got win.32

buddypatches2003
2007-09-02, 05:54
Logfile of HijackThis v1.99.1
Scan saved at 10:34:23 PM, on 01/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Sympatico Starter Kit\bin\confsvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Sympatico Starter Kit\bin\gbConMon.exe
C:\Program Files\Sympatico Starter Kit\bin\gbTask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Ares P2P\AresP2P.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Darlene\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SiSRaid] C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Sympatico Starter Kit\bin\confsvr.exe"
O4 - HKLM\..\RunServices: [Gearbox Deferal Check] C:\Program Files\Sympatico Starter Kit\bin\gbdefer.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Unknown owner - C:\Program Files\Ares Ultra\chatServer.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

buddypatches2003
2007-09-02, 05:56
KASPERSKY ONLINE SCANNER REPORT
Saturday, September 01, 2007 10:25:44 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 2/09/2007
Kaspersky Anti-Virus database records: 402393
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
I:\
J:\
K:\
L:\

Scan Statistics:
Total number of scanned objects: 20452
Number of viruses found: 6
Number of infected objects: 32
Number of suspicious objects: 0
Duration of the scan process: 00:11:36

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Darlene\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Darlene\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Darlene\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Darlene\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Darlene\Local Settings\History\History.IE5\MSHist012007090120070902\index.dat Object is locked skipped
C:\Documents and Settings\Darlene\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Darlene\ntuser.dat Object is locked skipped
C:\Documents and Settings\Darlene\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\areslitefree.exe/data0010 Infected: not-a-virus:AdWare.Win32.Relevant.a skipped
C:\Program Files\areslitefree.exe Inno: infected - 1 skipped
C:\Program Files\Sympatico Starter Kit\data\0_Field_Data.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\0_Field_IDs.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\0_Field_Index1 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\0_Field_Index2 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\0_Record_Data.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\0_Record_IDs.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\0_Record_Index1 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\0_Record_Index2 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\0_Record_Index3 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\1_Field_Data.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\1_Field_IDs.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\1_Field_Index1 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\1_Field_Index2 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\1_Record_Data.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\1_Record_IDs.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\1_Record_Index1 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\1_Record_Index2 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\1_Record_Index3 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\2_Field_Data.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\2_Field_IDs.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\2_Field_Index1 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\2_Field_Index2 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\2_Record_Data.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\2_Record_IDs.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\2_Record_Index1 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\2_Record_Index2 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\2_Record_Index3 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Configs_Field_Data.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Configs_Field_IDs.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Configs_Field_Index1 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Configs_Field_Index2 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Configs_Record_Data.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Configs_Record_IDs.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Configs_Record_Index1 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Configs_Record_Index2 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Configs_Record_Index3 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Phone Entries_Field_Data.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Phone Entries_Field_IDs.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Phone Entries_Field_Index1 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Phone Entries_Field_Index2 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Phone Entries_Record_Data.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Phone Entries_Record_IDs.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Phone Entries_Record_Index1 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Phone Entries_Record_Index2 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Phone Entries_Record_Index3 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Phonebooks_Field_Data.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Phonebooks_Field_IDs.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Phonebooks_Field_Index1 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Phonebooks_Field_Index2 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Phonebooks_Record_Data.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Phonebooks_Record_IDs.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Phonebooks_Record_Index1 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Phonebooks_Record_Index2 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Phonebooks_Record_Index3 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Table of Tables_Field_Data.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Table of Tables_Field_IDs.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Table of Tables_Field_Index1 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Table of Tables_Field_Index2 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Table of Tables_Record_Data.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Table of Tables_Record_IDs.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Table of Tables_Record_Index1 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Table of Tables_Record_Index2 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Table of Tables_Record_Index3 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\log.html Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{9F216B64-091B-4847-A02C-0073FF3E52DA}\RP100\A0024383.exe/file02 Infected: not-a-virus:AdWare.Win32.Lop.bo skipped
C:\System Volume Information\_restore{9F216B64-091B-4847-A02C-0073FF3E52DA}\RP100\A0024383.exe/file13 Infected: Trojan.Win32.Obfuscated.en skipped
C:\System Volume Information\_restore{9F216B64-091B-4847-A02C-0073FF3E52DA}\RP100\A0024383.exe Inno: infected - 2 skipped
C:\System Volume Information\_restore{9F216B64-091B-4847-A02C-0073FF3E52DA}\RP101\A0024681.exe/file02 Infected: not-a-virus:AdWare.Win32.Lop.bo skipped
C:\System Volume Information\_restore{9F216B64-091B-4847-A02C-0073FF3E52DA}\RP101\A0024681.exe/file13 Infected: Trojan.Win32.Obfuscated.en skipped
C:\System Volume Information\_restore{9F216B64-091B-4847-A02C-0073FF3E52DA}\RP101\A0024681.exe Inno: infected - 2 skipped
C:\System Volume Information\_restore{9F216B64-091B-4847-A02C-0073FF3E52DA}\RP101\A0024691.exe/file02 Infected: not-a-virus:AdWare.Win32.Lop.bo skipped
C:\System Volume Information\_restore{9F216B64-091B-4847-A02C-0073FF3E52DA}\RP101\A0024691.exe/file13 Infected: Trojan.Win32.Obfuscated.en skipped
C:\System Volume Information\_restore{9F216B64-091B-4847-A02C-0073FF3E52DA}\RP101\A0024691.exe Inno: infected - 2 skipped
C:\System Volume Information\_restore{9F216B64-091B-4847-A02C-0073FF3E52DA}\RP110\A0025622.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\System Volume Information\_restore{9F216B64-091B-4847-A02C-0073FF3E52DA}\RP110\A0025634.exe Infected: not-a-virus:AdWare.Win32.Relevant.a skipped
C:\System Volume Information\_restore{9F216B64-091B-4847-A02C-0073FF3E52DA}\RP113\A0025808.exe Infected: not-a-virus:AdTool.Win32.WhenU.i skipped
C:\System Volume Information\_restore{9F216B64-091B-4847-A02C-0073FF3E52DA}\RP113\A0025810.dll Infected: not-a-virus:AdTool.Win32.WhenU.i skipped
C:\System Volume Information\_restore{9F216B64-091B-4847-A02C-0073FF3E52DA}\RP113\A0025825.exe Infected: not-a-virus:AdWare.Win32.Relevant.a skipped
C:\System Volume Information\_restore{9F216B64-091B-4847-A02C-0073FF3E52DA}\RP113\A0025826.exe Infected: not-a-virus:AdWare.Win32.RK.k skipped
C:\System Volume Information\_restore{9F216B64-091B-4847-A02C-0073FF3E52DA}\RP117\A0027946.dll Infected: not-a-virus:AdWare.Win32.RK.k skipped
C:\System Volume Information\_restore{9F216B64-091B-4847-A02C-0073FF3E52DA}\RP117\A0027947.exe Infected: not-a-virus:AdWare.Win32.RK.k skipped
C:\System Volume Information\_restore{9F216B64-091B-4847-A02C-0073FF3E52DA}\RP117\A0027950.exe Infected: not-a-virus:AdTool.Win32.WhenU.i skipped
C:\System Volume Information\_restore{9F216B64-091B-4847-A02C-0073FF3E52DA}\RP117\A0027954.dll Infected: not-a-virus:AdTool.Win32.WhenU.i skipped
C:\System Volume Information\_restore{9F216B64-091B-4847-A02C-0073FF3E52DA}\RP117\A0027959.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\System Volume Information\_restore{9F216B64-091B-4847-A02C-0073FF3E52DA}\RP117\A0027962.exe Infected: not-a-virus:AdWare.Win32.Relevant.a skipped
C:\System Volume Information\_restore{9F216B64-091B-4847-A02C-0073FF3E52DA}\RP117\A0027974.dll Infected: not-a-virus:AdTool.Win32.WhenU.i skipped
C:\System Volume Information\_restore{9F216B64-091B-4847-A02C-0073FF3E52DA}\RP117\A0027975.exe Infected: not-a-virus:AdTool.Win32.WhenU.i skipped
C:\System Volume Information\_restore{9F216B64-091B-4847-A02C-0073FF3E52DA}\RP117\change.log Object is locked skipped
C:\System Volume Information\_restore{9F216B64-091B-4847-A02C-0073FF3E52DA}\RP98\A0021339.exe/file02 Infected: not-a-virus:AdWare.Win32.Lop.bo skipped
C:\System Volume Information\_restore{9F216B64-091B-4847-A02C-0073FF3E52DA}\RP98\A0021339.exe/file13 Infected: Trojan.Win32.Obfuscated.en skipped
C:\System Volume Information\_restore{9F216B64-091B-4847-A02C-0073FF3E52DA}\RP98\A0021339.exe Inno: infected - 2 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\rlvknlg.exe Infected: not-a-virus:AdWare.Win32.RK.k skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
I:\Programs\Ares P2P\Partner\NPSSoftware_WhenUSaveNow_InstallerInst.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
I:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
I:\System Volume Information\_restore{9F216B64-091B-4847-A02C-0073FF3E52DA}\RP110\A0025627.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
I:\System Volume Information\_restore{9F216B64-091B-4847-A02C-0073FF3E52DA}\RP110\A0025628.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
J:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
K:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
L:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

shelf life
2007-09-02, 19:19
hi buddypatches2003,

hjt log looks ok. the problem (AdTool.Win32) appears to be archived in your system restore points, which we can clean out and make a new one.

look in the add/remove programs panel for, and uninstall if present:

WhenUSaveNow
------------------------------
where did you get that copy of Ares??

Programs\Ares P2P\Partner\NPSSoftware_WhenUSaveNow_Installer

ares is open-source software and doesn't come with any third-party add-ons.

i would uninstall it, but first move/copy any downloads to another location just to make sure they don't get uninstalled also.

link to ares:
http://aresgalaxy.sourceforge.net/
-------------------------------
reboot once after the uninstall. we will make a new restore point.

shelf life

buddypatches2003
2007-09-04, 02:57
Logfile of HijackThis v1.99.1
Scan saved at 11:40:59 PM, on 02/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Sympatico Starter Kit\bin\confsvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Sympatico Starter Kit\bin\gbConMon.exe
C:\Program Files\Sympatico Starter Kit\bin\gbTask.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Darlene\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SiSRaid] C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Sympatico Starter Kit\bin\confsvr.exe"
O4 - HKLM\..\RunServices: [Gearbox Deferal Check] C:\Program Files\Sympatico Starter Kit\bin\gbdefer.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Unknown owner - C:\Program Files\Ares Ultra\chatServer.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

buddypatches2003
2007-09-04, 03:06
Have uninstalled all programs involved and files associated with ares, and removed the restore point.
Still shows one infected file. Appreciate your help.

(C:\WINDOWS\system32\rlvknlg.exe Infected: not-a-virus:AdWare.Win32.RK.k skipped)

KASPERSKY ONLINE SCANNER REPORT
Sunday, September 02, 2007 11:36:50 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 3/09/2007
Kaspersky Anti-Virus database records: 402748
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
I:\
J:\
K:\
L:\

Scan Statistics:
Total number of scanned objects: 18566
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 00:12:42

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Darlene\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Darlene\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Darlene\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Darlene\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Darlene\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Darlene\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Darlene\ntuser.dat Object is locked skipped
C:\Documents and Settings\Darlene\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\0_Field_Data.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\0_Field_IDs.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\0_Field_Index1 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\0_Field_Index2 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\0_Record_Data.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\0_Record_IDs.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\0_Record_Index1 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\0_Record_Index2 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\0_Record_Index3 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\1_Field_Data.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\1_Field_IDs.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\1_Field_Index1 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\1_Field_Index2 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\1_Record_Data.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\1_Record_IDs.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\1_Record_Index1 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\1_Record_Index2 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\1_Record_Index3 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\2_Field_Data.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\2_Field_IDs.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\2_Field_Index1 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\2_Field_Index2 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\2_Record_Data.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\2_Record_IDs.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\2_Record_Index1 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\2_Record_Index2 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\2_Record_Index3 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Configs_Field_Data.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Configs_Field_IDs.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Configs_Field_Index1 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Configs_Field_Index2 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Configs_Record_Data.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Configs_Record_IDs.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Configs_Record_Index1 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Configs_Record_Index2 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Configs_Record_Index3 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Phone Entries_Field_Data.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Phone Entries_Field_IDs.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Phone Entries_Field_Index1 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Phone Entries_Field_Index2 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Phone Entries_Record_Data.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Phone Entries_Record_IDs.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Phone Entries_Record_Index1 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Phone Entries_Record_Index2 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Phone Entries_Record_Index3 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Phonebooks_Field_Data.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Phonebooks_Field_IDs.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Phonebooks_Field_Index1 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Phonebooks_Field_Index2 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Phonebooks_Record_Data.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Phonebooks_Record_IDs.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Phonebooks_Record_Index1 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Phonebooks_Record_Index2 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Phonebooks_Record_Index3 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Table of Tables_Field_Data.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Table of Tables_Field_IDs.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Table of Tables_Field_Index1 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Table of Tables_Field_Index2 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Table of Tables_Record_Data.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Table of Tables_Record_IDs.dat Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Table of Tables_Record_Index1 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Table of Tables_Record_Index2 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\data\Table of Tables_Record_Index3 Object is locked skipped
C:\Program Files\Sympatico Starter Kit\log.html Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{80DA521D-7ED5-48FA-8C1A-378F2E97FF0E}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\rlvknlg.exe Infected: not-a-virus:AdWare.Win32.RK.k skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
I:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
J:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
K:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
L:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

buddypatches2003
2007-09-04, 03:36
This is the link which I used for ares download

http://www.aresp2p.net/

shelf life
2007-09-04, 04:12
hi buddypatches2003,

nowhere on that web page or during the install does it mention a third party add-on:

WhenUSaveNow, but it's clearly bundled with the ares install.
most likely a clone with a similar name.

get the open source ares from that link i provided.
--------------------------
look in add/remove programs panel for netsetter or marketscore--uninstall if present

if you can see this in the system32 dir:
rlvknlg.exe

try deleting it. run spybot once also.

reboot computer and rescan with hjt.

shelf life

buddypatches2003
2007-09-04, 05:40
removed all files for marketscore and was able to delete file RLVKNLG.exe

did another scan with kaspersky and it came up totally clear


Logfile of HijackThis v1.99.1
Scan saved at 10:09:36 PM, on 03/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Sympatico Starter Kit\bin\confsvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Sympatico Starter Kit\bin\gbConMon.exe
C:\Program Files\Sympatico Starter Kit\bin\gbTask.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Darlene\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SiSRaid] C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Sympatico Starter Kit\bin\confsvr.exe"
O4 - HKLM\..\RunServices: [Gearbox Deferal Check] C:\Program Files\Sympatico Starter Kit\bin\gbdefer.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Unknown owner - C:\Program Files\Ares Ultra\chatServer.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

shelf life
2007-09-05, 02:35
hi buddypatches2003,


removed all files for marketscore and was able to delete file RLVKNLG.exe


ok good. that ares was a ripped off clone. it works, but installed add-ons. add-ons can be found in all kinds of software, not just p2p. in a lot of cases they are mentioned during the install process, but not in this case.

see this link:
http://www.peerevolution.com/forums/archive/index.php?t-5242.html

get ares at that link i provided.

i use p2p also (torrents) and have some tips at my website:
http://security-central.us/SafeHex/file_sharing.htm

also see this about preventing malware in the first place:
http://security-central.us/SafeHex/prevention.htm

happy safe surfing

shelf life

buddypatches2003
2007-09-05, 04:36
wanted to let you know how much I appreciated your help. Could not have done it without you. Have also downloaded the program you recommended from the site.

shelf life
2007-09-06, 01:48
hi buddypatches2003,

you're welcome. happy safe surfing and downloading.

shelf life