
Infected With Virtumonde And Zlob.downloader


  • This topic is locked
10 replies to this topic

#1 bauermw


Posted 29 May 2008 - 03:29 PM

I was browsing the internet last night, trying to watch a video, when I must have clicked on something that I wasn't supposed to, because that's when it started. First, a bunch of virtual bugs started crawling around on my screen. I quickly exited IE to find that my desktop was changed. It said something similar to "infected with malicious spyware, etc..." in the middle of the desktop. I immediately ran AdAware as well as Spybot Search and Destroy. Multiple things came up in both. The things in AdAware were easily removed, for they were mostly tracking cookies. However, the items in Spybot were another story. Several Zlob.Downloader as well as several Virtumonde items appeared, as well as AntiVirus 2008 Pro. I tried to fix the selected problems, but Spybot nearly froze when doing so. However, it did notify me that all of the items were fixed. Unfortunately, the Spybot program that informs me of registry changes was going crazy even after I "fixed" the problems in actual Spybot. I looked online for guidance and I ended up downloading SmitFraudFix. I restarted my machine and ran SmitFraudFix in safe mode and it appeared to take care of a few issues. But when I rebooted in normal mode, I still had several problems. First, when I run Spybot, Virtumonde and Zlob.Downloader keep appearing. Also, the Spybot program informing me of registry changes continued to bombard me with proposed changes, none of which I allowed. Another problem that I am running into is that I am unable to turn on automatic updates through Windows Security Center. This message appears when I try:


"We're sorry. The security center could not change your automatic update settings. To try changing these settings yourself, go to system in control panel. On the automatic updates tab, select automatic (recommended) and press ok."


Finally, besides my computer running extremely slow, when I try to navigate through Internet Explorer, I am often times redirected to this "Reported Insecure Browsing" page. It reads:


"Insecure internet activity. Threat of Virus Attack.

Due to insecure Internet browsing your PC can easily get infected with viruses, worms and trojans without your knowledge, and that can lead to system slowdown, freezes and crashes.
Also insecure Internet activity can result in revealing your personal information.
To get full advanced real-time protection for PC and Internet activity, register KvmSecure.

We recommend you to protect your PC now and continue safe Internet browsing.

Insert link 1

Insert link 2"


Since it appeared as though my problems weren't being properly fixed, I used an online resource and ended up downloading SmitFraudFix. I ran this in safe mode and it seemed to get rid of Antivirus 2008 Pro, but that was about it. Finally, I called Dell and ended up performing a Windows repair using my reinstallation CD. This appeared to fix nothing. So, in a last ditch effort, I am hoping that you can help me. I have followed all of the steps in the Preparation Guide and I would greatly appreciate your help. Here are the HJT and Kaspersky logs.

Deckard's System Scanner v20071014.68
Run by Mike on 2008-05-29 15:50:01
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
5: 2008-05-29 19:50:15 UTC - RP556 - Deckard's System Scanner Restore Point
4: 2008-05-29 13:31:53 UTC - RP555 - Installed AVG Free 8.0
3: 2008-05-29 08:34:31 UTC - RP554 - Restore Operation
2: 2008-05-29 05:12:21 UTC - RP553 - Last known good configuration
1: 2008-05-29 05:10:44 UTC - RP552 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Mike.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:52:27 PM, on 5/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Mike\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Mike.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myxu.xu.edu/cp/home/loginf
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3C28A243-BF87-4A1A-86A8-9B9BF8EC02FD} - C:\WINDOWS\system32\mlJcyxxu.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: QXK Olive - {82852436-F845-4519-A0CC-B2A8D54C3704} - C:\WINDOWS\boqnrwdmslm.dll
O2 - BHO: (no name) - {8344AA6F-8ECE-4EF2-9A9D-4BCC15DD5A92} - C:\WINDOWS\system32\qoMFYqRj.dll (file missing)
O2 - BHO: (no name) - {96134ABB-AD7C-4135-A927-329B735D524F} - C:\WINDOWS\system32\awtqnkhe.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [d808fe6f] rundll32.exe "C:\WINDOWS\system32\busmkfgj.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O20 - Winlogon Notify: awtqnkhe - C:\WINDOWS\SYSTEM32\awtqnkhe.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9670 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
S3 USB200M (Linksys USB 2.0 Network Adapter ver.2) - c:\windows\system32\drivers\usb200m2.sys <Not Verified; Linksys; Linksys USB 2.0 Network Adapter ver.2>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S3 AresChatServer (Ares Chatroom server) - c:\program files\ares\chatserver.exe <Not Verified; Ares Development Group; Ares Chat Server>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Modem
Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&1C660DD6&0&00F0
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&1C660DD6&0&00F0
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-05-27 20:01:11 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-04-29 and 2008-05-29 -----------------------------

2008-05-29 15:51:39 0 d-------- C:\Program Files\Trend Micro
2008-05-29 15:15:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-29 15:15:32 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-29 15:15:30 0 d-------- C:\WINDOWS\LastGood
2008-05-29 15:00:08 95232 --a------ C:\WINDOWS\system32\busmkfgj.dll
2008-05-29 14:58:52 586055 --ahs---- C:\WINDOWS\system32\uxxycJlm.ini2
2008-05-29 14:58:40 322816 --a------ C:\WINDOWS\system32\mlJcyxxu.dll
2008-05-29 10:05:16 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-29 09:11:41 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-29 09:11:05 0 d-------- C:\Documents and Settings\Mike\Application Data\PC Tools
2008-05-29 04:40:05 95232 --a------ C:\WINDOWS\system32\unoxrpoj.dll
2008-05-29 04:03:28 0 d-------- C:\Program Files\Common Files\PC Tools
2008-05-29 04:03:17 0 d-------- C:\Program Files\Spyware Doctor
2008-05-29 03:58:07 1848 --ahs---- C:\WINDOWS\system32\loruBJjl.ini2
2008-05-29 02:59:27 1995 --ahs---- C:\WINDOWS\system32\cbegjkkj.ini2
2008-05-29 02:34:10 0 d-------- C:\WINDOWS\pss
2008-05-29 01:45:20 0 d-------- C:\Program Files\Antivirus 2008 PRO
2008-05-29 01:10:52 5586944 --a------ C:\Documents and Settings\Mike\ntuser.dat
2008-05-29 01:10:50 577536 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2008-05-29 01:10:28 2051 --ahs---- C:\WINDOWS\system32\jRqYFMoq.ini2
2008-05-29 01:05:12 33920 --a------ C:\WINDOWS\system32\cbXPiIbx.dll
2008-05-29 01:04:19 33920 --a------ C:\WINDOWS\system32\awtqnkhe.dll
2008-05-29 01:04:09 81920 --a------ C:\WINDOWS\xmpstean.exe
2008-05-29 01:04:09 94208 --a------ C:\WINDOWS\ealm.exe
2008-05-29 01:04:09 233472 --a------ C:\WINDOWS\boqnrwdmslm.dll
2008-05-28 16:32:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-05-28 16:32:00 0 d-------- C:\Program Files\Citrix
2008-05-28 15:25:46 0 d-------- C:\Program Files\Dell AIO Printer A920
2008-05-28 15:25:24 0 d-------- C:\Program Files\Dell A920
2008-05-28 15:25:21 299520 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2008-05-28 15:25:19 0 d-------- C:\Documents and Settings\Mike\WINDOWS
2008-05-27 14:18:44 0 d-------- C:\Program Files\Common Files\xing shared
2008-05-08 10:22:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-05-29 15:47:11 0 d-------- C:\Documents and Settings\Mike\Application Data\DNA
2008-05-29 04:03:28 0 d-------- C:\Program Files\Common Files
2008-05-27 14:18:23 0 d-------- C:\Program Files\Common Files\Real
2008-05-22 03:33:31 0 d-------- C:\Program Files\Java
2008-05-08 10:22:13 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-08 10:20:38 0 d-------- C:\Documents and Settings\Mike\Application Data\AdobeUM
2008-04-23 13:55:39 0 d-------- C:\Program Files\ZillaTube
2008-04-23 13:53:35 2 --ahs---- C:\Documents and Settings\Mike\Application Data\evf
2008-04-21 18:37:14 0 d-------- C:\Documents and Settings\Mike\Application Data\Real
2008-04-20 17:30:42 0 d-------- C:\Program Files\Common Files\Viewpoint
2008-04-12 14:54:33 282624 -ra------ C:\WINDOWS\Setup1.exe <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Windows>
2008-04-12 14:54:30 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-04-12 14:54:29 102400 --a------ C:\WINDOWS\system32\VB6STKIT.DLL <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-04-08 18:35:33 0 d-------- C:\Program Files\Viewpoint
2008-04-06 16:38:34 0 d-------- C:\Program Files\Ares
2008-04-06 16:01:48 0 d-------- C:\Program Files\DNA


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3C28A243-BF87-4A1A-86A8-9B9BF8EC02FD}]
05/29/2008 02:58 PM 322816 --a------ C:\WINDOWS\system32\mlJcyxxu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{82852436-F845-4519-A0CC-B2A8D54C3704}]
05/28/2008 07:43 PM 233472 --a------ C:\WINDOWS\boqnrwdmslm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8344AA6F-8ECE-4EF2-9A9D-4BCC15DD5A92}]
C:\WINDOWS\system32\qoMFYqRj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96134ABB-AD7C-4135-A927-329B735D524F}]
05/29/2008 01:04 AM 33920 --a------ C:\WINDOWS\system32\awtqnkhe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [02/22/2007 08:50 PM]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [12/19/2006 11:27 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/19/2007 09:16 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [11/02/2007 07:36 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/27/2008 02:16 PM]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [05/12/2003 03:02 PM]
"d808fe6f"="C:\WINDOWS\system32\busmkfgj.dll" [05/29/2008 03:00 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\valve\steam\steam.exe" [04/26/2008 04:05 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/12/2004 09:56 AM]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [01/03/2008 12:15 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 12:43 PM]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [05/08/2008 04:08 PM]
"ares"="C:\Program Files\Ares\Ares.exe" [02/20/2008 10:33 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Spybot - Search & Destroy"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [4/23/2008 3:38:16 AM]
Clean Access Agent.lnk - C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe [12/7/2007 6:12:50 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{96134ABB-AD7C-4135-A927-329B735D524F}"= C:\WINDOWS\system32\awtqnkhe.dll [05/29/2008 01:04 AM 33920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqnkhe]
awtqnkhe.dll 05/29/2008 01:04 AM 33920 C:\WINDOWS\system32\awtqnkhe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll 05/28/2008 04:31 PM 10536 C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mlJcyxxu

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{72021c5c-faa4-11dc-9bbb-0016b6ef02dc}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\desktop.exe
Explore\Command- RECYCLER\desktop.exe
Open\Command- RECYCLER\desktop.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

7897 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-29 15:54:17 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 71%
Physical Memory (total/avail): 510.98 MiB / 143.75 MiB
Pagefile Memory (total/avail): 1249.77 MiB / 644.76 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1906.89 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 149.04 GiB total, 101.63 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST3160023AS - 149.05 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 149.04 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: VirusScan Enterprise + AntiSpyware Enterprise v8.5.0.781 (McAfee, Inc.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\myTunes Redux\\mDNSResponder.exe"="C:\\Program Files\\myTunes Redux\\mDNSResponder.exe:*:Enabled:mDNSResponder"
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer Renegade™\\Renegade\\Game.exe"="C:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer Renegade™\\Renegade\\Game.exe:*:Disabled:Renegade"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Disabled:AIM"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Disabled:AOL Instant Messenger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Disabled:AOL Loader"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Disabled:Ares p2p for windows"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Disabled:BitTorrent"
"C:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer™ Generals\\game.dat"="C:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer™ Generals\\game.dat:*:Disabled:game"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Disabled:iTunes"
"C:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer Red Alert™ II\\RA2\\game.exe"="C:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer Red Alert™ II\\RA2\\game.exe:*:Disabled:Main executable for Red Alert 2"
"C:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer™ Tiberian Sun™\\SUN\\Game.exe"="C:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer™ Tiberian Sun™\\SUN\\Game.exe:*:Disabled:Main executable for Tiberian Sun"
"C:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer Red Alert™ II\\RA2\\gamemd.exe"="C:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer Red Alert™ II\\RA2\\gamemd.exe:*:Disabled:Main executable for Yuri's Revenge"
"C:\\Program Files\\Valve\\Steam\\steam.exe"="C:\\Program Files\\Valve\\Steam\\steam.exe:*:Disabled:Steam"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Mike\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MICHAEL-5B9A322
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFLOGDIR=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Mike
LOGONSERVER=\\MICHAEL-5B9A322
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Mike\LOCALS~1\Temp
TMP=C:\DOCUME~1\Mike\LOCALS~1\Temp
USERDOMAIN=MICHAEL-5B9A322
USERNAME=Mike
USERPROFILE=C:\Documents and Settings\Mike
VSEDEFLOGDIR=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Mike (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
AC3Filter (remove only) --> C:\Program Files\AC3Filter\uninstall.exe
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe -q
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A71000000002}
AIM 6 --> C:\Program Files\AIM6\uninst.exe
AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
AOL Toolbar 2.0 --> "C:\Program Files\AOL\AOL Toolbar 2.0\uninstall.exe"
Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Ares 2.0.9 --> "C:\Program Files\Ares\uninstall.exe"
Audacity 1.2.6 --> "C:\Program Files\Audacity\unins000.exe"
Cisco Clean Access Agent --> MsiExec.exe /X{04010300-6D72-4D54-8686-91D884A27B5C}
Command & Conquer The First Decade --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{66D6F3BD-CA23-41A4-9FA3-96B26B32528C}\setup.exe" -l0x9 -removeonly
Dell AIO Printer A920 --> C:\WINDOWS\system32\spool\drivers\w32x86\3\DLBKUN5C.EXE -dDell AIO Printer A920
DNA --> "C:\Program Files\DNA\btdna.exe" /UNINSTALL
DriveImage XML --> "C:\Program Files\Runtime Software\DriveImage XML\Uninstall.exe" "C:\Program Files\Runtime Software\DriveImage XML\install.log" -u
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar3.dll"
GoToAssist 8.0.0.514 --> C:\Program Files\Citrix\GoToAssist\514\G2AUninstaller.exe /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
iTunes --> MsiExec.exe /I{E3FEE4E7-4488-4A3F-A6BD-13745936EADB}
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
McAfee AntiSpyware Enterprise Module --> "C:\Program Files\McAfee\VirusScan Enterprise\scan32.exe" /UninstallMAS
McAfee VirusScan Enterprise --> MsiExec.exe /I{35C03C04-3F1F-42C2-A989-A757EE691F65}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
myTunes Redux 1.0 --> "C:\Program Files\myTunes Redux\unins000.exe"
Python 2.5.1 --> MsiExec.exe /I{31800004-6386-4999-A519-518F2D78D8F0}
QuickTime --> MsiExec.exe /I{5B09BD67-4C99-46A1-8161-B7208CE18121}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
Spyware Doctor 5.5 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
Steam™ --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
wxPython 2.8.7.1 (unicode) for Python 2.5 --> "C:\Python25\Lib\site-packages\wx-2.8-msw-unicode\unins000.exe"
Xvid 1.1.2 final uninstall --> "C:\Program Files\Xvid\unins000.exe"
ZillaTube 3.1 --> C:\Program Files\ZillaTube\uninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type42 / Warning
Event Submitted/Written: 05/29/2008 02:51:00 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type39 / Error
Event Submitted/Written: 05/29/2008 09:37:28 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application scan32.exe, version 8.5.0.781, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type38 / Warning
Event Submitted/Written: 05/29/2008 09:33:25 AM
Event ID/Source: 258 / McLogEvent
Event Description:
The file C:\Documents and Settings\Mike\My Documents\My Music\iTunes...\T-13068350-Brasilian Women Soccer Team - porn erotic flatrix young teen lolita ass playboy asian preteen raped girl suck xxx bleep pee cock raped old anal bleeping mpg hentai nude group sex.wmv contains Downloader-UA Trojan. The file was successfully deleted.

Event Record #/Type37 / Error
Event Submitted/Written: 05/29/2008 09:32:14 AM
Event ID/Source: 1001 / Application Hang
Event Description:
Fault bucket 736063344.

Event Record #/Type36 / Error
Event Submitted/Written: 05/29/2008 09:32:01 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application avgsetup.exe, version 8.0.0.100, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type11079 / Error
Event Submitted/Written: 05/29/2008 02:50:44 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type11078 / Error
Event Submitted/Written: 05/29/2008 02:01:53 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type11077 / Error
Event Submitted/Written: 05/29/2008 02:00:34 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type11076 / Error
Event Submitted/Written: 05/29/2008 10:37:45 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type11075 / Error
Event Submitted/Written: 05/29/2008 10:05:23 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}



-- End of Deckard's System Scanner: finished at 2008-05-29 15:54:17 ------------



KASPERSKY ONLINE SCANNER REPORT
Thursday, May 29, 2008 5:47:42 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/05/2008
Kaspersky Anti-Virus database records: 812777


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\

Scan Statistics
Total number of scanned objects 57754
Number of viruses found 3
Number of infected objects 7
Number of suspicious objects 0
Duration of the scan process 01:01:26

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_MICHAEL-5B9A322.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\PrdMgr_MICHAEL-5B9A322.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mike\Application Data\acccore\nss\cert8.db Object is locked skipped
C:\Documents and Settings\Mike\Application Data\acccore\nss\key3.db Object is locked skipped
C:\Documents and Settings\Mike\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\AOL OCP\AIM\Storage\data\mwbcobra\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\AOL OCP\AIM\Storage\data\mykohlbower\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\History\History.IE5\MSHist012008052920080530\index.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Temp\NAILogs\UpdaterUI_MICHAEL-5B9A322.log Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Temp\~DF52B0.tmp Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Temp\~DF52C0.tmp Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mike\ntuser.dat Object is locked skipped
C:\Documents and Settings\Mike\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{B4546CEA-4E69-40D5-B873-C7B9BE71725E}\RP554\A0026704.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.voi skipped
C:\System Volume Information\_restore{B4546CEA-4E69-40D5-B873-C7B9BE71725E}\RP554\A0026718.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.voi skipped
C:\System Volume Information\_restore{B4546CEA-4E69-40D5-B873-C7B9BE71725E}\RP554\A0026897.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{B4546CEA-4E69-40D5-B873-C7B9BE71725E}\RP554\A0026897.exe RAR: infected - 1 skipped
C:\System Volume Information\_restore{B4546CEA-4E69-40D5-B873-C7B9BE71725E}\RP554\A0026906.exe Infected: not-a-virus:FraudTool.Win32.VirusIsolator.l skipped
C:\System Volume Information\_restore{B4546CEA-4E69-40D5-B873-C7B9BE71725E}\RP554\A0026907.exe Infected: not-a-virus:FraudTool.Win32.VirusIsolator.l skipped
C:\System Volume Information\_restore{B4546CEA-4E69-40D5-B873-C7B9BE71725E}\RP554\A0026909.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.voi skipped
C:\System Volume Information\_restore{B4546CEA-4E69-40D5-B873-C7B9BE71725E}\RP556\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\pfirewall.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Cookies\index.dat Object is locked skipped
C:\WINDOWS\Temp\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped

Scan process completed.


I have no idea what I should do now, so any help would be greatly appreciated. Thanks in advance,
Mike

Edited by bauermw, 29 May 2008 - 05:08 PM.
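The Kaspersky report above is easy to misread: most of its rows are "Object is locked skipped" noise (registry hives, index.dat, event logs), and all seven real detections sit under `C:\System Volume Information\_restore{...}\RP554`, the System Restore store, which an on-demand scanner can list but not clean. The `RiskTool.Win32.Reboot.f` hit inside `A0026897.exe/SmitfraudFix/Reboot.exe` is a cached copy of the SmitFraudFix tool the poster ran, not the infection. The script below is an added example for this thread, not a tool from either post: it parses report rows of this shape, reproduces the report's own "infected objects" and "viruses found" counts, and separates restore-point hits (which need System Restore turned off and back on after cleanup) from anything still live on disk. The sample rows are copied from the report above; the function names and the `KNOWN_CLEANUP_TOOLS` tuple are this example's own assumptions.

```python
"""Triage a Kaspersky Online Scanner (v5-era) report table.

Added example for this thread, not a tool from the original posts.
"""
import re
from collections import Counter

# Rows copied from the report posted above: three locked objects plus all
# seven infected entries. The GUID is that machine's own restore-store id.
SAMPLE_REPORT = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Documents and Settings\Mike\ntuser.dat Object is locked skipped
C:\System Volume Information\_restore{B4546CEA-4E69-40D5-B873-C7B9BE71725E}\RP554\A0026704.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.voi skipped
C:\System Volume Information\_restore{B4546CEA-4E69-40D5-B873-C7B9BE71725E}\RP554\A0026718.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.voi skipped
C:\System Volume Information\_restore{B4546CEA-4E69-40D5-B873-C7B9BE71725E}\RP554\A0026897.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{B4546CEA-4E69-40D5-B873-C7B9BE71725E}\RP554\A0026897.exe RAR: infected - 1 skipped
C:\System Volume Information\_restore{B4546CEA-4E69-40D5-B873-C7B9BE71725E}\RP554\A0026906.exe Infected: not-a-virus:FraudTool.Win32.VirusIsolator.l skipped
C:\System Volume Information\_restore{B4546CEA-4E69-40D5-B873-C7B9BE71725E}\RP554\A0026907.exe Infected: not-a-virus:FraudTool.Win32.VirusIsolator.l skipped
C:\System Volume Information\_restore{B4546CEA-4E69-40D5-B873-C7B9BE71725E}\RP554\A0026909.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.voi skipped
C:\System Volume Information\_restore{B4546CEA-4E69-40D5-B873-C7B9BE71725E}\RP556\change.log Object is locked skipped
"""

# One table row: <path> <status> <last action>. Paths contain spaces, so the
# path group is lazy and the three status alternatives anchor it.
ROW_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:(?P<locked>Object is locked)"
    r"|Infected: (?P<sig>\S+)"
    r"|(?P<archive>RAR: infected - \d+))"
    r"\s+(?P<action>\S+)$"
)

# XP System Restore keeps file copies here; RPnnn is the restore point that
# has to be flushed (System Restore off, then on) once the live system is clean.
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-F-]+\}\\(RP\d+)\\", re.I
)

# Cleanup tools whose own components trip RiskTool signatures when an archived
# copy lands in a restore point. SmitFraudFix is the one this poster ran; the
# tuple is an assumption of this example and can be extended.
KNOWN_CLEANUP_TOOLS = ("SmitfraudFix",)


def parse_signature(sig):
    """Split a Kaspersky name into (behaviour, platform, family, variant).

    The 'not-a-virus:' prefix marks riskware/adware classes rather than
    malware proper; it is stripped before splitting on dots.
    """
    body = sig.split(":", 1)[1] if sig.startswith("not-a-virus:") else sig
    parts = body.split(".")
    while len(parts) < 4:
        parts.append("")
    return tuple(parts[:4])


def parse_report(text):
    """Yield one dict per table row; non-row lines are ignored."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rp = RESTORE_RE.search(m["path"])
        yield {
            "path": m["path"],
            "locked": m["locked"] is not None,
            "signature": m["sig"],  # None for locked and archive rows
            "action": m["action"],
            "restore_point": rp.group(1) if rp else None,
            "cleanup_tool": any(t in m["path"] for t in KNOWN_CLEANUP_TOOLS),
        }


def triage(text):
    """Reproduce the report's counts and sort hits by where they live."""
    rows = list(parse_report(text))
    infected = [r for r in rows if not r["locked"]]
    sigs = Counter(r["signature"] for r in infected if r["signature"])
    families = Counter(parse_signature(s)[2] for s in sigs.elements())
    in_rp = Counter(r["restore_point"] for r in infected if r["restore_point"])
    return {
        "locked_skipped": sum(r["locked"] for r in rows),
        "infected_objects": len(infected),  # the report's "infected objects"
        "viruses_found": len(sigs),         # the report's distinct signatures
        "families": families,
        "restore_points": dict(in_rp),
        "needs_restore_purge": bool(in_rp),
        "tool_artifacts": [r["path"] for r in infected if r["cleanup_tool"]],
        "live_hits": [r["path"] for r in infected if not r["restore_point"]],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run against the rows above it reports 7 infected objects and 3 distinct signatures, matching the report's "Number of infected objects 7" and "Number of viruses found 3", with every hit in RP554 and an empty `live_hits` list; that is the signal to finish the live cleanup first and purge restore points last, rather than chase the RP554 entries directly.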



#2 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 30 May 2008 - 02:36 PM

Hi Mike

Please Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

THEN ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#3 bauermw

bauermw
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:47 PM

Posted 31 May 2008 - 12:02 AM

Your instructions already seem to have helped a great deal. Many of the problems that I was having are gone. I'm sure that I'm not completely clean though. I ran Spybot S&D and it came up with one Virtumonde.dll entry as well as one MediaPlex entry. I deleted them both and ran Spybot again. Nothing was found the second time. I also ran Kaspersky and multiple items showed up. Here are my logs for Malwarebytes' Anti-Malware, ComboFix, HJT and Kaspersky.


Malwarebytes' Anti-Malware 1.14
Database version: 807

12:18:34 AM 5/31/2008
mbam-log-5-31-2008 (00-18-34).txt

Scan type: Quick Scan
Objects scanned: 35767
Time elapsed: 7 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 16
Registry Values Infected: 4
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\sreeagce.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\awtqnkhe.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\busmkfgj.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\wvUoPgFX.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\boqnrwdmslm.dll (Trojan.FakeAlert) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{96134abb-ad7c-4135-a927-329b735d524f} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{96134abb-ad7c-4135-a927-329b735d524f} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtqnkhe (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{c2b273f7-4cdb-42ed-8016-bcd41372fcd5} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c2b273f7-4cdb-42ed-8016-bcd41372fcd5} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{82852436-f845-4519-a0cc-b2a8d54c3704} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{82852436-f845-4519-a0cc-b2a8d54c3704} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\atfxqogp.bqfm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\atfxqogp.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d808fe6f (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{96134abb-ad7c-4135-a927-329b735d524f} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\Control Panel\Desktop\OriginalWallpaper (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\ConvertedWallpaper (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\wvuopgfx -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\sreeagce.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\awtqnkhe.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\busmkfgj.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wvUoPgFX.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\cbXPiIbx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\unoxrpoj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\PQ3Y4XEI\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\TMYP0FHO\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\xmpstean.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\boqnrwdmslm.dll (Trojan.FakeAlert) -> Delete on reboot.





ComboFix 08-05-29.1 - Mike 2008-05-31 0:44:48.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.247 [GMT -4:00]
Running from: C:\Documents and Settings\Mike\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Antivirus 2008 PRO
C:\Program Files\Antivirus 2008 PRO\vscan.tsi
C:\WINDOWS\boqnrwdmslm.dll
C:\WINDOWS\system32\awtqnkhe.dll
C:\WINDOWS\system32\busmkfgj.dll
C:\WINDOWS\system32\cbegjkkj.ini2
C:\WINDOWS\system32\ecgaeers.ini
C:\WINDOWS\system32\jgfkmsub.ini
C:\WINDOWS\system32\joprxonu.ini
C:\WINDOWS\system32\jRqYFMoq.ini
C:\WINDOWS\system32\jRqYFMoq.ini2
C:\WINDOWS\system32\loruBJjl.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\sreeagce.dll
C:\WINDOWS\system32\uxxycJlm.ini
C:\WINDOWS\system32\uxxycJlm.ini2
C:\WINDOWS\system32\XFgPoUvw.ini
C:\WINDOWS\system32\XFgPoUvw.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-31 )))))))))))))))))))))))))))))))
.

2008-05-31 00:09 . 2008-05-31 00:09 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Malwarebytes
2008-05-31 00:09 . 2008-05-31 00:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-31 00:09 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-31 00:09 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-31 00:08 . 2008-05-31 00:09 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-31 00:00 . 2008-05-31 00:18 324,864 --------- C:\WINDOWS\system32\wvUoPgFX.dll
2008-05-29 15:51 . 2008-05-29 15:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-29 15:49 . 2008-05-29 15:49 <DIR> d-------- C:\Deckard
2008-05-29 15:15 . 2008-05-29 15:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-29 15:15 . 2008-05-29 15:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-29 10:05 . 2008-05-29 10:05 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-29 09:11 . 2008-05-29 09:11 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\PC Tools
2008-05-29 09:11 . 2008-05-31 00:39 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-29 09:11 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-05-29 09:11 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-05-29 09:11 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-05-29 09:11 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-05-29 08:56 . 2008-05-29 18:58 416 --a------ C:\WINDOWS\wininit.ini
2008-05-29 04:03 . 2008-05-29 15:15 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-29 04:03 . 2008-05-29 04:34 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-05-29 01:04 . 2008-05-28 19:43 94,208 --a------ C:\WINDOWS\ealm.exe
2008-05-28 16:32 . 2008-05-28 16:32 <DIR> d-------- C:\Program Files\Citrix
2008-05-28 16:32 . 2008-05-28 16:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-05-28 16:31 . 2008-05-28 16:31 61,224 --a------ C:\Documents and Settings\Mike\GoToAssistDownloadHelper.exe
2008-05-28 15:26 . 2003-05-12 15:02 303,104 --a------ C:\WINDOWS\system32\LEXBCES.EXE
2008-05-28 15:26 . 2003-05-12 15:02 286,720 --a------ C:\WINDOWS\system32\dlbkcomm.dll
2008-05-28 15:26 . 2003-05-12 15:02 201,216 --a------ C:\WINDOWS\system32\LEXP2P32.DLL
2008-05-28 15:26 . 2003-05-12 15:02 196,096 --a------ C:\WINDOWS\system32\LEX2KUSB.DLL
2008-05-28 15:26 . 2003-05-12 15:02 192,512 --a------ C:\WINDOWS\system32\lexlmpm.dll
2008-05-28 15:26 . 2003-05-12 15:02 174,592 --a------ C:\WINDOWS\system32\LEXPPS.EXE
2008-05-28 15:26 . 2003-05-12 15:02 147,456 --a------ C:\WINDOWS\system32\LEXBCE.DLL
2008-05-28 15:26 . 2003-05-12 15:02 73,728 --a------ C:\WINDOWS\system32\dlbkpwr.dll
2008-05-28 15:26 . 2003-05-12 15:02 40,960 --a------ C:\WINDOWS\system32\dlbkvs.dll
2008-05-28 15:26 . 2008-05-28 15:54 243 --a------ C:\WINDOWS\dellstat.ini
2008-05-28 15:25 . 2008-05-28 15:26 <DIR> d-------- C:\Program Files\Dell AIO Printer A920
2008-05-28 15:25 . 2008-05-28 15:25 <DIR> d-------- C:\Program Files\Dell A920
2008-05-28 15:25 . 2008-05-28 15:25 <DIR> d-------- C:\Documents and Settings\Mike\WINDOWS
2008-05-28 15:25 . 1997-04-08 20:08 299,520 --a------ C:\WINDOWS\uninst.exe
2008-05-28 15:25 . 2001-08-17 22:36 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
2008-05-28 15:25 . 2001-08-17 22:36 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2008-05-28 15:25 . 2003-05-12 15:02 69,632 --a------ C:\WINDOWS\system32\dlbkscin.dll
2008-05-28 15:25 . 2003-05-12 15:02 57,344 --a------ C:\WINDOWS\system32\dlbkcinf.dll
2008-05-28 15:25 . 2003-05-12 15:02 49,152 --a------ C:\WINDOWS\system32\dlbkcoin.dll
2008-05-28 15:25 . 2003-05-12 15:02 255 --a------ C:\WINDOWS\system32\dlbkcoin.ini
2008-05-28 15:22 . 2008-05-28 15:22 23,456,456 --a------ C:\WINDOWS\R60655.EXE
2008-05-27 14:18 . 2008-05-27 14:18 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-04-12 15:06 . 2008-04-23 13:55 <DIR> d-------- C:\Program Files\ZillaTube
2008-04-12 14:54 . 2007-09-21 19:31 1,370,890 -ra------ C:\WINDOWS\kiss.CAB
2008-04-12 14:54 . 2008-04-12 14:54 282,624 -ra------ C:\WINDOWS\Setup1.exe
2008-04-12 14:54 . 2008-04-12 14:54 102,400 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2008-04-12 14:54 . 2008-04-12 14:54 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-04-06 16:38 . 2008-04-06 16:38 <DIR> d-------- C:\Program Files\Ares
2008-04-06 16:01 . 2008-04-06 16:01 <DIR> d-------- C:\Program Files\DNA
2008-04-06 16:01 . 2008-05-31 00:47 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\DNA
2008-04-05 18:17 . 2008-04-05 18:17 <DIR> d--h----- C:\WINDOWS\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-27 18:18 --------- d-----w C:\Program Files\Common Files\Real
2008-05-22 07:33 --------- d-----w C:\Program Files\Java
2008-05-08 14:22 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-08 14:20 --------- d-----w C:\Documents and Settings\Mike\Application Data\AdobeUM
2008-04-20 21:30 --------- d-----w C:\Program Files\Common Files\Viewpoint
2008-04-08 22:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-08 22:35 --------- d-----w C:\Program Files\Viewpoint
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-26 11:59 294,912 ----a-w C:\WINDOWS\system32\msctf.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-15 22:26 691,545 ----a-w C:\WINDOWS\unins000.exe
2006-09-05 03:24 14,249,868 -c--a-w C:\Documents and Settings\Mike\VS80i.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3C28A243-BF87-4A1A-86A8-9B9BF8EC02FD}]
C:\WINDOWS\system32\mlJcyxxu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{82852436-F845-4519-A0CC-B2A8D54C3704}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8344AA6F-8ECE-4EF2-9A9D-4BCC15DD5A92}]
C:\WINDOWS\system32\qoMFYqRj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96134ABB-AD7C-4135-A927-329B735D524F}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\valve\steam\steam.exe" [2008-04-26 16:05 1271032]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 09:56 15360]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 12:15 50528]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-08 16:08 289088]
"ares"="C:\Program Files\Ares\Ares.exe" [2008-02-20 10:33 963072]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB9668"="command /c del C:\WINDOWS\system32\mlJcyxxu.dll_old" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 20:50 112216]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 11:27 136768]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 21:16 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 19:36 267048]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-27 14:16 185896]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-12 15:02 270336]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
Clean Access Agent.lnk - C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe [2007-12-07 18:12:50 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll 2008-05-28 16:31 10536 C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\myTunes Redux\\mDNSResponder.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer Renegade™\\Renegade\\Game.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer™ Generals\\game.dat"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer Red Alert™ II\\RA2\\game.exe"=
"C:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer™ Tiberian Sun™\\SUN\\Game.exe"=
"C:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer Red Alert™ II\\RA2\\gamemd.exe"=
"C:\\Program Files\\Valve\\Steam\\steam.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S3 GoToAssist;GoToAssist;"C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe" Start=service []
S3 USB200M;Linksys USB 2.0 Network Adapter ver.2;C:\WINDOWS\system32\DRIVERS\USB200M2.sys [2005-04-21 02:30]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-28 00:01:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-31 00:49:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\McAfee\Common Framework\Mctray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2008-05-31 0:56:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-31 04:56:19

Pre-Run: 109,025,890,304 bytes free
Post-Run: 109,028,773,888 bytes free

197 --- E O F --- 2008-05-27 18:25:42

Deckard's System Scanner v20071014.68
Run by Mike on 2008-05-31 01:09:08
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Mike.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:09:11 AM, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Mike\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Mike.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myxu.xu.edu/cp/home/loginf
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3C28A243-BF87-4A1A-86A8-9B9BF8EC02FD} - C:\WINDOWS\system32\mlJcyxxu.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {8344AA6F-8ECE-4EF2-9A9D-4BCC15DD5A92} - C:\WINDOWS\system32\qoMFYqRj.dll (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8353 bytes

-- Files created between 2008-04-30 and 2008-05-31 -----------------------------

2008-05-31 00:43:51 68096 --a------ C:\WINDOWS\zip.exe
2008-05-31 00:43:51 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-31 00:43:51 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-31 00:43:51 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-31 00:43:51 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-31 00:43:51 98816 --a------ C:\WINDOWS\sed.exe
2008-05-31 00:43:51 80412 --a------ C:\WINDOWS\grep.exe
2008-05-31 00:43:51 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-31 00:09:15 0 d-------- C:\Documents and Settings\Mike\Application Data\Malwarebytes
2008-05-31 00:09:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-31 00:08:58 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-31 00:00:13 324864 -----n--- C:\WINDOWS\system32\wvUoPgFX.dll
2008-05-29 15:51:39 0 d-------- C:\Program Files\Trend Micro
2008-05-29 15:15:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-29 15:15:32 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-29 10:05:16 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-29 09:11:41 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-29 09:11:05 0 d-------- C:\Documents and Settings\Mike\Application Data\PC Tools
2008-05-29 04:03:28 0 d-------- C:\Program Files\Common Files\PC Tools
2008-05-29 04:03:17 0 d-------- C:\Program Files\Spyware Doctor
2008-05-29 02:34:10 0 d-------- C:\WINDOWS\pss
2008-05-29 01:10:52 5586944 --a------ C:\Documents and Settings\Mike\ntuser.dat
2008-05-29 01:10:50 577536 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2008-05-29 01:04:09 94208 --a------ C:\WINDOWS\ealm.exe
2008-05-28 16:32:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-05-28 16:32:00 0 d-------- C:\Program Files\Citrix
2008-05-28 15:25:46 0 d-------- C:\Program Files\Dell AIO Printer A920
2008-05-28 15:25:24 0 d-------- C:\Program Files\Dell A920
2008-05-28 15:25:21 299520 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2008-05-28 15:25:19 0 d-------- C:\Documents and Settings\Mike\WINDOWS
2008-05-27 14:18:44 0 d-------- C:\Program Files\Common Files\xing shared
2008-05-08 10:22:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-05-31 01:00:45 0 d-------- C:\Documents and Settings\Mike\Application Data\DNA
2008-05-29 04:03:28 0 d-------- C:\Program Files\Common Files
2008-05-27 14:18:23 0 d-------- C:\Program Files\Common Files\Real
2008-05-22 03:33:31 0 d-------- C:\Program Files\Java
2008-05-08 10:22:13 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-08 10:20:38 0 d-------- C:\Documents and Settings\Mike\Application Data\AdobeUM
2008-04-23 13:55:39 0 d-------- C:\Program Files\ZillaTube
2008-04-23 13:53:35 2 --ahs---- C:\Documents and Settings\Mike\Application Data\evf
2008-04-21 18:37:14 0 d-------- C:\Documents and Settings\Mike\Application Data\Real
2008-04-20 17:30:42 0 d-------- C:\Program Files\Common Files\Viewpoint
2008-04-12 14:54:33 282624 -ra------ C:\WINDOWS\Setup1.exe <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Windows>
2008-04-12 14:54:30 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-04-12 14:54:29 102400 --a------ C:\WINDOWS\system32\VB6STKIT.DLL <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-04-08 18:35:33 0 d-------- C:\Program Files\Viewpoint
2008-04-06 16:38:34 0 d-------- C:\Program Files\Ares
2008-04-06 16:01:48 0 d-------- C:\Program Files\DNA


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3C28A243-BF87-4A1A-86A8-9B9BF8EC02FD}]
C:\WINDOWS\system32\mlJcyxxu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8344AA6F-8ECE-4EF2-9A9D-4BCC15DD5A92}]
C:\WINDOWS\system32\qoMFYqRj.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [02/22/2007 08:50 PM]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [12/19/2006 11:27 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/19/2007 09:16 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [11/02/2007 07:36 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/27/2008 02:16 PM]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [05/12/2003 03:02 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\valve\steam\steam.exe" [04/26/2008 04:05 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/12/2004 09:56 AM]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [01/03/2008 12:15 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 12:43 PM]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [05/08/2008 04:08 PM]
"ares"="C:\Program Files\Ares\Ares.exe" [02/20/2008 10:33 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [4/23/2008 3:38:16 AM]
Clean Access Agent.lnk - C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe [12/7/2007 6:12:50 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll 05/28/2008 04:31 PM 10536 C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

-- End of Deckard's System Scanner: finished at 2008-05-31 01:09:34 ------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:07:30 AM, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myxu.xu.edu/cp/home/loginf
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3C28A243-BF87-4A1A-86A8-9B9BF8EC02FD} - C:\WINDOWS\system32\mlJcyxxu.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {8344AA6F-8ECE-4EF2-9A9D-4BCC15DD5A92} - C:\WINDOWS\system32\qoMFYqRj.dll (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8321 bytes

KASPERSKY ONLINE SCANNER REPORT
Saturday, May 31, 2008 4:30:03 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 31/05/2008
Kaspersky Anti-Virus database records: 818692


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\

Scan Statistics
Total number of scanned objects 58263
Number of viruses found 9
Number of infected objects 35
Number of suspicious objects 0
Duration of the scan process 00:49:18

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_MICHAEL-5B9A322.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\PrdMgr_MICHAEL-5B9A322.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloaderbs.zip/vltdfabw.dll Infected: Trojan.Win32.Vapsup.fwk skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloaderbs.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloaderbs1.zip/atfxqogp.dll Infected: Trojan.Win32.Vapsup.fwq skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloaderbs1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloaderbs2.zip/vltdfabw.dll_old Infected: Trojan.Win32.Vapsup.fwk skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloaderbs2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloaderbs3.zip/atfxqogp.dll_old Infected: Trojan.Win32.Vapsup.fwq skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloaderbs3.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloaderbs4.zip/vltdfabw.dll Infected: Trojan.Win32.Vapsup.fwk skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloaderbs4.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloaderbs5.zip/atfxqogp.dll Infected: Trojan.Win32.Vapsup.fwq skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloaderbs5.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadervcd2.zip/vregfwlx.dll Infected: Trojan.Win32.Vapsup.fws skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadervcd2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadervcd3.zip/vregfwlx.dll_old Infected: Trojan.Win32.Vapsup.fws skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadervcd3.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadervcd4.zip/vregfwlx.dll Infected: Trojan.Win32.Vapsup.fws skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadervcd4.zip ZIP: infected - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mike\Application Data\acccore\nss\cert8.db Object is locked skipped
C:\Documents and Settings\Mike\Application Data\acccore\nss\key3.db Object is locked skipped
C:\Documents and Settings\Mike\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\AOL OCP\AIM\Storage\data\mwbcobra\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\AOL OCP\AIM\Storage\data\mykohlbower\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\History\History.IE5\MSHist012008053120080601\index.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Temp\NAILogs\UpdaterUI_MICHAEL-5B9A322.log Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Temp\~DFE126.tmp Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Temp\~DFE143.tmp Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mike\ntuser.dat Object is locked skipped
C:\Documents and Settings\Mike\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{B4546CEA-4E69-40D5-B873-C7B9BE71725E}\RP553\A0025513.dll Infected: Trojan.Win32.Vapsup.fwk skipped
C:\System Volume Information\_restore{B4546CEA-4E69-40D5-B873-C7B9BE71725E}\RP553\A0025514.dll Infected: Trojan.Win32.Vapsup.fwq skipped
C:\System Volume Information\_restore{B4546CEA-4E69-40D5-B873-C7B9BE71725E}\RP553\A0025515.dll Infected: Trojan.Win32.Vapsup.fws skipped
C:\System Volume Information\_restore{B4546CEA-4E69-40D5-B873-C7B9BE71725E}\RP553\A0025546.dll Infected: Trojan.Win32.Vapsup.fwm skipped
C:\System Volume Information\_restore{B4546CEA-4E69-40D5-B873-C7B9BE71725E}\RP553\A0025547.exe Infected: not-a-virus:FraudTool.Win32.Agent.c skipped
C:\System Volume Information\_restore{B4546CEA-4E69-40D5-B873-C7B9BE71725E}\RP554\A0026704.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.voi skipped
C:\System Volume Information\_restore{B4546CEA-4E69-40D5-B873-C7B9BE71725E}\RP554\A0026718.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.voi skipped
C:\System Volume Information\_restore{B4546CEA-4E69-40D5-B873-C7B9BE71725E}\RP554\A0026897.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{B4546CEA-4E69-40D5-B873-C7B9BE71725E}\RP554\A0026897.exe RAR: infected - 1 skipped
C:\System Volume Information\_restore{B4546CEA-4E69-40D5-B873-C7B9BE71725E}\RP554\A0026906.exe Infected: not-a-virus:FraudTool.Win32.VirusIsolator.l skipped
C:\System Volume Information\_restore{B4546CEA-4E69-40D5-B873-C7B9BE71725E}\RP554\A0026907.exe Infected: not-a-virus:FraudTool.Win32.VirusIsolator.l skipped
C:\System Volume Information\_restore{B4546CEA-4E69-40D5-B873-C7B9BE71725E}\RP554\A0026909.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.voi skipped
C:\System Volume Information\_restore{B4546CEA-4E69-40D5-B873-C7B9BE71725E}\RP554\A0026953.exe Infected: not-a-virus:FraudTool.Win32.Agent.c skipped
C:\System Volume Information\_restore{B4546CEA-4E69-40D5-B873-C7B9BE71725E}\RP555\A0026973.dll Infected: Trojan.Win32.Vapsup.fwk skipped
C:\System Volume Information\_restore{B4546CEA-4E69-40D5-B873-C7B9BE71725E}\RP555\A0026974.dll Infected: Trojan.Win32.Vapsup.fwq skipped
C:\System Volume Information\_restore{B4546CEA-4E69-40D5-B873-C7B9BE71725E}\RP555\A0026975.dll Infected: Trojan.Win32.Vapsup.fws skipped
C:\System Volume Information\_restore{B4546CEA-4E69-40D5-B873-C7B9BE71725E}\RP557\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ealm.exe Infected: Trojan.Win32.Vapsup.fwt skipped
C:\WINDOWS\pfirewall.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.




I noticed that it said that I did not have the Recovery Console installed, but I followed the instructions to do so. I couldn't load it from my CD, because for some reason I had an XP Professional CD, but I'm only running the Home Edition. So I navigated through the website I was instructed to, and downloaded it from there. I must have made some mistake. If I did, could you possibly direct me towards slightly more informative instructions, or tell me what I might have done wrong? Also, since my computer was infected, I have been browsing from another computer in my house that isn't infected. It is connected to the infected computer though by a wired router. Should I be worried about the malware transferring systems? The last thing I want is to have two bum computers. Finally, what would be the best, free way to protect my computer? I already have Spybot, Ad-Aware (which I will re-download the newer 2008 version), and I'm using the default Windows firewall. What else would you recommend that I use once all of this is said and done? I really appreciate your help. Thanks.

Edited by bauermw, 31 May 2008 - 03:34 PM.


#4 steamwiz

Posted 31 May 2008 - 05:47 PM

Hi

There is little or no chance anything you have will infect networked computers unless you manually transfer infected files between computers yourself ...

I can't make the installation of the recovery console any easier than the instructions are at the moment ... I can't think why it didn't work for you, but not to worry, the recovery console is desirable but not necessary to be able to clean your computer.

Please have a look here at ways to keep your computer safe :-

Simple steps to keep your computer secure! By Grinler > http://www.bleepingcomputer.com/forums/t/1628/simple-steps-to-keep-your-computer-secure/

& here :-

So how did I get infected in the first place? By TonyKlein > http://forums.spybot.info/showthread.php?t=279

But before you do any of that, let's get your computer clean :thumbsup:

Please empty Spybot's Quarantine folder ...

Run Spybot > click Recovery > tick everything ...

then click purge selected items

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\ealm.exe
C:\WINDOWS\system32\wvUoPgFX.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3C28A243-BF87-4A1A-86A8-9B9BF8EC02FD}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{82852436-F845-4519-A0CC-B2A8D54C3704}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8344AA6F-8ECE-4EF2-9A9D-4BCC15DD5A92}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96134ABB-AD7C-4135-A927-329B735D524F}]


Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
Posted Image

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
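The script below is an added example, not code from steamwiz's post or from ComboFix or HijackThis. It shows where the Registry:: lines in the CFScript above come from: each [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CLSID}] line corresponds to an O2 (BHO) entry in a HijackThis log that ends in "(no file)", that is, an orphaned browser helper whose DLL has already been deleted but whose registration is still present. It also checks the constraint steamwiz stresses, that File:: is the very first line of the saved file with no blank line or space in front of it (a UTF-8 byte-order mark written by some editors breaks this in the same way). The sample O2 lines are constructed from the kind of entries posted in this thread, and the "~" path shorthand is reproduced exactly as it appears in the post.

```python
"""Build and validate a ComboFix CFScript from HijackThis O2 (BHO) lines.

Added example for this thread; not code from the post, ComboFix or HijackThis.
The CFScript layout (File::, blank line, Registry::, [-key] lines) and the
'~' shorthand are copied from steamwiz's post above.
"""
import re

# Constructed sample: O2 lines of the kind found in the HijackThis logs in this
# thread. The first one points at an existing DLL and must NOT be flagged.
SAMPLE_HJT_LINES = [
    "O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"
    " - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll",
    "O2 - BHO: (no name) - {3C28A243-BF87-4A1A-86A8-9B9BF8EC02FD} - (no file)",
    "O2 - BHO: (no name) - {82852436-F845-4519-A0CC-B2A8D54C3704} - (no file)",
    "O2 - BHO: (no name) - {8344AA6F-8ECE-4EF2-9A9D-4BCC15DD5A92} - (no file)",
    "O2 - BHO: (no name) - {96134ABB-AD7C-4135-A927-329B735D524F} - (no file)",
    # O3 toolbar entries live under a different key and are deliberately ignored here.
    "O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)",
]

# HijackThis O2 line: "O2 - BHO: <name> - {CLSID} - <dll path or '(no file)'>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$"
)


def orphaned_bho_clsids(lines):
    """Return the CLSIDs of O2 entries whose DLL is gone ('(no file)')."""
    found = []
    for line in lines:
        m = O2_RE.match(line.strip())
        if m and m.group("target").strip() == "(no file)":
            found.append(m.group("clsid"))
    return found


def build_cfscript(files, bho_clsids):
    """Render a CFScript in the layout used in the post: File:: block,
    a blank line, then a Registry:: block of [-key] deletions."""
    out = ["File::"]
    out.extend(files)
    out.append("")
    out.append("Registry::")
    out.extend(f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{c}]" for c in bho_clsids)
    return "\n".join(out) + "\n"


def validate_cfscript(text):
    """Check the constraint steamwiz stresses: 'File::' must be the very first
    line, with no blank line above it and no leading whitespace. A UTF-8 BOM
    (U+FEFF) in front of it is reported as well."""
    problems = []
    if text.startswith("\ufeff"):
        problems.append("file starts with a BOM")
    lines = text.splitlines()
    if not lines:
        return ["empty file"]
    first = lines[0].lstrip("\ufeff")
    if first == "":
        problems.append("blank line above File::")
    elif first != "File::":
        if first.strip() == "File::":
            problems.append("leading whitespace before File::")
        else:
            problems.append("first line is not File::")
    return problems


if __name__ == "__main__":
    clsids = orphaned_bho_clsids(SAMPLE_HJT_LINES)
    # File paths taken from the CFScript in the post above.
    script = build_cfscript(
        ["C:\\WINDOWS\\ealm.exe", "C:\\WINDOWS\\system32\\wvUoPgFX.dll"], clsids
    )
    print(script)
    print("problems:", validate_cfscript(script) or "none")
```

Run it and compare the Registry:: block it prints with the one in the post: the four CLSIDs match the four "(no file)" O2 entries. Save the output with an editor that does not add a BOM, then run validate_cfscript on the saved file before dragging it onto ComboFix.exe.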

#5 bauermw (Topic Starter)

Posted 31 May 2008 - 06:07 PM

Thanks for the information. Here are the new logs.


ComboFix 08-05-29.1 - Mike 2008-05-31 19:01:12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.222 [GMT -4:00]
Running from: C:\Documents and Settings\Mike\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mike\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\ealm.exe
C:\WINDOWS\system32\wvUoPgFX.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\ealm.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-31 )))))))))))))))))))))))))))))))
.

2008-05-31 00:09 . 2008-05-31 00:09 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Malwarebytes
2008-05-31 00:09 . 2008-05-31 00:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-31 00:09 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-31 00:09 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-31 00:08 . 2008-05-31 00:09 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-29 15:51 . 2008-05-29 15:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-29 15:49 . 2008-05-29 15:49 <DIR> d-------- C:\Deckard
2008-05-29 15:15 . 2008-05-29 15:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-29 15:15 . 2008-05-29 15:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-29 10:05 . 2008-05-29 10:05 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-29 09:11 . 2008-05-29 09:11 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\PC Tools
2008-05-29 09:11 . 2008-05-31 18:55 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-29 09:11 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-05-29 09:11 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-05-29 09:11 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-05-29 09:11 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-05-29 08:56 . 2008-05-29 18:58 416 --a------ C:\WINDOWS\wininit.ini
2008-05-29 04:03 . 2008-05-29 15:15 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-29 04:03 . 2008-05-29 04:34 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-05-28 16:32 . 2008-05-28 16:32 <DIR> d-------- C:\Program Files\Citrix
2008-05-28 16:32 . 2008-05-28 16:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-05-28 16:31 . 2008-05-28 16:31 61,224 --a------ C:\Documents and Settings\Mike\GoToAssistDownloadHelper.exe
2008-05-28 15:26 . 2003-05-12 15:02 303,104 --a------ C:\WINDOWS\system32\LEXBCES.EXE
2008-05-28 15:26 . 2003-05-12 15:02 286,720 --a------ C:\WINDOWS\system32\dlbkcomm.dll
2008-05-28 15:26 . 2003-05-12 15:02 201,216 --a------ C:\WINDOWS\system32\LEXP2P32.DLL
2008-05-28 15:26 . 2003-05-12 15:02 196,096 --a------ C:\WINDOWS\system32\LEX2KUSB.DLL
2008-05-28 15:26 . 2003-05-12 15:02 192,512 --a------ C:\WINDOWS\system32\lexlmpm.dll
2008-05-28 15:26 . 2003-05-12 15:02 174,592 --a------ C:\WINDOWS\system32\LEXPPS.EXE
2008-05-28 15:26 . 2003-05-12 15:02 147,456 --a------ C:\WINDOWS\system32\LEXBCE.DLL
2008-05-28 15:26 . 2003-05-12 15:02 73,728 --a------ C:\WINDOWS\system32\dlbkpwr.dll
2008-05-28 15:26 . 2003-05-12 15:02 40,960 --a------ C:\WINDOWS\system32\dlbkvs.dll
2008-05-28 15:26 . 2008-05-28 15:54 243 --a------ C:\WINDOWS\dellstat.ini
2008-05-28 15:25 . 2008-05-28 15:26 <DIR> d-------- C:\Program Files\Dell AIO Printer A920
2008-05-28 15:25 . 2008-05-28 15:25 <DIR> d-------- C:\Program Files\Dell A920
2008-05-28 15:25 . 2008-05-28 15:25 <DIR> d-------- C:\Documents and Settings\Mike\WINDOWS
2008-05-28 15:25 . 1997-04-08 20:08 299,520 --a------ C:\WINDOWS\uninst.exe
2008-05-28 15:25 . 2001-08-17 22:36 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
2008-05-28 15:25 . 2001-08-17 22:36 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2008-05-28 15:25 . 2003-05-12 15:02 69,632 --a------ C:\WINDOWS\system32\dlbkscin.dll
2008-05-28 15:25 . 2003-05-12 15:02 57,344 --a------ C:\WINDOWS\system32\dlbkcinf.dll
2008-05-28 15:25 . 2003-05-12 15:02 49,152 --a------ C:\WINDOWS\system32\dlbkcoin.dll
2008-05-28 15:25 . 2003-05-12 15:02 255 --a------ C:\WINDOWS\system32\dlbkcoin.ini
2008-05-28 15:22 . 2008-05-28 15:22 23,456,456 --a------ C:\WINDOWS\R60655.EXE
2008-05-27 14:18 . 2008-05-27 14:18 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-04-12 15:06 . 2008-04-23 13:55 <DIR> d-------- C:\Program Files\ZillaTube
2008-04-12 14:54 . 2007-09-21 19:31 1,370,890 -ra------ C:\WINDOWS\kiss.CAB
2008-04-12 14:54 . 2008-04-12 14:54 282,624 -ra------ C:\WINDOWS\Setup1.exe
2008-04-12 14:54 . 2008-04-12 14:54 102,400 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2008-04-12 14:54 . 2008-04-12 14:54 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-04-06 16:38 . 2008-04-06 16:38 <DIR> d-------- C:\Program Files\Ares
2008-04-06 16:01 . 2008-04-06 16:01 <DIR> d-------- C:\Program Files\DNA
2008-04-06 16:01 . 2008-05-31 18:58 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\DNA
2008-04-05 18:17 . 2008-04-05 18:17 <DIR> d--h----- C:\WINDOWS\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-27 18:18 --------- d-----w C:\Program Files\Common Files\Real
2008-05-22 07:33 --------- d-----w C:\Program Files\Java
2008-05-08 14:22 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-08 14:20 --------- d-----w C:\Documents and Settings\Mike\Application Data\AdobeUM
2008-04-20 21:30 --------- d-----w C:\Program Files\Common Files\Viewpoint
2008-04-08 22:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-08 22:35 --------- d-----w C:\Program Files\Viewpoint
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-26 11:59 294,912 ----a-w C:\WINDOWS\system32\msctf.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-15 22:26 691,545 ----a-w C:\WINDOWS\unins000.exe
2006-09-05 03:24 14,249,868 -c--a-w C:\Documents and Settings\Mike\VS80i.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 09:56 15360]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 12:15 50528]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-08 16:08 289088]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB9668"="command /c del C:\WINDOWS\system32\mlJcyxxu.dll_old" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 20:50 112216]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 11:27 136768]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 21:16 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 19:36 267048]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-27 14:16 185896]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-12 15:02 270336]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [2004-08-12 10:00 158208]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll 2008-05-28 16:31 10536 C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Clean Access Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Clean Access Agent.lnk
backup=C:\WINDOWS\pss\Clean Access Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
--a------ 2008-02-20 10:33 963072 C:\Program Files\Ares\Ares.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-04-26 16:05 1271032 c:\program files\valve\steam\steam.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\myTunes Redux\\mDNSResponder.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer Renegade™\\Renegade\\Game.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer™ Generals\\game.dat"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer Red Alert™ II\\RA2\\game.exe"=
"C:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer™ Tiberian Sun™\\SUN\\Game.exe"=
"C:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer Red Alert™ II\\RA2\\gamemd.exe"=
"C:\\Program Files\\Valve\\Steam\\steam.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S3 GoToAssist;GoToAssist;"C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe" Start=service []
S3 USB200M;Linksys USB 2.0 Network Adapter ver.2;C:\WINDOWS\system32\DRIVERS\USB200M2.sys [2005-04-21 02:30]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-28 00:01:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-31 19:03:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-31 19:03:59
ComboFix-quarantined-files.txt 2008-05-31 23:03:55
ComboFix2.txt 2008-05-31 04:56:32

Pre-Run: 108,976,549,888 bytes free
Post-Run: 108,997,496,832 bytes free

165 --- E O F --- 2008-05-27 18:25:42




Deckard's System Scanner v20071014.68
Run by Mike on 2008-05-31 19:05:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Mike.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:05:43 PM, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Mike\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Mike.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myxu.xu.edu/cp/home/loginf
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3C28A243-BF87-4A1A-86A8-9B9BF8EC02FD} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {82852436-F845-4519-A0CC-B2A8D54C3704} - (no file)
O2 - BHO: (no name) - {8344AA6F-8ECE-4EF2-9A9D-4BCC15DD5A92} - (no file)
O2 - BHO: (no name) - {96134ABB-AD7C-4135-A927-329B735D524F} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8231 bytes

-- Files created between 2008-04-30 and 2008-05-31 -----------------------------

2008-05-31 00:43:51 68096 --a------ C:\WINDOWS\zip.exe
2008-05-31 00:43:51 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-31 00:43:51 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-31 00:43:51 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-31 00:43:51 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-31 00:43:51 98816 --a------ C:\WINDOWS\sed.exe
2008-05-31 00:43:51 80412 --a------ C:\WINDOWS\grep.exe
2008-05-31 00:43:51 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-31 00:09:15 0 d-------- C:\Documents and Settings\Mike\Application Data\Malwarebytes
2008-05-31 00:09:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-31 00:08:58 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-29 15:51:39 0 d-------- C:\Program Files\Trend Micro
2008-05-29 15:15:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-29 15:15:32 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-29 10:05:16 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-29 09:11:41 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-29 09:11:05 0 d-------- C:\Documents and Settings\Mike\Application Data\PC Tools
2008-05-29 04:03:28 0 d-------- C:\Program Files\Common Files\PC Tools
2008-05-29 04:03:17 0 d-------- C:\Program Files\Spyware Doctor
2008-05-29 02:34:10 0 d-------- C:\WINDOWS\pss
2008-05-29 01:10:52 5586944 --a------ C:\Documents and Settings\Mike\ntuser.dat
2008-05-29 01:10:50 577536 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2008-05-28 16:32:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-05-28 16:32:00 0 d-------- C:\Program Files\Citrix
2008-05-28 15:25:46 0 d-------- C:\Program Files\Dell AIO Printer A920
2008-05-28 15:25:24 0 d-------- C:\Program Files\Dell A920
2008-05-28 15:25:21 299520 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2008-05-28 15:25:19 0 d-------- C:\Documents and Settings\Mike\WINDOWS
2008-05-27 14:18:44 0 d-------- C:\Program Files\Common Files\xing shared
2008-05-08 10:22:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-05-31 18:58:48 0 d-------- C:\Documents and Settings\Mike\Application Data\DNA
2008-05-29 04:03:28 0 d-------- C:\Program Files\Common Files
2008-05-27 14:18:23 0 d-------- C:\Program Files\Common Files\Real
2008-05-22 03:33:31 0 d-------- C:\Program Files\Java
2008-05-08 10:22:13 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-08 10:20:38 0 d-------- C:\Documents and Settings\Mike\Application Data\AdobeUM
2008-04-23 13:55:39 0 d-------- C:\Program Files\ZillaTube
2008-04-23 13:53:35 2 --ahs---- C:\Documents and Settings\Mike\Application Data\evf
2008-04-21 18:37:14 0 d-------- C:\Documents and Settings\Mike\Application Data\Real
2008-04-20 17:30:42 0 d-------- C:\Program Files\Common Files\Viewpoint
2008-04-12 14:54:33 282624 -ra------ C:\WINDOWS\Setup1.exe <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Windows>
2008-04-12 14:54:30 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-04-12 14:54:29 102400 --a------ C:\WINDOWS\system32\VB6STKIT.DLL <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-04-08 18:35:33 0 d-------- C:\Program Files\Viewpoint
2008-04-06 16:38:34 0 d-------- C:\Program Files\Ares
2008-04-06 16:01:48 0 d-------- C:\Program Files\DNA


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3C28A243-BF87-4A1A-86A8-9B9BF8EC02FD}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{82852436-F845-4519-A0CC-B2A8D54C3704}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8344AA6F-8ECE-4EF2-9A9D-4BCC15DD5A92}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96134ABB-AD7C-4135-A927-329B735D524F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [02/22/2007 08:50 PM]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [12/19/2006 11:27 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/19/2007 09:16 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [11/02/2007 07:36 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/27/2008 02:16 PM]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [05/12/2003 03:02 PM]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [08/12/2004 10:00 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/12/2004 09:56 AM]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [01/03/2008 12:15 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 12:43 PM]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [05/08/2008 04:08 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [4/23/2008 3:38:16 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll 05/28/2008 04:31 PM 10536 C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Clean Access Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Clean Access Agent.lnk
backup=C:\WINDOWS\pss\Clean Access Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"C:\Program Files\Ares\Ares.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"c:\program files\valve\steam\steam.exe" -silent

*Newly Created Service* - CATCHME



-- End of Deckard's System Scanner: finished at 2008-05-31 19:06:08 ------------

#6 steamwiz

  • Members
  • 1,039 posts

Posted 31 May 2008 - 06:50 PM

HI

You don't have to run Deckard's System Scanner in order to run HijackThis.

Do you have a link to run HijackThis on your desktop?

HijackThis.exe or (run as Mike.exe)

If you do then ...

Disconnect from the internet. Close ALL browser windows (including this one), run HijackThis and tick to fix (check the box next to) the entries in the list below. When all are ticked (checked), click the Fix Checked button at the bottom:

R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)

O2 - BHO: (no name) - {3C28A243-BF87-4A1A-86A8-9B9BF8EC02FD} - (no file)

O2 - BHO: (no name) - {82852436-F845-4519-A0CC-B2A8D54C3704} - (no file)
O2 - BHO: (no name) - {8344AA6F-8ECE-4EF2-9A9D-4BCC15DD5A92} - (no file)
O2 - BHO: (no name) - {96134ABB-AD7C-4135-A927-329B735D524F} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)


THEN ...

Go to Start > Run > copy and paste ComboFix /u into the Open: box & press OK

THEN ...

You are running an out-of-date version of Java (you're only one update behind, so you could safely leave Java™ 6 Update 5 if you want to), but remove all the earlier ones, as they are an infection risk.

Go to add/remove programs and uninstall any earlier versions ... in your case :-

J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}


Then you can go here and install the latest version of Java.

http://java.sun.com/javase/downloads/index.jsp

Scroll down the page to 'Java Runtime Environment (JRE) 6 Update 6' and press the 'Download' button.


Running an out-of-date version of java is an infection risk.

THEN ...

Please Download CCleaner from :-

http://www.filehippo.com/download_ccleaner/ (click the download tab)

During the installation be sure to UN-check the box for "CCleaner Yahoo Toolbar" unless you want it.

Double-click the ccsetup.exe file and install the program...

After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Make sure the "windows" tab is selected

Under "internet explorer" tick...

Temporary internet files
Cookies* > see Note below
History
Recently typed URLs
(leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history


Under "Windows Explorer" these are optional, but you can safely tick them all if you wish; they are only "most recently used" lists.

Other Explorer MRUs
(leave this unticked if you DON'T want to clear lists such as the start\run list)

Under "System"

Tick ALL these ...


Under "Advanced"

no need to tick any of these (but you can if you want, and realise what they do)


Applications tab...

These will mostly clean out old log files for these applications...

Clean:- (if you use them)

Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm

...
Personally I clean everything in the applications tab... but you tick what you want...

Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

Click "analyse" if you want to see a list of what is going to be removed, before it is removed.

Or

Click "run cleaner" to let it get on with its work... clicking this will result in the following pop-up:

"This process will permanently delete files from your system. Are you sure you wish to proceed?"

Click OK.

& lastly, post a new KASPERSKY ONLINE SCANNER REPORT.

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware.

#7 bauermw

  • Topic Starter
  • Members
  • 6 posts

Posted 31 May 2008 - 09:48 PM

I'm getting excited over the results that I'm seeing. Here are the logs you wanted...



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:14 PM, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myxu.xu.edu/cp/home/loginf
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3C28A243-BF87-4A1A-86A8-9B9BF8EC02FD} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {82852436-F845-4519-A0CC-B2A8D54C3704} - (no file)
O2 - BHO: (no name) - {8344AA6F-8ECE-4EF2-9A9D-4BCC15DD5A92} - (no file)
O2 - BHO: (no name) - {96134ABB-AD7C-4135-A927-329B735D524F} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8688 bytes



KASPERSKY ONLINE SCANNER REPORT
Saturday, May 31, 2008 10:39:11 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 31/05/2008
Kaspersky Anti-Virus database records: 819549


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\

Scan Statistics
Total number of scanned objects 51489
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
Duration of the scan process 00:38:44

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_MICHAEL-5B9A322.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\PrdMgr_MICHAEL-5B9A322.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\AccessProtectionLog.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\BufferOverflowProtectionLog.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\OnAccessScanLog.txt Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Mike\Application Data\acccore\nss\cert8.db Object is locked skipped

C:\Documents and Settings\Mike\Application Data\acccore\nss\key3.db Object is locked skipped

C:\Documents and Settings\Mike\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Mike\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped

C:\Documents and Settings\Mike\Local Settings\Application Data\AOL OCP\AIM\Storage\data\mwbcobra\localStorage\common.cls Object is locked skipped

C:\Documents and Settings\Mike\Local Settings\Application Data\AOL OCP\AIM\Storage\data\mykohlbower\localStorage\common.cls Object is locked skipped

C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Mike\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Mike\Local Settings\History\History.IE5\MSHist012008053120080601\index.dat Object is locked skipped

C:\Documents and Settings\Mike\Local Settings\Temp\NAILogs\UpdaterUI_MICHAEL-5B9A322.log Object is locked skipped

C:\Documents and Settings\Mike\Local Settings\Temp\~DFD4A6.tmp Object is locked skipped

C:\Documents and Settings\Mike\Local Settings\Temp\~DFD4B0.tmp Object is locked skipped

C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Mike\My Documents\My Music\iTunes\iTunes Library.itl Object is locked skipped

C:\Documents and Settings\Mike\ntuser.dat Object is locked skipped

C:\Documents and Settings\Mike\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\pfirewall.log Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


If there's anything else to do, let me know. And once again, thanks a ton for your help.

#8 steamwiz

  • Members
  • 1,039 posts

Posted 01 June 2008 - 03:19 PM

HI

Did you attempt to fix these with HijackThis as I said in my previous post?

R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)

O2 - BHO: (no name) - {3C28A243-BF87-4A1A-86A8-9B9BF8EC02FD} - (no file)

O2 - BHO: (no name) - {82852436-F845-4519-A0CC-B2A8D54C3704} - (no file)
O2 - BHO: (no name) - {8344AA6F-8ECE-4EF2-9A9D-4BCC15DD5A92} - (no file)
O2 - BHO: (no name) - {96134ABB-AD7C-4135-A927-329B735D524F} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

They are all orphan (empty) keys ... & will cause you no trouble, but you don't need to leave them either ...

Your logs are clean now :thumbsup:

Is your problem resolved ?

steam
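The two checks steamwiz does by eye in posts #6 and #8, written out as an added Python example (not HijackThis's or the forum's own code): it parses HijackThis-style entry lines, flags R3/O2/O3 entries whose target is "(no file)" as orphan keys, and reports which CLSIDs from a fix list still appear in a later log. The sample log lines are constructed from the format shown in the thread; the CLSIDs are the ones quoted above.

```python
"""Triage helpers for HijackThis-style logs (added example, not HijackThis's own code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# HijackThis entry lines start with a section tag such as "R3 - " or "O23 - ".
SECTION_RE = re.compile(r"^(R\d|O\d{1,2}) - ")
# A class identifier in braces, as HijackThis prints it for BHOs, toolbars and hooks.
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# CLSID-registered IE extension types; "(no file)" there means an orphan registry key.
ORPHAN_SECTIONS = {"R3", "O2", "O3"}


@dataclass
class Entry:
    section: str            # "O2"
    kind: str               # "BHO", "Toolbar", "URLSearchHook", "Service", ...
    name: str               # description, e.g. "(no name)"
    clsid: Optional[str]    # "{...}" or None for entries without one
    target: str             # DLL/EXE path, URL, or "(no file)"


def parse_entry(line: str) -> Optional[Entry]:
    """Turn one HijackThis line into an Entry; None for headers, blanks and process paths."""
    line = line.strip()
    if not SECTION_RE.match(line):
        return None
    parts = line.split(" - ")
    kind, _, name = parts[1].partition(": ")
    clsid = next((p for p in parts[2:] if CLSID_RE.match(p)), None)
    # With three or more " - " separated fields the last one is the file target.
    target = parts[-1] if len(parts) > 2 else name
    return Entry(parts[0], kind, name, clsid, target)


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def orphan_entries(entries: List[Entry]) -> List[Entry]:
    """Hooks, BHOs and toolbars whose registered DLL is gone: harmless, but safe to remove."""
    return [e for e in entries if e.section in ORPHAN_SECTIONS and e.target == "(no file)"]


def still_present(fix_list: List[str], later_log: str) -> List[str]:
    """CLSIDs from a helper's fix list that a later log still shows, i.e. the fix did not take."""
    later_ids = {e.clsid for e in parse_log(later_log) if e.clsid}
    wanted = [e.clsid for e in parse_log("\n".join(fix_list)) if e.clsid]
    return [c for c in wanted if c in later_ids]


# Constructed sample log: lines modelled on the HijackThis v2.0.2 log posted in the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3C28A243-BF87-4A1A-86A8-9B9BF8EC02FD} - (no file)
O2 - BHO: (no name) - {82852436-F845-4519-A0CC-B2A8D54C3704} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
"""

# Three of the entries steamwiz asked to have fixed in post #6.
FIX_LIST = [
    "R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)",
    "O2 - BHO: (no name) - {3C28A243-BF87-4A1A-86A8-9B9BF8EC02FD} - (no file)",
    "O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)",
]

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in orphan_entries(entries):
        print(f"orphan {e.section} {e.kind}: {e.clsid}")
    for clsid in still_present(FIX_LIST, SAMPLE_LOG):
        print(f"still present after fix: {clsid}")
```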

#9 bauermw

  • Topic Starter
  • Members
  • 6 posts

Posted 01 June 2008 - 09:22 PM

Yes, I thought that I fixed those 8 files with HJT. Does it appear that it didn't work, or are you just wondering if I did? All of my other problems seem to be fixed and I have since run multiple scans with Spybot, Ad-Aware, and Kaspersky, after having restarted my computer, and they all have come up clean. Can I now delete Deckard's, HJT, CCleaner, Anti-Malware, and the mbam setup, or would you recommend keeping one or more of them and running them occasionally? Besides that, everything seems great. I really appreciate your time and assistance. Thanks.

#10 steamwiz

  • Members
  • 1,039 posts

Posted 02 June 2008 - 02:10 PM

Hi

Yes, your last log still showed those entries, so if you tried to fix them, it didn't work...

It may be Spybot's TeaTimer stopping you making the changes ...

Right-click the TeaTimer icon in the systray > click Exit Spybot-S&D Resident, then run HijackThis & fix those entries > reboot. When you reboot, TeaTimer will be running again.

You can indeed now delete any of those programs you want to :thumbsup:

None of them are running or using any resources unless you choose to click on them & run them. I would recommend you keep CCleaner & run it weekly; the others are up to you :)

& you're very welcome ...

steam

#11 steamwiz

  • Members
  • 1,039 posts

Posted 30 June 2008 - 03:18 PM

As this thread is resolved, :thumbsup: it is now locked.

If the original poster would like it re-opened, please send me a PM with a link to this thread.

cheers

steam



