverigejakten is a kids' game, completely alright.

#10 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 13 March 2008 - 01:48 PM

Hey Kaari,

Please do an online scan with Kaspersky Webscan (You need to use Internet Explorer or enable IEView in Firefox)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report as button >> name it >> choose "Text file" in the Save as type dialogue
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Thanks.



#11 Kaari
  • Topic Starter
  • Members
  • 21 posts

Posted 13 March 2008 - 02:21 PM

I am doing that now. However, when I started the computer I got a Spybot warning saying that an important registry entry had been changed. The category was "sessions manager", the change "value added", and the entry "BootExecute", new data: "autocheck autichk *\ Isdelete\". Should I allow that?

#12 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 13 March 2008 - 02:23 PM

Mhhm, not much to go by. But I would suppose No would be best to do until we could find out what else it was. Can you check the Spybot logs to see what it was detecting?



#13 Kaari
  • Topic Starter
  • Members
  • 21 posts

Posted 13 March 2008 - 02:46 PM

Mhhm, not much to go by. But I would suppose No would be best to do until we could find out what else it was. Can you check Spybot logs what it was detecting?

Yeah,

I've tried to deny it but it just keeps popping up..

#14 sUBs

  • Malware Response Team
  • 2,489 posts

Posted 13 March 2008 - 03:51 PM

autocheck autichk *\ Isdelete\


The 'i' which I highlighted appears to be a typo you made. It's supposed to be "autocheck autchk *\ Isdelete\". If so, then it's legit. Both "autocheck autchk" are default MS values. Isdelete is related to the program Adaware.
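A way to see what a BootExecute alert like the one above actually points at, added here as an example for this thread rather than anything posted in it. It assumes it is run in PowerShell on the affected machine, and uses the stock Windows value "autocheck autochk *" as the baseline; in this thread the extra entry's file is the C:\Windows\System32\lsdelete.exe listed in the ComboFix Find3M report, which belongs to Ad-Aware as the reply above says.

```powershell
# Added example, not from the thread: inspect the Session Manager BootExecute
# value that Spybot's TeaTimer alerted on. Windows ships with the single entry
# "autocheck autochk *"; every additional entry is a program that runs at boot
# before anyone logs on, so each one is worth identifying.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$entries = (Get-ItemProperty -Path $key -Name BootExecute).BootExecute
$stock = 'autocheck autochk *'

# REG_MULTI_SZ comes back as a string array; drop empty strings and the stock entry.
$extra = @($entries | Where-Object { $_ -and ($_ -ne $stock) })

if ($extra.Count -eq 0) {
    Write-Output "BootExecute holds only the stock entry: $stock"
    return
}

foreach ($entry in $extra) {
    $tokens = $entry -split '\s+'
    # "autocheck <prog> ..." runs <prog>; otherwise the first token is the program.
    $program = if ($tokens[0] -eq 'autocheck' -and $tokens.Count -gt 1) { $tokens[1] } else { $tokens[0] }
    if ($program -notmatch '\.exe$') { $program += '.exe' }
    # Boot-time programs are native images loaded from %SystemRoot%\System32.
    $path = Join-Path $env:SystemRoot ('System32\' + $program)

    Write-Output "Entry: $entry"
    if (Test-Path -LiteralPath $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(no signature)' }
        Write-Output "  file:      $path"
        Write-Output "  signature: $($sig.Status)"
        Write-Output "  signer:    $signer"
    } else {
        # A dangling entry is either left over from an uninstall or a name that
        # resolves elsewhere; either way it warrants a look at when it was added.
        Write-Output "  file not found under System32: $path"
    }
}
```

A signed file from a known vendor (here the Ad-Aware helper) explains a TeaTimer prompt like Kaari's; an unsigned or missing file behind a BootExecute entry is what would justify keeping the change denied and asking for help.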

#15 Kaari
  • Topic Starter
  • Members
  • 21 posts

Posted 13 March 2008 - 03:52 PM

OK, My computer is infected, no surprise there....Enjoy!

-------------------------------------------------------------------------------
 KASPERSKY ONLINE SCANNER REPORT
 Thursday, March 13, 2008 9:49:11 PM
 Operating System: Microsoft Windows Vista Professional,  (Build 6000)
 Kaspersky Online Scanner version: 5.0.98.0
 Kaspersky Anti-Virus database last update: 13/03/2008
 Kaspersky Anti-Virus database records: 627867
-------------------------------------------------------------------------------

Scan Settings:
	Scan using the following antivirus database: extended
	Scan Archives: true
	Scan Mail Bases: true

Scan Target - My Computer:
	C:\
	D:\
	E:\
	F:\
	G:\

Scan Statistics:
	Total number of scanned objects: 134136
	Number of viruses found: 4
	Number of infected objects: 78
	Number of suspicious objects: 0
	Duration of the scan process: 00:56:53

Infected Object Name / Virus Name / Last Action
C:\Boot\BCD	Object is locked	skipped
C:\Boot\BCD.LOG	Object is locked	skipped
C:\Program Files\InstallShield Installation Information\{5CD29180-A95E-11D3-A4EB-00C04F7BDB2C}\setup.ilg	Object is locked	skipped
C:\ProgramData\McAfee\MNA\NAData	Object is locked	skipped
C:\ProgramData\McAfee\MPF\data\log.edb	Object is locked	skipped
C:\ProgramData\McAfee\MSC\Logs\Events.dat	Object is locked	skipped
C:\ProgramData\McAfee\MSC\Logs\{E35C1B08-BF21-436F-8F1D-FC0FE1C036EC}.log	Object is locked	skipped
C:\ProgramData\McAfee\MSC\McUsers.dat	Object is locked	skipped
C:\ProgramData\McAfee\MSK\MSKWMDB.dat	Object is locked	skipped
C:\ProgramData\McAfee\MSK\RBLDB.dat	Object is locked	skipped
C:\ProgramData\McAfee\MSK\settingsdb.dat	Object is locked	skipped
C:\ProgramData\McAfee\VirusScan\Logs\OAS.Log	Object is locked	skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\dell.txt	Object is locked	skipped
C:\QooBox\Quarantine\C\Users\Sofie\iebrowserc.dll.vir	Infected: not-a-virus:AdWare.Win32.Vapsup.awu	skipped
C:\QooBox\Quarantine\C\Users\Sofie\nsbrowseropt.dll.vir	Infected: not-a-virus:AdWare.Win32.BHO.ww	skipped
C:\Users\Sofie\AppData\Local\Google\Google Desktop\31e8b92d0c64\dbc2e.ht1	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Google\Google Desktop\31e8b92d0c64\dbdam	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Google\Google Desktop\31e8b92d0c64\dbdao	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Google\Google Desktop\31e8b92d0c64\dbeam	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Google\Google Desktop\31e8b92d0c64\dbeao	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Google\Google Desktop\31e8b92d0c64\dbm	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Google\Google Desktop\31e8b92d0c64\dbu2d.ht1	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Google\Google Desktop\31e8b92d0c64\dbvm.cf1	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Google\Google Desktop\31e8b92d0c64\dbvmh.ht1	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Google\Google Desktop\31e8b92d0c64\fii.cf1	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Google\Google Desktop\31e8b92d0c64\fiih.ht1	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Google\Google Desktop\31e8b92d0c64\hp	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Google\Google Desktop\31e8b92d0c64\hpt2i.ht1	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Google\Google Desktop\31e8b92d0c64\rpm.cf1	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Google\Google Desktop\31e8b92d0c64\rpm1m.cf1	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Google\Google Desktop\31e8b92d0c64\rpm1mh.ht1	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Google\Google Desktop\31e8b92d0c64\rpmh.ht1	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Google\Google Desktop\31e8b92d0c64\safeweb\goog-black-urlm.cf1	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Google\Google Desktop\31e8b92d0c64\safeweb\goog-black-urlmh.ht1	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Google\Google Desktop\31e8b92d0c64\safeweb\goog-malware-domainm.cf1	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Google\Google Desktop\31e8b92d0c64\safeweb\goog-malware-domainmh.ht1	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Google\Google Desktop\31e8b92d0c64\safeweb\goog-white-domainm.cf1	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Google\Google Desktop\31e8b92d0c64\safeweb\goog-white-domainmh.ht1	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008031320080314\index.dat	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Microsoft\Windows\UsrClass.dat{1d192c02-7b40-11dc-ba8b-001aa0940706}.TM.blf	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Microsoft\Windows\UsrClass.dat{1d192c02-7b40-11dc-ba8b-001aa0940706}.TMContainer00000000000000000001.regtrans-ms	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Microsoft\Windows\UsrClass.dat{1d192c02-7b40-11dc-ba8b-001aa0940706}.TMContainer00000000000000000002.regtrans-ms	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Microsoft\Feeds Cache\index.dat	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Microsoft\Windows Mail\edb.log	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Microsoft\Windows Mail\tmp.edb	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore	Object is locked	skipped
C:\Users\Sofie\AppData\Local\ATI\ACE\Log\MOM-1.log	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Temp\FXSAPIDebugLogFile.txt	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Temp\hsperfdata_Sofie\4132	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Temp\Low\~DF2FD2.tmp	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Temp\~DFA503.tmp	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Temp\~DFA585.tmp	Object is locked	skipped
C:\Users\Sofie\AppData\Local\Temp\~ROMFN_00000E7C	Object is locked	skipped
C:\Users\Sofie\AppData\Roaming\GTek\GTUpdate\AUpdate\DellSupport\DSAgnt.log	Object is locked	skipped
C:\Users\Sofie\AppData\Roaming\GTek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log	Object is locked	skipped
C:\Users\Sofie\AppData\Roaming\GTek\GTUpdate\AUpdate\DellSupport\glog.log	Object is locked	skipped
C:\Users\Sofie\AppData\Roaming\Microsoft\Windows\Cookies\index.dat	Object is locked	skipped
C:\Users\Sofie\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat	Object is locked	skipped
C:\Users\Sofie\AppData\Roaming\Roxio\MediaManager9\Album.ldb	Object is locked	skipped
C:\Users\Sofie\AppData\Roaming\Roxio\MediaManager9\Album.psod	Object is locked	skipped
C:\Users\Sofie\DcadsSocialSetup[1]/stream/data0001	Infected: not-a-virus:AdWare.Win32.Vapsup.awu	skipped
C:\Users\Sofie\DcadsSocialSetup[1]/stream	Infected: not-a-virus:AdWare.Win32.Vapsup.awu	skipped
C:\Users\Sofie\DcadsSocialSetup[1]	NSIS: infected - 2	skipped
C:\Users\Sofie\Documents\dcadssocialsetup[1]/stream/data0001	Infected: not-a-virus:AdWare.Win32.Vapsup.awu	skipped
C:\Users\Sofie\Documents\dcadssocialsetup[1]/stream	Infected: not-a-virus:AdWare.Win32.Vapsup.awu	skipped
C:\Users\Sofie\Documents\dcadssocialsetup[1]	NSIS: infected - 2	skipped
C:\Users\Sofie\Documents\dcadssocialsetup[2]/stream/data0001	Infected: not-a-virus:AdWare.Win32.Vapsup.awu	skipped
C:\Users\Sofie\Documents\dcadssocialsetup[2]/stream	Infected: not-a-virus:AdWare.Win32.Vapsup.awu	skipped
C:\Users\Sofie\Documents\dcadssocialsetup[2]	NSIS: infected - 2	skipped
C:\Users\Sofie\Documents\dcadssocialsetup[3]/stream/data0001	Infected: not-a-virus:AdWare.Win32.Vapsup.awu	skipped
C:\Users\Sofie\Documents\dcadssocialsetup[3]/stream	Infected: not-a-virus:AdWare.Win32.Vapsup.awu	skipped
C:\Users\Sofie\Documents\dcadssocialsetup[3]	NSIS: infected - 2	skipped
C:\Users\Sofie\Documents\dcadssocialsetup[4]/stream/data0001	Infected: not-a-virus:AdWare.Win32.Vapsup.awu	skipped
C:\Users\Sofie\Documents\dcadssocialsetup[4]/stream	Infected: not-a-virus:AdWare.Win32.Vapsup.awu	skipped
C:\Users\Sofie\Documents\dcadssocialsetup[4]	NSIS: infected - 2	skipped
C:\Users\Sofie\Documents\dcadssocialsetup[5]/stream/data0001	Infected: not-a-virus:AdWare.Win32.Vapsup.awu	skipped
C:\Users\Sofie\Documents\dcadssocialsetup[5]/stream	Infected: not-a-virus:AdWare.Win32.Vapsup.awu	skipped
C:\Users\Sofie\Documents\dcadssocialsetup[5]	NSIS: infected - 2	skipped
C:\Users\Sofie\Documents\silent_dcads_sidebar_1007[1]/stream/data0002	Infected: not-a-virus:AdWare.Win32.Agent.zm	skipped
C:\Users\Sofie\Documents\silent_dcads_sidebar_1007[1]/stream	Infected: not-a-virus:AdWare.Win32.Agent.zm	skipped
C:\Users\Sofie\Documents\silent_dcads_sidebar_1007[1]	NSIS: infected - 2	skipped
C:\Users\Sofie\Documents\silent_dcads_sidebar_1007[3]/stream/data0002	Infected: not-a-virus:AdWare.Win32.Agent.zm	skipped
C:\Users\Sofie\Documents\silent_dcads_sidebar_1007[3]/stream	Infected: not-a-virus:AdWare.Win32.Agent.zm	skipped
C:\Users\Sofie\Documents\silent_dcads_sidebar_1007[3]	NSIS: infected - 2	skipped
C:\Users\Sofie\Documents\silent_dcads_sidebar_1007[4]/stream/data0002	Infected: not-a-virus:AdWare.Win32.Agent.zm	skipped
C:\Users\Sofie\Documents\silent_dcads_sidebar_1007[4]/stream	Infected: not-a-virus:AdWare.Win32.Agent.zm	skipped
C:\Users\Sofie\Documents\silent_dcads_sidebar_1007[4]	NSIS: infected - 2	skipped
C:\Users\Sofie\NTUSER.DAT	Object is locked	skipped
C:\Users\Sofie\ntuser.dat.LOG1	Object is locked	skipped
C:\Users\Sofie\ntuser.dat.LOG2	Object is locked	skipped
C:\Users\Sofie\NTUSER.DAT{3d4e88f1-6a70-11db-b1ba-d64300c9c793}.TM.blf	Object is locked	skipped
C:\Users\Sofie\NTUSER.DAT{3d4e88f1-6a70-11db-b1ba-d64300c9c793}.TMContainer00000000000000000001.regtrans-ms	Object is locked	skipped
C:\Users\Sofie\NTUSER.DAT{3d4e88f1-6a70-11db-b1ba-d64300c9c793}.TMContainer00000000000000000002.regtrans-ms	Object is locked	skipped
C:\Users\Sofie\Shared\songs\silent_dcads_sidebar_1007[1]/stream/data0002	Infected: not-a-virus:AdWare.Win32.Agent.zm	skipped
C:\Users\Sofie\Shared\songs\silent_dcads_sidebar_1007[1]/stream	Infected: not-a-virus:AdWare.Win32.Agent.zm	skipped
C:\Users\Sofie\Shared\songs\silent_dcads_sidebar_1007[1]	NSIS: infected - 2	skipped
C:\Users\Sofie\Shared\songs\silent_dcads_sidebar_1007[2]/stream/data0002	Infected: not-a-virus:AdWare.Win32.Agent.zm	skipped
C:\Users\Sofie\Shared\songs\silent_dcads_sidebar_1007[2]/stream	Infected: not-a-virus:AdWare.Win32.Agent.zm	skipped
C:\Users\Sofie\Shared\songs\silent_dcads_sidebar_1007[2]	NSIS: infected - 2	skipped
C:\Users\Sofie\Shared\songs\tmp2C44.tmp.exe/stream/data0001	Infected: not-a-virus:AdWare.Win32.Vapsup.awu	skipped
C:\Users\Sofie\Shared\songs\tmp2C44.tmp.exe/stream	Infected: not-a-virus:AdWare.Win32.Vapsup.awu	skipped
C:\Users\Sofie\Shared\songs\tmp2C44.tmp.exe	NSIS: infected - 2	skipped
C:\Users\Sofie\Shared\songs\tmp34d1.tmp.exe/stream/data0002	Infected: not-a-virus:AdWare.Win32.Agent.zm	skipped
C:\Users\Sofie\Shared\songs\tmp34d1.tmp.exe/stream	Infected: not-a-virus:AdWare.Win32.Agent.zm	skipped
C:\Users\Sofie\Shared\songs\tmp34d1.tmp.exe	NSIS: infected - 2	skipped
C:\Users\Sofie\Shared\songs\tmp4464.tmp.exe/stream/data0002	Infected: not-a-virus:AdWare.Win32.Agent.zm	skipped
C:\Users\Sofie\Shared\songs\tmp4464.tmp.exe/stream	Infected: not-a-virus:AdWare.Win32.Agent.zm	skipped
C:\Users\Sofie\Shared\songs\tmp4464.tmp.exe	NSIS: infected - 2	skipped
C:\Users\Sofie\Shared\songs\tmp518b.tmp.exe/stream/data0002	Infected: not-a-virus:AdWare.Win32.Agent.zm	skipped
C:\Users\Sofie\Shared\songs\tmp518b.tmp.exe/stream	Infected: not-a-virus:AdWare.Win32.Agent.zm	skipped
C:\Users\Sofie\Shared\songs\tmp518b.tmp.exe	NSIS: infected - 2	skipped
C:\Users\Sofie\Shared\songs\tmp98fd.tmp.exe/stream/data0002	Infected: not-a-virus:AdWare.Win32.Agent.zm	skipped
C:\Users\Sofie\Shared\songs\tmp98fd.tmp.exe/stream	Infected: not-a-virus:AdWare.Win32.Agent.zm	skipped
C:\Users\Sofie\Shared\songs\tmp98fd.tmp.exe	NSIS: infected - 2	skipped
C:\Users\Sofie\Shared\songs\tmpa8ee.tmp.exe/stream/data0002	Infected: not-a-virus:AdWare.Win32.Agent.zm	skipped
C:\Users\Sofie\Shared\songs\tmpa8ee.tmp.exe/stream	Infected: not-a-virus:AdWare.Win32.Agent.zm	skipped
C:\Users\Sofie\Shared\songs\tmpa8ee.tmp.exe	NSIS: infected - 2	skipped
C:\Users\Sofie\Shared\songs\tmpcd90.tmp.exe/stream/data0001	Infected: not-a-virus:AdWare.Win32.Vapsup.awu	skipped
C:\Users\Sofie\Shared\songs\tmpcd90.tmp.exe/stream	Infected: not-a-virus:AdWare.Win32.Vapsup.awu	skipped
C:\Users\Sofie\Shared\songs\tmpcd90.tmp.exe	NSIS: infected - 2	skipped
C:\Users\Sofie\Shared\songs\Wicked Remix.wma	Infected: Trojan-Downloader.WMA.Wimad.l	skipped
C:\Users\Sofie\tmp177b.tmp.exe/stream/data0002	Infected: not-a-virus:AdWare.Win32.Agent.zm	skipped
C:\Users\Sofie\tmp177b.tmp.exe/stream	Infected: not-a-virus:AdWare.Win32.Agent.zm	skipped
C:\Users\Sofie\tmp177b.tmp.exe	NSIS: infected - 2	skipped
C:\Users\Sofie\tmp63d0.tmp.exe/stream/data0002	Infected: not-a-virus:AdWare.Win32.Agent.zm	skipped
C:\Users\Sofie\tmp63d0.tmp.exe/stream	Infected: not-a-virus:AdWare.Win32.Agent.zm	skipped
C:\Users\Sofie\tmp63d0.tmp.exe	NSIS: infected - 2	skipped
C:\Users\Sofie\tmp658a.tmp.exe/stream/data0001	Infected: not-a-virus:AdWare.Win32.Vapsup.awu	skipped
C:\Users\Sofie\tmp658a.tmp.exe/stream	Infected: not-a-virus:AdWare.Win32.Vapsup.awu	skipped
C:\Users\Sofie\tmp658a.tmp.exe	NSIS: infected - 2	skipped
C:\Users\Sofie\tmpa637.tmp.exe/stream/data0002	Infected: not-a-virus:AdWare.Win32.Agent.zm	skipped
C:\Users\Sofie\tmpa637.tmp.exe/stream	Infected: not-a-virus:AdWare.Win32.Agent.zm	skipped
C:\Users\Sofie\tmpa637.tmp.exe	NSIS: infected - 2	skipped
C:\Users\Sofie\tmpab94.tmp.exe/stream/data0002	Infected: not-a-virus:AdWare.Win32.Agent.zm	skipped
C:\Users\Sofie\tmpab94.tmp.exe/stream	Infected: not-a-virus:AdWare.Win32.Agent.zm	skipped
C:\Users\Sofie\tmpab94.tmp.exe	NSIS: infected - 2	skipped
C:\Users\Sofie\tmpb726.tmp.exe/stream/data0002	Infected: not-a-virus:AdWare.Win32.Agent.zm	skipped
C:\Users\Sofie\tmpb726.tmp.exe/stream	Infected: not-a-virus:AdWare.Win32.Agent.zm	skipped
C:\Users\Sofie\tmpb726.tmp.exe	NSIS: infected - 2	skipped
C:\Users\Sofie\tmpe6ca.tmp.exe/stream/data0002	Infected: not-a-virus:AdWare.Win32.Agent.zm	skipped
C:\Users\Sofie\tmpe6ca.tmp.exe/stream	Infected: not-a-virus:AdWare.Win32.Agent.zm	skipped
C:\Users\Sofie\tmpe6ca.tmp.exe	NSIS: infected - 2	skipped
C:\Windows\Debug\PASSWD.LOG	Object is locked	skipped
C:\Windows\Debug\sam.log	Object is locked	skipped
C:\Windows\Debug\WIA\wiatrace.log	Object is locked	skipped
C:\Windows\Logs\CBS\CBS.log	Object is locked	skipped
C:\Windows\Logs\CBS\CBS.persist.log	Object is locked	skipped
C:\Windows\Logs\DPX\setupact.log	Object is locked	skipped
C:\Windows\Logs\DPX\setuperr.log	Object is locked	skipped
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe.config	Object is locked	skipped
C:\Windows\Panther\setupact.log	Object is locked	skipped
C:\Windows\Panther\setuperr.log	Object is locked	skipped
C:\Windows\Panther\UnattendGC\diagerr.xml	Object is locked	skipped
C:\Windows\Panther\UnattendGC\diagwrn.xml	Object is locked	skipped
C:\Windows\Panther\UnattendGC\setupact.bld	Object is locked	skipped
C:\Windows\Panther\UnattendGC\setupact.log	Object is locked	skipped
C:\Windows\Panther\UnattendGC\setuperr.bld	Object is locked	skipped
C:\Windows\Panther\UnattendGC\setuperr.log	Object is locked	skipped
C:\Windows\security\database\secedit.sdb	Object is locked	skipped
C:\Windows\SoftwareDistribution\EventCache\{D82428A8-DB2E-4F27-A7E8-CF7B424BCA40}.bin	Object is locked	skipped
C:\Windows\SoftwareDistribution\ReportingEvents.log	Object is locked	skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0	Object is locked	skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0	Object is locked	skipped
C:\Windows\System32\catroot2\edb.log	Object is locked	skipped
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb	Object is locked	skipped
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb	Object is locked	skipped
C:\Windows\System32\config\COMPONENTS	Object is locked	skipped
C:\Windows\System32\config\COMPONENTS.LOG1	Object is locked	skipped
C:\Windows\System32\config\COMPONENTS.LOG2	Object is locked	skipped
C:\Windows\System32\config\DEFAULT	Object is locked	skipped
C:\Windows\System32\config\DEFAULT.LOG1	Object is locked	skipped
C:\Windows\System32\config\DEFAULT.LOG2	Object is locked	skipped
C:\Windows\System32\config\SAM	Object is locked	skipped
C:\Windows\System32\config\SAM.LOG1	Object is locked	skipped
C:\Windows\System32\config\SAM.LOG2	Object is locked	skipped
C:\Windows\System32\config\SECURITY	Object is locked	skipped
C:\Windows\System32\config\SECURITY.LOG1	Object is locked	skipped
C:\Windows\System32\config\SECURITY.LOG2	Object is locked	skipped
C:\Windows\System32\config\SOFTWARE	Object is locked	skipped
C:\Windows\System32\config\SOFTWARE.LOG1	Object is locked	skipped
C:\Windows\System32\config\SOFTWARE.LOG2	Object is locked	skipped
C:\Windows\System32\config\SYSTEM	Object is locked	skipped
C:\Windows\System32\config\SYSTEM.LOG1	Object is locked	skipped
C:\Windows\System32\config\SYSTEM.LOG2	Object is locked	skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.0.regtrans-ms	Object is locked	skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.1.regtrans-ms	Object is locked	skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.2.regtrans-ms	Object is locked	skipped
C:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.blf	Object is locked	skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf	Object is locked	skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms	Object is locked	skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms	Object is locked	skipped
C:\Windows\System32\LogFiles\Scm\SCM.EVM	Object is locked	skipped
C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl	Object is locked	skipped
C:\Windows\System32\restore\MachineGuid.txt	Object is locked	skipped
C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT	Object is locked	skipped
C:\Windows\System32\SMI\Store\Machine\schema.dat.LOG1	Object is locked	skipped
C:\Windows\System32\SMI\Store\Machine\schema.dat.LOG2	Object is locked	skipped
C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT{3d4e88ed-6a70-11db-b1ba-d64300c9c793}.TM.blf	Object is locked	skipped
C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT{3d4e88ed-6a70-11db-b1ba-d64300c9c793}.TMContainer00000000000000000001.regtrans-ms	Object is locked	skipped
C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT{3d4e88ed-6a70-11db-b1ba-d64300c9c793}.TMContainer00000000000000000002.regtrans-ms	Object is locked	skipped
C:\Windows\System32\spool\SpoolerETW.etl	Object is locked	skipped
C:\Windows\System32\sysprep\Panther\diagerr.xml	Object is locked	skipped
C:\Windows\System32\sysprep\Panther\diagwrn.xml	Object is locked	skipped
C:\Windows\System32\sysprep\Panther\setupact.bld	Object is locked	skipped
C:\Windows\System32\sysprep\Panther\setupact.log	Object is locked	skipped
C:\Windows\System32\sysprep\Panther\setuperr.bld	Object is locked	skipped
C:\Windows\System32\sysprep\Panther\setuperr.log	Object is locked	skipped
C:\Windows\System32\wbem\AutoRecover\3460B7617E0429A960E481B197F238A3.mof	Object is locked	skipped
C:\Windows\System32\wbem\AutoRecover\E478A5DB75C9721E744C05D78DBACFD3.mof	Object is locked	skipped
C:\Windows\System32\wbem\Logs\WMITracing.log	Object is locked	skipped
C:\Windows\System32\wbem\Repository\INDEX.BTR	Object is locked	skipped
C:\Windows\System32\wbem\Repository\MAPPING1.MAP	Object is locked	skipped
C:\Windows\System32\wbem\Repository\MAPPING2.MAP	Object is locked	skipped
C:\Windows\System32\wbem\Repository\OBJECTS.DATA	Object is locked	skipped
C:\Windows\System32\winevt\Logs\Application.evtx	Object is locked	skipped
C:\Windows\System32\winevt\Logs\DFS Replication.evtx	Object is locked	skipped
C:\Windows\System32\winevt\Logs\HardwareEvents.evtx	Object is locked	skipped
C:\Windows\System32\winevt\Logs\Internet Explorer.evtx	Object is locked	skipped
C:\Windows\System32\winevt\Logs\Key Management Service.evtx	Object is locked	skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx	Object is locked	skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx	Object is locked	skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx	Object is locked	skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Networking%4Operational.evtx	Object is locked	skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx	Object is locked	skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnosticDataCollector%4Operational.evtx	Object is locked	skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx	Object is locked	skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx	Object is locked	skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Help%4Operational.evtx	Object is locked	skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx	Object is locked	skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx	Object is locked	skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx	Object is locked	skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx	Object is locked	skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx	Object is locked	skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4Operational.evtx	Object is locked	skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx	Object is locked	skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx	Object is locked	skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx	Object is locked	skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx	Object is locked	skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx	Object is locked	skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx	Object is locked	skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx	Object is locked	skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC%4Operational.evtx	Object is locked	skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx	Object is locked	skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx	Object is locked	skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx	Object is locked	skipped
C:\Windows\System32\winevt\Logs\ODiag.evtx	Object is locked	skipped
C:\Windows\System32\winevt\Logs\OSession.evtx	Object is locked	skipped
C:\Windows\System32\winevt\Logs\Security.evtx	Object is locked	skipped
C:\Windows\System32\winevt\Logs\Setup.evtx	Object is locked	skipped
C:\Windows\System32\winevt\Logs\System.evtx	Object is locked	skipped
C:\Windows\Tasks\McDefragTask.job	Object is locked	skipped
C:\Windows\Tasks\McQcTask.job	Object is locked	skipped
C:\Windows\Tasks\SCHEDLGU.TXT	Object is locked	skipped
C:\Windows\Temp\JETB0F6.tmp	Object is locked	skipped
C:\Windows\Temp\mcafee_0ADLwYcsjlWGq01	Object is locked	skipped
C:\Windows\Temp\mcmsc_1EV9S5u9SQadrYy	Object is locked	skipped
C:\Windows\Temp\mcmsc_2ChfrTr2WP6Xlbh	Object is locked	skipped
C:\Windows\Temp\mcmsc_53taaJb9hmKKRV8	Object is locked	skipped
C:\Windows\Temp\mcmsc_vrPuu2uy10jThNf	Object is locked	skipped
C:\Windows\Temp\sqlite_2tNp2F4csExPuJr	Object is locked	skipped
C:\Windows\Temp\sqlite_F9u1qRl3KcxHtxB	Object is locked	skipped
C:\Windows\Temp\sqlite_reijZcogusY5c5r	Object is locked	skipped
C:\Windows\Temp\sqlite_XCcQVy8ZDCd2nCz	Object is locked	skipped
C:\Windows\WindowsUpdate.log	Object is locked	skipped
C:\Windows\winsxs\x86_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.0.6000.16386_none_cef7ceb03914a67f\dnary.xsd	Object is locked	skipped
E:\Windows\security\database\secedit.sdb	Object is locked	skipped

Scan process completed.
