
Can't Get Rid Of Trojan.packed.nsanti


This topic is locked
3 replies to this topic

#1 killakella


Posted 20 July 2008 - 04:07 PM

I use Symantec antivirus. Every time my computer starts up, an auto-protect window pops up and says it has acted on the risk Trojan.Packed.NsAnti by deleting 2 .dll files that are named differently every time. I have run TrendMicro and Panda ActiveScan online virus scans. The TrendMicro locks up during scanning. The Panda finished but could not delete all of the infections. Below is the HijackThis log followed by the Panda ActiveScan log. Please help!

Deckard's System Scanner v20071014.68
Run by Ryan.A.Keller on 2008-07-20 15:43:06
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
86: 2008-07-20 20:43:11 UTC - RP325 - Deckard's System Scanner Restore Point
85: 2008-07-20 20:28:20 UTC - RP324 - Installed Java™ 6 Update 7
84: 2008-07-20 19:32:21 UTC - RP323 - Installed Ad-Aware
83: 2008-07-20 19:30:55 UTC - RP322 - Installed Ad-Aware
82: 2008-07-19 21:31:59 UTC - RP321 - System Checkpoint


-- First Restore Point --
1: 2008-04-22 04:53:22 UTC - RP240 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Ryan.A.Keller.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:44, on 2008-07-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\RAKeller.BIBB.NET\Desktop\dss.exe
C:\DOCUME~1\RAKELL~1.NET\Desktop\Ryan.A.Keller.exe
C:\Program Files\Internet Explorer\iedw.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: MLB.TV NexDef Plug-in.lnk = C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\RAKeller.BIBB.NET\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\RAKeller.BIBB.NET\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O15 - Trusted Zone: http://*.172.30.0.100
O15 - Trusted Zone: http://*.172.30.0.120
O15 - Trusted Zone: http://*.172.30.0.121
O15 - Trusted Zone: http://*.172.30.0.122
O15 - Trusted Zone: http://*.172.30.0.123
O15 - Trusted Zone: http://*.172.30.0.124
O15 - Trusted Zone: http://*.172.30.0.130
O15 - Trusted Zone: http://*.172.30.0.4
O15 - Trusted Zone: http://*.172.30.0.47
O15 - Trusted Zone: http://*.172.30.0.5
O15 - Trusted Zone: http://*.172.30.0.51
O15 - Trusted Zone: http://*.172.30.0.6
O15 - Trusted Zone: http://*.172.30.0.81
O15 - Trusted Zone: http://*.172.30.1.193
O15 - Trusted Zone: http://*.172.30.1.8
O15 - Trusted Zone: http://*.172.30.1.9
O15 - Trusted Zone: http://*.apollo
O15 - Trusted Zone: http://*.pksweb1
O15 - Trusted Zone: http://*.pksweb2
O15 - Trusted Zone: http://*.pksweb3
O15 - Trusted Zone: http://*.pksweb4
O15 - Trusted Zone: http://*.pkswebt
O15 - Trusted Zone: http://*.plztraining
O15 - Trusted Zone: http://*.plzweb01
O15 - Trusted Zone: http://*.plzweb02
O15 - Trusted Zone: http://*.plzweb03
O15 - Trusted Zone: http://*.plzweb04
O15 - Trusted Zone: http://*.plzweb05
O15 - Trusted IP range: http://172.30.0.5
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/a...ntent/AcpIR.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1197898539828
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/popcaploader_v10.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

--
End of file - 12289 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 NetworkX - c:\windows\system32\ckldrv.sys
R1 TPPWRIF - c:\windows\system32\drivers\tppwrif.sys
R2 pmem - c:\windows\system32\drivers\pmemnt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
R2 smihlp (SMI helper driver) - c:\program files\thinkvantage fingerprint software\smihlp.sys <Not Verified; UPEK Inc.; Protector Suite QL>
R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>

S3 NSNDIS5 (NSNDIS5 NDIS Protocol Driver) - c:\windows\system32\nsndis5.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Crypkey License - crypserv.exe <Not Verified; Kenonic Controls Ltd.; CrypKey Software Licensing System>
R2 Diskeeper - "c:\program files\diskeeper corporation\diskeeper\dkservice.exe" <Not Verified; Diskeeper Corporation; Diskeeper ™ Disk Defragmenter>
R2 RegSrvc (Intel® PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel® PROSet/Wireless Registry Service>
R2 UCLauncherService (ThinkVantage System Update) - c:\program files\thinkvantage\systemupdate\uclauncherservice.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: Beep
Device ID: ROOT\LEGACY_BEEP\0000
Manufacturer:
Name: Beep
PNP Device ID: ROOT\LEGACY_BEEP\0000
Service: Beep


-- Scheduled Tasks -------------------------------------------------------------

2008-07-20 15:34:54 316 --a------ C:\WINDOWS\Tasks\PMTask.job
2008-07-09 17:32:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-06-20 and 2008-07-20 -----------------------------

2008-07-20 14:28:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-20 11:22:59 0 d-------- C:\Program Files\Panda Security
2008-07-18 14:56:59 117009 -r-hs---- C:\ybj8df.exe
2008-07-17 07:23:01 0 d-------- C:\fsaua.data
2008-07-17 06:55:30 0 d-------- C:\WINDOWS\BDOSCAN8
2008-07-17 06:26:27 117757 -r-hs---- C:\ivcvknr.bat
2008-07-15 00:23:19 0 d-------- C:\Documents and Settings\RAKeller.BIBB.NET\.housecall6.6
2008-07-14 07:52:25 77312 -r-hs---- C:\WINDOWS\system32\ckvo1.dll
2008-07-14 07:51:46 77312 -r-hs---- C:\WINDOWS\system32\ckvo0.dll
2008-07-14 07:51:46 117009 -r-hs---- C:\WINDOWS\system32\ckvo.exe
2008-07-11 08:37:59 0 d-------- C:\Documents and Settings\RAKeller.BIBB.NET\Application Data\Autodesk
2008-07-11 08:37:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Autodesk
2008-07-11 08:37:58 0 d-------- C:\Documents and Settings\RAKeller.BIBB.NET\Application Data\Autodesk NavisWorks Freedom 2009
2008-07-11 08:37:58 0 d-------- C:\Documents and Settings\All Users\Application Data\NavisWorks 2009
2008-07-11 08:37:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Autodesk NavisWorks Freedom 2009
2008-07-11 07:49:22 0 d-------- C:\Program Files\Autodesk
2008-07-11 07:47:22 0 d-------- C:\Autodesk
2008-07-03 08:48:31 4 --a------ C:\Documents and Settings\RAKeller.BIBB.NET\Application Data\125197
2008-07-03 08:47:52 0 d-------- C:\Program Files\Common Files\Real
2008-07-03 08:46:22 0 d-------- C:\Program Files\Rhapsody
2008-07-03 08:44:09 0 d-------- C:\Documents and Settings\RAKeller.BIBB.NET\Application Data\Real
2008-07-03 08:43:28 0 d-------- C:\Program Files\Real
2008-07-02 08:59:00 1497088 --a------ C:\WINDOWS\system32\cc3250mt.dll <Not Verified; Inprise Corporation; Borland C++ Builder 5.0>
2008-07-02 08:59:00 1405440 --a------ C:\WINDOWS\system32\cc3250.dll <Not Verified; Inprise Corporation; Borland C++ Builder 5.0>
2008-07-02 08:59:00 25600 --a------ C:\WINDOWS\system32\borlndmm.dll <Not Verified; Inprise Corporation; Borland Memory Manager>
2008-07-02 08:58:54 0 d-------- C:\Program Files\Common Files\Borland Shared
2008-07-02 08:58:53 0 d-------- C:\Program Files\CITIZEN
2008-07-02 08:58:31 0 d-------- C:\Documents and Settings\RAKeller.BIBB.NET\WINDOWS


-- Find3M Report ---------------------------------------------------------------

2008-07-20 15:28:55 0 d-------- C:\Program Files\Java
2008-07-20 14:40:18 1445 --a------ C:\Documents and Settings\RAKeller.BIBB.NET\Application Data\autobahn.log
2008-07-20 14:39:47 0 d-------- C:\Program Files\Symantec AntiVirus
2008-07-20 14:27:31 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-14 11:34:59 0 d-------- C:\Documents and Settings\RAKeller.BIBB.NET\Application Data\LimeWire
2008-07-14 06:55:16 0 d-------- C:\Program Files\LimeWire
2008-07-11 08:41:41 0 d-------- C:\Program Files\Three Rings Design
2008-07-03 08:48:44 870128 --a------ C:\Documents and Settings\RAKeller.BIBB.NET\Application Data\mcs.rma
2008-07-03 08:47:52 0 d-------- C:\Program Files\Common Files
2008-07-03 08:28:42 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-03 07:51:29 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-06-29 22:08:49 0 d-------- C:\Program Files\Absolute Poker


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-12-07 03:12]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 20:26]
"vptray"="C:\PROGRA~1\SYMANT~2\VPTray.exe" [2006-09-27 21:33]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-11 02:30]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-11 02:30]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 03:17 C:\WINDOWS\KHALMNPR.Exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 22:37]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 09:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"kamsoft"="C:\WINDOWS\system32\ckvo.exe" [2008-07-20 14:36]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
MLB.TV NexDef Plug-in.lnk - C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe [2008-03-30 18:52:34]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=1 (0x1)
"HideLogonScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
psqlpwd.dll 2005-12-08 16:59 39936 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
C:\Program Files\Lenovo\HOTKEY\notifyf2.dll 2006-09-06 15:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
C:\Program Files\Lenovo\HOTKEY\tphklock.dll 2006-12-14 10:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1532566075-1165914593-1231754661-1101\Scripts\Logon\0\0]
"Script"=\\bibb.net.com\NETLOGON\KIX32.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1532566075-1165914593-1231754661-4495\Scripts\Logon\0\0]
"Script"=\\Viper1\netlogon\scan.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1532566075-1165914593-1231754661-4495\Scripts\Logon\1\0]
"Script"=\\bibb.net.com\netlogon\kix32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WFPUser.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WFPUser.lnk
backup=C:\WINDOWS\pss\WFPUser.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLOG]
rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cssauth]
"C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
"C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
C:\WINDOWS\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IBM Warranty Notification]
"C:\Program Files\IBM\acp\ERTS0749\ERTS0749.exe /nointro"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDService.exe]
"C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\suScheduler]
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TP4EX]
tp4ex.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPKMAPHELPER]
C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TpShocks]
TpShocks.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
"C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{454c27a8-6b5d-11dc-bc89-00a0d5ffff85}]
AutoRun\command- F:\xc9f3l6.cmd
explore\Command- F:\xc9f3l6.cmd
open\Command- F:\xc9f3l6.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65b7c3c4-a8ec-11dc-bd24-00a0d5ffff85}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b660fe78-962a-11dc-bcf2-001641e3b6dd}]
AutoRun\command- E:\xc9f3l6.cmd
explore\Command- E:\xc9f3l6.cmd
open\Command- E:\xc9f3l6.cmd




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8828 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-20 15:50:29 ------------



;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-07-20 13:35:34
PROTECTIONS: 1
MALWARE: 55
SUSPECTS: 12
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Symantec Antivirus Corporate Edition 10.1 No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00039204 adware/cws Adware No 0 Yes No hkey_classes_root\iehlprobj.iehlprobj
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@trafficmp[2].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@casalemedia[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@atdmt[2].txt
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@247realmedia[1].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@fastclick[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@tribalfusion[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@mediaplex[1].txt
00145792 Cookie/SexList TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@sexlist[2].txt
00145807 Cookie/Linksynergy TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@linksynergy[1].txt
00147020 Cookie/Lop TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@mp3search[1].txt
00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@revenue[2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP318\A0059575.dll
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@com[1].txt
00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@yadro[2].txt
00167724 Cookie/HotLog TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@hotlog[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@statcounter[2].txt
00167760 Cookie/Hitslink TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@counter.hitslink[1].txt
00167765 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@hg1.hitbox[1].txt
00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@perf.overture[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@ad.yieldmanager[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@apmebf[1].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@burstnet[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@bs.serving-sys[2].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@www.burstbeacon[2].txt
00168106 Cookie/Weborama TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@weborama[1].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@server.iad.liveperson[1].txt
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@stat.onestat[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@advertising[1].txt
00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@media.adrevolver[1].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@statse.webtrendslive[2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@ads.pointroll[2].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@overture[2].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@realmedia[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@questionmarket[1].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@zedo[2].txt
00172449 Cookie/MetriWeb TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@metriweb[1].txt
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@bluestreak[2].txt
00182104 Cookie/Hitbox TrackingCookie No 0 Yes No C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP319\A0059828.dll
00182104 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@phg.hitbox[2].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@adrevolver[2].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@go[2].txt
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@searchportal.information[2].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@target[2].txt
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@did-it[1].txt
00207936 Cookie/Adviva TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@adviva[2].txt
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@ads.addynamix[1].txt
00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@citi.bridgetrack[1].txt
03268325 W32/Lineage.JCO.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP318\A0059359.0MD
03269727 W32/Lineage.JCZ.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP317\A0059242.0LL
03295745 W32/Lineage.JDH.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP319\A0059660.0XE
03295797 W32/Lineage.IMP.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP318\A0059521.dll
03295798 W32/Lineage.IMP.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP318\A0059525.0MD
03299112 W32/Lineage.JDM Virus No 0 Yes No C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP318\A0059526.com
03301106 W32/Lineage.JDM.worm Virus/Worm No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Local Settings\Temp\dtkcsly.dll
;===================================================================================================================================================================================
SUSPECTS
Sent Location 06
;===================================================================================================================================================================================
No C:\WINDOWS\system32\ckvo0.dll 06
No C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP318\A0059386.0MD 06
No C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP318\A0059387.0MD 06
No C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP318\A0059436.0MD 06
No C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP318\A0059439.0XE 06
No C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP318\A0059495.dll 06
No C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP318\A0059607.dll 06
No C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP319\A0059627.exe 06
No C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP319\A0059839.bat 06
No C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP319\A0059863.com 06
No C:\WINDOWS\system32\ckvo0.dll 06
No C:\WINDOWS\system32\ckvo1.dll 06
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description 06
;===================================================================================================================================================================================
;===================================================================================================================================================================================
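The Panda ActiveScan report above is long, and most of its rows are tracking cookies or copies that System Restore archived, which is what makes it hard to see what is actually still on the machine. The script below is an added example, not code from the original post, from Panda or from BleepingComputer. It parses rows in the report's column layout (assumed to be Id Description Type Active Severity Disinfectable Disinfected Location, with the SUSPECTS section as Sent Location plus an optional trailing numeric column, as in the paste above) and buckets each path into inert restore-point copies, cookies, and files live on the running system. The sample rows are copied from the report above; the bucketing rules are the example's own.

```python
"""Triage helper for a Panda ActiveScan report like the one pasted above.

Added example: this is not code from the original post, from Panda or from
BleepingComputer. Assumptions: detection rows use the ActiveScan column order
(Id Description Type Active Severity Disinfectable Disinfected Location), the
SUSPECTS rows are "Sent Location", a trailing numeric column may follow the
path (as in the paste above), and the bucketing rules are this example's own.
"""
import re
from collections import Counter

# Constructed excerpt: a few rows copied from the report above, in its format.
SAMPLE_REPORT = r"""
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Cookies\ryan.a.keller@mediaplex[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP318\A0059575.dll
03268325 W32/Lineage.JCO.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP318\A0059359.0MD
03301106 W32/Lineage.JDM.worm Virus/Worm No 0 Yes No C:\Documents and Settings\RAKeller.BIBB.NET\Local Settings\Temp\dtkcsly.dll
;==========================================================================
SUSPECTS
Sent Location 06
;==========================================================================
No C:\WINDOWS\system32\ckvo0.dll 06
No C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP319\A0059839.bat 06
No C:\WINDOWS\system32\ckvo0.dll 06
No C:\WINDOWS\system32\ckvo1.dll 06
;==========================================================================
VULNERABILITIES
Id Severity Description 06
;==========================================================================
"""

DETECTION_RE = re.compile(
    r"^(?P<id>\d{8})\s+(?P<description>\S+)\s+(?P<type>\S+)\s+"
    r"(?P<active>Yes|No)\s+(?P<severity>\d+)\s+"
    r"(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+"
    r"(?P<location>.+?)(?:\s+\d+)?$"          # path, then optional numeric column
)
SUSPECT_RE = re.compile(r"^(?P<sent>Yes|No)\s+(?P<location>.+?)(?:\s+\d+)?$")
# Matches the System Restore archive and captures the restore point (RPnnn).
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[^\\]*\}\\(RP\d+)\\", re.I)


def parse_report(text):
    """Split a pasted report into detection rows and SUSPECTS rows (as dicts)."""
    detections, suspects = [], []
    section = "DETECTIONS"  # label for rows before the first section header
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or ;==== separator
        if re.fullmatch(r"[A-Z]+", line):
            section = line  # SUSPECTS, VULNERABILITIES, ...
            continue
        if section == "DETECTIONS":
            m = DETECTION_RE.match(line)
            if m:
                detections.append(m.groupdict())
        elif section == "SUSPECTS":
            m = SUSPECT_RE.match(line)
            if m:
                suspects.append(m.groupdict())
        # Column-header lines and the VULNERABILITIES section fall through.
    return detections, suspects


def classify(location, kind=None):
    """Bucket a path by what it means for cleanup, not by the scanner's label.

    restore_point: a copy System Restore archived; inert unless that point is
                   restored, and cleared by purging the restore points.
    cookie:        tracking cookie, privacy noise rather than infection.
    live:          a file on the running system; this is what still matters.
    """
    if RESTORE_RE.search(location):
        return "restore_point"
    if kind == "TrackingCookie" or "\\Cookies\\" in location:
        return "cookie"
    return "live"


def triage(text):
    """Summarise a report: bucket counts, live paths, restore points to purge."""
    detections, suspects = parse_report(text)
    buckets = Counter(classify(d["location"], d["type"]) for d in detections)
    live_detections = sorted({d["location"] for d in detections
                              if classify(d["location"], d["type"]) == "live"})
    live_suspects = sorted({s["location"] for s in suspects
                            if classify(s["location"]) == "live"})  # deduplicated
    restore_points = sorted({m.group(1) for row in detections + suspects
                             for m in [RESTORE_RE.search(row["location"])] if m})
    return {
        "detections": dict(buckets),
        "live_detections": live_detections,
        "live_suspects": live_suspects,
        "restore_points": restore_points,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print("detections by bucket:", summary["detections"])
    print("live detections:", *summary["live_detections"], sep="\n  ")
    print("live suspects:", *summary["live_suspects"], sep="\n  ")
    print("restore points holding copies:", ", ".join(summary["restore_points"]))
```

Run on the sample, the only live detection is the DLL in the user's Temp folder and the only live suspects are the two ckvo*.dll files in system32, which lines up with the Symantec auto-protect pop-up described in the first post: the copies under System Volume Information only come back if a restore point is restored, so the usual order of work is to clean the live files first and purge the restore points afterwards.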


#2 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • Gender:Male
  • Location:Boston Mass

Posted 06 August 2008 - 09:40 PM

Hello and welcome to BC

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the steps below so we can have a look at the current condition of your machine.

Upon completing the steps below, a staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.


If you already performed the steps above, we still need to see the current state of the machine; a fresh scan and logs are still necessary.

Click on Start, click on Run, copy and paste the following into the Open window and then click OK:
"%userprofile%\desktop\dss.exe" /config
This will open the DSS configuration.
Click on Check All, then click Scan.
DSS will now run again. When it is finished, please post back both logs that open in Notepad, main.txt and extra.txt.



Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#3 killakella

killakella
  • Topic Starter

  • Members
  • 2 posts

Posted 07 August 2008 - 07:13 AM

I think I have fixed the problem. I was running Malwarebytes Anti-malware but it wasn't removing the virus. The virus was disabling hidden files and not allowing me to show them, but I found a script to override this. Running Anti-malware again found and removed a new set of threats which seems to have fixed the problem. Thanks.
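The poster does not quote the script they used to get hidden files showing again, so the following is an added example, not the poster's script and not BleepingComputer's. It assumes that the symptom described above, hidden files switched off and the option to show them not working, is the well-known tampering of the Explorer radio-button values under HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden and of the per-user values under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced. The key paths and expected data are the Windows defaults for showing hidden files; the audit and repair helpers, which use Python's winreg module, are this example's own.

```python
"""Audit and restore the Explorer "Show hidden files and folders" settings.

Added example, not the script the poster used (the thread does not quote it)
and not BleepingComputer's. Assumption: the symptom described above, hidden
files that cannot be switched back on, is the common tampering of the Explorer
radio-button policy values listed below; the expected data are the Windows
defaults for showing hidden files. find_deviations() is pure Python and runs
anywhere; the two *_windows() helpers need the winreg module, i.e. Windows.
"""
import sys

REG_SZ, REG_DWORD = 1, 4  # Windows registry type codes (winreg.REG_SZ, winreg.REG_DWORD)

HKLM, HKCU = "HKLM", "HKCU"
ADVANCED = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
SHOWALL = ADVANCED + r"\Folder\Hidden\SHOWALL"    # the "Show hidden files" radio button
NOHIDDEN = ADVANCED + r"\Folder\Hidden\NOHIDDEN"  # the "Do not show" radio button

# (hive, key, value name, expected REG_DWORD data)
EXPECTED = [
    (HKLM, SHOWALL, "CheckedValue", 1),     # commonly set to 0, or to a string, by autorun worms
    (HKLM, SHOWALL, "DefaultValue", 2),
    (HKLM, NOHIDDEN, "CheckedValue", 2),
    (HKLM, NOHIDDEN, "DefaultValue", 2),
    (HKCU, ADVANCED, "Hidden", 1),          # 1 = show hidden files, 2 = hide them
    (HKCU, ADVANCED, "ShowSuperHidden", 1), # 1 = also show protected OS files
]


def find_deviations(current):
    """Compare a registry snapshot with EXPECTED and return the fixes needed.

    current maps (hive, key, name) -> (data, type_code). A value that is
    missing, holds the wrong number, or is stored as REG_SZ instead of
    REG_DWORD all count as deviations: a string-typed CheckedValue also
    breaks the radio button, so checking the number alone is not enough.
    """
    fixes = []
    for hive, key, name, want in EXPECTED:
        have = current.get((hive, key, name))
        if have != (want, REG_DWORD):
            fixes.append((hive, key, name, want))
    return fixes


def _hives():
    import winreg  # available on Windows only
    return {HKLM: winreg.HKEY_LOCAL_MACHINE, HKCU: winreg.HKEY_CURRENT_USER}


def snapshot_windows():
    """Read the current data and type of every EXPECTED entry from the registry."""
    import winreg
    current = {}
    for hive, key, name, _ in EXPECTED:
        try:
            with winreg.OpenKey(_hives()[hive], key) as k:
                data, type_code = winreg.QueryValueEx(k, name)
        except OSError:
            continue  # missing key or value: find_deviations() reports it as a fix
        current[(hive, key, name)] = (data, type_code)
    return current


def apply_windows(fixes):
    """Write each fix as REG_DWORD, creating the key if it was deleted.
    The HKLM entries need an administrator account."""
    import winreg
    for hive, key, name, want in fixes:
        with winreg.CreateKey(_hives()[hive], key) as k:
            winreg.SetValueEx(k, name, 0, winreg.REG_DWORD, want)


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("registry access needs Windows; find_deviations() works anywhere")
    fixes = find_deviations(snapshot_windows())
    for hive, key, name, want in fixes:
        print(f"fixing {hive}\\{key}\\{name} -> {want}")
    apply_windows(fixes)
    print("done; log off and on (or restart explorer.exe) to see the effect")
```

Auditing before writing is deliberate: if the only deviation is the user's own Hidden preference, nothing was tampered with and the problem lies elsewhere, whereas a wrong or string-typed CheckedValue under SHOWALL is the signature of the tampering this example assumes.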

#4 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • Gender:Male
  • Location:Boston Mass

Posted 07 August 2008 - 09:20 AM

Thanks for letting us know.

Glad to hear the problem was sorted out :thumbsup:

As the issue was resolved, this topic is closed. Should you have any future problems, please start a new topic.

Thanks
Don :)



