View Full Version : Problems with System Popups and ie. toolbar.
itisonlyatest
2007-05-16, 05:19
I have some video codec virus thingy, and Spybot said it removed it, but im still getting pop-ups, etc.
I am running Windows Vista, I had a Protection Center toolbar in i.e., but I disabled it, it still won't let me delete it though.
eTrust Antivirus Web Scanner
No Infections
HiJackThis Log
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:19:00 PM, on 5/15/2007
Platform: Windows Vista (WinNT 6.00.1904)
Boot mode: Normal
Running processes:
V:\Windows\system32\taskeng.exe
V:\Windows\system32\Dwm.exe
V:\Windows\Explorer.EXE
V:\Program Files\Video ActiveX Access\iesmn.exe
V:\Program Files\Analog Devices\Core\smax4pnp.exe
V:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
V:\Program Files\iTunes\iTunesHelper.exe
V:\Program Files\Internet Explorer\iexplore.exe
V:\Program Files\Common Files\Symantec Shared\ccApp.exe
V:\Windows\System32\wpcumi.exe
V:\Windows\ehome\ehtray.exe
V:\Program Files\Windows Media Player\wmpnscfg.exe
V:\Program Files\Video ActiveX Access\iesmin.exe
V:\Windows\ehome\ehmsas.exe
V:\Program Files\Brother\ControlCenter3\brccMCtl.exe
V:\Program Files\Windows NT\Accessories\WORDPAD.EXE
V:\Windows\system32\SearchFilterHost.exe
V:\Users\Chris\Downloads\HiJackThis_v2.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - V:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - V:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - V:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: InlineSearchHandleHotKey - {B6FFE2AE-4D12-451F-B457-FE6125FFB1CF} - V:\Program Files\IEForge\Inline Search\InlineSearch.dll
O2 - BHO: (no name) - {B8C5186E-EC37-4889-9C2E-F73649FFB7BB} - V:\Program Files\Video ActiveX Access\iesplg.dll
O3 - Toolbar: Protection Bar - {31615D5C-5126-448A-818A-A7CDFEE85A9B} - V:\Program Files\Video ActiveX Access\iesbpl.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SoundMAXPnP] V:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "V:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [iTunesHelper] "V:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "V:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BrMfcWnd] V:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] V:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [WPCUMI] V:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [QuickTime Task] "V:\Program Files\VistaCodecPack\QT\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ehTray.exe] V:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] V:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] V:\Program Files\Video ActiveX Access\iesmn.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://V:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - V:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - V:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - V:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/ActiveX/VMRCActiveXClient1.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - V:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - V:\Windows\system32\browseui.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - V:\Windows\System32\DreamScene.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - V:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - V:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - V:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - V:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - V:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - V:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
--
End of file - 8048 bytes
itisonlyatest
2007-05-20, 03:06
Also, it changed my IE homepage.
Hi itisonlyatest
I'm pretty sure that Smitfraudfix won't work in Vista, but let's test it:
Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.exe
Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
IMPORTANT: Do NOT run any other options until you are asked to do so!
**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.
itisonlyatest
2007-05-22, 01:42
When I run it it says: Unsupported Version, Windows 2000/XP required.
Hi
Yes, that was expectable
Then we do this:
Please print these instructions because while in safe mode you can't read this forum.
Boot in safe mode, see here (http://www.computerhope.com/issues/chsafe.htm#03)
Uninstall via add/remove programs if present:
Video ActiveX Access
Open HijackThis, click do a system scan onyly and checkmark these:
O2 - BHO: (no name) - {B8C5186E-EC37-4889-9C2E-F73649FFB7BB} - V:\Program Files\Video ActiveX Access\iesplg.dll
O3 - Toolbar: Protection Bar - {31615D5C-5126-448A-818A-A7CDFEE85A9B} - V:\Program Files\Video ActiveX Access\iesbpl.dll
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] V:\Program Files\Video ActiveX Access\iesmn.exe
Close all windows including browser and press fix checked
Delete if present:
V:\Program Files\Video ActiveX Access
Empty Recycle Bin
Reboot
Post a fresh HijackThis log.
itisonlyatest
2007-05-23, 01:42
There is no add or remove programs entry for Video ActiveX Access, but there is for:
IExplorer Security Plug-In
This is that dumb toolbar I disabled in I.E, and when I click uninstall it says:
You should reboot your computer prior to uninstalling this software. Reboot now?
The options are: Ok and Cancel, so I put cancel and nothing happens.
Onto the other stuff:
I removed the items you told me to in HiJack This, along with the VideoActiveXAccess folder in Program Files (did this all in safe mode), I also emptied the recycle bin.
Rebooted. I notice my IE start page is now back to normal, yay!
Ran HiJack this, here is the log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:41:35 PM, on 5/22/2007
Platform: Windows Vista (WinNT 6.00.1904)
Boot mode: Normal
Running processes:
V:\Windows\system32\taskeng.exe
V:\Windows\system32\Dwm.exe
V:\Windows\Explorer.EXE
V:\Program Files\Analog Devices\Core\smax4pnp.exe
V:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
V:\Program Files\iTunes\iTunesHelper.exe
V:\Program Files\Common Files\Symantec Shared\ccApp.exe
V:\Windows\System32\wpcumi.exe
V:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
V:\Windows\ehome\ehtray.exe
V:\Program Files\Windows Media Player\wmpnscfg.exe
V:\Windows\ehome\ehmsas.exe
V:\Program Files\Internet Explorer\ieuser.exe
V:\Program Files\Internet Explorer\iexplore.exe
V:\Windows\system32\SearchFilterHost.exe
V:\Users\Chris\Downloads\HiJackThis_v2.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - V:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - V:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - V:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: InlineSearchHandleHotKey - {B6FFE2AE-4D12-451F-B457-FE6125FFB1CF} - V:\Program Files\IEForge\Inline Search\InlineSearch.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SoundMAXPnP] V:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "V:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [iTunesHelper] "V:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "V:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BrMfcWnd] V:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] V:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [WPCUMI] V:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [QuickTime Task] "V:\Program Files\VistaCodecPack\QT\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "V:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ehTray.exe] V:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] V:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://V:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - V:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - V:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - V:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/ActiveX/VMRCActiveXClient1.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - V:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - V:\Windows\system32\browseui.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - V:\Windows\System32\DreamScene.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - V:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - V:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - V:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - V:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - V:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - V:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - V:\Windows\System32\ZoneLabs\vsmon.exe
--
End of file - 7830 bytes
Hi
Yes, log looks good now.
Not sure if Kaspersky online scanner works with Vista, but let's test it:
Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
+ Extended (If available otherwise Standard)
o Scan Options:
+ Scan Archives
+ Scan Mail Bases
Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.
Post:
- a fresh HijackThis log
- kaspersky report
itisonlyatest
2007-05-24, 17:57
This scan took forever!
HiJack This Log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:52:55 AM, on 5/24/2007
Platform: Windows Vista (WinNT 6.00.1904)
Boot mode: Normal
Running processes:
V:\Windows\system32\taskeng.exe
V:\Windows\system32\Dwm.exe
V:\Windows\Explorer.EXE
V:\Program Files\Analog Devices\Core\smax4pnp.exe
V:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
V:\Program Files\iTunes\iTunesHelper.exe
V:\Program Files\Common Files\Symantec Shared\ccApp.exe
V:\Windows\System32\wpcumi.exe
V:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
V:\Program Files\Brother\ControlCenter3\brccMCtl.exe
V:\Windows\ehome\ehtray.exe
V:\Program Files\Windows Media Player\wmpnscfg.exe
V:\Windows\ehome\ehmsas.exe
V:\Program Files\Internet Explorer\ieuser.exe
V:\Program Files\Internet Explorer\iexplore.exe
V:\Program Files\iTunes\iTunes.exe
V:\Program Files\Last.fm\LastFM.exe
V:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
V:\Users\Chris\Downloads\HiJackThis_v2.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - V:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - V:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - V:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: InlineSearchHandleHotKey - {B6FFE2AE-4D12-451F-B457-FE6125FFB1CF} - V:\Program Files\IEForge\Inline Search\InlineSearch.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SoundMAXPnP] V:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "V:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [iTunesHelper] "V:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "V:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BrMfcWnd] V:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] V:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [WPCUMI] V:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [QuickTime Task] "V:\Program Files\VistaCodecPack\QT\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "V:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ehTray.exe] V:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] V:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://V:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - V:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - V:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - V:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/ActiveX/VMRCActiveXClient1.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - V:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - V:\Windows\system32\browseui.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - V:\Windows\System32\DreamScene.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - V:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - V:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - V:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - V:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - V:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - V:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - V:\Windows\System32\ZoneLabs\vsmon.exe
--
End of file - 8092 bytes
itisonlyatest
2007-05-24, 17:58
KASPERSKY ONLINE SCANNER REPORT
Thursday, May 24, 2007 7:48:11 AM
Operating System: Microsoft Windows Vista Professional, (Build 6000)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 24/05/2007
Kaspersky Anti-Virus database records: 328326
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
F:\
N:\
V:\
Scan Statistics
Total number of scanned objects 277578
Number of viruses found 14
Number of infected objects 1533
Number of suspicious objects 0
Duration of the scan process 06:15:58
Infected Object Name Virus Name Last Action
C:\Boot\BCD Object is locked skipped
C:\Boot\BCD.LOG Object is locked skipped
C:\boot.ini Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.bak Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\42C57B68.exe/stream/data0007 Infected: not-a-virus:Monitor.Win32.ActiveKeyLogger.24 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\42C57B68.exe/stream Infected: not-a-virus:Monitor.Win32.ActiveKeyLogger.24 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\42C57B68.exe NSIS: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\42C57B68.exe CryptFF: infected - 2 skipped
C:\i386\closeapp.ex_/closeapp.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
C:\i386\closeapp.ex_ CAB: infected - 1 skipped
C:\i386\vimc.ex_/vimc.exe/WISE0005.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
C:\i386\vimc.ex_/vimc.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
C:\i386\vimc.ex_ CAB: infected - 2 skipped
C:\IRC Downloads\fullkeylogger.exe Infected: not-a-virus:Monitor.Win32.KeyLogger.r skipped
C:\NTDETECT.COM Object is locked skipped
C:\ntldr Object is locked skipped
C:\pagefile.sys Object is locked skipped
C:\Program Files\Adobe\Adobe Bridge\install.adb Object is locked skipped
C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.ilg Object is locked skipped
C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.ilg Object is locked skipped
C:\Program Files\Norton Anti-Virus\Savrt\0381NAV~.TMP Object is locked skipped
C:\Program Files\Norton Anti-Virus\Savrt\0471NAV~.TMP Object is locked skipped
C:\Program Files\Real\RealPlayer\120.chl Object is locked skipped
C:\Program Files\Real\RealPlayer\155.chl Object is locked skipped
C:\Program Files\Real\RealPlayer\pref.gd Object is locked skipped
C:\Program Files\Speed Startup\Backup\Adobe Gamma.lnk Object is locked skipped
C:\SpyHiJack\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SpyHiJack\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SpyHiJack\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\WINDOWS\diagerr.xml Object is locked skipped
C:\WINDOWS\diagwrn.xml Object is locked skipped
C:\WINDOWS\Minidump\Mini102506-01.dmp Object is locked skipped
C:\WINDOWS\repair\autoexec.nt Object is locked skipped
C:\WINDOWS\repair\config.nt Object is locked skipped
C:\WINDOWS\repair\default Object is locked skipped
C:\WINDOWS\repair\DS_SAM Object is locked skipped
C:\WINDOWS\repair\DS_SECURITY Object is locked skipped
C:\WINDOWS\repair\DS_SOFTWARE Object is locked skipped
C:\WINDOWS\repair\ntuser.dat Object is locked skipped
C:\WINDOWS\repair\sam Object is locked skipped
C:\WINDOWS\repair\secsetup.inf Object is locked skipped
C:\WINDOWS\repair\security Object is locked skipped
C:\WINDOWS\repair\setup.log Object is locked skipped
C:\WINDOWS\repair\software Object is locked skipped
C:\WINDOWS\repair\system.bak Object is locked skipped
C:\WINDOWS\system32\closeapp.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.sav Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SLEvtLog.evt Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.sav Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\system.sav Object is locked skipped
C:\WINDOWS\system32\config\TempKey.LOG Object is locked skipped
C:\WINDOWS\system32\config\userdiff Object is locked skipped
C:\WINDOWS\system32\config\userdiff.LOG Object is locked skipped
itisonlyatest
2007-05-24, 17:59
C:\WINDOWS\system32\sys.exe Infected: Trojan.Win32.Delf.zw skipped
C:\WINDOWS\system32\vimc.exe/WISE0005.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
C:\WINDOWS\system32\vimc.exe WiseSFX: infected - 1 skipped
C:\WINDOWS\system32\wbem\AutoRecover\1EBE968EB7AF815A32641E6185350A9E.mof Object is locked skipped
C:\WINDOWS\system32\wbem\AutoRecover\8A94AF24F162D580E3D9889344A3A317.mof Object is locked skipped
C:\WINDOWS\system32\wbem\AutoRecover\E478A5DB75C9721E744C05D78DBACFD3.mof Object is locked skipped
F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Freebay ][Date Thu, 25 Nov 2004 07:07:59 -0800 (PST)]/document.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Freebay ][Date Thu, 25 Nov 2004 07:07:59 -0800 (PST)]/document.zip Infected: Email-Worm.Win32.NetSky.q skipped
F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Spending Power ][Date Thu, 25 Nov 2004 09:08:46 -0800 (PST)]/html/[From mary@lycos.com][Date Fri, 26 Nov 2004 17:59:07 +0800]/UNNAMED/readme.scr Infected: Email-Worm.Win32.LovGate.w skipped
F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Spending Power ][Date Thu, 25 Nov 2004 09:08:46 -0800 (PST)]/html/[From mary@lycos.com][Date Fri, 26 Nov 2004 17:59:07 +0800]/UNNAMED Infected: Email-Worm.Win32.LovGate.w skipped
F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Spending Power ][Date Thu, 25 Nov 2004 09:08:46 -0800 (PST)]/html/[From MAILER-DAEMON@essonne.cci.fr (Mail Delivery System)][Date Fri, 26 Nov 2004 12:31:15 +0100 (CET)]/UNNAMED/[From helen@whoever.com][Date Fri, 26 Nov 2004 19:26:06 +0800]/UNNAMED/message.exe Infected: Email-Worm.Win32.LovGate.w skipped
F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Spending Power ][Date Thu, 25 Nov 2004 09:08:46 -0800 (PST)]/html/[From MAILER-DAEMON@essonne.cci.fr (Mail Delivery System)][Date Fri, 26 Nov 2004 12:31:15 +0100 (CET)]/UNNAMED/[From helen@whoever.com][Date Fri, 26 Nov 2004 19:26:06 +0800]/UNNAMED Infected: Email-Worm.Win32.LovGate.w skipped
F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Spending Power ][Date Thu, 25 Nov 2004 09:08:46 -0800 (PST)]/html/[From MAILER-DAEMON@essonne.cci.fr (Mail Delivery System)][Date Fri, 26 Nov 2004 12:31:15 +0100 (CET)]/UNNAMED/[From steve@pldtdsl.net][Date Fri, 26 Nov 2004 19:38:57 +0800]/UNNAMED/UNNAMED/body.pif Infected: Email-Worm.Win32.LovGate.w skipped
F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Spending Power ][Date Thu, 25 Nov 2004 09:08:46 -0800 (PST)]/html/[From MAILER-DAEMON@essonne.cci.fr (Mail Delivery System)][Date Fri, 26 Nov 2004 12:31:15 +0100 (CET)]/UNNAMED/[From steve@pldtdsl.net][Date Fri, 26 Nov 2004 19:38:57 +0800]/UNNAMED/UNNAMED Infected: Email-Worm.Win32.LovGate.w skipped
F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Spending Power ][Date Thu, 25 Nov 2004 09:08:46 -0800 (PST)]/html/[From MAILER-DAEMON@essonne.cci.fr (Mail Delivery System)][Date Fri, 26 Nov 2004 12:31:15 +0100 (CET)]/UNNAMED/[From steve@pldtdsl.net][ ... /[From fred@msdirectservices.com][Date Fri, 26 Nov 2004 19:41: ... /message.scr Infected: Email-Worm.Win32.LovGate.w skipped
F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Spending Power ][Date Thu, 25 Nov 2004 09:08:46 -0800 (PST)]/html/[From MAILER-DAEMON@essonne.cci.fr (Mail Delivery System)][Date Fri, 26 Nov 2004 12:31:15 +0100 (CET)]/UNNAMED/[From steve@pldtdsl.net][ ... /[From fred@msdirectservices.com][Date Fri, 26 Nov 2004 19:41:01 + ... /UNNAMED Infected: Email-Worm.Win32.LovGate.w skipped
F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Spending Power ][Date Thu, 25 Nov 2004 09:08:46 -0800 (PST)]/html/[From MAILER-DAEMON@essonne.cci.fr (Mail Delivery System)][Date Fri, 26 Nov 2004 12:31:15 +0100 (CET)]/UNNAMED/[From steve@pldtdsl.net][ ... /[F ... /[From jimmy@pldtdsl.net][Date Fri, 26 Nov 2004 19:45 ... /document.pif Infected: Email-Worm.Win32.LovGate.w skipped
F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Spending Power ][Date Thu, 25 Nov 2004 09:08:46 -0800 (PST)]/html/[From MAILER-DAEMON@essonne.cci.fr (Mail Delivery System)][Date Fri, 26 Nov 2004 12:31:15 +0100 (CET)]/UNNAMED/[From steve@pldtdsl.net][ ... /[F ... /[From jimmy@pldtdsl.net][Date Fri, 26 Nov 2004 19:45:29 + ... /UNNAMED Infected: Email-Worm.Win32.LovGate.w skipped
F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Spending Power ][Date Thu, 25 Nov 2004 09:08:46 -0800 (PST)]/html/[From MAILER-DAEMON@essonne.cci.fr (Mail Delivery System)][Date Fri, 26 Nov 2004 12:31:15 +0100 (CET)]/UNNAMED/[From steve@pldtdsl.net][ ... /[ ... /[From brenda@info.com.ph][Date Fri, 26 Nov 2004 19:49:54 ... /data.scr Infected: Email-Worm.Win32.LovGate.w skipped
F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Spending Power ][Date Thu, 25 Nov 2004 09:08:46 -0800 (PST)]/html/[From MAILER-DAEMON@essonne.cci.fr (Mail Delivery System)][Date Fri, 26 Nov 2004 12:31:15 +0100 (CET)]/UNNAMED/[From steve@pldtdsl.net][ ... /[ ... /[From brenda@info.com.ph][Date Fri, 26 Nov 2004 19:49:54 + ... /UNNAMED Infected: Email-Worm.Win32.LovGate.w skipped
F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Spending Power ][Date Thu, 25 Nov 2004 09:08:46 -0800 (PST)]/html/[From MAILER-DAEMON@essonne.cci.fr (Mail Delivery System)][Date Fri, 26 Nov 2004 12:31:15 +0100 (CET)]/UNNAMED/[From steve@pldtd ... /document.htm .exe Infected: Email-Worm.Win32.LovGate.w skipped
F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Spending Power ][Date Thu, 25 Nov 2004 09:08:46 -0800 (PST)]/html/[From MAILER-DAEMON@essonne.cci.fr (Mail Delivery System)][Date Fri, 26 Nov 2004 12:31:15 +0100 (CET)]/UNNAMED/[From steve@pldtdsl.net][ ... / ... /[From claudia@whoever.com][Date Fri, 26 Nov 2004 19:59:27 + ... /UNNAMED Infected: Email-Worm.Win32.LovGate.w skipped
F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Spending Power ][Date Thu, 25 Nov 2004 09:08:46 -0800 (PST)]/html/[From MAILER-DAEMON@essonne.cci.fr (Mail Delivery System)][Date Fri, 26 Nov 2004 12:31:15 +0100 (CET)]/UNNAMED/[From steve@pldtdsl.net][ ... / .. ... /[From tom@yahoo.com.sg][Date Fri, 26 Nov 2004 20:04:02 ... /body.scr Infected: Email-Worm.Win32.LovGate.w skipped
F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Spending Power ][Date Thu, 25 Nov 2004 09:08:46 -0800 (PST)]/html/[From MAILER-DAEMON@essonne.cci.fr (Mail Delivery System)][Date Fri, 26 Nov 2004 12:31:15 +0100 (CET)]/UNNAMED/[From steve@pldtdsl.net][ ... / .. ... /[From tom@yahoo.com.sg][Date Fri, 26 Nov 2004 20:04:02 + ... /UNNAMED Infected: Email-Worm.Win32.LovGate.w skipped
F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Spending Power ][Date Thu, 25 Nov 2004 09:08:46 -0800 (PST)]/html/[From MAILER-DAEMON@essonne.cci.fr (Mail Delivery System)][Date Fri, 26 Nov 2004 12:31:15 +0100 (CET)]/UNNAMED/[From steve@pldtdsl ... /readme.txt .pif Infected: Email-Worm.Win32.LovGate.w skipped
F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Spending Power ][Date Thu, 25 Nov 2004 09:08:46 -0800 (PST)]/html/[From MAILER-DAEMON@essonne.cci.fr (Mail Delivery System)][Date Fri, 26 Nov 2004 12:31:15 +0100 (CET)]/UNNAMED/[From steve@pldtdsl.net][ ... / .. .. ... /[From debby@aol.com][Date Fri, 26 Nov 2004 20:15:49 + ... /UNNAMED Infected: Email-Worm.Win32.LovGate.w skipped
itisonlyatest
2007-05-24, 18:00
Theres way more but I have to do it when I get home from work later today, because this site makes me do piece by piece, and its an html file not a txt.
itisonlyatest
2007-05-24, 18:01
Oh wait nevermind, here it is attached. I put the scan.txt inside a .zip file because its 51KB, and the forum said its too big.
Hi
Scanning time depends on amount of files, you have lot of them. I've seen 24 hrs scanning times.
Scanning report doesn't look like complete:
Number of infected objects 1533
Empty this folder:
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine
Delete these:
C:\IRC Downloads\fullkeylogger.exe
C:\WINDOWS\system32\sys.exe
F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz
Empty Recycle Bin
Re-scan with kaspersky
Post:
- a fresh HijackThis log
- kaspersky report
itisonlyatest
2007-05-25, 08:06
I did what you said, then ran another scan.
For the record I will be going out of town tomorrow evening, until Monday, so please don't lock the thread.
Here is the Kaspersky Scan Report:
KASPERSKY ONLINE SCANNER REPORT
Thursday, May 24, 2007 10:01:05 PM
Operating System: Microsoft Windows Vista Professional, (Build 6000)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 24/05/2007
Kaspersky Anti-Virus database records: 328326
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
F:\
N:\
V:\
Scan Statistics
Total number of scanned objects 277887
Number of viruses found 3
Number of infected objects 12
Number of suspicious objects 0
Duration of the scan process 06:40:29
Infected Object Name Virus Name Last Action
C:\Boot\BCD Object is locked skipped
C:\Boot\BCD.LOG Object is locked skipped
C:\boot.ini Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.bak Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\i386\closeapp.ex_/closeapp.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
C:\i386\closeapp.ex_ CAB: infected - 1 skipped
C:\i386\vimc.ex_/vimc.exe/WISE0005.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
C:\i386\vimc.ex_/vimc.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
C:\i386\vimc.ex_ CAB: infected - 2 skipped
C:\NTDETECT.COM Object is locked skipped
C:\ntldr Object is locked skipped
C:\pagefile.sys Object is locked skipped
C:\Program Files\Adobe\Adobe Bridge\install.adb Object is locked skipped
C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.ilg Object is locked skipped
C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.ilg Object is locked skipped
C:\Program Files\Norton Anti-Virus\Savrt\0381NAV~.TMP Object is locked skipped
C:\Program Files\Norton Anti-Virus\Savrt\0471NAV~.TMP Object is locked skipped
C:\Program Files\Real\RealPlayer\120.chl Object is locked skipped
C:\Program Files\Real\RealPlayer\155.chl Object is locked skipped
C:\Program Files\Real\RealPlayer\pref.gd Object is locked skipped
C:\Program Files\Speed Startup\Backup\Adobe Gamma.lnk Object is locked skipped
C:\SpyHiJack\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SpyHiJack\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SpyHiJack\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\WINDOWS\diagerr.xml Object is locked skipped
C:\WINDOWS\diagwrn.xml Object is locked skipped
C:\WINDOWS\Minidump\Mini102506-01.dmp Object is locked skipped
C:\WINDOWS\repair\autoexec.nt Object is locked skipped
C:\WINDOWS\repair\config.nt Object is locked skipped
C:\WINDOWS\repair\default Object is locked skipped
C:\WINDOWS\repair\DS_SAM Object is locked skipped
C:\WINDOWS\repair\DS_SECURITY Object is locked skipped
C:\WINDOWS\repair\DS_SOFTWARE Object is locked skipped
C:\WINDOWS\repair\ntuser.dat Object is locked skipped
C:\WINDOWS\repair\sam Object is locked skipped
C:\WINDOWS\repair\secsetup.inf Object is locked skipped
C:\WINDOWS\repair\security Object is locked skipped
C:\WINDOWS\repair\setup.log Object is locked skipped
C:\WINDOWS\repair\software Object is locked skipped
C:\WINDOWS\repair\system.bak Object is locked skipped
C:\WINDOWS\system32\closeapp.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.sav Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SLEvtLog.evt Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.sav Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\system.sav Object is locked skipped
C:\WINDOWS\system32\config\TempKey.LOG Object is locked skipped
C:\WINDOWS\system32\config\userdiff Object is locked skipped
C:\WINDOWS\system32\config\userdiff.LOG Object is locked skipped
C:\WINDOWS\system32\vimc.exe/WISE0005.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
C:\WINDOWS\system32\vimc.exe WiseSFX: infected - 1 skipped
C:\WINDOWS\system32\wbem\AutoRecover\1EBE968EB7AF815A32641E6185350A9E.mof Object is locked skipped
C:\WINDOWS\system32\wbem\AutoRecover\8A94AF24F162D580E3D9889344A3A317.mof Object is locked skipped
C:\WINDOWS\system32\wbem\AutoRecover\E478A5DB75C9721E744C05D78DBACFD3.mof Object is locked skipped
V:\Program Files\Adobe\Adobe Device Central CS3\AMT\AUMProduct.cer Object is locked skipped
V:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
V:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
V:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
V:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
V:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
V:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
V:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\07ba6cd04f4b286329885247df66b9c5_6be9b7ca-3cce-4567-ab73-ef173748f418 Object is locked skipped
V:\ProgramData\Microsoft\User Account Pictures\Danny.dat Object is locked skipped
V:\ProgramData\Microsoft\User Account Pictures\Games.dat Object is locked skipped
V:\ProgramData\Microsoft\User Account Pictures\Guest.dat Object is locked skipped
V:\ProgramData\Symantec\Common Client\settings.bak Object is locked skipped
V:\ProgramData\Symantec\Common Client\settings.dat Object is locked skipped
V:\ProgramData\Symantec\LiveUpdate\2007-05-24_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
V:\ProgramData\Symantec\Shared\QBackup\index.qbs Object is locked skipped
V:\ProgramData\Symantec\SPBBC\BBConfig.log Object is locked skipped
V:\ProgramData\Symantec\SPBBC\BBDebug.log Object is locked skipped
V:\ProgramData\Symantec\SPBBC\BBDetect.log Object is locked skipped
V:\ProgramData\Symantec\SPBBC\BBNotify.log Object is locked skipped
V:\ProgramData\Symantec\SPBBC\BBRefr.log Object is locked skipped
V:\ProgramData\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
V:\ProgramData\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
V:\ProgramData\Symantec\SPBBC\BBSetDev.log Object is locked skipped
V:\ProgramData\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
V:\ProgramData\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
V:\ProgramData\Symantec\SPBBC\BBStHash.log Object is locked skipped
V:\ProgramData\Symantec\SPBBC\BBValid.log Object is locked skipped
V:\ProgramData\Symantec\SPBBC\SPPolicy.log Object is locked skipped
V:\ProgramData\Symantec\SPBBC\SPStart.log Object is locked skipped
V:\ProgramData\Symantec\SPBBC\SPStop.log Object is locked skipped
V:\ProgramData\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
V:\ProgramData\Symantec\SRTSP\SrtETmp\3471FB21.TMP Object is locked skipped
V:\ProgramData\Symantec\SRTSP\SrtETmp\385B71B4.TMP Object is locked skipped
V:\ProgramData\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
V:\ProgramData\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
V:\ProgramData\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
V:\ProgramData\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
V:\ProgramData\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
V:\ProgramData\Symantec\SubEng\submissions.idx Object is locked skipped
V:\ProgramData\Symantec\SymNetDrv\SNDALRT.log Object is locked skipped
V:\ProgramData\Symantec\SymNetDrv\SNDCON.log Object is locked skipped
V:\ProgramData\Symantec\SymNetDrv\SNDDBG.log Object is locked skipped
V:\ProgramData\Symantec\SymNetDrv\SNDFW.log Object is locked skipped
V:\ProgramData\Symantec\SymNetDrv\SNDIDS.log Object is locked skipped
V:\ProgramData\Symantec\SymNetDrv\SNDSYS.log Object is locked skipped
V:\Users\Chris\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
V:\Users\Chris\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat Object is locked skipped
V:\Users\Chris\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012007052420070525\index.dat Object is locked skipped
V:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
V:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{530936A7-0B1D-4826-BC6E-A5EEDB701421}.tmp Object is locked skipped
V:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
V:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat Object is locked skipped
V:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Fil
itisonlyatest
2007-05-25, 08:07
es\Low\Content.IE5\P1G5517R\instrumental[1].dat Object is locked skipped
V:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\P1G5517R\instrumental[2].dat Object is locked skipped
V:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QJ29X6SA\instrumental[1].dat Object is locked skipped
V:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QJ29X6SA\instrumental[2].dat Object is locked skipped
V:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT Object is locked skipped
V:\Users\Chris\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
V:\Users\Chris\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
V:\Users\Chris\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
V:\Users\Chris\AppData\Local\Microsoft\Windows\UsrClass.dat{8bd7ba9c-c56a-11db-937f-001676a1c907}.TM.blf Object is locked skipped
V:\Users\Chris\AppData\Local\Microsoft\Windows\UsrClass.dat{8bd7ba9c-c56a-11db-937f-001676a1c907}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
V:\Users\Chris\AppData\Local\Microsoft\Windows\UsrClass.dat{8bd7ba9c-c56a-11db-937f-001676a1c907}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
V:\Users\Chris\AppData\Local\Microsoft\Feeds Cache\index.dat Object is locked skipped
V:\Users\Chris\AppData\Local\Microsoft\Outlook\Outlook.pst Object is locked skipped
V:\Users\Chris\AppData\Local\Microsoft\Outlook\~Outlook.pst.tmp Object is locked skipped
V:\Users\Chris\AppData\Local\Last.fm\Client\container.log Object is locked skipped
V:\Users\Chris\AppData\Local\Last.fm\Client\httpinput.log Object is locked skipped
V:\Users\Chris\AppData\Local\Last.fm\Client\iTunesPlugin.log Object is locked skipped
V:\Users\Chris\AppData\Local\Last.fm\Client\metadata.log Object is locked skipped
V:\Users\Chris\AppData\Local\Last.fm\Client\playback.log Object is locked skipped
V:\Users\Chris\AppData\Local\Last.fm\Client\sidebar.log Object is locked skipped
V:\Users\Chris\AppData\Local\Last.fm\Client\skype.log Object is locked skipped
V:\Users\Chris\AppData\Local\Last.fm\Client\transcode.log Object is locked skipped
V:\Users\Chris\AppData\Local\Last.fm\Client\webservice.log Object is locked skipped
V:\Users\Chris\AppData\Local\Temp\FXSAPIDebugLogFile.txt Object is locked skipped
V:\Users\Chris\AppData\Local\Temp\~DFCB39.tmp Object is locked skipped
V:\Users\Chris\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
V:\Users\Chris\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat Object is locked skipped
V:\Users\Chris\AppData\Roaming\Microsoft\Outlook\Outlook.srs Object is locked skipped
V:\Users\Chris\AppData\Roaming\Microsoft\Templates\NormalEmail.dotm Object is locked skipped
V:\Users\Chris\Downloads\backups\backup-20070522-153356-517.dll Infected: Trojan-Downloader.Win32.Zlob.bti skipped
V:\Users\Chris\Music\iTunes\iTunes Library.itl Object is locked skipped
V:\Users\Chris\NTUSER.DAT Object is locked skipped
V:\Users\Chris\ntuser.dat.LOG1 Object is locked skipped
V:\Users\Chris\ntuser.dat.LOG2 Object is locked skipped
V:\Users\Chris\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TM.blf Object is locked skipped
V:\Users\Chris\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
V:\Users\Chris\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
V:\Windows\Debug\PASSWD.LOG Object is locked skipped
V:\Windows\Debug\sam.log Object is locked skipped
V:\Windows\Debug\WIA\wiatrace.log Object is locked skipped
V:\Windows\Installer\MSI2FBD.tmp Object is locked skipped
V:\Windows\Installer\MSI57EF.tmp Object is locked skipped
V:\Windows\Installer\MSI6456.tmp Object is locked skipped
V:\Windows\Installer\MSI94A1.tmp Object is locked skipped
V:\Windows\Internet Logs\CHRIS-PC.ldb Object is locked skipped
V:\Windows\Internet Logs\fwdbglog.txt Object is locked skipped
V:\Windows\Internet Logs\fwpktlog.txt Object is locked skipped
V:\Windows\Internet Logs\IAMDB.RDB Object is locked skipped
V:\Windows\Internet Logs\tvDebug.log Object is locked skipped
V:\Windows\Internet Logs\ZALog2007.05.21.txt Object is locked skipped
V:\Windows\Logs\CBS\CBS.log Object is locked skipped
V:\Windows\Logs\DPX\setupact.log Object is locked skipped
V:\Windows\Logs\DPX\setuperr.log Object is locked skipped
V:\Windows\MEMORY.DMP Object is locked skipped
V:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe.config Object is locked skipped
V:\Windows\Panther\UnattendGC\diagerr.xml Object is locked skipped
V:\Windows\Panther\UnattendGC\diagwrn.xml Object is locked skipped
V:\Windows\Panther\UnattendGC\setupact.log Object is locked skipped
V:\Windows\Panther\UnattendGC\setuperr.log Object is locked skipped
V:\Windows\security\database\secedit.sdb Object is locked skipped
V:\Windows\SoftwareDistribution\EventCache\{22E98F57-873E-4DA1-AE20-59124EDEA767}.bin Object is locked skipped
V:\Windows\SoftwareDistribution\ReportingEvents.log Object is locked skipped
V:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
V:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
V:\Windows\System32\catroot2\edb.log Object is locked skipped
V:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
V:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
V:\Windows\System32\cleardll.reg Object is locked skipped
V:\Windows\System32\config\COMPONENTS Object is locked skipped
V:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped
V:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped
V:\Windows\System32\config\DEFAULT Object is locked skipped
V:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped
V:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped
V:\Windows\System32\config\RegBack\COMPONENTS Object is locked skipped
V:\Windows\System32\config\RegBack\DEFAULT Object is locked skipped
V:\Windows\System32\config\RegBack\SAM Object is locked skipped
V:\Windows\System32\config\RegBack\SECURITY Object is locked skipped
V:\Windows\System32\config\RegBack\SOFTWARE Object is locked skipped
V:\Windows\System32\config\RegBack\SYSTEM Object is locked skipped
V:\Windows\System32\config\SAM Object is locked skipped
V:\Windows\System32\config\SAM.LOG1 Object is locked skipped
V:\Windows\System32\config\SAM.LOG2 Object is locked skipped
V:\Windows\System32\config\SECURITY Object is locked skipped
V:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped
V:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped
V:\Windows\System32\config\SOFTWARE Object is locked skipped
V:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped
V:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped
V:\Windows\System32\config\SYSTEM Object is locked skipped
V:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped
V:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped
V:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.0.regtrans-ms Object is locked skipped
V:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.1.regtrans-ms Object is locked skipped
V:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.2.regtrans-ms Object is locked skipped
V:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.blf Object is locked skipped
V:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped
V:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
V:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
V:\Windows\System32\drivers\fidbox.dat Object is locked skipped
V:\Windows\System32\drivers\fidbox.idx Object is locked skipped
V:\Windows\System32\drivers\sptd.sys Object is locked skipped
V:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped
V:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
V:\Windows\System32\restore\MachineGuid.txt Object is locked skipped
V:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT Object is locked skipped
V:\Windows\System32\SMI\Store\Machine\schema.dat.LOG1 Object is locked skipped
V:\Windows\System32\SMI\Store\Machine\schema.dat.LOG2 Object is locked skipped
V:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT{0f694468-6a70-11db-8eb3-985e31beb686}.TxR.0.regtrans-ms Object is locked skipped
V:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT{0f694468-6a70-11db-8eb3-985e31beb686}.TxR.1.regtrans-ms Object is locked skipped
V:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT{0f694468-6a70-11db-8eb3-985e31beb686}.TxR.2.regtrans-ms Object is locked skipped
V:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT{0f694468-6a70-11db-8eb3-985e31beb686}.TxR.blf Object is locked skipped
V:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT{0f694469-6a70-11db-8eb3-985e31beb686}.TM.blf Object is locked skipped
V:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT{0f694469-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
V:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT{0f694469-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
V:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped
V:\Windows\System32\wbem\AutoRecover\DE84A40F21BE6262068B17AF302B4E55.mof Object is locked skipped
V:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped
V:\Windows\System32\wbem\Repository\INDEX.BTR Object is locked skipped
V:\Windows\System32\wbem\Repository\MAPPING1.MAP Object is locked skipped
V:\Windows\System32\wbem\Repository\MAPPING2.MAP Object is locked skipped
V:\Windows\System32\wbem\Repository\OBJECTS.DATA Object is locked skipped
V:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\Media Center.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\Microsoft-Windows-BitLocker-DrivePreparationTool%4Admin.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\Microsoft-Windows-BitLocker-DrivePreparationTool%4Operational.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-PLA%4Operational.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Networking%4Operational.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\Microsoft-Windows-Help%4Operational.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\Microsoft-Windows-ParentalControls%4Operational.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4Operational.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC%4Operational.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\Microsoft-Windows-Winsock-WS2HELP%4Operational.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\ODiag.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\OSession.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\Setup.evtx Object is locked skipped
V:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped
V:\Windows\Tasks\SCHEDLGU.TXT Object is locked skipped
V:\Windows\WindowsUpdate.log Object is locked skipped
V:\Windows\winsxs\x86_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.0.6000.16386_none_cef7ceb03914a67f\dnary.xsd Object is locked skipped
Scan process completed.
itisonlyatest
2007-05-25, 08:08
HiJackThis Log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:04:58 PM, on 5/24/2007
Platform: Windows Vista (WinNT 6.00.1904)
Boot mode: Normal
Running processes:
V:\Windows\system32\taskeng.exe
V:\Windows\system32\Dwm.exe
V:\Windows\Explorer.EXE
V:\Program Files\Analog Devices\Core\smax4pnp.exe
V:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
V:\Program Files\iTunes\iTunesHelper.exe
V:\Program Files\Common Files\Symantec Shared\ccApp.exe
V:\Windows\System32\wpcumi.exe
V:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
V:\Program Files\Brother\ControlCenter3\brccMCtl.exe
V:\Windows\ehome\ehtray.exe
V:\Program Files\Windows Media Player\wmpnscfg.exe
V:\Windows\ehome\ehmsas.exe
V:\Program Files\Internet Explorer\ieuser.exe
V:\Program Files\Internet Explorer\iexplore.exe
V:\Program Files\iTunes\iTunes.exe
V:\Program Files\Last.fm\LastFM.exe
V:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
V:\Program Files\Norton AntiVirus\navw32.exe
V:\Windows\system32\SearchFilterHost.exe
V:\Windows\System32\mobsync.exe
V:\Users\Chris\Downloads\HiJackThis_v2.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - V:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - V:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - V:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: InlineSearchHandleHotKey - {B6FFE2AE-4D12-451F-B457-FE6125FFB1CF} - V:\Program Files\IEForge\Inline Search\InlineSearch.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SoundMAXPnP] V:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "V:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [iTunesHelper] "V:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "V:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BrMfcWnd] V:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] V:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [WPCUMI] V:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [QuickTime Task] "V:\Program Files\VistaCodecPack\QT\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "V:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ehTray.exe] V:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] V:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://V:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - V:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - V:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - V:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/ActiveX/VMRCActiveXClient1.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - V:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - V:\Windows\system32\browseui.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - V:\Windows\System32\DreamScene.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - V:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - V:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - V:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - V:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - V:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - V:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - V:\Windows\System32\ZoneLabs\vsmon.exe
--
End of file - 8214 bytes
Hi
Does Norton have also firewall?
Logs look good.
Still problems?
itisonlyatest
2007-05-25, 09:41
Don't think i'm having any more problems... I believe Norton has a basic firewall, but i'm using the Zone Alarm Beta for Vista as a firewall.
I just finished a scan with Norton and it said it detected this:
http://securityresponse.symantec.com/security_response/detected_writeup.jsp?name=Bloodhound%2EW32%2EEP
But that it could not fix it because it didn't recognize the file type.
Here's the Norton Scan Log:
Scan Stats:
Scan Time: 29930
Scan Options:
Scan Targets: C:, F:, V:
Counts:
Total items scanned: 350153
- Files & Directories: 344192
- Registry Entries: 182
- Processes & Start-up Items: 4557
- Network & Browser Items: 1217
- Other: 5
Total security risks detected: 2
Total items resolved: 2
Total items that require attention: 0
Resolved Threats:
Tracking Cookie
Virus ID: 4294909925
Type: Anomaly
Risk: Low (Low Stealth, Low Removal, Low Performance, Low Privacy)
Categories: Cookie
State: Fully Resolved
-----------
26 Tracking Cookies
Cookie:chris@ads.addynamix.com/ - Deleted
Cookie:chris@howardchui.us.intellitxt.com/ - Deleted
Cookie:chris@bleepingcomputer.us.intellitxt.com/ - Deleted
Cookie:chris@jkontherun.us.intellitxt.com/ - Deleted
Cookie:chris@juicy-news.blogspot.us.intellitxt.com/ - Deleted
Cookie:chris@tomsforumz.us.intellitxt.com/ - Deleted
Cookie:chris@ads.as4x.tmcs.net/ - Deleted
Cookie:chris@perezhilton.us.intellitxt.com/ - Deleted
Cookie:chris@wwtdd.us.intellitxt.com/ - Deleted
Cookie:chris@track.searchignite.com/ - Deleted
Cookie:chris@adopt.specificclick.net/ - Deleted
Cookie:chris@sales.liveperson.net/ - Deleted
Cookie:chris@rapgodfathers.us.intellitxt.com/ - Deleted
Cookie:chris@jupiter.us.intellitxt.com/ - Deleted
Cookie:chris@theautochannel.us.intellitxt.com/ - Deleted
Cookie:chris@hollywood.us.intellitxt.com/ - Deleted
Cookie:chris@x17online.us.intellitxt.com/ - Deleted
Cookie:chris@2dayblog.us.intellitxt.com/ - Deleted
Cookie:chris@womensforum.us.intellitxt.com/ - Deleted
Cookie:chris@sales.liveperson.net/hc/28856772 - Deleted
Cookie:chris@wincustomize.us.intellitxt.com/ - Deleted
Cookie:chris@fadedyouth.us.intellitxt.com/ - Deleted
Cookie:chris@edge.ru4.com/ - Deleted
Cookie:chris@neowin.us.intellitxt.com/ - Deleted
Cookie:chris@adopt.euroclick.com/ - Deleted
Unresolved Threats:
Bloodhound.W32.EP
Virus ID: 18960
Type: Compressed
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Virus
State: Reviewed
-----------
1 File
[Restricted item (permission required)] - N/A
Hi
Well Norton doesn't seem to give much details where that is present.
Run another scan with norton and tell me if it still finds the same.
itisonlyatest
2007-05-25, 09:47
The scan still finds the same, but it doesn't give any details as to where it was found, it just says:
Restricted File (Permission Required)
Hi
Let's run then panda scan:
Please run this online scan:
Panda ActiveScan (http://www.pandasoftware.com/activescan/com/activescan_principal.htm)
Once you are on the Panda site, click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on Local Disks to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log
itisonlyatest
2007-05-25, 09:51
ActiveScan is currently not available for Windows Vista. There will shortly be a new version for this operating system.
Hi
Ok, dr. web cureit should work with vista
http://www.freedrweb.com/cureit/
Run a scan with it and post back report, please :)
itisonlyatest
2007-05-25, 17:41
Ran the scan, this is what I got:
Done - No Viruses Found.
Hi
Ok, then that Norton finding might just be a false positive. Do you want further research about it or do we just leave it alone?
itisonlyatest
2007-05-25, 17:49
I don't see any further problems. What exactly does the Bloodhound virus do?
Hi
See eg. here (http://www.symantec.com/security_response/writeup.jsp?docid=2002-043017-2621-99)
That one is very old virus and not active anymore.
itisonlyatest
2007-05-25, 22:27
I'd like to get it all 100% cleaned if that's ok with you.
Hi
Ok, but I'm not 100% sure what tools will work Vista.
Bloodhound is just a packer for files, not a general virus name.
Create a Startup List
Open HiJackThis
Click on the "Config..." button on the bottom right
Click on the tab "Misc Tools"
Check off the 2 boxes next to the Box that says "Generate StartupList log"
Copy and past the StartupList from the notepad into your next post
itisonlyatest
2007-05-29, 09:36
StartupList report, 5/28/2007, 11:35:21 PM
StartupList version: 1.52.2
Started from : V:\Users\Chris\Downloads\HiJackThis_v2.EXE
Detected: Windows Vista (WinNT 6.00.1904)
Detected: Internet Explorer v7.00 (7.00.6000.16386)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================
Running processes:
V:\Windows\system32\taskeng.exe
V:\Windows\system32\Dwm.exe
V:\Windows\Explorer.EXE
V:\Program Files\Analog Devices\Core\smax4pnp.exe
V:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
V:\Program Files\iTunes\iTunesHelper.exe
V:\Program Files\Common Files\Symantec Shared\ccApp.exe
V:\Windows\System32\wpcumi.exe
V:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
V:\Windows\ehome\ehtray.exe
V:\Program Files\Windows Media Player\wmpnscfg.exe
V:\Program Files\Brother\ControlCenter3\brccMCtl.exe
V:\Windows\ehome\ehmsas.exe
V:\Program Files\Internet Explorer\ieuser.exe
V:\Program Files\iTunes\iTunes.exe
V:\Program Files\Last.fm\LastFM.exe
V:\Program Files\Internet Explorer\iexplore.exe
V:\Users\Chris\Downloads\HiJackThis_v2.exe
V:\Windows\system32\SearchFilterHost.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[V:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup]
*No files*
Shell folders AltStartup:
*Folder not found*
User shell folders Startup:
*Folder not found*
User shell folders AltStartup:
*Folder not found*
Shell folders Common Startup:
[V:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup]
*No files*
Shell folders Common AltStartup:
*Folder not found*
User shell folders Common Startup:
*Folder not found*
User shell folders Alternate Common Startup:
*Folder not found*
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = V:\Windows\system32\userinit.exe,
[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*
[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SoundMAXPnP = V:\Program Files\Analog Devices\Core\smax4pnp.exe
GrooveMonitor = "V:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
iTunesHelper = "V:\Program Files\iTunes\iTunesHelper.exe"
ccApp = "V:\Program Files\Common Files\Symantec Shared\ccApp.exe"
BrMfcWnd = V:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
ControlCenter3 = V:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
WPCUMI = V:\Windows\system32\WpcUmi.exe
QuickTime Task = "V:\Program Files\VistaCodecPack\QT\qttask.exe" -atboottime
ZoneAlarm Client = "V:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ehTray.exe = V:\Windows\ehome\ehTray.exe
WMPNSCFG = V:\Program Files\Windows Media Player\WMPNSCFG.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
[AdobeUpdater]
=
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
itisonlyatest
2007-05-29, 09:36
File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = "%1" /S
--------------------------------------------------
File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command
(Default) = V:\Windows\system32\mshta.exe "%1" %*
--------------------------------------------------
File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = V:\Windows\system32\unregmp2.exe /ShowWMP
[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = V:\Windows\system32\ie4uinit.exe -UserIconConfig
[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = %SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = V:\Windows\system32\ie4uinit.exe -BaseSettings
[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = V:\Windows\system32\Rundll32.exe V:\Windows\system32\mscories.dll,Install
--------------------------------------------------
Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps
*Registry key not found*
--------------------------------------------------
Load/Run keys from V:\Windows\WIN.INI:
load=*INI section not found*
run=*INI section not found*
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=
--------------------------------------------------
Shell & screensaver key from V:\Windows\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=explorer.exe
SCRNSAVE.EXE=V:\Windows\system32\Ribbons.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Checking for EXPLORER.EXE instances:
V:\Windows\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
V:\Windows\Explorer\Explorer.exe: not present
V:\Windows\System\Explorer.exe: not present
V:\Windows\System32\Explorer.exe: not present
V:\Windows\Command\Explorer.exe: not present
V:\Windows\Fonts\Explorer.exe: not present
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: *Registry value not found*
.shb: *Registry value not found*
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Verifying REGEDIT.EXE integrity:
- Regedit.exe found in V:\Windows
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename NOT OK: 'REGEDIT.EXE.MUI'
- File description: 'Registry Editor'
Registry check failed!
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - V:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - V:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - V:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL - {72853161-30C5-4D22-B7F9-0BBC1D38A37E}
InlineSearchHandleHotKey - V:\Program Files\IEForge\Inline Search\InlineSearch.dll - {B6FFE2AE-4D12-451F-B457-FE6125FFB1CF}
--------------------------------------------------
Enumerating Task Scheduler jobs:
Norton AntiVirus - Run Full System Scan - Chris.job
--------------------------------------------------
Enumerating Download Program Files:
[Office Genuine Advantage Validation Tool]
InProcServer32 = V:\Windows\system32\OGACheckControl.DLL
CODEBASE = http://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
[CKAVWebScan Object]
InProcServer32 = V:\Windows\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
[Shockwave ActiveX Control]
InProcServer32 = V:\Windows\system32\macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
[Windows Genuine Advantage Validation Tool]
InProcServer32 = V:\Windows\system32\LegitCheckControl.DLL
CODEBASE = http://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
[Microsoft Virtual Server VMRC Advanced Control]
InProcServer32 = V:\Windows\Downloaded Program Files\VMRCActiveXClient.dll
CODEBASE = http://www.windowsvistatestdrive.com/ActiveX/VMRCActiveXClient1.cab
[WScanCtl Class]
InProcServer32 = V:\Windows\Downloaded Program Files\webscan.dll
CODEBASE = http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
[Java Plug-in 1.5.0_03]
InProcServer32 = V:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
[Java Plug-in 1.5.0_03]
InProcServer32 = V:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
[Shockwave Flash Object]
InProcServer32 = V:\Windows\system32\Macromed\Flash\FlDbg9c.ocx
CODEBASE = http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
--------------------------------------------------
Enumerating Winsock LSP files:
NameSpace #1: V:\Windows\system32\NLAapi.dll
NameSpace #2: V:\Windows\System32\mswsock.dll
NameSpace #3: V:\Windows\System32\winrnr.dll
NameSpace #4: V:\Windows\system32\napinsp.dll
NameSpace #5: V:\Windows\system32\pnrpnsp.dll
NameSpace #6: V:\Windows\system32\pnrpnsp.dll
NameSpace #7: V:\Program Files\Bonjour\mdnsNSP.dll
Protocol #1: V:\Windows\system32\wpclsp.dll
Protocol #2: V:\Windows\system32\wpclsp.dll
Protocol #3: V:\Windows\system32\wpclsp.dll
Protocol #4: V:\Windows\system32\wpclsp.dll
Protocol #5: V:\Windows\system32\wpclsp.dll
Protocol #6: V:\Windows\system32\wpclsp.dll
Protocol #7: V:\Windows\system32\wpclsp.dll
Protocol #8: V:\Windows\system32\wpclsp.dll
Protocol #9: V:\Windows\system32\mswsock.dll
Protocol #10: V:\Windows\system32\mswsock.dll
Protocol #11: V:\Windows\system32\mswsock.dll
Protocol #12: V:\Windows\system32\mswsock.dll
Protocol #13: V:\Windows\system32\mswsock.dll
Protocol #14: V:\Windows\system32\mswsock.dll
Protocol #15: V:\Windows\system32\mswsock.dll
Protocol #16: V:\Windows\system32\mswsock.dll
Protocol #17: V:\Windows\system32\mswsock.dll
Protocol #18: V:\Windows\system32\mswsock.dll
Protocol #19: V:\Windows\system32\wpclsp.dll
Protocol #20: V:\Windows\system32\mswsock.dll
Protocol #21: V:\Windows\system32\mswsock.dll
Protocol #22: V:\Windows\system32\mswsock.dll
Protocol #23: V:\Windows\system32\mswsock.dll
Protocol #24: V:\Windows\system32\mswsock.dll
Protocol #25: V:\Windows\system32\mswsock.dll
Protocol #26: V:\Windows\system32\mswsock.dll
Protocol #27: V:\Windows\system32\mswsock.dll
Protocol #28: V:\Windows\system32\mswsock.dll
Protocol #29: V:\Windows\system32\mswsock.dll
Protocol #30: V:\Windows\system32\mswsock.dll
Protocol #31: V:\Windows\system32\mswsock.dll
--------------------------------------------------
itisonlyatest
2007-05-29, 09:37
Enumerating Windows NT/2000/XP services
Microsoft ACPI Driver: system32\drivers\acpi.sys (system)
adp94xx: \SystemRoot\system32\drivers\adp94xx.sys (disabled)
adpahci: \SystemRoot\system32\drivers\adpahci.sys (disabled)
adpu160m: \SystemRoot\system32\drivers\adpu160m.sys (disabled)
adpu320: \SystemRoot\system32\drivers\adpu320.sys (disabled)
@%SystemRoot%\system32\aelupsvc.dll,-1: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Ancilliary Function Driver for Winsock: \SystemRoot\system32\drivers\afd.sys (system)
Intel AGP Bus Filter: \SystemRoot\system32\drivers\agp440.sys (manual start)
aic78xx: \SystemRoot\system32\drivers\djsvs.sys (disabled)
@%SystemRoot%\system32\Alg.exe,-112: %SystemRoot%\System32\alg.exe (manual start)
aliide: \SystemRoot\system32\drivers\aliide.sys (disabled)
AMD AGP Bus Filter Driver: \SystemRoot\system32\drivers\amdagp.sys (manual start)
amdide: \SystemRoot\system32\drivers\amdide.sys (disabled)
AMD K7 Processor Driver: \SystemRoot\system32\drivers\amdk7.sys (disabled)
AMD K8 Processor Driver: \SystemRoot\system32\drivers\amdk8.sys (disabled)
@%systemroot%\system32\appinfo.dll,-100: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
@appmgmts.dll,-3250: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
arc: \SystemRoot\system32\drivers\arc.sys (disabled)
arcsas: \SystemRoot\system32\drivers\arcsas.sys (disabled)
RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
IDE Channel: system32\drivers\atapi.sys (system)
@%SystemRoot%\system32\audiosrv.dll,-204: %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted (autostart)
@%SystemRoot%\system32\audiosrv.dll,-200: %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted (autostart)
Automatic LiveUpdate Scheduler: "V:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" (autostart)
@%SystemRoot%\system32\bfe.dll,-1001: %systemroot%\system32\svchost.exe -k LocalServiceNoNetwork (autostart)
@%SystemRoot%\system32\qmgr.dll,-1000: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
blbdrive: \SystemRoot\system32\drivers\blbdrive.sys (disabled)
##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##: "V:\Program Files\Bonjour\mDNSResponder.exe" (autostart)
Bowser: system32\DRIVERS\bowser.sys (manual start)
Brother USB Mass-Storage Lower Filter Driver: \SystemRoot\system32\drivers\brfiltlo.sys (manual start)
Brother USB Mass-Storage Upper Filter Driver: \SystemRoot\system32\drivers\brfiltup.sys (manual start)
@%systemroot%\system32\browser.dll,-100: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Brother MFC Serial Port Interface Driver (WDM): \SystemRoot\system32\drivers\brserid.sys (disabled)
Brother MFC Serial Port Interface WDM Driver: System32\Drivers\BrSerIf.sys (manual start)
Brother WDM Serial driver: \SystemRoot\system32\drivers\brserwdm.sys (disabled)
Brother MFC USB Fax Only Modem: \SystemRoot\system32\drivers\brusbmdm.sys (disabled)
Brother MFC USB Serial WDM Driver: System32\Drivers\BrUsbSer.sys (manual start)
Bluetooth Serial Communications Driver: \SystemRoot\system32\drivers\bthmodem.sys (disabled)
Symantec Event Manager: "V:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (autostart)
Symantec Settings Manager: "V:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (autostart)
CD/DVD File System Reader: system32\DRIVERS\cdfs.sys (disabled)
CD-ROM Driver: system32\DRIVERS\cdrom.sys (system)
@%SystemRoot%\System32\certprop.dll,-11: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Consumer IR Devices: \SystemRoot\system32\drivers\circlass.sys (disabled)
Common Log (CLFS): System32\CLFS.sys (system)
Microsoft .NET Framework NGEN v2.0.50727_X86: %systemroot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
Symantec Lic NetConnect service: "V:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (autostart)
cmdide: \SystemRoot\system32\drivers\cmdide.sys (disabled)
Microsoft Composite Battery Driver: \SystemRoot\system32\drivers\compbatt.sys (disabled)
@comres.dll,-947: %SystemRoot%\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Crcdisk Filter Driver: system32\drivers\crcdisk.sys (system)
Transmeta Crusoe Processor Driver: \SystemRoot\system32\drivers\crusoe.sys (disabled)
@%SystemRoot%\system32\cryptsvc.dll,-1001: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
Offline Files Driver: system32\drivers\csc.sys (system)
@%systemroot%\system32\cscsvc.dll,-200: %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted (autostart)
@oleres.dll,-5012: %SystemRoot%\system32\svchost.exe -k DcomLaunch (autostart)
Dfs Client Driver: System32\Drivers\dfsc.sys (system)
@dfsrres.dll,-101: %SystemRoot%\system32\DFSR.exe (manual start)
@%SystemRoot%\system32\dhcpcsvc.dll,-100: %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted (autostart)
Disk Driver: system32\drivers\disk.sys (system)
@%SystemRoot%\System32\dnsapi.dll,-101: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
@%systemroot%\system32\dot3svc.dll,-1102: %SystemRoot%\system32\svchost.exe -k LocalSystemNetworkRestricted (manual start)
@%systemroot%\system32\dps.dll,-500: %SystemRoot%\System32\svchost.exe -k LocalServiceNoNetwork (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
LDDM Graphics Subsystem: \SystemRoot\System32\drivers\dxgkrnl.sys (manual start)
Intel(R) PRO Adapter Driver: system32\DRIVERS\e100b325.sys (manual start)
Intel(R) PRO/1000 NDIS 6 Adapter Driver: system32\DRIVERS\E1G60I32.sys (manual start)
@%systemroot%\system32\eapsvc.dll,-1: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
ReadyBoost Caching Driver: System32\drivers\ecache.sys (system)
Symantec Eraser Control driver: \??\V:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (system)
@%SystemRoot%\ehome\ehrecvr.exe,-101: %systemroot%\ehome\ehRecvr.exe (manual start)
@%SystemRoot%\ehome\ehsched.exe,-101: %systemroot%\ehome\ehsched.exe (manual start)
@%SystemRoot%\ehome\ehstart.dll,-101: %windir%\system32\svchost.exe -k LocalServiceNoNetwork (autostart)
elxstor: \SystemRoot\system32\drivers\elxstor.sys (disabled)
@%SystemRoot%\system32\emdmgmt.dll,-1000: %systemroot%\system32\svchost.exe -k LocalSystemNetworkRestricted (autostart)
EraserUtilRebootDrv: \??\V:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (manual start)
@%SystemRoot%\system32\wevtsvc.dll,-200: %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted (autostart)
@comres.dll,-2450: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
@%systemroot%\system32\fxsresm.dll,-118: %systemroot%\system32\fxssvc.exe (manual start)
Floppy Disk Controller Driver: system32\DRIVERS\fdc.sys (disabled)
@%systemroot%\system32\fdPHost.dll,-100: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
@%systemroot%\system32\fdrespub.dll,-100: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
File Information FS MiniFilter: system32\drivers\fileinfo.sys (system)
FileTrace: system32\drivers\filetrace.sys (manual start)
FLEXnet Licensing Service: "V:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe" (manual start)
Floppy Disk Driver: system32\DRIVERS\flpydisk.sys (disabled)
FltMgr: system32\drivers\fltmgr.sys (system)
@%SystemRoot%\system32\PresentationHost.exe,-3309: %systemroot%\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe (manual start)
BitLocker Drive Encryption Filter Driver: System32\DRIVERS\fvevol.sys (system)
Microsoft Generic AGPv3.0 Filter for K8 Processor Platforms: \SystemRoot\system32\drivers\gagp30kx.sys (manual start)
GEARAspiWDM: System32\Drivers\GEARAspiWDM.sys (manual start)
geebers12: \??\V:\Users\Games\Desktop\Vicious Engine 5.0\nvid888.sys (manual start)
@gpapi.dll,-112: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Microsoft UAA Bus Driver for High Definition Audio: \SystemRoot\system32\drivers\hdaudbus.sys (disabled)
Microsoft Bluetooth HID Miniport: \SystemRoot\system32\drivers\hidbth.sys (disabled)
Microsoft Infrared HID Driver: \SystemRoot\system32\drivers\hidir.sys (disabled)
@%SystemRoot%\System32\hidserv.dll,-101: %SystemRoot%\system32\svchost.exe -k LocalSystemNetworkRestricted (manual start)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
Hiptop: System32\Drivers\Hiptop.sys (manual start)
@%SystemRoot%\system32\kmsvc.dll,-6: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
HpCISSs: \SystemRoot\system32\drivers\hpcisss.sys (disabled)
HTTP: system32\drivers\HTTP.sys (manual start)
i2omp: \SystemRoot\system32\drivers\i2omp.sys (disabled)
i8042 Keyboard and PS/2 Mouse Port Driver: system32\DRIVERS\i8042prt.sys (system)
ialm: system32\DRIVERS\ialmnt5.sys (manual start)
Intel RAID Controller Vista: \SystemRoot\system32\drivers\iastorv.sys (disabled)
@%systemroot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelInstallRC.dll,-8193: "%systemroot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe" (manual start)
Symantec Intrusion Prevention Driver: \??\V:\PROGRA~2\Symantec\DEFINI~1\SymcData\IDS-DI~1\20070525.001\IDSvix86.sys (system)
iirsp: \SystemRoot\system32\drivers\iirsp.sys (disabled)
@%SystemRoot%\system32\ikeext.dll,-501: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
intelide: system32\drivers\intelide.sys (system)
Intel Processor Driver: system32\DRIVERS\intelppm.sys (manual start)
@%systemroot%\system32\IPBusEnum.dll,-102: %SystemRoot%\system32\svchost.exe -k LocalSystemNetworkRestricted (manual start)
IP Traffic Filter Driver: system32\DRIVERS\ipfltdrv.sys (manual start)
@%SystemRoot%\system32\iphlpsvc.dll,-200: %SystemRoot%\System32\svchost.exe -k NetSvcs (autostart)
IP in IP Tunnel Driver: system32\DRIVERS\ipinip.sys (manual start)
IPMIDRV: \SystemRoot\system32\drivers\ipmidrv.sys (disabled)
IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
iPod Service: "V:\Program Files\iPod\bin\iPodService.exe" (manual start)
IR Bus Enumerator: system32\drivers\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: \SystemRoot\system32\drivers\isapnp.sys (disabled)
iScsiPort Driver: system32\DRIVERS\msiscsi.sys (manual start)
Symantec IS Password Validation: "V:\Program Files\Norton AntiVirus\isPwdSvc.exe" (manual start)
ITEATAPI_Service_Install: \SystemRoot\system32\drivers\iteatapi.sys (disabled)
ITERAID_Service_Install: \SystemRoot\system32\drivers\iteraid.sys (disabled)
Keyboard Class Driver: system32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: system32\DRIVERS\kbdhid.sys (system)
@keyiso.dll,-100: %SystemRoot%\system32\lsass.exe (manual start)
kl1: system32\DRIVERS\kl1.sys (system)
KLIF: system32\DRIVERS\klif.sys (system)
KSecDD: System32\Drivers\ksecdd.sys (system)
@comres.dll,-2946: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
@%systemroot%\system32\srvsvc.dll,-100: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
@%systemroot%\system32\wkssvc.dll,-100: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
LiveUpdate: "V:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE" (manual start)
Link-Layer Topology Discovery Mapper I/O Driver: system32\DRIVERS\lltdio.sys (autostart)
@%SystemRoot%\system32\lltdres.dll,-1: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
@%SystemRoot%\system32\lmhsvc.dll,-101: %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted (autostart)
LSI_FC: \SystemRoot\system32\drivers\lsi_fc.sys (disabled)
LSI_SAS: \SystemRoot\system32\drivers\lsi_sas.sys (disabled)
LSI_SCSI: \SystemRoot\system32\drivers\lsi_scsi.sys (disabled)
UAC File Virtualization: \SystemRoot\system32\drivers\luafv.sys (autostart)
@%SystemRoot%\ehome\ehres.dll,-15501: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Machine Debug Manager: "V:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe" (autostart)
megasas: \SystemRoot\system32\drivers\megasas.sys (disabled)
Meso1: \??\V:\Users\Games\Desktop\Meso Engine\Meso.sys (manual start)
Microsoft Office Groove Audit Service: "V:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe" (manual start)
@%systemroot%\system32\mmcss.dll,-100: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Modem: system32\drivers\modem.sys (manual start)
Microsoft Monitor Class Function Driver Service: system32\DRIVERS\monitor.sys (manual start)
Mouse Class Driver: system32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: \SystemRoot\system32\drivers\mouhid.sys (disabled)
Mount Point Manager: System32\drivers\mountmgr.sys (system)
Microsoft Multi-Path Bus Driver: \SystemRoot\system32\drivers\mpio.sys (disabled)
@%SystemRoot%\system32\FirewallAPI.dll,-23092: System32\drivers\mpsdrv.sys (manual start)
@%SystemRoot%\system32\FirewallAPI.dll,-23090: %SystemRoot%\system32\svchost.exe -k LocalServiceNoNetwork (autostart)
Mraid35x: \SystemRoot\system32\drivers\mraid35x.sys (disabled)
WebDav Client Redirector Driver: \SystemRoot\system32\drivers\mrxdav.sys (manual start)
SMB MiniRedirector Wrapper and Engine: system32\DRIVERS\mrxsmb.sys (manual start)
SMB 1.x MiniRedirector: system32\DRIVERS\mrxsmb10.sys (manual start)
SMB 2.0 MiniRedirector: system32\DRIVERS\mrxsmb20.sys (manual start)
msahci: \SystemRoot\system32\drivers\msahci.sys (disabled)
Microsoft Multi-Path Device Specific Module: \SystemRoot\system32\drivers\msdsm.sys (disabled)
@comres.dll,-2797: %SystemRoot%\System32\msdtc.exe (manual start)
ISA/EISA Class Driver: system32\drivers\msisadrv.sys (system)
@%SystemRoot%\system32\iscsidsc.dll,-5000: %systemroot%\system32\svchost.exe -k netsvcs (manual start)
@%SystemRoot%\system32\msimsg.dll,-27: %systemroot%\system32\msiexec /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
Mup: System32\Drivers\mup.sys (system)
@%SystemRoot%\system32\qagentrt.dll,-6: %SystemRoot%\System32\svchost.exe -k NetworkService (manual start)
NativeWiFi Filter: system32\DRIVERS\nwifi.sys (manual start)
NAVENG: \??\V:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20070528.019\NAVENG.SYS (manual start)
NAVEX15: \??\V:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20070528.019\NAVEX15.SYS (manual start)
NDIS System Driver: system32\drivers\ndis.sys (system)
Remote Access NDIS TAPI Driver: system32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: system32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: system32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: system32\DRIVERS\netbios.sys (system)
NETBT: System32\DRIVERS\netbt.sys (system)
@%SystemRoot%\System32\netlogon.dll,-102: %systemroot%\system32\lsass.exe (manual start)
@%SystemRoot%\system32\netman.dll,-109: %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted (manual start)
@%SystemRoot%\system32\netprof.dll,-246: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Belkin Wireless G Plus MIMO USB Network Adapter Driver for Vista: system32\DRIVERS\netr73.sys (manual start)
@%systemroot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelInstallRC.dll,-8201: "%systemroot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" (disabled)
nfrd960: \SystemRoot\system32\drivers\nfrd960.sys (disabled)
@%SystemRoot%\System32\nlasvc.dll,-1: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
npkcrypt: \??\V:\Program Files\NEXON\MapleStory\npkcrypt.sys (autostart)
npkcusb: \??\V:\Program Files\NEXON\MapleStory\npkcusb.sys (manual start)
@%SystemRoot%\system32\nsisvc.dll,-200: %systemroot%\system32\svchost.exe -k LocalService (autostart)
NSI proxy service: system32\drivers\nsiproxy.sys (system)
N-trig HID Tablet Driver: \SystemRoot\system32\drivers\ntrigdigi.sys (disabled)
nvraid: \SystemRoot\system32\drivers\nvraid.sys (disabled)
nvstor: \SystemRoot\system32\drivers\nvstor.sys (disabled)
NVIDIA nForce AGP Bus Filter: \SystemRoot\system32\drivers\nv_agp.sys (manual start)
IPX Traffic Filter Driver: system32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: system32\DRIVERS\nwlnkfwd.sys (manual start)
Microsoft Office Diagnostics Service: "V:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE" (manual start)
Royalty OEM Bios Extension: System32\drivers\royal.sys (system)
NEC FireWarden OHCI Compliant IEEE 1394 Host Controller: \SystemRoot\system32\drivers\ohci1394.sys (disabled)
Office Source Engine: "V:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
@%SystemRoot%\system32\p2psvc.dll,-8004: %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted (manual start)
@%SystemRoot%\system32\p2psvc.dll,-8006: %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted (manual start)
Parallel port driver: system32\DRIVERS\parport.sys (manual start)
Partition Manager: System32\drivers\partmgr.sys (system)
Parvdm: system32\DRIVERS\parvdm.sys (autostart)
@%SystemRoot%\system32\pcasvc.dll,-1: %systemroot%\system32\svchost.exe -k LocalSystemNetworkRestricted (autostart)
PCI Bus Driver: system32\drivers\pci.sys (system)
pciide: \SystemRoot\system32\drivers\pciide.sys (disabled)
pcmcia: \SystemRoot\system32\drivers\pcmcia.sys (disabled)
itisonlyatest
2007-05-29, 09:38
PEAUTH: system32\drivers\peauth.sys (autostart)
@%systemroot%\system32\pla.dll,-500: %SystemRoot%\System32\svchost.exe -k LocalServiceNoNetwork (manual start)
@%SystemRoot%\system32\umpnpmgr.dll,-100: %SystemRoot%\system32\svchost.exe -k DcomLaunch (autostart)
@%SystemRoot%\system32\p2psvc.dll,-8002: %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted (manual start)
@%SystemRoot%\system32\p2psvc.dll,-8000: %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted (manual start)
@%SystemRoot%\System32\polstore.dll,-5010: %SystemRoot%\system32\svchost.exe -k NetworkServiceNetworkRestricted (autostart)
WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)
Processor Driver: \SystemRoot\system32\drivers\processr.sys (disabled)
@%systemroot%\system32\profsvc.dll,-300: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
@%systemroot%\system32\psbase.dll,-300: %SystemRoot%\system32\lsass.exe (manual start)
@%SystemRoot%\System32\drivers\pacer.sys,-101: system32\DRIVERS\pacer.sys (system)
QLogic Fibre Channel Miniport Driver: \SystemRoot\system32\drivers\ql2300.sys (disabled)
QLogic iSCSI Miniport Driver: \SystemRoot\system32\drivers\ql40xx.sys (disabled)
@%SystemRoot%\system32\qwave.dll,-1: %windir%\system32\svchost.exe -k LocalService (manual start)
@%SystemRoot%\system32\drivers\qwavedrv.sys,-1: \SystemRoot\system32\drivers\qwavedrv.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
@%Systemroot%\system32\rasauto.dll,-200: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)
@%Systemroot%\system32\rasmans.dll,-200: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: system32\DRIVERS\raspppoe.sys (manual start)
Redirected Buffering Sub Sysytem: system32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: system32\DRIVERS\rdpdr.sys (manual start)
RDP Encoder Mirror Driver: system32\drivers\rdpencdd.sys (system)
@%Systemroot%\system32\mprdim.dll,-200: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
@regsvc.dll,-1: %SystemRoot%\system32\svchost.exe -k regsvc (manual start)
@%systemroot%\system32\Locator.exe,-2: %SystemRoot%\system32\locator.exe (manual start)
@oleres.dll,-5010: %SystemRoot%\system32\svchost.exe -k rpcss (autostart)
Link-Layer Topology Discovery Responder: system32\DRIVERS\rspndr.sys (autostart)
@%SystemRoot%\system32\samsrv.dll,-1: %SystemRoot%\system32\lsass.exe (autostart)
SBP-2 Transport/Protocol Bus Driver: \SystemRoot\system32\drivers\sbp2port.sys (disabled)
@%SystemRoot%\System32\SCardSvr.dll,-1: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
@%SystemRoot%\system32\schedsvc.dll,-100: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
@%SystemRoot%\System32\certprop.dll,-13: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
@%SystemRoot%\system32\sdrsvc.dll,-107: %SystemRoot%\system32\svchost.exe -k SDRSVC (manual start)
@%SystemRoot%\system32\seclogon.dll,-7001: %windir%\system32\svchost.exe -k netsvcs (autostart)
sejt1: \??\V:\Users\Games\Desktop\Akuma\sejt.sys (manual start)
senfilt: system32\drivers\senfilt.sys (manual start)
@%SystemRoot%\system32\Sens.dll,-200: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: system32\DRIVERS\serenum.sys (manual start)
Serial port driver: system32\DRIVERS\serial.sys (system)
Serial Mouse Driver: \SystemRoot\system32\drivers\sermouse.sys (disabled)
@%SystemRoot%\System32\SessEnv.dll,-1026: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
SFF Storage Class Driver: \SystemRoot\system32\drivers\sffdisk.sys (disabled)
SFF Storage Protocol Driver for MMC: \SystemRoot\system32\drivers\sffp_mmc.sys (manual start)
SFF Storage Protocol Driver for SDBus: \SystemRoot\system32\drivers\sffp_sd.sys (manual start)
High-Capacity Floppy Disk Drive: \SystemRoot\system32\drivers\sfloppy.sys (disabled)
@%SystemRoot%\system32\ipnathlp.dll,-106: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
@%SystemRoot%\System32\shsvcs.dll,-12288: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SIS AGP Bus Filter: \SystemRoot\system32\drivers\sisagp.sys (manual start)
SiSRaid2: \SystemRoot\system32\drivers\sisraid2.sys (disabled)
SiSRaid4: \SystemRoot\system32\drivers\sisraid4.sys (disabled)
@%SystemRoot%\system32\SLsvc.exe,-101: %SystemRoot%\system32\SLsvc.exe (autostart)
@%SystemRoot%\system32\SLUINotify.dll,-103: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
@%SystemRoot%\system32\tcpipcfg.dll,-50005: system32\DRIVERS\smb.sys (system)
smwdm: system32\drivers\smwdm.sys (manual start)
@%SystemRoot%\system32\snmptrap.exe,-3: %SystemRoot%\System32\snmptrap.exe (manual start)
SPBBCDrv: \??\V:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (system)
@%systemroot%\system32\spoolsv.exe,-1: %SystemRoot%\System32\spoolsv.exe (autostart)
sptd: System32\Drivers\sptd.sys (system)
SRTSP: System32\Drivers\SRTSP.SYS (manual start)
SRTSPL: System32\Drivers\SRTSPL.SYS (manual start)
SRTSPX: System32\Drivers\SRTSPX.SYS (system)
srv: System32\DRIVERS\srv.sys (manual start)
srv2: System32\DRIVERS\srv2.sys (manual start)
srvnet: System32\DRIVERS\srvnet.sys (manual start)
@%systemroot%\system32\ssdpsrv.dll,-100: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
@%SystemRoot%\system32\wiaservc.dll,-9: %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: system32\DRIVERS\swenum.sys (manual start)
@%SystemRoot%\System32\swprv.dll,-103: %SystemRoot%\System32\svchost.exe -k swprv (manual start)
Symantec Core LC: "V:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" (manual start)
Symantec AppCore Service: "V:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe" (autostart)
Symc8xx: \SystemRoot\system32\drivers\symc8xx.sys (disabled)
SYMDNS: \SystemRoot\System32\Drivers\SYMDNS.SYS (manual start)
SymEvent: \??\V:\Windows\system32\Drivers\SYMEVENT.SYS (manual start)
SYMFW: \SystemRoot\System32\Drivers\SYMFW.SYS (manual start)
SYMIDS: \SystemRoot\System32\Drivers\SYMIDS.SYS (manual start)
SYMNDISV: \SystemRoot\System32\Drivers\SYMNDISV.SYS (manual start)
SYMREDRV: \SystemRoot\System32\Drivers\SYMREDRV.SYS (manual start)
SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system)
Sym_hi: \SystemRoot\system32\drivers\sym_hi.sys (disabled)
Sym_u3: \SystemRoot\system32\drivers\sym_u3.sys (disabled)
@%SystemRoot%\system32\sysmain.dll,-1000: %systemroot%\system32\svchost.exe -k LocalSystemNetworkRestricted (autostart)
@%SystemRoot%\system32\TabSvc.dll,-100: %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted (autostart)
@%SystemRoot%\system32\tapisrv.dll,-10100: %SystemRoot%\System32\svchost.exe -k NetworkService (manual start)
@%SystemRoot%\system32\tbssvc.dll,-100: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
@%SystemRoot%\system32\tcpipcfg.dll,-50003: System32\drivers\tcpip.sys (system)
Microsoft IPv6 Protocol Driver: system32\DRIVERS\tcpip.sys (manual start)
TCP/IP Registry Compatibility: System32\drivers\tcpipreg.sys (autostart)
TDPIPE: system32\drivers\tdpipe.sys (manual start)
TDTCP: system32\drivers\tdtcp.sys (manual start)
@%SystemRoot%\system32\tcpipcfg.dll,-50004: system32\DRIVERS\tdx.sys (system)
Terminal Device Driver: system32\DRIVERS\termdd.sys (system)
@%SystemRoot%\System32\termsrv.dll,-268: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
@%SystemRoot%\System32\shsvcs.dll,-8192: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
@%systemroot%\system32\mmcss.dll,-102: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
TimerStop: \??\V:\Windows\system32\timerstop.sys (autostart)
@%SystemRoot%\system32\trkwks.dll,-1: %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted (autostart)
@%SystemRoot%\servicing\TrustedInstaller.exe,-100: %SystemRoot%\servicing\TrustedInstaller.exe (manual start)
Terminal Services Security Filter Driver: System32\DRIVERS\tssecsrv.sys (manual start)
Microsoft Tun Miniport Adapter Driver: system32\DRIVERS\tunmp.sys (manual start)
Microsoft IPv6 Tunnel Miniport Adapter Driver: system32\DRIVERS\tunnel.sys (manual start)
Microsoft AGPv3.5 Filter: \SystemRoot\system32\drivers\uagp35.sys (manual start)
udfs: system32\DRIVERS\udfs.sys (disabled)
@%SystemRoot%\system32\ui0detect.exe,-101: %SystemRoot%\system32\UI0Detect.exe (manual start)
Uli AGP Bus Filter: \SystemRoot\system32\drivers\uliagpkx.sys (manual start)
uliahci: \SystemRoot\system32\drivers\uliahci.sys (disabled)
UlSata: \SystemRoot\system32\drivers\ulsata.sys (disabled)
ulsata2: \SystemRoot\system32\drivers\ulsata2.sys (disabled)
UMBus Enumerator Driver: system32\DRIVERS\umbus.sys (manual start)
@%SystemRoot%\system32\umrdp.dll,-1000: %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted (manual start)
@%systemroot%\system32\upnphost.dll,-213: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Microsoft USB Generic Parent Driver: system32\DRIVERS\usbccgp.sys (manual start)
eHome Infrared Receiver (USBCIR): \SystemRoot\system32\drivers\usbcir.sys (disabled)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: system32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: \SystemRoot\system32\drivers\usbohci.sys (disabled)
Microsoft USB PRINTER Class: system32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: system32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: system32\DRIVERS\usbuhci.sys (manual start)
User Privilege Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
@%SystemRoot%\system32\dwm.exe,-2000: %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted (autostart)
@%SystemRoot%\system32\vds.exe,-100: %SystemRoot%\System32\vds.exe (manual start)
vga: system32\DRIVERS\vgapnp.sys (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: \SystemRoot\system32\drivers\viaagp.sys (manual start)
VIA C7 Processor Driver: \SystemRoot\system32\drivers\viac7.sys (disabled)
viaide: \SystemRoot\system32\drivers\viaide.sys (disabled)
Volume Manager Driver: system32\drivers\volmgr.sys (system)
Dynamic Volume Manager: System32\drivers\volmgrx.sys (system)
Storage volumes: system32\drivers\volsnap.sys (system)
Zone Alarm Firewall Driver: system32\DRIVERS\vsdatant.sys (system)
TrueVector Internet Monitor: V:\Windows\System32\ZoneLabs\vsmon.exe -service (autostart)
vsmraid: \SystemRoot\system32\drivers\vsmraid.sys (disabled)
@%systemroot%\system32\vssvc.exe,-102: %systemroot%\system32\vssvc.exe (manual start)
VSTHWBS2: system32\DRIVERS\VSTBS23.SYS (manual start)
VST_DPV: system32\DRIVERS\VSTDPV3.SYS (manual start)
@%SystemRoot%\system32\w32time.dll,-200: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Wacom Serial Pen HID Driver: \SystemRoot\system32\drivers\wacompen.sys (disabled)
Remote Access IP ARP Driver: system32\DRIVERS\wanarp.sys (manual start)
Remote Access IPv6 ARP Driver: system32\DRIVERS\wanarp.sys (system)
@%systemroot%\system32\wbengine.exe,-104: "%systemroot%\system32\wbengine.exe" (manual start)
@%SystemRoot%\system32\wcncsvc.dll,-3: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
@%SystemRoot%\system32\WcsPlugInService.dll,-200: %SystemRoot%\system32\svchost.exe -k wcssvc (manual start)
Microsoft Watchdog Timer Driver: \SystemRoot\system32\drivers\wd.sys (disabled)
Kernel Mode Driver Frameworks service: system32\drivers\Wdf01000.sys (system)
@%systemroot%\system32\wdi.dll,-502: %SystemRoot%\System32\svchost.exe -k wdisvc (manual start)
@%systemroot%\system32\wdi.dll,-500: %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted (manual start)
@%systemroot%\system32\webclnt.dll,-100: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
@%SystemRoot%\system32\wecsvc.dll,-200: %SystemRoot%\system32\svchost.exe -k NetworkService (manual start)
@%SystemRoot%\System32\wercplsupport.dll,-101: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
@%SystemRoot%\System32\wersvc.dll,-100: %SystemRoot%\System32\svchost.exe -k WerSvcGroup (autostart)
winachsf: system32\DRIVERS\VSTCNXT3.SYS (manual start)
@%ProgramFiles%\Windows Defender\MsMpRes.dll,-103: %SystemRoot%\System32\svchost.exe -k secsvcs (autostart)
@%SystemRoot%\system32\winhttp.dll,-100: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
@%Systemroot%\system32\wbem\wmisvc.dll,-205: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
@%Systemroot%\system32\wsmsvc.dll,-101: %SystemRoot%\System32\svchost.exe -k NetworkService (manual start)
@%SystemRoot%\System32\wlansvc.dll,-257: %SystemRoot%\system32\svchost.exe -k LocalSystemNetworkRestricted (autostart)
Microsoft Windows Management Interface for ACPI: \SystemRoot\system32\drivers\wmiacpi.sys (disabled)
@%Systemroot%\system32\wbem\wmiapsrv.exe,-110: %systemroot%\system32\wbem\WmiApSrv.exe (manual start)
@%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101: "%ProgramFiles%\Windows Media Player\wmpnetwk.exe" (manual start)
@%SystemRoot%\system32\wpcsvc.dll,-100: %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted (autostart)
@%SystemRoot%\system32\wpdbusenum.dll,-100: %SystemRoot%\system32\svchost.exe -k LocalSystemNetworkRestricted (autostart)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\system32\drivers\ws2ifsl.sys (system)
@%SystemRoot%\System32\wscsvc.dll,-200: %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted (autostart)
@%systemroot%\system32\SearchIndexer.exe,-103: %systemroot%\system32\SearchIndexer.exe /Embedding (autostart)
@%systemroot%\system32\wuaueng.dll,-105: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
WUDFRd: system32\DRIVERS\WUDFRd.sys (manual start)
@%SystemRoot%\system32\wudfsvc.dll,-1000: %SystemRoot%\system32\svchost.exe -k LocalSystemNetworkRestricted (autostart)
--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
WebCheck: V:\Windows\system32\webcheck.dll
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*No values found*
--------------------------------------------------
End of report, 51,337 bytes
Report generated in 1.000 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Hi
Nothing bad there.
You can try running symantec online scan -> http://security.symantec.com/sscv6/home.asp
And we can hope that it finds it and tells location, too. If it doesn't, i'm pretty sure that's false positive.
Remember that bloodhound doesn't mean that you have same virus that in my link; they are just using same packer.
itisonlyatest
2007-05-29, 16:50
Which one do I run, security scan or virus detection?
itisonlyatest
2007-05-31, 01:42
Well I tried to run it, but for some reason it wouldnt let me, even though I did have ActiveX and Scripting enabled. But there is another problem. Lately my space bar hasn't been working in some applications, and even if I switch keyboards it will work for a while then just randomly stop working. I think there might be some program causing this, maybe?
Hi
Are you logged in as an administrator?
You can check Keyboard settings in Control Panel.
itisonlyatest
2007-05-31, 09:26
Yes I'm logged in as an administrator. I don't think the keyboard problem has anything to do with settings or hardware...
Hi
Well I think that keyboard problem has nothing to do with malware so most likely hardware issue.
If Symantec scan doesn't work and other tools and scans don't find anything, I think we have to accept the fact that bloodhound is false positive.
Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.