Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virus, Infected, Can't Clean


  • This topic is locked This topic is locked
11 replies to this topic

#1 gto65

gto65

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:43 PM

Posted 31 May 2008 - 12:40 PM

notice slow operation. No applications were running but 100% cpu. In safe mode, cpu usage is maybe 6%. Down loaded many recommended programs to clean, none worked. Kaspersky found a virus and infected files. I hope you can help me clean the virus.
Deckard's System Scanner v20071014.68
Run by Ken Arp on 2008-05-31 11:53:54
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
6: 2008-05-31 16:54:18 UTC - RP339 - Deckard's System Scanner Restore Point
5: 2008-05-31 11:05:17 UTC - RP338 - Installed Windows XP KB915865.
4: 2008-05-30 23:14:14 UTC - RP337 - Restore Operation
3: 2008-05-30 21:54:15 UTC - RP336 - Restore Operation
2: 2008-05-30 19:44:51 UTC - RP335 - RegCure Backup


-- First Restore Point --
1: 2008-05-29 02:07:54 UTC - RP334 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 76% (more than 75%).
Total Physical Memory: 254 MiB (512 MiB recommended).


-- HijackThis (run as Ken Arp.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:56:56 AM, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ken Arp\Application Data\Mozilla\Firefox\Profiles\35nrtvn6.default\extensions\{a4db76ad-4807-4957-b536-f9b8cf884c21}\components\SBUpdate.exe
C:\Documents and Settings\Ken Arp\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Ken Arp.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1114302294078
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes....cab?v=1,0,0,36
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 9165 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 cbidf - c:\windows\system32\drivers\cbidf2k.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R0 dac2w2k - c:\windows\system32\drivers\dac2w2k.sys <Not Verified; Mylex Corporation; Mylex Disk Array Controller Driver>
R3 ialm - c:\windows\system32\drivers\ialmnt5.sys <Not Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows NT®>
R3 MODEMCSA (Unimodem Streaming Filter Device) - c:\windows\system32\drivers\modemcsa.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 mohfilt - c:\windows\system32\drivers\mohfilt.sys <Not Verified; Intel Corporation; Intel® 537EP V9x DFV PCI Modem>
R3 smwdm - c:\windows\system32\drivers\smwdm.sys <Not Verified; Analog Devices, Inc.; SoundMAX Digital Audio Driver>

S3 SDDMI2 - c:\windows\system32\ddmi2.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 dlbt_device - c:\windows\system32\dlbtcoms.exe -service <Not Verified; Dell; Dell Communication System>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-30 18:48:46 442 --a------ C:\WINDOWS\Tasks\RegCure Program Check.job
2008-05-24 12:32:40 376 --a------ C:\WINDOWS\Tasks\RegCure.job
2005-04-23 18:40:53 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 1.job


-- Files created between 2008-04-30 and 2008-05-31 -----------------------------

2008-05-31 06:43:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-31 06:43:26 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-31 06:03:43 0 d-------- C:\WINDOWS\LastGood
2008-05-30 19:53:13 0 dr-h----- C:\Documents and Settings\Ken Arp\Recent
2008-05-30 18:23:25 0 d-------- C:\VundoFix Backups
2008-05-30 18:16:17 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-30 15:31:43 0 d-------- C:\Program Files\Safer Networking
2008-05-30 15:27:42 0 d-------- C:\Documents and Settings\Ken Arp\Application Data\Uniblue
2008-05-30 14:00:56 0 d-------- C:\Documents and Settings\Ken Arp\Application Data\Leadertech
2008-05-26 16:13:02 68096 --a------ C:\WINDOWS\zip.exe
2008-05-26 16:13:02 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-26 16:13:02 80412 --a------ C:\WINDOWS\grep.exe
2008-05-26 16:13:01 98816 --a------ C:\WINDOWS\sed.exe
2008-05-26 16:13:01 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-26 16:13:00 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-26 16:12:59 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-26 16:12:59 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-26 10:13:36 0 d-------- C:\Program Files\Sun
2008-05-26 10:05:04 0 d-------- C:\Program Files\Java
2008-05-24 18:12:39 2828 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-24 15:42:40 0 d-------- C:\Program Files\SpywareGuard
2008-05-24 12:14:43 0 d-------- C:\Program Files\RogueRemover FREE
2008-05-24 11:39:30 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-24 11:39:29 0 d-------- C:\Documents and Settings\Ken Arp\Application Data\SUPERAntiSpyware.com
2008-05-20 18:35:58 0 d-------- C:\Program Files\Maxtor
2008-05-20 18:35:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Maxtor
2008-05-20 18:33:27 0 d-------- C:\Program Files\MSXML 6.0
2008-05-20 18:31:24 0 d--hs---- C:\WINDOWS\ftpcache
2008-05-18 08:55:31 0 d-------- C:\Program Files\RegCure
2008-05-12 16:33:26 0 d-------- C:\Program Files\Datachem Software


-- Find3M Report ---------------------------------------------------------------

2008-05-30 18:24:13 0 d-------- C:\Documents and Settings\Ken Arp\Application Data\Sonic
2008-05-30 18:24:09 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-30 18:16:13 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-30 12:21:32 0 d-------- C:\Program Files\SpywareBlaster
2008-05-26 21:47:32 4484 --a------ C:\Documents and Settings\Ken Arp\Application Data\wklnhst.dat
2008-05-26 21:29:12 0 d-------- C:\Program Files\Dl_cats
2008-05-23 12:44:29 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-05-20 18:37:16 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-26 10:33:26 0 d-------- C:\Documents and Settings\Ken Arp\Application Data\Malwarebytes
2008-04-26 10:30:44 0 d-------- C:\Program Files\Common Files
2008-04-26 10:30:44 0 d-------- C:\Program Files\Common Files\Download Manager
2008-04-25 21:05:47 0 d-------- C:\Documents and Settings\Ken Arp\Application Data\Real
2008-04-25 18:07:40 0 d-------- C:\Program Files\Trend Micro
2008-04-25 09:07:21 0 d-------- C:\Documents and Settings\Ken Arp\Application Data\AVG7
2008-04-04 12:31:19 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-03-27 03:12:54 151583 --a------ C:\WINDOWS\system32\msjint40.dll <Not Verified; Microsoft Corporation; Microsoft ® Jet>
2008-03-19 04:47:00 1845248 --a------ C:\WINDOWS\system32\win32k.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
12/20/2007 06:28 PM 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [10/14/2004 04:42 PM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [12/06/2004 02:05 AM]
"DLBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [11/09/2004 04:41 PM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [09/20/2005 10:35 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 10:32 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [09/20/2005 10:36 AM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/13/2008 11:11 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [02/14/2007 11:30 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [05/15/2008 06:19 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/29/2007 08:25 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/24/2005 08:31 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/13/2008 12:43 PM]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

C:\Documents and Settings\Ken Arp\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 2:04:12 PM]
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [8/29/2003 7:05:35 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [12/14/2004 4:44:06 AM]
DESKTOP.INI [8/10/2004 2:04:12 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]
"C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" /startup
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"mmtask"=C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
"MMTray"=C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"IntelMeM"=C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

KASPERSKY ONLINE SCANNER REPORT
Saturday, May 31, 2008 11:37:30 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 31/05/2008
Kaspersky Anti-Virus database records: 818004
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
Scan Statistics
Total number of scanned objects 58868
Number of viruses found 1
Number of infected objects 12
Number of suspicious objects 0
Duration of the scan process 01:55:48

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Ken Arp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ken Arp\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Ken Arp\Desktop\SmitfraudFix\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Ken Arp\Desktop\SmitfraudFix\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Ken Arp\Desktop\SmitfraudFix(2).exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Ken Arp\Desktop\SmitfraudFix(2).exe RAR: infected - 1 skipped
C:\Documents and Settings\Ken Arp\Desktop\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Ken Arp\Desktop\SmitfraudFix.exe RAR: infected - 1 skipped
C:\Documents and Settings\Ken Arp\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ken Arp\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ken Arp\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ken Arp\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Ken Arp\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ken Arp\ntuser.dat Object is locked skipped
C:\Documents and Settings\Ken Arp\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\selfdef.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP336\A0221445.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP336\A0221445.exe RAR: infected - 1 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP336\A0221459.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP336\A0221468.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP336\A0221468.exe RAR: infected - 1 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP338\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\D43W6W61.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Antivirus.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_610.dat Object is locked skipped
C:\WINDOWS\TEMP\ZLT00498.TMP Object is locked skipped
C:\WINDOWS\TEMP\ZLT004a2.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP338\change.log Object is locked skipped
Scan process completed.




-- End of Deckard's System Scanner: finished at 2008-05-31 12:00:00 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.40GHz
Percentage of Memory in Use: 82%
Physical Memory (total/avail): 253.98 MiB / 43.75 MiB
Pagefile Memory (total/avail): 1004.63 MiB / 557.4 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1941.54 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 33.59 GiB total, 19.76 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is Fixed (NTFS) - 298.09 GiB total, 297.75 GiB free.

\\.\PHYSICALDRIVE0 - ST340014A - 37.25 GiB - 3 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Installable File System - 33.59 GiB - C:
\PARTITION2 - Unknown - 3.62 GiB

\\.\PHYSICALDRIVE1 - Maxtor OneTouch USB Device - 298.09 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 298.09 GiB - F:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: ZoneAlarm Firewall v7.0.470.000 (Check Point, LTD.) Disabled
AV: AVG 7.5.524 v7.5.524 (Grisoft)
AV: avast! antivirus 4.8.1201 [VPS 080531-0] v4.8.1201 (ALWIL Software) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\WINDOWS\\SYSTEM32\\ZoneLabs\\avsys\\ScanningProcess.exe"="C:\\WINDOWS\\SYSTEM32\\ZoneLabs\\avsys\\ScanningProcess.exe:*:Enabled:Kaspersky AV Scanner"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Ken Arp\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=D43W6W61
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Ken Arp
LOGONSERVER=\\D43W6W61
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\KENARP~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\KENARP~1\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=D43W6W61
USERNAME=Ken Arp
USERPROFILE=C:\Documents and Settings\Ken Arp
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Ken Arp (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 5.0 Sprint Plus --> MsiExec.exe /X{D1696920-9794-4BBC-8A30-7A88763DE5A2}
AbiWord 2.5.2 (remove only) --> C:\Program Files\AbiSuite2\UninstallAbiWord2.exe
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
ASPprep V4.1 --> MsiExec.exe /I{E9DE2A70-1802-4A3A-A71D-3A09929A9343}
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
AVG Free Edition --> C:\Program Files\Grisoft\AVG Free\setup.exe /UNINSTALL
Banctec Service Agreement --> MsiExec.exe /X{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Photo AIO Printer 922 --> C:\WINDOWS\system32\spool\drivers\w32x86\3\DLBTUNST.EXE -NOLICENSE
Dell Picture Studio v3.0 --> MsiExec.exe /I{AF06CAE4-C134-44B1-B699-14FBDB63BD37}
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel® 537EP V9x DF PCI Modem --> rundll32 IntelCci.dll,iSMUninstallation "Intel® 537EP V9x DF PCI Modem"
Intel® Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
Intel® PROSet for Wired Connections --> MsiExec.exe /I{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}
Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
Jasc Paint Shop Pro Studio, Dell Editon --> MsiExec.exe /I{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}
Java DB 10.3.1.4 --> MsiExec.exe /X{CD49361E-3FE6-457E-90A1-9C59E29B5D02}
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
Java™ SE Development Kit 6 Update 6 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160060}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Malwarebytes' RogueRemover --> "C:\Program Files\RogueRemover FREE\unins000.exe"
Maxtor Manager --> "C:\Program Files\InstallShield Installation Information\{B8281D46-D846-4BB9-BC84-F1115A7BF820}\setup.exe" -runfromtemp -l0x0409 -removeonly
Maxtor Manager --> MsiExec.exe /I{B8281D46-D846-4BB9-BC84-F1115A7BF820}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Encarta Encyclopedia Standard 2004 --> MsiExec.exe /I{04410044-9149-45C6-A806-F2BF9CFCE762}
Microsoft Money 2004 --> MsiExec.exe /I{1D643CD7-4DD6-11D7-A4E0-000874180BB3}
Microsoft Money 2004 System Pack --> MsiExec.exe /I{8C64E145-54BA-11D6-91B1-00500462BE80}
Microsoft Picture It! Photo Premium 9 --> C:\WINDOWS\system32\msiexec.exe /i {DBA8B9E1-C6FF-4624-9598-73D3B41A0903}
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft Streets and Trips 2004 --> MsiExec.exe /I{8704D51E-25B7-4F23-81E7-AA4F54790210}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Word 2002 --> MsiExec.exe /I{911B0409-6000-11D3-8CFE-0050048383C9}
Microsoft Works --> MsiExec.exe /I{B9966F27-9678-4620-9579-925E3084647E}
Microsoft Works 2004 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2004\Setup\Launcher.exe D:\
Microsoft Works Suite Add-in for Microsoft Word --> MsiExec.exe /I{33BEE6F3-9987-4F98-A069-97A64EC8321A}
Modem Event Monitor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}\setup.exe" -l0x9
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Modem On Hold --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (1.5) --> C:\Program Files\Mozilla Thunderbird\uninstall\uninstall.exe /ua "1.5 (en-US)"
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8EF1122E-E90C-4EE9-AB0C-7FDE2BA42C26}\setup.exe" -l0x9 -uninst
My Wal-Mart Digital Photo Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DAF8B012-D559-4B8D-95C0-D98E1172E5C3}\setup.exe" -l0x9 -removeonly
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
RegCure 1.5.0.1 --> C:\Program Files\RegCure\uninst.exe
RunAlyzer --> "C:\Program Files\Safer Networking\RunAlyzer\unins000.exe"
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Shockwave --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
SpywareBlaster 4.0 --> "C:\Program Files\SpywareBlaster\unins000.exe"
SpywareGuard v2.2 --> "C:\Program Files\SpywareGuard\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe
ZoneAlarm Spy Blocker --> rundll32 C:\PROGRA~1\ZONEAL~1\bar\1.bin\SpyBlock.dll,O


-- Application Event Log -------------------------------------------------------

Event Record #/Type1192 / Error
Event Submitted/Written: 05/31/2008 06:05:28 AM
Event ID/Source: 471 / ESENT
Event Description:
Catalog Database (896) Unable to rollback operation #124405 on database C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB. Error: -510. All future database updates will be rejected.

Event Record #/Type1191 / Error
Event Submitted/Written: 05/31/2008 06:05:27 AM
Event ID/Source: 492 / ESENT
Event Description:
Catalog Database (896) The logfile sequence in "C:\WINDOWS\system32\CatRoot2\" has been halted due to a fatal error. No further updates are possible for the databases that use this logfile sequence. Please correct the problem and restart or restore from backup.

Event Record #/Type1190 / Error
Event Submitted/Written: 05/31/2008 06:05:27 AM
Event ID/Source: 418 / ESENT
Event Description:
Catalog Database (896) Error -1032 (0xfffffbf8) occurred while opening a newly-created logfile C:\WINDOWS\system32\CatRoot2\edb.log.

Event Record #/Type1189 / Error
Event Submitted/Written: 05/31/2008 06:05:27 AM
Event ID/Source: 490 / ESENT
Event Description:
svchost (896) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\edb.log" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).

Event Record #/Type1187 / Error
Event Submitted/Written: 05/31/2008 05:07:05 AM
Event ID/Source: 11706 / MsiInstaller
Event Description:
Product: Microsoft Word 2002 -- Error 1706. Setup cannot find the required files. Check your connection to the network, or CD-ROM drive. For other potential solutions to this problem, see C:\Program Files\Microsoft Office\Office10\1033\SETUP.HLP.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2199 / Warning
Event Submitted/Written: 05/31/2008 11:54:02 AM
Event ID/Source: 51 / Disk
Event Description:
An error was detected on device \Device\Harddisk1\D during a paging operation.

Event Record #/Type2194 / Warning
Event Submitted/Written: 05/31/2008 11:39:10 AM
Event ID/Source: 51 / Disk
Event Description:
An error was detected on device \Device\Harddisk1\D during a paging operation.

Event Record #/Type2193 / Warning
Event Submitted/Written: 05/31/2008 11:14:26 AM
Event ID/Source: 51 / Disk
Event Description:
An error was detected on device \Device\Harddisk1\D during a paging operation.

Event Record #/Type2192 / Warning
Event Submitted/Written: 05/31/2008 09:17:27 AM
Event ID/Source: 51 / Disk
Event Description:
An error was detected on device \Device\Harddisk1\D during a paging operation.

Event Record #/Type2191 / Warning
Event Submitted/Written: 05/31/2008 09:06:25 AM
Event ID/Source: 51 / Disk
Event Description:
An error was detected on device \Device\Harddisk1\D during a paging operation.



-- End of Deckard's System Scanner: finished at 2008-05-31 12:00:00 ------------

BC AdBot (Login to Remove)

 


m

#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:43 PM

Posted 01 June 2008 - 04:39 PM

Hello gto65,

Welcome to Bleeping Computer :thumbsup:

First you should know that you're actually doing more harm than good by running 2 Anti Virus programs. (AVG and Avast!) When you do this both programs compete for resources, and the end result is neither does it's best and can cause system instability. I recommend that you choose the one you want to keep, update it, disable or uninstall the other one, and use it as an on demand only scan occasionally.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Now please run a scan with your MBAM and post the report for me in your reply. :)

How is it running please?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 gto65

gto65
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:43 PM

Posted 01 June 2008 - 10:06 PM

Tea,
Thanks for trying to help!
Still 100%cpu. I tried many things since the the original post. downloaded Kaspersky (free 30 day trail) and Armor; deleted many programs, Zone alarm, real player, avast, avg, etc. Kaspersky wanted to take 2 weeks (projected time to completion) to scan, thats why I decided to eliminate as many unnecessary STUFF as possible. I am probably not running it correctly. I ran each part separately and in the safe mode; it did finish today. It found one object, but as I said, still 100% cpu.

I've tried to duplicate on CDs and flash drive all my files, in case I need to try to reinstall.
Here's the results of the scan.

I did find the items you mentioned and fixed. They were still there even though I scanned after running Kaspersky.

Malwarebytes' Anti-Malware 1.14
Database version: 814

9:37:37 PM 6/1/2008
mbam-log-6-1-2008 (21-37-37).txt

Scan type: Full Scan (C:\|)
Objects scanned: 84657
Time elapsed: 34 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 gto65

gto65
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:43 PM

Posted 01 June 2008 - 10:28 PM

Tea, Additional info.
Here is the latest Hj scan. Also, Kas. keeps asking me if I want to let SBUpdata.exe run. I don't know how to respond. Location: C:\Documents and Settings\Ken Arp\Application Data\Mozilla\Firefox\Profiles\35nrtvn6.default\extensions\(a4db76ad-4807-4957-b536-f9b8cf884c21\components\

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:30 PM, on 6/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dlbtcoms.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1114302294078
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes....cab?v=1,0,0,36
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 6989 bytes

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:43 PM

Posted 03 June 2008 - 04:15 AM

Hello,

I'm still not seeing anything malicious. The things Kaspersky found are false positives. They are parts of SmitfraudFix, which you can delete. I'm thinking that there's a conflict somewhere. Or.....is Windows perhaps trying to update? If it's trying to download SP3, which is huge, it's going to take a while even with a fast connection. :thumbsup:

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#6 gto65

gto65
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:43 PM

Posted 03 June 2008 - 08:25 PM

Tea,
Thanks for the help. The fan does not spool up quite as fast as it did in the past. I am going to submit the problem to Kaspersky. I will post, if I find a solution.

Again, thanks for the time and looking.
65GTO

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:43 PM

Posted 04 June 2008 - 09:17 AM

Hello,

I would like to have that file analyzed, if that's the exact spelling, please. Navigate to it, then please go to VirusTotal and submit the file for a scan and post the results in your next reply.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#8 gto65

gto65
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:43 PM

Posted 04 June 2008 - 09:04 PM

Tea,

I was looking at programs which are allowed to run according to online armor. One is called mbamcatchme.sys, 0.0.0.0 I clicked on the properties and traced the path to the file. The digital signature is malwarebites. Sent it to virus total, they didn't find any problem. Another file right along side of it is mbam.sys, both created at the same time according to properties. Can I delete both without causing problems? I don't like the looks of anything saying "catchme"
Path C:windows\systems32\drivers\mbamcatchme.sys 33.4KBkb AND mbam.sys 15.4KB


Here's the scan post from the virus web site on the exe file. When I found the file, the properties indicated it was from earthlink scamblocker.

File SbUpdate.exe received on 06.05.2008 03:09:46 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 1/32 (3.13%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 39 and 56 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
AhnLab-V3 2008.5.30.1 2008.06.04 -
AntiVir 7.8.0.26 2008.06.04 -
Authentium 5.1.0.4 2008.06.04 -
Avast 4.8.1195.0 2008.06.04 -
AVG 7.5.0.516 2008.06.04 -
BitDefender 7.2 2008.06.05 -
CAT-QuickHeal 9.50 2008.06.04 -
ClamAV 0.92.1 2008.06.04 -
DrWeb 4.44.0.09170 2008.06.04 -
eSafe 7.0.15.0 2008.06.04 -
eTrust-Vet 31.6.5847 2008.06.04 -
Ewido 4.0 2008.06.04 -
F-Prot 4.4.4.56 2008.06.04 -
F-Secure 6.70.13260.0 2008.06.05 -
Fortinet 3.14.0.0 2008.06.05 -
GData 2.0.7306.1023 2008.06.05 -
Ikarus T3.1.1.26.0 2008.06.05 -
Kaspersky 7.0.0.125 2008.06.05 -
McAfee 5310 2008.06.04 -
Microsoft 1.3604 2008.06.05 -
NOD32v2 3159 2008.06.05 -
Norman 5.80.02 2008.06.04 -
Panda 9.0.0.4 2008.06.05 Suspicious file
Prevx1 V2 2008.06.05 -
Rising 20.47.22.00 2008.06.04 -
Sophos 4.30.0 2008.06.05 -
Sunbelt 3.0.1144.1 2008.06.04 -
Symantec 10 2008.06.05 -
TheHacker 6.2.92.335 2008.06.05 -
VBA32 3.12.6.7 2008.06.04 -
VirusBuster 4.3.26:9 2008.06.04 -
Webwasher-Gateway 6.6.2 2008.06.04 -
Additional information
File size: 106496 bytes
MD5...: df59014ac602385f1626faf2752b084c
SHA1..: b461d94ed1fd06db32048dbdf9f350390c2ef49e
SHA256: 4cc7c756291083257a8e8c30c2ef0f0eeeac9cbbfb6b8cddfb15fd3e844a6e87
SHA512: 875c1a2c9dd66a4be9156a211f013f939c5471d006e871cfb454f635a59de4f8
20760e4dc5f4153d166a449b19a402b18f03fd3d4e5dbdd4d9841ddc2bb8c104
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x408117
timedatestamp.....: 0x462d198b (Mon Apr 23 20:39:39 2007)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x10d2c 0x11000 6.57 e69bc871a12fd8558662a4a79480d886
.rdata 0x12000 0x45f4 0x5000 4.71 0b195322eec321247a3351674219c864
.data 0x17000 0x3084 0x2000 2.04 a9e4218f99e45c38edf9d90878cb3a32
.rsrc 0x1b000 0x5bc 0x1000 4.22 a206cf0130d3eda2b5df3813bb6745ba

( 8 imports )
> WININET.dll: InternetGetConnectedState, DeleteUrlCacheEntry
> KERNEL32.dll: CreateFileA, Sleep, WaitForSingleObject, GetTickCount, CreateMutexA, CreateEventA, ReleaseMutex, SetEvent, GetModuleFileNameA, InterlockedExchange, InterlockedIncrement, WriteFile, GetProcAddress, LoadLibraryA, FreeLibrary, GetFileSize, GetCurrentThreadId, CreateDirectoryA, lstrlenA, ResetEvent, GetCommandLineA, GetStringTypeA, GetConsoleMode, GlobalAlloc, CloseHandle, ReadFile, GlobalFree, GetLastError, InterlockedDecrement, DeleteCriticalSection, InitializeCriticalSection, RaiseException, lstrlenW, WideCharToMultiByte, MultiByteToWideChar, GetModuleHandleA, GetStringTypeW, FlushFileBuffers, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, QueryPerformanceCounter, GetFileType, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, GetConsoleCP, HeapSize, ExitProcess, GetStdHandle, SetFilePointer, IsValidCodePage, GetOEMCP, GetCPInfo, LCMapStringW, LCMapStringA, GetACP, GetLocaleInfoA, GetThreadLocale, GetVersionExA, EnterCriticalSection, LeaveCriticalSection, HeapFree, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetSystemTimeAsFileTime, RtlUnwind, HeapAlloc, GetProcessHeap, GetStartupInfoA, HeapReAlloc, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentProcessId
> USER32.dll: PostThreadMessageA, UnregisterClassA, PeekMessageA, TranslateMessage, DispatchMessageA, MsgWaitForMultipleObjects, CharUpperA, CharNextA, wsprintfA
> ADVAPI32.dll: CryptCreateHash, CryptHashData, CryptDeriveKey, CryptEncrypt, CryptDestroyHash, CryptAcquireContextA, CryptGetUserKey, CryptGenKey, CryptDestroyKey, CryptReleaseContext, RegSetValueExA, RegQueryValueExA, RegCreateKeyExA, RegCloseKey, CryptDecrypt
> ole32.dll: CoTaskMemAlloc, CoCreateInstance, CoUninitialize, CoInitialize, CreateStreamOnHGlobal, CoTaskMemFree
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -
> SHLWAPI.dll: PathAppendW, PathRemoveFileSpecA, PathAppendA
> urlmon.dll: URLOpenPullStreamA

( 0 exports )

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:43 PM

Posted 05 June 2008 - 12:09 PM

Hello,

CatchMe is perfectly legit. :thumbsup: It's a part of several of the tools we use to help you. It catches things like rootkits and hidden files that the tool might not see otherwise. :) So don't delete it unless you plan on uninstalling MBAM as well.

Do you use earthlink? If not, then do a Windows search for earthlink and delete anything having to do with it.

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#10 gto65

gto65
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:43 PM

Posted 07 June 2008 - 04:28 PM

Tea,
Problem found!
I had tried to install an external hard drive to use as a backup (Maxtor) just before the cpu usage jumped (go figure). A friend suggested I download and run Process Explorer. Even though I did not have the external hard drive up and running, the Maxtor program was installed on the computer. Process explorer showed the Maxtor program was using about 98% of the cpu. I uninstalled the program and cpu usage is now normal. I probably did something wrong in the installation of the external hard drive. Not going to try and fix that now. Just glad to not be listening to the cooling fan scream.

I hope this helps others.
GTO65

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:43 PM

Posted 07 June 2008 - 07:42 PM

Hey that's great! :thumbsup: Thank you so much for posting back with this. I'm sure it will help others, and it's a relief to know it wasn't something extremely nasty hiding from us!

You take care and enjoy that quiet computer. :)

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:43 PM

Posted 28 June 2008 - 11:04 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users