View Full Version : virtumonde virus help needed
please can you help ,i have virtumonde for severl days i have tryed s&d but no joy, i also used s&d in safe mode no joy .i tryed to use kaspersky on line
scanner but could nt get it to work ,i have managed to get a HJT log
thanks in advance
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:25:29, on 30/04/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Users\Derek\Program Files\DNA\btdna.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\explorer.exe
C:\Windows\system32\notepad.exe
C:\Users\Derek\Desktop\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://partnerpage.google.com/smallbiz.dell.com/en_uk?hl=en&client=dell-usuk&channel=uk-smb&ibd=6080219
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\mlJCSkhE.dll,#1
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [AntiSpywareMaster] C:\Program Files\AntiSpywareMaster\asm.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Derek\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Derek\AppData\Local\Temp\jkkLFvTk.dll,c
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Derek\AppData\Local\Temp\jkkKdBQH.dll,#1
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [a81a5681] rundll32.exe "C:\Users\Derek\AppData\Local\Temp\hfvcfsco.dll",b
O4 - HKCU\..\Run: [BMab29651d] Rundll32.exe "C:\Users\Derek\AppData\Local\Temp\hlpgfeao.dll",s
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
--
End of file - 8463 bytes
please im adding to this post and have logged into this account on behalf of my dad who currently has this virus, he is not pc literate and doesnt understand a lot of terminology often used,
i will be reading the responses to his request and helping him do you suggested actions, please excuse me if i am posting again but he really needs help as like it seems lots of others do with this horrid virus.
We very much appreciate all the help you can give us to get my dad back up and running on his pc again.
He currently cannot run the kaspersky scanner and is finding logging into internet almost impossible to do.
Kat (dell44 daughter)
Rorschach112
2008-04-30, 20:41
Hello Kat
Please visit this web page for instructions for downloading and running ComboFix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
This includes installing the Windows XP Recovery Console in case you have not installed it yet.
For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.
Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.
Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
hi again (kat here)
thanks for the post my dad is running vista business is the xp recovery fine to use with vista?
thanks kat
Rorschach112
2008-04-30, 22:50
Leave the Recovery Console then, and just run ComboFix.exe
thanks i will get my dad to run the combo.exe tomorrow as it is late now i will get him to post the results.
thanks again.
Rorschach112
2008-04-30, 23:09
Ok cool take your time :)
ComboFix 08-05-01.3 - Derek 2008-05-02 21:16:33.2 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.1205 [GMT 1:00]
Running from: C:\Users\Derek\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2008-04-02 to 2008-05-02 )))))))))))))))))))))))))))))))
.
2008-04-27 23:33 . 2008-04-27 23:33 <DIR> d-------- C:\PerfLogs
2008-04-27 22:52 . 2008-01-19 08:33 2,623,488 --a------ C:\Windows\System32\SLsvc.exe
2008-04-27 22:52 . 2008-01-19 08:36 1,541,120 --a------ C:\Windows\System32\onex.dll
2008-04-27 22:50 . 2008-01-19 06:46 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-04-27 22:49 . 2008-01-19 08:35 4,875,776 --a------ C:\Windows\System32\NlsData0009.dll
2008-04-27 22:48 . 2008-01-19 08:35 9,847,296 --a------ C:\Windows\System32\NlsData000a.dll
2008-04-27 22:47 . 2008-01-19 08:35 3,072,000 --a------ C:\Windows\System32\networkmap.dll
2008-04-27 22:46 . 2008-01-19 08:34 6,103,040 --a------ C:\Windows\System32\chtbrkr.dll
2008-04-27 22:45 . 2008-01-19 07:06 8,147,456 --a------ C:\Windows\System32\wmploc.DLL
2008-04-27 22:44 . 2008-01-19 08:36 704,512 --a------ C:\Windows\System32\SmiEngine.dll
2008-04-27 22:44 . 2008-01-19 08:36 357,888 --a------ C:\Windows\System32\wbemcomn.dll
2008-04-27 22:44 . 2008-01-19 08:36 218,624 --a------ C:\Windows\System32\wdscore.dll
2008-04-27 22:44 . 2008-01-19 08:36 139,264 --a------ C:\Windows\System32\SmiInstaller.dll
2008-04-27 22:44 . 2008-01-19 08:33 130,560 --a------ C:\Windows\System32\PkgMgr.exe
2008-04-27 22:43 . 2008-01-19 08:34 305,152 --a------ C:\Windows\System32\msdelta.dll
2008-04-27 22:43 . 2008-01-19 08:34 258,560 --a------ C:\Windows\System32\dpx.dll
2008-04-27 22:43 . 2008-01-19 08:34 246,784 --a------ C:\Windows\System32\drvstore.dll
2008-04-27 22:43 . 2008-01-19 08:35 35,328 --a------ C:\Windows\System32\mspatcha.dll
2008-04-23 20:37 . 2008-04-23 20:37 <DIR> d-------- C:\Users\All Users\Ahead
2008-04-23 20:37 . 2008-04-23 20:37 <DIR> d-------- C:\ProgramData\Ahead
2008-04-23 18:06 . 2008-04-23 18:06 524,288 --ahs---- C:\Users\Derek\ntuser.dat{77479044-1157-11dd-b8f0-001aa0935a8d}.TMContainer00000000000000000002.regtrans-ms
2008-04-23 18:06 . 2008-05-02 21:02 524,288 --ahs---- C:\Users\Derek\ntuser.dat{77479044-1157-11dd-b8f0-001aa0935a8d}.TMContainer00000000000000000001.regtrans-ms
2008-04-23 18:06 . 2008-05-02 21:02 65,536 --ahs---- C:\Users\Derek\ntuser.dat{77479044-1157-11dd-b8f0-001aa0935a8d}.TM.blf
2008-04-22 21:59 . 2006-12-05 19:52 505 --a------ C:\unPDVDDX.iss
2008-04-22 21:44 . 2008-05-02 21:04 <DIR> d-------- C:\MDT
2008-04-22 21:42 . 2008-04-22 22:47 <DIR> d-------- C:\Users\Derek\AppData\Roaming\DivX
2008-04-22 21:30 . 2008-04-22 21:31 <DIR> d-------- C:\Users\Derek\AppData\Roaming\CyberLink
2008-04-22 21:30 . 2008-04-22 23:46 <DIR> d-------- C:\Users\All Users\CyberLink
2008-04-22 21:30 . 2008-04-22 23:46 <DIR> d-------- C:\ProgramData\CyberLink
2008-04-22 20:58 . 2008-04-22 20:58 <DIR> d-------- C:\Users\All Users\Yahoo! Companion
2008-04-22 20:58 . 2008-04-22 20:58 <DIR> d-------- C:\ProgramData\Yahoo! Companion
2008-04-22 20:57 . 2008-04-22 20:57 <DIR> d-------- C:\Users\Derek\AppData\Roaming\Yahoo!
2008-04-22 20:57 . 2008-04-22 20:57 <DIR> d-------- C:\Program Files\Yahoo!
2008-04-22 20:57 . 2008-04-29 17:58 <DIR> d-------- C:\Program Files\Common Files\PX Storage Engine
2008-04-22 20:56 . 2008-04-29 17:58 <DIR> d-------- C:\Program Files\DivX
2008-04-22 00:18 . 2008-04-22 00:18 <DIR> d-------- C:\Users\Derek\AppData\Roaming\vlc
2008-04-22 00:05 . 2008-04-29 17:58 <DIR> d-------- C:\Program Files\VideoLAN
2008-04-21 23:37 . 2008-04-28 05:41 <DIR> d-------- C:\Users\Derek\Program Files
2008-04-21 15:58 . 2008-04-21 15:58 <DIR> d-------- C:\Program Files\MagicISO
2008-04-21 15:49 . 2008-05-02 21:14 <DIR> d-------- C:\Users\Derek\AppData\Roaming\DNA
2008-04-21 15:49 . 2008-04-21 23:16 <DIR> d-------- C:\Users\Derek\AppData\Roaming\BitTorrent
2008-04-21 15:49 . 2008-04-21 15:49 <DIR> d-------- C:\Program Files\DNA
2008-04-21 15:49 . 2008-04-21 15:49 <DIR> d-------- C:\Program Files\BitTorrent
2008-04-20 20:35 . 2008-04-20 20:35 <DIR> d-------- C:\Program Files\AltBinz
2008-04-18 17:39 . 2008-04-22 00:16 <DIR> d-------- C:\Program Files\Codec Pack - All In 1
2008-04-18 17:39 . 2008-04-22 00:15 737,280 --a------ C:\Windows\iun6002.exe
2008-04-18 16:50 . 2008-04-18 16:50 <DIR> d-------- C:\Program Files\QuickPar
2008-04-15 20:47 . 2008-04-19 22:37 <DIR> d-------- C:\Users\Derek\AppData\Roaming\GrabIt
2008-04-08 20:58 . 2008-02-22 03:50 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-04-08 20:58 . 2008-02-22 06:01 826,880 --a------ C:\Windows\System32\wininet.dll
2008-04-08 20:58 . 2008-02-22 05:57 295,936 --a------ C:\Windows\System32\gdi32.dll
2008-04-06 10:24 . 2008-04-06 10:25 <DIR> d-------- C:\Program Files\Microsoft AutoRoute
2008-04-02 09:12 . 2008-01-02 17:07 920,088 --a------ C:\Windows\System32\igxpun.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-02 20:04 352,615 ---ha-w C:\Windows\system32\drivers\vsconfig.xml
2008-04-29 16:59 --------- d-----w C:\Program Files\Windows Sidebar
2008-04-29 16:59 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-04-29 16:59 --------- d-----w C:\Program Files\Windows Mail
2008-04-29 16:59 --------- d-----w C:\Program Files\Windows Journal
2008-04-29 16:59 --------- d-----w C:\Program Files\Windows Defender
2008-04-29 16:59 --------- d-----w C:\Program Files\Windows Collaboration
2008-04-29 16:59 --------- d-----w C:\Program Files\Windows Calendar
2008-04-29 16:58 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-04-27 22:41 174 --sha-w C:\Program Files\desktop.ini
2008-04-27 22:15 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-04-27 22:15 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-04-23 19:37 --------- d-----w C:\Users\Derek\AppData\Roaming\Ahead
2008-04-22 21:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-22 20:59 --------- d-----w C:\Program Files\CyberLink
2008-04-06 09:20 --------- d-----w C:\ProgramData\Logishrd
2008-03-31 21:25 161,096 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe
2008-03-29 17:32 50,768 ----a-w C:\Windows\system32\drivers\aswMonFlt.sys
2008-03-13 18:31 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-10 20:23 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-10 20:22 319,456 ----a-w C:\Windows\DIFxAPI.dll
2008-03-10 19:39 --------- d-----w C:\ProgramData\Logitech
2008-03-04 13:04 --------- d-----w C:\Program Files\Windows Live
2008-03-04 13:03 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-03-04 13:02 --------- d-----w C:\Program Files\Windows Live Favorites
2008-03-04 13:00 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-04 12:53 --------- d-----w C:\ProgramData\WLInstaller
2008-03-04 12:41 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-04 12:27 --------- d-----w C:\ProgramData\CheckPoint
2008-03-04 12:27 --------- d-----w C:\Program Files\Zone Labs
2008-03-04 12:00 --------- d-----w C:\Program Files\Alwil Software
2008-03-04 11:11 --------- d-----w C:\ProgramData\Dell
2008-02-29 07:14 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-02-29 07:11 988,216 ----a-w C:\Windows\System32\winload.exe
2008-02-29 07:11 927,288 ----a-w C:\Windows\System32\winresume.exe
2008-02-29 06:53 46,592 ----a-w C:\Windows\System32\setbcdlocale.dll
2008-02-29 06:53 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-02-29 06:53 378,368 ----a-w C:\Windows\System32\srcore.dll
2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-29 04:21 2,032,128 ----a-w C:\Windows\System32\win32k.sys
2008-02-29 04:12 318,464 ----a-w C:\Windows\System32\rstrui.exe
2008-02-29 04:12 14,848 ----a-w C:\Windows\System32\srdelayed.exe
2008-02-22 05:05 615,992 ----a-w C:\Windows\System32\ci.dll
2008-02-21 12:50 0 ----a-w C:\Users\Derek\AppData\Roaming\wklnhst.dat
.
((((((((((((((((((((((((((((( snapshot@2008-05-02_20.54.13.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-02 18:23:08 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-05-02 20:03:59 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-05-02 18:23:09 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-05-02 20:04:00 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-05-02 18:23:09 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-05-02 20:04:00 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-05-02 19:38:17 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
+ 2008-05-02 20:19:09 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
- 2008-05-02 18:24:29 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
+ 2008-05-02 20:05:25 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
+ 2008-05-02 20:05:25 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-05-02 19:50:17 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
+ 2008-05-02 20:16:38 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
- 2008-05-02 18:24:35 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-05-02 20:05:20 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-05-02 20:05:20 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-05-02 18:26:41 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-05-02 20:10:26 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-05-02 18:26:41 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-02 20:10:26 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-05-02 18:26:41 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-05-02 20:10:26 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-05-02 18:27:59 105,448 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-05-02 20:08:20 105,448 ----a-w C:\Windows\System32\perfc009.dat
- 2008-05-02 18:27:59 599,942 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-05-02 20:08:20 599,942 ----a-w C:\Windows\System32\perfh009.dat
- 2008-04-30 17:06:48 6,990 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1308768875-418848988-3680320805-1000_UserData.bin
+ 2008-05-02 20:05:47 7,140 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1308768875-418848988-3680320805-1000_UserData.bin
- 2008-05-02 18:25:16 72,956 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-05-02 20:05:47 73,068 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-05-02 18:25:14 42,874 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-05-02 20:05:45 43,024 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 14:49 153136]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"BitTorrent DNA"="C:\Users\Derek\Program Files\DNA\btdna.exe" [2008-04-21 23:37 288576]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 08:33 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-19 08:38 1008184]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [2007-05-25 07:03 17920]
"SunJavaUpdateSched"="c:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2008-02-19 03:26 77824]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 12:37 81920]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-19 03:32 1838592]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 04:06 40048]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 19:53 153136]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 18:37 79224]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-01-09 04:31 959976]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-01-02 17:07 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-01-02 18:06 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2008-01-02 18:07 133656]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-06-08 18:40 128560]
"AntiSpywareMaster"="C:\Program Files\AntiSpywareMaster\asm.exe" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 12:34 5724184]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{73DEE09F-3E57-472F-9AC5-F4AFAAD65EE5}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{C1F5417C-7A5F-47E3-AAF8-5CE5BC7E5A3D}"= UDP:C:\Program Files\DNA\btdna.exe:DNA
"{B54E58D4-186E-4E03-8B9B-737735947627}"= TCP:C:\Program Files\DNA\btdna.exe:DNA
"{4397BF73-4BD2-4B74-BE04-0201145F2CFE}"= UDP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{70FEC9FF-52EF-4407-833D-345D48B5AC3B}"= TCP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{898B3388-3832-4BC2-A0D1-3CAA756CE834}"= C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:CyberLink PowerDVD DX
"{6A66B10D-F774-42DA-AE3B-4421D234284C}"= C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:CyberLink PowerDVD DX Resident Program
"{30DEDA6E-F33D-498D-A0B0-DCC5C3CA2B5D}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"= C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
R1 aswSP;avast! Self Protection;C:\Windows\system32\drivers\aswSP.sys [2008-03-29 18:31]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\DRIVERS\aswFsBlk.sys [2008-03-29 18:35]
R2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys [2008-03-29 18:32]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 12:43]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-01-02 16:48]
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 08:36]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder
"2008-03-04 13:03:14 C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-02 21:19:24
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
AntiSpywareMaster = C:\Program Files\AntiSpywareMaster\asm.exe?ows\Temporary Internet Files\Content.IE5\6H5ZWLJJ\install_asm_en[1].exe?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-05-02 21:19:57
ComboFix-quarantined-files.txt 2008-05-02 20:19:53
ComboFix2.txt 2008-05-02 19:54:23
Pre-Run: 678,049,742,848 bytes free
Post-Run: 678,017,519,616 bytes free
231 --- E O F --- 2008-05-02 18:28:10
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:08:50, on 02/05/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Users\Derek\Program Files\DNA\btdna.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Users\Derek\Desktop\HiJackThis.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
--
End of file - 1668 bytes
hi (kat here)
Dad had just posted the logs from combofix and HJT , we would be gratefull for you help .
kat
Rorschach112
2008-05-03, 00:59
Hello
Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html)
Click on Kaspersky Online Scanner and click Accept
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.
Please download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) and save it to your Desktop.
Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
done the kaspersky scan and the deckard scan here are the results.
KASPERSKY ONLINE SCANNER REPORT
Saturday, May 03, 2008 5:17:10 PM
Operating System: Microsoft Windows Vista Professional, Service Pack 1 (Build 6001)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/05/2008
Kaspersky Anti-Virus database records: 737249
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
Scan Statistics:
Total number of scanned objects: 85211
Number of viruses found: 3
Number of infected objects: 10
Number of suspicious objects: 0
Duration of the scan process: 00:33:51
Infected Object Name / Virus Name / Last Action
C:\Boot\BCD Object is locked skipped
C:\Boot\BCD.LOG Object is locked skipped
C:\Program Files\Adobe\Reader 8.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A81000000003}\Enterprise.mnt Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\dell.txt Object is locked skipped
C:\ProgramData\SupportSoft\DellSupportCenter\SYSTEM\state\logs\sprtcmd.log Object is locked skipped
C:\QooBox\Quarantine\C\Windows\System32\mlJCSkhE.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.qoi skipped
C:\Users\Derek\AppData\Local\Google\Google Desktop\b9bc73c9f9ec\dbc2e.ht1 Object is locked skipped
C:\Users\Derek\AppData\Local\Google\Google Desktop\b9bc73c9f9ec\dbdam Object is locked skipped
C:\Users\Derek\AppData\Local\Google\Google Desktop\b9bc73c9f9ec\dbdao Object is locked skipped
C:\Users\Derek\AppData\Local\Google\Google Desktop\b9bc73c9f9ec\dbeam Object is locked skipped
C:\Users\Derek\AppData\Local\Google\Google Desktop\b9bc73c9f9ec\dbeao Object is locked skipped
C:\Users\Derek\AppData\Local\Google\Google Desktop\b9bc73c9f9ec\dbm Object is locked skipped
C:\Users\Derek\AppData\Local\Google\Google Desktop\b9bc73c9f9ec\dbu2d.ht1 Object is locked skipped
C:\Users\Derek\AppData\Local\Google\Google Desktop\b9bc73c9f9ec\dbvm.cf1 Object is locked skipped
C:\Users\Derek\AppData\Local\Google\Google Desktop\b9bc73c9f9ec\dbvmh.ht1 Object is locked skipped
C:\Users\Derek\AppData\Local\Google\Google Desktop\b9bc73c9f9ec\fii.cf1 Object is locked skipped
C:\Users\Derek\AppData\Local\Google\Google Desktop\b9bc73c9f9ec\fiih.ht1 Object is locked skipped
C:\Users\Derek\AppData\Local\Google\Google Desktop\b9bc73c9f9ec\hp Object is locked skipped
C:\Users\Derek\AppData\Local\Google\Google Desktop\b9bc73c9f9ec\hpt2i.ht1 Object is locked skipped
C:\Users\Derek\AppData\Local\Google\Google Desktop\b9bc73c9f9ec\rpm.cf1 Object is locked skipped
C:\Users\Derek\AppData\Local\Google\Google Desktop\b9bc73c9f9ec\rpm1m.cf1 Object is locked skipped
C:\Users\Derek\AppData\Local\Google\Google Desktop\b9bc73c9f9ec\rpm1mh.ht1 Object is locked skipped
C:\Users\Derek\AppData\Local\Google\Google Desktop\b9bc73c9f9ec\rpmh.ht1 Object is locked skipped
C:\Users\Derek\AppData\Local\Google\Google Desktop\b9bc73c9f9ec\safeweb\goog-black-enchashm.cf1 Object is locked skipped
C:\Users\Derek\AppData\Local\Google\Google Desktop\b9bc73c9f9ec\safeweb\goog-black-enchashmh.ht1 Object is locked skipped
C:\Users\Derek\AppData\Local\Google\Google Desktop\b9bc73c9f9ec\safeweb\goog-black-urlm.cf1 Object is locked skipped
C:\Users\Derek\AppData\Local\Google\Google Desktop\b9bc73c9f9ec\safeweb\goog-black-urlmh.ht1 Object is locked skipped
C:\Users\Derek\AppData\Local\Google\Google Desktop\b9bc73c9f9ec\safeweb\goog-malware-domainm.cf1 Object is locked skipped
C:\Users\Derek\AppData\Local\Google\Google Desktop\b9bc73c9f9ec\safeweb\goog-malware-domainmh.ht1 Object is locked skipped
C:\Users\Derek\AppData\Local\Google\Google Desktop\b9bc73c9f9ec\safeweb\goog-white-domainm.cf1 Object is locked skipped
C:\Users\Derek\AppData\Local\Google\Google Desktop\b9bc73c9f9ec\safeweb\goog-white-domainmh.ht1 Object is locked skipped
C:\Users\Derek\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Users\Derek\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008050320080504\index.dat Object is locked skipped
C:\Users\Derek\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat Object is locked skipped
C:\Users\Derek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Users\Derek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Users\Derek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\4521Y0IW\_bm1fcmlkZ2d0aG5rc19tYV9rdzFfbWE1cw_eWFob28uY29t_bm1fMTUyOTk4XzQ4ZWUxZDZhMGZiNzExZGQ4NzU2MTUyOTk4Y2ZmZmZmX2MzNmQ5OWY2YzEwNjQ1ZmQ4ODM5NWM1ZGQwYzQ0M2Rj_[3].exe Infected: Trojan-Downloader.Win32.FraudLoad.op skipped
C:\Users\Derek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\4RA3QB4M\_bm1fcmlkZ2d0aG5rc19tYV9rdzFfbWE1cw_eWFob28uY29t_bm1fMTUyOTk4XzQ4ZWUxZDZhMGZiNzExZGQ4NzU2MTUyOTk4Y2ZmZmZmX2MzNmQ5OWY2YzEwNjQ1ZmQ4ODM5NWM1ZGQwYzQ0M2Rj_[1].exe Infected: Trojan-Downloader.Win32.FraudLoad.op skipped
C:\Users\Derek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\4RA3QB4M\_bm1fcmlkZ2d0aG5rc19tYV9rdzFfbWE1cw_eWFob28uY29t_bm1fMTUyOTk4XzQ4ZWUxZDZhMGZiNzExZGQ4NzU2MTUyOTk4Y2ZmZmZmX2MzNmQ5OWY2YzEwNjQ1ZmQ4ODM5NWM1ZGQwYzQ0M2Rj_[2].exe Infected: Trojan-Downloader.Win32.FraudLoad.op skipped
C:\Users\Derek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat Object is locked skipped
C:\Users\Derek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\LGT1S59H\install_asm_en[2].exe Infected: not-a-virus:FraudTool.Win32.AntiSpywareExpert.f skipped
C:\Users\Derek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\LGT1S59H\_bm1fcmlkZ2d0aG5rc19tYV9rdzFfbWE1cw_eWFob28uY29t_bm1fMTUyOTk4XzQ4ZWUxZDZhMGZiNzExZGQ4NzU2MTUyOTk4Y2ZmZmZmX2MzNmQ5OWY2YzEwNjQ1ZmQ4ODM5NWM1ZGQwYzQ0M2Rj_[1].exe Infected: Trojan-Downloader.Win32.FraudLoad.op skipped
C:\Users\Derek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\LGT1S59H\_bm1fcmlkZ2d0aG5rc19tYV9rdzFfbWE1cw_eWFob28uY29t_bm1fMTUyOTk4XzQ4ZWUxZDZhMGZiNzExZGQ4NzU2MTUyOTk4Y2ZmZmZmX2MzNmQ5OWY2YzEwNjQ1ZmQ4ODM5NWM1ZGQwYzQ0M2Rj_[2].exe Infected: Trojan-Downloader.Win32.FraudLoad.op skipped
C:\Users\Derek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\LP3R6NJ1\_bm1fcmlkZ2d0aG5rc19tYV9rdzFfbWE1cw_eWFob28uY29t_bm1fMTUyOTk4XzQ4ZWUxZDZhMGZiNzExZGQ4NzU2MTUyOTk4Y2ZmZmZmX2MzNmQ5OWY2YzEwNjQ1ZmQ4ODM5NWM1ZGQwYzQ0M2Rj_[1].exe Infected: Trojan-Downloader.Win32.FraudLoad.op skipped
C:\Users\Derek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\Derek\AppData\Roaming\Microsoft\MSNLiveFav\LiveFavorites.xml Object is locked skipped
C:\Users\Derek\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Users\Derek\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
C:\Users\Derek\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
C:\Users\Derek\AppData\Local\Microsoft\Windows\UsrClass.dat{782599de-e077-11dc-a55f-001aa0935a8d}.TM.blf Object is locked skipped
C:\Users\Derek\AppData\Local\Microsoft\Windows\UsrClass.dat{782599de-e077-11dc-a55f-001aa0935a8d}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Derek\AppData\Local\Microsoft\Windows\UsrClass.dat{782599de-e077-11dc-a55f-001aa0935a8d}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Users\Derek\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report06a7e215\Report.cab/file[1].exe.xor Infected: Trojan-Downloader.Win32.FraudLoad.op skipped
C:\Users\Derek\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report06a7e215\Report.cab CAB: infected - 1 skipped
C:\Users\Derek\AppData\Local\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Users\Derek\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Users\Derek\AppData\Local\Microsoft\Messenger\pamdella@hotmail.co.uk\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Users\Derek\AppData\Local\Microsoft\Messenger\pamdella@hotmail.co.uk\SharingMetadata\pending.dat Object is locked skipped
C:\Users\Derek\AppData\Local\Microsoft\Messenger\pamdella@hotmail.co.uk\SharingMetadata\Working\database_40A8_1A61_A81A_562E\dfsr.db Object is locked skipped
C:\Users\Derek\AppData\Local\Microsoft\Messenger\pamdella@hotmail.co.uk\SharingMetadata\Working\database_40A8_1A61_A81A_562E\fsr.log Object is locked skipped
C:\Users\Derek\AppData\Local\Microsoft\Messenger\pamdella@hotmail.co.uk\SharingMetadata\Working\database_40A8_1A61_A81A_562E\fsrtmp.log Object is locked skipped
C:\Users\Derek\AppData\Local\Microsoft\Messenger\pamdella@hotmail.co.uk\SharingMetadata\Working\database_40A8_1A61_A81A_562E\tmp.edb Object is locked skipped
C:\Users\Derek\AppData\Local\Microsoft\Windows Defender\FileTracker\{AB55F8A9-FCCD-4A44-836B-658BF2A99814} Object is locked skipped
C:\Users\Derek\AppData\Local\Microsoft\Windows Live Contacts\pamdella@hotmail.co.uk\real\members.stg Object is locked skipped
C:\Users\Derek\AppData\Local\Microsoft\Windows Live Contacts\pamdella@hotmail.co.uk\shadow\members.stg Object is locked skipped
C:\Users\Derek\AppData\Local\Ahead\Nero Home\bl.db Object is locked skipped
C:\Users\Derek\AppData\Local\Ahead\Nero Home\is2.db Object is locked skipped
C:\Users\Derek\AppData\Local\SupportSoft\DellSupportCenter\Derek\state\logs\sprtcmd.log Object is locked skipped
C:\Users\Derek\AppData\Local\Temp\FXSAPIDebugLogFile.txt Object is locked skipped
C:\Users\Derek\AppData\Local\Temp\Low\~DFD989.tmp Object is locked skipped
C:\Users\Derek\AppData\Local\Temp\Low\~DFD9A8.tmp Object is locked skipped
C:\Users\Derek\AppData\Local\Temp\Low\~DFE1BF.tmp Object is locked skipped
C:\Users\Derek\AppData\Local\Temp\~DF4EE5.tmp Object is locked skipped
C:\Users\Derek\AppData\Local\Temp\~DF4EFA.tmp Object is locked skipped
C:\Users\Derek\AppData\Local\Temp\~DF5048.tmp Object is locked skipped
C:\Users\Derek\AppData\Local\Temp\~DF5061.tmp Object is locked skipped
C:\Users\Derek\AppData\Local\Temp\~DFA920.tmp Object is locked skipped
C:\Users\Derek\AppData\Roaming\Microsoft\MSNLiveFav\LiveFavorites.xml Object is locked skipped
C:\Users\Derek\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat Object is locked skipped
C:\Users\Derek\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
C:\Users\Derek\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat Object is locked skipped
C:\Users\Derek\ntuser.dat Object is locked skipped
C:\Users\Derek\ntuser.dat.LOG1 Object is locked skipped
C:\Users\Derek\ntuser.dat.LOG2 Object is locked skipped
C:\Users\Derek\ntuser.dat{77479044-1157-11dd-b8f0-001aa0935a8d}.TM.blf Object is locked skipped
C:\Users\Derek\ntuser.dat{77479044-1157-11dd-b8f0-001aa0935a8d}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Derek\ntuser.dat{77479044-1157-11dd-b8f0-001aa0935a8d}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\Debug\PASSWD.LOG Object is locked skipped
C:\Windows\Debug\WIA\wiatrace.log Object is locked skipped
C:\Windows\Installer\MSIAAB1.tmp Object is locked skipped
C:\Windows\Internet Logs\DEREK-PC.ldb Object is locked skipped
C:\Windows\Internet Logs\fwdbglog.txt Object is locked skipped
C:\Windows\Internet Logs\fwpktlog.txt Object is locked skipped
C:\Windows\Internet Logs\IAMDB.RDB Object is locked skipped
C:\Windows\Internet Logs\tvDebug.log Object is locked skipped
C:\Windows\Logs\CBS\CBS.log Object is locked skipped
C:\Windows\Logs\CBS\CBS.persist.log Object is locked skipped
C:\Windows\Logs\DPX\setupact.log Object is locked skipped
C:\Windows\Logs\DPX\setuperr.log Object is locked skipped
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe.config Object is locked skipped
C:\Windows\Panther\setupact.log Object is locked skipped
C:\Windows\Panther\setuperr.log Object is locked skipped
C:\Windows\Panther\UnattendGC\diagerr.xml Object is locked skipped
C:\Windows\Panther\UnattendGC\diagwrn.xml Object is locked skipped
C:\Windows\Panther\UnattendGC\setupact.bld Object is locked skipped
C:\Windows\Panther\UnattendGC\setupact.log Object is locked skipped
C:\Windows\Panther\UnattendGC\setuperr.bld Object is locked skipped
C:\Windows\Panther\UnattendGC\setuperr.log Object is locked skipped
C:\Windows\security\database\secedit.sdb Object is locked skipped
C:\Windows\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\catroot2\edb.log Object is locked skipped
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped
C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\Windows\System32\restore\MachineGuid.txt Object is locked skipped
C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped
C:\Windows\System32\sysprep\Panther\diagerr.xml Object is locked skipped
C:\Windows\System32\sysprep\Panther\diagwrn.xml Object is locked skipped
C:\Windows\System32\sysprep\Panther\setupact.bld Object is locked skipped
C:\Windows\System32\sysprep\Panther\setupact.log Object is locked skipped
C:\Windows\System32\sysprep\Panther\setuperr.bld Object is locked skipped
C:\Windows\System32\sysprep\Panther\setuperr.log Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\0296C47314AB746EC35476488248FCD9.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\040270F850D5C3C91057DDDA2DA294D8.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\0A9DBC92D554324656F61F9862679F27.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\0DF617D6737A7561E732F853792261C3.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\1E2E58C73053C7775EB226DB5E739137.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\26C097A9392F8C541AD42E89B7909073.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\2A811E5CCC22CC9D7AE2B04EF0402688.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\2AA23BB86A5EBD8BC2D820944E55B233.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\2CE523184A801AA7361A7039E2D6B41D.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\2D57A7682ACD19214C258D31A06D008F.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\376786241A5443E41378D25CF812FCC1.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\3DC0BABDCA20E5E319117C21BD4BD795.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\494C62FAA08CD5217399BAA555FF491B.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\4A01E0F376B5833EBA98F0D1D5F60CD1.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\4B471F64BAF831EC7945C820FD5A16E5.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\4CB32C0A77CD4D9B0C9618F73F786C32.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\5774C77265BE4C55B5C6C9718979E015.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\5966D45C7B25EACA46E87DD8E5703964.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\5B5D21CF62E70BACF9D085E6AA6CE143.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\6317F4B515BD547512FF3AE3ACD81242.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\69554D930FCA40B0304B9A43A8036F2D.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\72F867EF62976CE9F70993FF3E68A4EB.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\73798C03E4DE5FDCF5194ADA9EBFB859.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\75054C3771DF289038069A9BB1C1FB6E.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\7851AF96EA828F912853F32DB0D96138.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\7F417E1A6D819A9B2FEB55DA6858EA0A.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\87AA2A001CE3E89926688B93E4DC2992.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\8C718B5AFD373885B68D2836088CAF9A.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\903E49C444C46FEF5F2C3A189C9CEF71.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\96ABB1671705F680578FE240427CBD4F.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\9A72EE7775E8021F75961342B8AFD1B4.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\9AD3182A2F39A3E091E15109132EC6CC.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\9CD33F0956942860B50AA1B9330DEFAF.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\9E06E4FE97F0CBB8D659894823F805D7.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\A80FF2DC09487ECD60AFB147B262BDD7.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\AA6E0E396C238977CA909EFD82299737.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\AA742824DCADA846BA4B665D686DD5D6.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\BBF206490BAA431B592F9A13534F43F6.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\BE81B2C0741907C1FC1C42B6223E59AD.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\C6300BFE37ADE6B52EC023F66124985F.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\D1A1B12A7DA3F9675C01397A26DBF4B3.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\D4C4BA54B6A8FA6211E60E2ADFF7426A.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\DE391013DA56ABA39FFF40A9ABDF052F.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\DF80FD3849FFF74B4BF43E2EA8ADEC8A.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\DFB9AD54AC2D3B8122567AAD3BF3EB7F.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\E04DE4CDFEC284A342159BB920976701.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\E737DE61441445E1FDFCA45EF5E7D987.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\EC45C70F2A3D9DED718E71631C38E2FE.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\F01326692CC5736EBAC31B9FC2381CF2.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\F81E6BEBC3067C406E6C491608474198.mof Object is locked skipped
C:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped
C:\Windows\System32\wbem\repository\INDEX.BTR Object is locked skipped
C:\Windows\System32\wbem\repository\MAPPING1.MAP Object is locked skipped
C:\Windows\System32\wbem\repository\MAPPING2.MAP Object is locked skipped
C:\Windows\System32\wbem\repository\OBJECTS.DATA Object is locked skipped
C:\Windows\System32\winevt\Logs\Antivirus.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Backup.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CorruptedFileRecovery-Client%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CorruptedFileRecovery-Server%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DateTimeControlPanel%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-PLA%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Networking%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnostic%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnosticDataCollector%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnosticResolver%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Forwarding%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Help%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WDI%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Metrics.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-RemoteAssistance%4Admin.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-RemoteAssistance%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-PnPDevices%4Admin.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-PnPDevices%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Wired-AutoConfig%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Setup.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped
C:\Windows\Tasks\SCHEDLGU.TXT Object is locked skipped
C:\Windows\WindowsUpdate.log Object is locked skipped
C:\Windows\winsxs\x86_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.0.6000.16386_none_cef7ceb03914a67f\dnary.xsd Object is locked skipped
C:\Windows\winsxs\x86_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.0.6001.18000_none_d12e90ac35ffb753\dnary.xsd Object is locked skipped
E:\Windows\security\database\secedit.sdb Object is locked skipped
Deckard's System Scanner v20071014.68
Run by Derek on 2008-05-03 17:20:03
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- Last 5 Restore Point(s) --
9: 2008-05-02 19:50:15 UTC - RP77 - ComboFix created restore point
8: 2008-05-02 18:27:45 UTC - RP76 - Windows Update
7: 2008-04-30 13:54:05 UTC - RP75 - Scheduled Checkpoint
6: 2008-04-29 16:43:54 UTC - RP74 - Restore Operation
5: 2008-04-29 16:19:53 UTC - RP73 - Restore Operation
-- First Restore Point --
1: 2008-04-27 22:01:28 UTC - RP68 - Windows Vista Service Pack 1
Backed up registry hives.
Performed disk cleanup.
-- HijackThis (run as Derek.exe) -----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:22:58, on 03/05/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Users\Derek\Program Files\DNA\btdna.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Users\Derek\Desktop\dss.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Derek\Desktop\Derek.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [AntiSpywareMaster] C:\Program Files\AntiSpywareMaster\asm.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Derek\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Derek\AppData\Local\Temp\jkkKdBQH.dll,#1
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
--
End of file - 8971 bytes
-- File Associations -----------------------------------------------------------
.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
All drivers whitelisted.
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 sprtsvc_dellsupportcenter (SupportSoft Sprocket Service (dellsupportcenter)) - c:\program files\dell support center\bin\sprtsvc.exe /service /p dellsupportcenter
S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
S3 stllssvr - "c:\program files\common files\surething shared\stllssvr.exe" (file missing)
-- Device Manager: Disabled ----------------------------------------------------
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0000
Manufacturer: Microsoft
Name: 6TO4 Adapter
PNP Device ID: ROOT\*6TO4MP\0000
Service: tunnel
-- Scheduled Tasks -------------------------------------------------------------
2008-03-04 14:03:14 254 --a------ C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job
-- Files created between 2008-04-03 and 2008-05-03 -----------------------------
2008-05-03 16:18:25 0 d-------- C:\Windows\system32\Kaspersky Lab
2008-05-02 20:49:51 68096 --a------ C:\Windows\zip.exe
2008-05-02 20:49:51 49152 --a------ C:\Windows\VFind.exe
2008-05-02 20:49:51 212480 --a------ C:\Windows\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-02 20:49:51 136704 --a------ C:\Windows\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-02 20:49:51 161792 --a------ C:\Windows\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-02 20:49:51 98816 --a------ C:\Windows\sed.exe
2008-05-02 20:49:51 80412 --a------ C:\Windows\grep.exe
2008-05-02 20:49:51 73728 --a------ C:\Windows\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-27 23:33:55 0 d-------- C:\PerfLogs
2008-04-23 20:37:00 0 d-------- C:\Users\All Users\Ahead
2008-04-22 21:44:51 0 d-------- C:\MDT
2008-04-22 21:30:57 0 d-------- C:\Users\All Users\CyberLink
2008-04-22 20:58:10 0 d-------- C:\Users\All Users\Yahoo! Companion
2008-04-22 20:57:39 0 d-------- C:\Program Files\Common Files\PX Storage Engine
2008-04-22 20:57:00 0 d-------- C:\Program Files\Yahoo!
2008-04-22 20:56:59 0 d-------- C:\Program Files\DivX
2008-04-22 00:05:51 0 d-------- C:\Program Files\VideoLAN
2008-04-21 23:37:25 0 d-------- C:\Users\Derek\Program Files
2008-04-21 15:58:01 0 d-------- C:\Program Files\MagicISO
2008-04-21 15:49:35 0 d-------- C:\Program Files\DNA
2008-04-21 15:49:35 0 d-------- C:\Program Files\BitTorrent
2008-04-20 20:35:32 0 d-------- C:\Program Files\AltBinz
2008-04-18 17:39:25 737280 --a------ C:\Windows\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2008-04-18 17:39:22 0 d-------- C:\Program Files\Codec Pack - All In 1
2008-04-18 16:50:50 0 d-------- C:\Program Files\QuickPar
2008-04-06 10:24:26 0 d-------- C:\Program Files\Microsoft AutoRoute
-- Find3M Report ---------------------------------------------------------------
2008-05-03 17:15:40 0 d-------- C:\Users\Derek\AppData\Roaming\DNA
2008-04-29 17:59:07 0 d-------- C:\Program Files\Windows Sidebar
2008-04-29 17:59:07 0 d-------- C:\Program Files\Windows Photo Gallery
2008-04-29 17:59:07 0 d-------- C:\Program Files\Windows Mail
2008-04-29 17:59:07 0 d-------- C:\Program Files\Windows Journal
2008-04-29 17:59:07 0 d-------- C:\Program Files\Windows Defender
2008-04-29 17:59:07 0 d-------- C:\Program Files\Windows Collaboration
2008-04-29 17:59:07 0 d-------- C:\Program Files\Windows Calendar
2008-04-29 17:59:07 0 d-------- C:\Program Files\Movie Maker
2008-04-27 23:41:47 174 --ahs---- C:\Program Files\desktop.ini
2008-04-23 20:37:00 0 d-------- C:\Users\Derek\AppData\Roaming\Ahead
2008-04-22 22:47:34 0 d-------- C:\Users\Derek\AppData\Roaming\DivX
2008-04-22 22:44:50 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-22 21:59:56 0 d-------- C:\Program Files\CyberLink
2008-04-22 21:31:09 0 d-------- C:\Users\Derek\AppData\Roaming\CyberLink
2008-04-22 20:57:39 0 d-------- C:\Program Files\Common Files
2008-04-22 20:57:01 0 d-------- C:\Users\Derek\AppData\Roaming\Yahoo!
2008-04-22 00:18:33 0 d-------- C:\Users\Derek\AppData\Roaming\vlc
2008-04-21 23:16:14 0 d-------- C:\Users\Derek\AppData\Roaming\BitTorrent
2008-04-19 22:37:27 0 d-------- C:\Users\Derek\AppData\Roaming\GrabIt
2008-04-19 20:23:39 0 d-------- C:\Users\Derek\AppData\Roaming\WinRAR
2008-03-13 19:31:50 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-10 21:23:16 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-05 20:51:44 0 d-------- C:\Users\Derek\AppData\Roaming\Adobe
2008-03-04 14:04:22 0 d-------- C:\Program Files\Windows Live
2008-03-04 14:03:13 0 d-------- C:\Program Files\Windows Live Toolbar
2008-03-04 14:02:51 0 d-------- C:\Program Files\Windows Live Favorites
2008-03-04 14:00:08 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-04 13:00:50 0 d-------- C:\Program Files\Alwil Software
2008-02-21 13:50:30 0 --a------ C:\Users\Derek\AppData\Roaming\wklnhst.dat
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [19/01/2008 08:38]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [25/05/2007 07:03]
"SunJavaUpdateSched"="c:\Program Files\Java\jre1.6.0\bin\jusched.exe" [19/02/2008 03:26]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [03/10/2006 12:37]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [19/02/2008 03:32]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/05/2007 04:06]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [15/11/2007 10:24]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [09/03/2007 19:53]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [29/03/2008 18:37]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [09/01/2008 04:31]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [02/01/2008 17:07]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [02/01/2008 18:06]
"Persistence"="C:\Windows\system32\igfxpers.exe" [02/01/2008 18:07]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [08/06/2007 18:40]
"AntiSpywareMaster"="C:\Program Files\AntiSpywareMaster\asm.exe" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [12/03/2007 14:49]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [15/11/2007 10:23]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 12:43]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 12:34]
"BitTorrent DNA"="C:\Users\Derek\Program Files\DNA\btdna.exe" [21/04/2008 23:37]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [19/01/2008 08:33]
"MSServer"="C:\Users\Derek\AppData\Local\Temp\jkkKdBQH.dll,#1" []
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc CscService TabletInputService UmRdpService wlansvc WPDBusEnum EMDMgmt
LocalServiceNoNetwork PLA DPS BFE mpssvc
LocalServiceNetworkRestricted DHCP eventlog AudioSrv LmHosts wscsvc p2pimsvc PNRPSvc p2psvc PnrpAutoReg
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
-- Hosts -----------------------------------------------------------------------
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
8002 more entries in hosts file.
-- End of Deckard's System Scanner: finished at 2008-05-03 17:25:17 ------------
Rorschach112
2008-05-03, 20:07
Hello
1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):
O4 - HKLM\..\Run: [AntiSpywareMaster] C:\Program Files\AntiSpywareMaster\asm.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Derek\AppData\Local\Temp\jkkKdBQH.dll,#1
2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).
Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
[kill explorer]
C:\Users\Derek\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report06a7e215\Report.cab
C:\Program Files\AntiSpywareMaster
purity
[start explorer]
Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Reboot and post a new DSS log
hi, dad is going to try to perform the requested tasks, but he cannot run ATF cleaner as he is using vista OS. is this ok ?
Rorschach112
2008-05-04, 17:14
It should work on Vista fine, if not just go ahead with the rest of the steps
Deckard's System Scanner v20071014.68
Run by Derek on 2008-05-03 17:20:03
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- Last 5 Restore Point(s) --
9: 2008-05-02 19:50:15 UTC - RP77 - ComboFix created restore point
8: 2008-05-02 18:27:45 UTC - RP76 - Windows Update
7: 2008-04-30 13:54:05 UTC - RP75 - Scheduled Checkpoint
6: 2008-04-29 16:43:54 UTC - RP74 - Restore Operation
5: 2008-04-29 16:19:53 UTC - RP73 - Restore Operation
-- First Restore Point --
1: 2008-04-27 22:01:28 UTC - RP68 - Windows Vista Service Pack 1
Backed up registry hives.
Performed disk cleanup.
-- HijackThis (run as Derek.exe) -----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:22:58, on 03/05/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Users\Derek\Program Files\DNA\btdna.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Users\Derek\Desktop\dss.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Derek\Desktop\Derek.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [AntiSpywareMaster] C:\Program Files\AntiSpywareMaster\asm.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Derek\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Derek\AppData\Local\Temp\jkkKdBQH.dll,#1
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
--
End of file - 8971 bytes
-- File Associations -----------------------------------------------------------
.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
All drivers whitelisted.
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 sprtsvc_dellsupportcenter (SupportSoft Sprocket Service (dellsupportcenter)) - c:\program files\dell support center\bin\sprtsvc.exe /service /p dellsupportcenter
S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
S3 stllssvr - "c:\program files\common files\surething shared\stllssvr.exe" (file missing)
-- Device Manager: Disabled ----------------------------------------------------
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0000
Manufacturer: Microsoft
Name: 6TO4 Adapter
PNP Device ID: ROOT\*6TO4MP\0000
Service: tunnel
-- Scheduled Tasks -------------------------------------------------------------
2008-03-04 14:03:14 254 --a------ C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job
-- Files created between 2008-04-03 and 2008-05-03 -----------------------------
2008-05-03 16:18:25 0 d-------- C:\Windows\system32\Kaspersky Lab
2008-05-02 20:49:51 68096 --a------ C:\Windows\zip.exe
2008-05-02 20:49:51 49152 --a------ C:\Windows\VFind.exe
2008-05-02 20:49:51 212480 --a------ C:\Windows\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-02 20:49:51 136704 --a------ C:\Windows\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-02 20:49:51 161792 --a------ C:\Windows\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-02 20:49:51 98816 --a------ C:\Windows\sed.exe
2008-05-02 20:49:51 80412 --a------ C:\Windows\grep.exe
2008-05-02 20:49:51 73728 --a------ C:\Windows\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-27 23:33:55 0 d-------- C:\PerfLogs
2008-04-23 20:37:00 0 d-------- C:\Users\All Users\Ahead
2008-04-22 21:44:51 0 d-------- C:\MDT
2008-04-22 21:30:57 0 d-------- C:\Users\All Users\CyberLink
2008-04-22 20:58:10 0 d-------- C:\Users\All Users\Yahoo! Companion
2008-04-22 20:57:39 0 d-------- C:\Program Files\Common Files\PX Storage Engine
2008-04-22 20:57:00 0 d-------- C:\Program Files\Yahoo!
2008-04-22 20:56:59 0 d-------- C:\Program Files\DivX
2008-04-22 00:05:51 0 d-------- C:\Program Files\VideoLAN
2008-04-21 23:37:25 0 d-------- C:\Users\Derek\Program Files
2008-04-21 15:58:01 0 d-------- C:\Program Files\MagicISO
2008-04-21 15:49:35 0 d-------- C:\Program Files\DNA
2008-04-21 15:49:35 0 d-------- C:\Program Files\BitTorrent
2008-04-20 20:35:32 0 d-------- C:\Program Files\AltBinz
2008-04-18 17:39:25 737280 --a------ C:\Windows\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2008-04-18 17:39:22 0 d-------- C:\Program Files\Codec Pack - All In 1
2008-04-18 16:50:50 0 d-------- C:\Program Files\QuickPar
2008-04-06 10:24:26 0 d-------- C:\Program Files\Microsoft AutoRoute
-- Find3M Report ---------------------------------------------------------------
2008-05-03 17:15:40 0 d-------- C:\Users\Derek\AppData\Roaming\DNA
2008-04-29 17:59:07 0 d-------- C:\Program Files\Windows Sidebar
2008-04-29 17:59:07 0 d-------- C:\Program Files\Windows Photo Gallery
2008-04-29 17:59:07 0 d-------- C:\Program Files\Windows Mail
2008-04-29 17:59:07 0 d-------- C:\Program Files\Windows Journal
2008-04-29 17:59:07 0 d-------- C:\Program Files\Windows Defender
2008-04-29 17:59:07 0 d-------- C:\Program Files\Windows Collaboration
2008-04-29 17:59:07 0 d-------- C:\Program Files\Windows Calendar
2008-04-29 17:59:07 0 d-------- C:\Program Files\Movie Maker
2008-04-27 23:41:47 174 --ahs---- C:\Program Files\desktop.ini
2008-04-23 20:37:00 0 d-------- C:\Users\Derek\AppData\Roaming\Ahead
2008-04-22 22:47:34 0 d-------- C:\Users\Derek\AppData\Roaming\DivX
2008-04-22 22:44:50 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-22 21:59:56 0 d-------- C:\Program Files\CyberLink
2008-04-22 21:31:09 0 d-------- C:\Users\Derek\AppData\Roaming\CyberLink
2008-04-22 20:57:39 0 d-------- C:\Program Files\Common Files
2008-04-22 20:57:01 0 d-------- C:\Users\Derek\AppData\Roaming\Yahoo!
2008-04-22 00:18:33 0 d-------- C:\Users\Derek\AppData\Roaming\vlc
2008-04-21 23:16:14 0 d-------- C:\Users\Derek\AppData\Roaming\BitTorrent
2008-04-19 22:37:27 0 d-------- C:\Users\Derek\AppData\Roaming\GrabIt
2008-04-19 20:23:39 0 d-------- C:\Users\Derek\AppData\Roaming\WinRAR
2008-03-13 19:31:50 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-10 21:23:16 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-05 20:51:44 0 d-------- C:\Users\Derek\AppData\Roaming\Adobe
2008-03-04 14:04:22 0 d-------- C:\Program Files\Windows Live
2008-03-04 14:03:13 0 d-------- C:\Program Files\Windows Live Toolbar
2008-03-04 14:02:51 0 d-------- C:\Program Files\Windows Live Favorites
2008-03-04 14:00:08 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-04 13:00:50 0 d-------- C:\Program Files\Alwil Software
2008-02-21 13:50:30 0 --a------ C:\Users\Derek\AppData\Roaming\wklnhst.dat
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [19/01/2008 08:38]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [25/05/2007 07:03]
"SunJavaUpdateSched"="c:\Program Files\Java\jre1.6.0\bin\jusched.exe" [19/02/2008 03:26]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [03/10/2006 12:37]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [19/02/2008 03:32]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/05/2007 04:06]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [15/11/2007 10:24]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [09/03/2007 19:53]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [29/03/2008 18:37]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [09/01/2008 04:31]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [02/01/2008 17:07]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [02/01/2008 18:06]
"Persistence"="C:\Windows\system32\igfxpers.exe" [02/01/2008 18:07]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [08/06/2007 18:40]
"AntiSpywareMaster"="C:\Program Files\AntiSpywareMaster\asm.exe" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [12/03/2007 14:49]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [15/11/2007 10:23]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 12:43]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 12:34]
"BitTorrent DNA"="C:\Users\Derek\Program Files\DNA\btdna.exe" [21/04/2008 23:37]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [19/01/2008 08:33]
"MSServer"="C:\Users\Derek\AppData\Local\Temp\jkkKdBQH.dll,#1" []
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc CscService TabletInputService UmRdpService wlansvc WPDBusEnum EMDMgmt
LocalServiceNoNetwork PLA DPS BFE mpssvc
LocalServiceNetworkRestricted DHCP eventlog AudioSrv LmHosts wscsvc p2pimsvc PNRPSvc p2psvc PnrpAutoReg
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
-- Hosts -----------------------------------------------------------------------
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
8002 more entries in hosts file.
-- End of Deckard's System Scanner: finished at 2008-05-03 17:25:17 ------------
thankyou regards dell44
Rorschach112
2008-05-04, 22:54
That seems to be an old DSS log, can you run it again and post the log it produces
Deckard's System Scanner v20071014.68
Run by Derek on 2008-05-06 21:41:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis (run as Derek.exe) -----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:41:39, on 06/05/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\igfxsrvc.exe
C:\Users\Derek\Program Files\DNA\btdna.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Derek\Desktop\dss.exe
C:\Windows\System32\Narrator.exe
C:\Users\Derek\Desktop\Derek.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Derek\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
--
End of file - 9067 bytes
-- Files created between 2008-04-06 and 2008-05-06 -----------------------------
2008-05-03 16:18:25 0 d-------- C:\Windows\system32\Kaspersky Lab
2008-05-02 20:49:51 68096 --a------ C:\Windows\zip.exe
2008-05-02 20:49:51 49152 --a------ C:\Windows\VFind.exe
2008-05-02 20:49:51 212480 --a------ C:\Windows\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-02 20:49:51 136704 --a------ C:\Windows\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-02 20:49:51 161792 --a------ C:\Windows\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-02 20:49:51 98816 --a------ C:\Windows\sed.exe
2008-05-02 20:49:51 80412 --a------ C:\Windows\grep.exe
2008-05-02 20:49:51 73728 --a------ C:\Windows\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-27 23:33:55 0 d-------- C:\PerfLogs
2008-04-23 20:37:00 0 d-------- C:\Users\All Users\Ahead
2008-04-22 21:44:51 0 d-------- C:\MDT
2008-04-22 21:30:57 0 d-------- C:\Users\All Users\CyberLink
2008-04-22 20:58:10 0 d-------- C:\Users\All Users\Yahoo! Companion
2008-04-22 20:57:39 0 d-------- C:\Program Files\Common Files\PX Storage Engine
2008-04-22 20:57:00 0 d-------- C:\Program Files\Yahoo!
2008-04-22 20:56:59 0 d-------- C:\Program Files\DivX
2008-04-22 00:05:51 0 d-------- C:\Program Files\VideoLAN
2008-04-21 23:37:25 0 d-------- C:\Users\Derek\Program Files
2008-04-21 15:58:01 0 d-------- C:\Program Files\MagicISO
2008-04-21 15:49:35 0 d-------- C:\Program Files\DNA
2008-04-21 15:49:35 0 d-------- C:\Program Files\BitTorrent
2008-04-20 20:35:32 0 d-------- C:\Program Files\AltBinz
2008-04-18 17:39:25 737280 --a------ C:\Windows\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2008-04-18 17:39:22 0 d-------- C:\Program Files\Codec Pack - All In 1
2008-04-18 16:50:50 0 d-------- C:\Program Files\QuickPar
2008-04-06 10:24:26 0 d-------- C:\Program Files\Microsoft AutoRoute
-- Find3M Report ---------------------------------------------------------------
2008-05-06 13:46:11 0 d-------- C:\Users\Derek\AppData\Roaming\DNA
2008-04-29 17:59:07 0 d-------- C:\Program Files\Windows Sidebar
2008-04-29 17:59:07 0 d-------- C:\Program Files\Windows Photo Gallery
2008-04-29 17:59:07 0 d-------- C:\Program Files\Windows Mail
2008-04-29 17:59:07 0 d-------- C:\Program Files\Windows Journal
2008-04-29 17:59:07 0 d-------- C:\Program Files\Windows Defender
2008-04-29 17:59:07 0 d-------- C:\Program Files\Windows Collaboration
2008-04-29 17:59:07 0 d-------- C:\Program Files\Windows Calendar
2008-04-29 17:59:07 0 d-------- C:\Program Files\Movie Maker
2008-04-27 23:41:47 174 --ahs---- C:\Program Files\desktop.ini
2008-04-23 20:37:00 0 d-------- C:\Users\Derek\AppData\Roaming\Ahead
2008-04-22 22:47:34 0 d-------- C:\Users\Derek\AppData\Roaming\DivX
2008-04-22 22:44:50 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-22 21:59:56 0 d-------- C:\Program Files\CyberLink
2008-04-22 21:31:09 0 d-------- C:\Users\Derek\AppData\Roaming\CyberLink
2008-04-22 20:57:39 0 d-------- C:\Program Files\Common Files
2008-04-22 20:57:01 0 d-------- C:\Users\Derek\AppData\Roaming\Yahoo!
2008-04-22 00:18:33 0 d-------- C:\Users\Derek\AppData\Roaming\vlc
2008-04-21 23:16:14 0 d-------- C:\Users\Derek\AppData\Roaming\BitTorrent
2008-04-19 22:37:27 0 d-------- C:\Users\Derek\AppData\Roaming\GrabIt
2008-04-19 20:23:39 0 d-------- C:\Users\Derek\AppData\Roaming\WinRAR
2008-03-13 19:31:50 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-10 21:23:16 0 d-------- C:\Program Files\Common Files\InstallShield
2008-02-21 13:50:30 0 --a------ C:\Users\Derek\AppData\Roaming\wklnhst.dat
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [19/01/2008 08:38]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [25/05/2007 07:03]
"SunJavaUpdateSched"="c:\Program Files\Java\jre1.6.0\bin\jusched.exe" [19/02/2008 03:26]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [03/10/2006 12:37]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [19/02/2008 03:32]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/05/2007 04:06]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [15/11/2007 10:24]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [09/03/2007 19:53]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [29/03/2008 18:37]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [09/01/2008 04:31]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [02/01/2008 17:07]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [02/01/2008 18:06]
"Persistence"="C:\Windows\system32\igfxpers.exe" [02/01/2008 18:07]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [08/06/2007 18:40]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [12/03/2007 14:49]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [15/11/2007 10:23]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 12:43]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 12:34]
"BitTorrent DNA"="C:\Users\Derek\Program Files\DNA\btdna.exe" [21/04/2008 23:37]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [19/01/2008 08:33]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc CscService TabletInputService UmRdpService wlansvc WPDBusEnum EMDMgmt
LocalServiceNoNetwork PLA DPS BFE mpssvc
LocalServiceNetworkRestricted DHCP eventlog AudioSrv LmHosts wscsvc p2pimsvc PNRPSvc p2psvc PnrpAutoReg
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
-- End of Deckard's System Scanner: finished at 2008-05-06 21:42:44 ------------
Rorschach112
2008-05-06, 22:59
Your logs are clean ! We need to do a few things
Follow these steps to uninstall Combofix and tools used in the removal of malware
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Make sure you have an Internet Connection.
Double-click OTMoveIt2.exe to run it.
Click on the CleanUp! button
A list of tool components used in the Cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
Click Yes to beging the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
You now need to update your Java and remove your older versions.
Please follow these steps to remove older version Java components.
* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.
Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here (http://java.sun.com/javase/downloads/index.jsp)
Below I have included a number of recommendations for how to protect your computer against malware infections.
* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.
* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster (http://www.javacoolsoftware.com/sbdownload.html) protects against bad ActiveX
IE-SPYAD (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe) puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
* SpywareGuard (http://www.javacoolsoftware.com/sgdownload.html) offers realtime protection from spyware installation attempts.
Make Internet Explorer more secure
Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.
* MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.
* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here (http://www.mozilla.org/products/firefox/)
* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here (http://forums.spywareinfo.com/index.php?showtopic=60955)
Thank you for your patience, and performing all of the procedures requested.
in you last reply you instuctoin say . run otmove2.exe and click the box clean up i then get a box otmove2exe file access denied . regard dell44
Rorschach112
2008-05-07, 18:13
Delete OTMoveIt2.exe and the other tools yourself then
Let me know how the rest of the steps go
Rorschach112
2008-05-12, 01:38
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.