PDA

View Full Version : Browser Pop-Ups linking to "ErrorSafe"


snickers
2006-07-10, 13:13
Hi
I have been receiving browser pop-ups (or new windows) every now and again. I haven't been able to identify the cause however I susspect a virus or malicious application.

I have followed the instructions in http://forums.spybot.info/showthread.php?t=288

I have scanned my system with Panda Software's Activescan antivirus and the following is the log from that scan:
---------------------------------------------------------------------------------


Incident Status Location

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\83a7qp2e.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\83a7qp2e.default\cookies.txt[.revenue.net/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\83a7qp2e.default\cookies.txt[.errorsafe.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\83a7qp2e.default\cookies.txt[www.errorsafe.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\83a7qp2e.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\83a7qp2e.default\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\83a7qp2e.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\83a7qp2e.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\83a7qp2e.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\83a7qp2e.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\83a7qp2e.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\83a7qp2e.default\cookies.txt[.advertising.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\83a7qp2e.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\83a7qp2e.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\83a7qp2e.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\83a7qp2e.default\cookies.txt[ad.sensismediasmart.com.au/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\83a7qp2e.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\83a7qp2e.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\83a7qp2e.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\83a7qp2e.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\83a7qp2e.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\83a7qp2e.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\83a7qp2e.default\cookies.txt[.as-us.falkag.net/]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Matt\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6f047444-3bb4bf9d.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Matt\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6f047444-3bb4bf9d.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Matt\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6f047444-3bb4bf9d.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Matt\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6f047444-3bb4bf9d.zip[Beyond.class]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Matt\Cookies\matt@ad.yieldmanager[2].txt
Potentially unwanted tool:Application/Pskill.A Not disinfected E:\Downloads\PS_Tools.zip[pskill.exe]
Potentially unwanted tool:Application/Psexec.A Not disinfected E:\Downloads\PS_Tools.zip[psexec.exe]
Potentially unwanted tool:Application/Processor Not disinfected E:\Downloads\Virus Protection\VundoFix.exe[process.exe]
Potentially unwanted tool:Application/Psexec.A Not disinfected I:\serverbkp\D-Drive\Tools\psexec.exe
Potentially unwanted tool:Application/Pskill.A Not disinfected I:\serverbkp\D-Drive\Tools\pskill.exe

---------------------------------------------------------------------------------



The following is the log from HJT

---------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:08:02 PM, on 10/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: IE-Disable.lnk = C:\EzyTools\IE-Disable.bat
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D9EFDCC-DF85-436F-B58C-838A744361B5}: NameServer = 10.16.24.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D9EFDCC-DF85-436F-B58C-838A744361B5}: NameServer = 10.16.24.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)



---------------------------------------------------------------------------------


Thank you for your help!
LonnyRJones
2006-07-13, 15:14
Browser Pop-Ups linking to "ErrorSafe"

Hi


O4 - Global Startup: IE-Disable.lnk = C:\EzyTools\IE-Disable.bat
Is that a tool from sourcefourge ?

Post a report from this tool if any FILES show
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Click the i accept button near the bottom of that page.
Download and run blacklite click > scan then > next, next again then exit
there will be a new txt near blacklite. post it please.
Important: If any files show Do not rename them YET.....legitimate files can be listed.


Also redownload and run vundofix, its updated frequently
http://www.atribune.org/content/view/24/2/
snickers
2006-07-18, 16:41
Hi

The script "C:\EzyTools\IE-Disable.bat" is actually something I wrote, all it does is use xcacls to remove the permissions on the Internet Explorer pages to prevent it from being used. It was just on of the steps I took after my last dusting. (also based on a security process my work had been using)

The following is the log from BlackLight
---------------------------------------------------------------------------------
07/19/06 00:31:19 [Info]: BlackLight Engine 1.0.42 initialized
07/19/06 00:31:19 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/19/06 00:31:19 [Note]: 7019 4
07/19/06 00:31:19 [Note]: 7005 0
07/19/06 00:31:23 [Note]: 7006 0
07/19/06 00:31:23 [Note]: 7011 1992
07/19/06 00:31:23 [Note]: 7026 0
07/19/06 00:31:23 [Note]: 7026 0
07/19/06 00:31:29 [Note]: FSRAW library version 1.7.1019
07/19/06 00:32:28 [Note]: 2000 1006
07/19/06 00:32:50 [Note]: 7007 0
---------------------------------------------------------------------------------


I also re-downloaded and ran vundofix but it did not report any files to be removed.

I look forward to your reply.
LonnyRJones
2006-07-18, 18:18
rename your hijackthis
C:\Program Files\HijackThis\HijackThis.exe
to for example hjt.exe run and post another log
tashi
2006-07-24, 08:38
snickers?
tashi
2006-07-25, 16:22
This topic is closed due to lack of a response to helper. :spider:

If you need it re-opened please send me a pm and provide a link to the thread.

Applies only to the original topic starter.
snickers
2006-07-28, 11:10
Hi
Thank you tashi for re-opening this topic, and my apologises to LonnyRJones for the drop in response, it was never my intention, i was dragged away from home by work and did not have a chance to finish the steps provided in the last post by LonnyRJones.

The following is the new HJT log as requested.

---------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 10:48:48 PM, on 27/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\mdm.exe
C:\Program Files\HijackThis\hjt.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: IE-Disable.lnk = C:\EzyTools\IE-Disable.bat
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D9EFDCC-DF85-436F-B58C-838A744361B5}: NameServer = 10.16.24.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D9EFDCC-DF85-436F-B58C-838A744361B5}: NameServer = 10.16.24.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)

---------------------------------------------------------------------------------


I look forward to your reply and once again thank you for your assistance with this.

:)
LonnyRJones
2006-07-28, 18:34
I'm not seeing anything yet, Let's dig a Little deeper.

Download and run Silentrunners.Vbs post the log it creates please
http://www.silentrunners.org/sr_scriptuse.html click no to not skip the suplimentry searchs
Wait until there is a All Done message !!, Then open and post the log next to it.
Your antivirus script protection might interfear or alert, please allow it to run after a bit box will say done.

Kaspersky Lab - Free Online scan:
http://www.kaspersky.com/virusscanner
Click scan settings and place a check next to use [x]extended this database etc etc. Click ok.
Then choose: my computer: scan all your hard drives and mapped disks.
when finished click save as text and post that in your reply.
snickers
2006-07-29, 16:03
Hi
I too couldn't see anything in the previous logs (but then again my eye is not trainned, thats why im here).....
I have followed your instructions and the log files are as follows:

---------------------------------------------------------------------------------
"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"updateMgr" = ""C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1" ["Adobe Systems Incorporated"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"IntelliType" = ""C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"" [MS]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{1CAA843A-6DBD-40EF-AB71-8F7B209997C0}" = "IntelliType Pro Key Settings Control Panel Property Page"
-> {HKLM...CLSID} = "ITPropertyPage Class"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Hardware\Keyboard\itcpl.dll" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{0BC1E559-9D68-4E99-AFD9-98D27DAB971D}\(Default) = "TreeSize FolderSizeColumn"
-> {HKLM...CLSID} = "ColHandler"
\InProcServer32\(Default) = "C:\PROGRA~1\JAMSOF~1\TREESI~1\FSizeCol.dll" ["JAM Software"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Matt\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "Matt" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\Matt\Start Menu\Programs\Startup
"Adobe Gamma" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"IE-Disable" -> shortcut to: "C:\EzyTools\IE-Disable.bat" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 11210 domain names to IP addresses,
1 of the IP addresses is *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
Canon Camera Access Library 8, CCALib8, "C:\Program Files\Canon\CAL\CALMAIN.exe" ["Canon Inc."]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Remote Administrator Service, r_server, ""C:\WINDOWS\system32\r_server.exe" /service" [null data]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
BJ Language Monitor2\Driver = "CNBJMON2.DLL" [MS]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
PDF995 Monitor\Driver = "pdf995mon.dll" [null data]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 10 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 21 seconds.
---------- (total run time: 54 seconds)
---------------------------------------------------------------------------------
snickers
2006-07-29, 16:05
Part 1 of the log from Kaspersky.com virus scan
---------------------------------------------------------------------------------
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, July 30, 2006 12:00:18 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 29/07/2006
Kaspersky Anti-Virus database records: 209781
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan Statistics:
Total number of scanned objects: 76122
Number of viruses found: 18
Number of infected objects: 143 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:31:00

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\EzMTS.zip.bac_a02040/ezmtscfg.zip/adimage.dl_/adimage.dl_ Infected: not-a-virus:AdWare.Win32.Aureate skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\EzMTS.zip.bac_a02040/ezmtscfg.zip/adimage.dl_ Infected: not-a-virus:AdWare.Win32.Aureate skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\EzMTS.zip.bac_a02040/ezmtscfg.zip/Amcis2.dl_/Amcis2.dl_ Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\EzMTS.zip.bac_a02040/ezmtscfg.zip/Amcis2.dl_ Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\EzMTS.zip.bac_a02040/ezmtscfg.zip/htmdeng.ex_/htmdeng.ex_ Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\EzMTS.zip.bac_a02040/ezmtscfg.zip/htmdeng.ex_ Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\EzMTS.zip.bac_a02040/ezmtscfg.zip/msipcsv.ex_/msipcsv.ex_ Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\EzMTS.zip.bac_a02040/ezmtscfg.zip/msipcsv.ex_ Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\EzMTS.zip.bac_a02040/ezmtscfg.zip/ipcclient.dl_/ipcclient.dl_ Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\EzMTS.zip.bac_a02040/ezmtscfg.zip/ipcclient.dl_ Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\EzMTS.zip.bac_a02040/ezmtscfg.zip/tfde.dl_/tfde.dl_ Infected: not-a-virus:AdWare.Win32.Aureate skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\EzMTS.zip.bac_a02040/ezmtscfg.zip/tfde.dl_ Infected: not-a-virus:AdWare.Win32.Aureate skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\EzMTS.zip.bac_a02040/ezmtscfg.zip Infected: not-a-virus:AdWare.Win32.Aureate skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\EzMTS.zip.bac_a02040 ZIP: infected - 13 skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\EzMTS.zip.bac_a02040 CryptFF.b: infected - 13 skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/MatrixScreenSavers.exe/iexplorr22.dll Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/MatrixScreenSavers.exe/iexplorr23.dll Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/MatrixScreenSavers.exe/iexplorr24.dll Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/MatrixScreenSavers.exe/Install.exe Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/MatrixScreenSavers.exe/mySetp.exe Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/MatrixScreenSavers.exe/iexplorr11.dll Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/MatrixScreenSavers.exe Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Adobe Photoshop 7.0 Pro Installer.exe/Install.exe Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Adobe Photoshop 7.0 Pro Installer.exe/GoWebSite.exe Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Adobe Photoshop 7.0 Pro Installer.exe/mySetp.exe Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Adobe Photoshop 7.0 Pro Installer.exe/iexplorr23.dll Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Adobe Photoshop 7.0 Pro Installer.exe/iexplorr11.dll Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Adobe Photoshop 7.0 Pro Installer.exe/iexplorr22.dll Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Adobe Photoshop 7.0 Pro Installer.exe/iexplorr24.dll Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Adobe Photoshop 7.0 Pro Installer.exe Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Norton Anti-Virus Professional 2004.zip/Install.exe Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Norton Anti-Virus Professional 2004.zip/GoWebSite.exe Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Norton Anti-Virus Professional 2004.zip/mySetp.exe Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Norton Anti-Virus Professional 2004.zip/iexplorr23.dll Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Norton Anti-Virus Professional 2004.zip/iexplorr11.dll Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Norton Anti-Virus Professional 2004.zip/iexplorr22.dll Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Norton Anti-Virus Professional 2004.zip/iexplorr24.dll Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Norton Anti-Virus Professional 2004.zip Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Norton Anti-Virus Professional 2004.exe/Install.exe Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Norton Anti-Virus Professional 2004.exe/GoWebSite.exe Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Norton Anti-Virus Professional 2004.exe/mySetp.exe Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Norton Anti-Virus Professional 2004.exe/iexplorr23.dll Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Norton Anti-Virus Professional 2004.exe/iexplorr11.dll Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Norton Anti-Virus Professional 2004.exe/iexplorr22.dll Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Norton Anti-Virus Professional 2004.exe/iexplorr24.dll Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Norton Anti-Virus Professional 2004.exe Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Mcafee Virus Scan Full Version.exe/Install.exe Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Mcafee Virus Scan Full Version.exe/GoWebSite.exe Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Mcafee Virus Scan Full Version.exe/mySetp.exe Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Mcafee Virus Scan Full Version.exe/iexplorr23.dll Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Mcafee Virus Scan Full Version.exe/iexplorr11.dll Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Mcafee Virus Scan Full Version.exe/iexplorr22.dll Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Mcafee Virus Scan Full Version.exe/iexplorr24.dll Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Mcafee Virus Scan Full Version.exe Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Nero Ultra CD Burning ROM Full Version.exe/Install.exe Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Nero Ultra CD Burning ROM Full Version.exe/GoWebSite.exe Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Nero Ultra CD Burning ROM Full Version.exe/mySetp.exe Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Nero Ultra CD Burning ROM Full Version.exe/iexplorr23.dll Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Nero Ultra CD Burning ROM Full Version.exe/iexplorr11.dll Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Nero Ultra CD Burning ROM Full Version.exe/iexplorr22.dll Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Nero Ultra CD Burning ROM Full Version.exe/iexplorr24.dll Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/Nero Ultra CD Burning ROM Full Version.exe Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/ICQ Lite.exe/Install.exe Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/ICQ Lite.exe/GoWebSite.exe Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/ICQ Lite.exe/mySetp.exe Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/ICQ Lite.exe/iexplorr23.dll Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/ICQ Lite.exe/iexplorr11.dll Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/ICQ Lite.exe/iexplorr22.dll Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/ICQ Lite.exe/iexplorr24.dll Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040/ICQ Lite.exe Infected: not-a-virus:AdWare.Win32.GoWebSite skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040 ZIP: infected - 55 skipped
C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe.bac_a02040 CryptFF.b: infected - 55 skipped
C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\83a7qp2e.default\cert8.db Object is locked skipped
C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\83a7qp2e.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\83a7qp2e.default\history.dat Object is locked skipped
C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\83a7qp2e.default\key3.db Object is locked skipped
C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\83a7qp2e.default\parent.lock Object is locked skipped
C:\Documents and Settings\Matt\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\83a7qp2e.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\83a7qp2e.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\83a7qp2e.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\83a7qp2e.default\Cache\_CACHE_MAP_ Object is locked skipped
---------------------------------------------------------------------------------
snickers
2006-07-29, 16:05
Part 2 of the log from Kaspersky.com virus scan
---------------------------------------------------------------------------------
C:\Documents and Settings\Matt\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\History\History.IE5\MSHist012006072920060730\index.dat Object is locked skipped
C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Matt\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Matt\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\pfirewall.log Object is locked skipped
C:\Program Files\Radmin\AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Program Files\Radmin\raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Program Files\Radmin\radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\Program Files\Radmin\r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\Program Files\Radmin Viewer 3.0\radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.30 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{7BE4F163-D79A-4BCC-861C-89C4D916BBD8}\RP220\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{839A88B0-89C2-437F-8A50-3F2C5EA510D7}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\admdll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd4061.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\jmail.dll Infected: not-a-virus:Client-SMTP.Win32.JMail.43 skipped
C:\WINDOWS\system32\Logfiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\nvsvc32.log Object is locked skipped
C:\WINDOWS\system32\raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\WINDOWS\system32\r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\Downloads\Adobe\Photoshop CS2 v9.0 incl Keygen\Photoshop CS2 v9.0 + working KeyGen\Photoshop CS2\Adobe(R) Photoshop(R) CS2\setup.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.q skipped
E:\Downloads\Adobe\Photoshop CS2 v9.0 incl Keygen\Photoshop CS2 v9.0 + working KeyGen\Photoshop CS2\Adobe(R) Photoshop(R) CS2\setup.exe NSIS: infected - 1 skipped
E:\Downloads\Adobe\Photoshop CS2 v9.0 incl Keygen\Photoshop CS2 v9.0 + working KeyGen\Photoshop CS2\Setup.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.q skipped
E:\Downloads\Adobe\Photoshop CS2 v9.0 incl Keygen\Photoshop CS2 v9.0 + working KeyGen\Photoshop CS2\Setup.exe NSIS: infected - 1 skipped
E:\Downloads\Adobe\Photoshop CS2 v9.0 incl Keygen.rar/Photoshop CS2 v9.0 + working KeyGen/Photoshop CS2/Adobe(R) Photoshop(R) CS2/setup.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.q skipped
E:\Downloads\Adobe\Photoshop CS2 v9.0 incl Keygen.rar/Photoshop CS2 v9.0 + working KeyGen/Photoshop CS2/Adobe(R) Photoshop(R) CS2/setup.exe Infected: Trojan-Downloader.NSIS.Agent.q skipped
E:\Downloads\Adobe\Photoshop CS2 v9.0 incl Keygen.rar/Photoshop CS2 v9.0 + working KeyGen/Photoshop CS2/Setup.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.q skipped
E:\Downloads\Adobe\Photoshop CS2 v9.0 incl Keygen.rar/Photoshop CS2 v9.0 + working KeyGen/Photoshop CS2/Setup.exe Infected: Trojan-Downloader.NSIS.Agent.q skipped
E:\Downloads\Adobe\Photoshop CS2 v9.0 incl Keygen.rar RAR: infected - 4 skipped
E:\Downloads\components\w3JMail4\jmail.dll Infected: not-a-virus:Client-SMTP.Win32.JMail.43 skipped
E:\Downloads\Media Stuff\Audiogalaxy\AGSetup0606.exe/whCC-Audiogalaxy.exe/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.214 skipped
E:\Downloads\Media Stuff\Audiogalaxy\AGSetup0606.exe/whCC-Audiogalaxy.exe/wbhshare.dll Infected: not-a-virus:AdWare.Win32.WebHancer.214 skipped
E:\Downloads\Media Stuff\Audiogalaxy\AGSetup0606.exe/whCC-Audiogalaxy.exe/Webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
E:\Downloads\Media Stuff\Audiogalaxy\AGSetup0606.exe/whCC-Audiogalaxy.exe/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.214 skipped
E:\Downloads\Media Stuff\Audiogalaxy\AGSetup0606.exe/whCC-Audiogalaxy.exe/whieshm.dll Infected: not-a-virus:AdWare.Win32.WebHancer.214 skipped
E:\Downloads\Media Stuff\Audiogalaxy\AGSetup0606.exe/whCC-Audiogalaxy.exe Infected: not-a-virus:AdWare.Win32.WebHancer.214 skipped
E:\Downloads\Media Stuff\Audiogalaxy\AGSetup0606.exe/fsg-ag.exe Infected: not-a-virus:AdWare.Win32.Gator.1050 skipped
E:\Downloads\Media Stuff\Audiogalaxy\AGSetup0606.exe ViseMan: infected - 7 skipped
E:\Downloads\Media Stuff\Audiogalaxy\AGSetup0606.exe ViseMan: infected - 7 skipped
E:\Downloads\Media Stuff\FreeRip\freeripmp3-v251.exe/data0010 Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
E:\Downloads\Media Stuff\FreeRip\freeripmp3-v251.exe Inno: infected - 1 skipped
E:\Downloads\Media Stuff\freeripmp3.exe/data0010 Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
E:\Downloads\Media Stuff\freeripmp3.exe Inno: infected - 1 skipped
E:\Downloads\Media Stuff\Kazaa\kazaalite_202_b1\first stage\kazaa_lite_202_english.exe/data0014 Infected: not-a-virus:AdWare.Win32.Altnet.o skipped
E:\Downloads\Media Stuff\Kazaa\kazaalite_202_b1\first stage\kazaa_lite_202_english.exe Inno: infected - 1 skipped
E:\Downloads\Media Stuff\Kazaa\kazaalite_202_b1.zip/first stage/kazaa_lite_202_english.exe/data0014 Infected: not-a-virus:AdWare.Win32.Altnet.o skipped
E:\Downloads\Media Stuff\Kazaa\kazaalite_202_b1.zip/first stage/kazaa_lite_202_english.exe Infected: not-a-virus:AdWare.Win32.Altnet.o skipped
E:\Downloads\Media Stuff\Kazaa\kazaalite_202_b1.zip ZIP: infected - 2 skipped
E:\Downloads\Other\VNC\vnc-3.3.3r9_x86_win32.zip/vnc_x86_win32/vncviewer/vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
E:\Downloads\Other\VNC\vnc-3.3.3r9_x86_win32.zip ZIP: infected - 1 skipped
E:\Downloads\Other\VNC\vnc_x86_win32\vncviewer\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
E:\Downloads\PS_Tools.zip/pskill.exe Infected: not-a-virus:NetTool.Win32.PsKill skipped
E:\Downloads\PS_Tools.zip/psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.131 skipped
E:\Downloads\PS_Tools.zip ZIP: infected - 2 skipped
E:\Downloads\Remote Administrator\radmin21\RADMIN21.EXE/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
E:\Downloads\Remote Administrator\radmin21\RADMIN21.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
E:\Downloads\Remote Administrator\radmin21\RADMIN21.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
E:\Downloads\Remote Administrator\radmin21\RADMIN21.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
E:\Downloads\Remote Administrator\radmin21\RADMIN21.EXE Gentee: infected - 4 skipped
E:\Downloads\Remote Administrator\radmin21.zip/RADMIN21.EXE/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
E:\Downloads\Remote Administrator\radmin21.zip/RADMIN21.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
E:\Downloads\Remote Administrator\radmin21.zip/RADMIN21.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
E:\Downloads\Remote Administrator\radmin21.zip/RADMIN21.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
E:\Downloads\Remote Administrator\radmin21.zip/RADMIN21.EXE Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
E:\Downloads\Remote Administrator\radmin21.zip ZIP: infected - 5 skipped
E:\Downloads\Remote Administrator\RADMIN22.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
E:\Downloads\Remote Administrator\RADMIN22.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
E:\Downloads\Remote Administrator\RADMIN22.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
E:\Downloads\Remote Administrator\RADMIN22.EXE Gentee: infected - 3 skipped
E:\Downloads\Remote Administrator\rviewer3.exe/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.30 skipped
E:\Downloads\Remote Administrator\rviewer3.exe CreateInstall: infected - 1 skipped
E:\Downloads\Tight VNC\tightvnc-1.2.5-setup.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
E:\Downloads\Tight VNC\tightvnc-1.2.5-setup.exe Inno: infected - 1 skipped
E:\Downloads\Tight VNC\tightvnc-1.2.8-setup.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
E:\Downloads\Tight VNC\tightvnc-1.2.8-setup.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
E:\Downloads\Tight VNC\tightvnc-1.2.8-setup.exe Inno: infected - 2 skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
H:\vbScript\Global Insight\Global Insight V1-0.zip/Installation/jmail.dll Infected: not-a-virus:Client-SMTP.Win32.JMail.43 skipped
H:\vbScript\Global Insight\Global Insight V1-0.zip ZIP: infected - 1 skipped
H:\vbScript\Global Insight\Installation\jmail.dll Infected: not-a-virus:Client-SMTP.Win32.JMail.43 skipped
I:\serverbkp\D-Drive\components\jmail.dll Infected: not-a-virus:Client-SMTP.Win32.JMail.43 skipped
I:\serverbkp\D-Drive\Tools\psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.131 skipped
I:\serverbkp\D-Drive\Tools\pskill.exe Infected: not-a-virus:NetTool.Win32.PsKill skipped

Scan process completed.

---------------------------------------------------------------------------------
LonnyRJones
2006-07-29, 17:15
Your still seeing errorsafe popups ? if so when and where do they happen
any other symptoms to report ? mention them even if they do not seam related.

C:\Documents and Settings\Matt\.housecall\Quarantine\MatrixScreenSavers.exe
Uninstall any screensavers you have installed recently
E:\Downloads\Adobe\Photoshop CS2 v9.0 < the program itself is probaly infected
same here > E:\Downloads\Media Stuff\Audiogalaxy\
and here E:\Downloads\Media Stuff\FreeRip
E:\Downloads\Media Stuff\Kazaa\ < delete
snickers
2006-07-31, 15:31
Hi
Honestly I had only ever seen a hand full of pop-ups, but my girl friend had told me on many occassions that they had been occuring (she has been using the PC a lot more than I have in the past few months due to other work commitments of mine). Anyway I have checked with her and she doesnt recall seeing a pop-up recently, maybe fore just over a week.

I havent actually installed any screen savers recently, in the past i have seen a lot of viruses through them so these days i just stick to the standard windows ones. And I remember the virus scanner picking up that screen saver about 3 months or so ago, but i dont remember installing it just having the install file stored on my pc.

I have also cleaned up the downloaded files based on what you have advised.

I'm sorry because im sure this will now seem like i wasted your time but I definitely was getting the pop-ups and also probably a lot of paranoia because last time these type of things happened a 'root-kit' was found on my system. Granted I have improved my security and perform much more detailed and regular scans since then, but still all the same I wanted to try and resolve this as quick as possible to avoid any chance of a 'root-kit' doing too much damage if it was found.

I really do appreciate your help and these security forums are a really great tool in todays battle against mallicious software.
snickers
2006-07-31, 15:32
Sorry to answer your question about when they appear(ed), it used to be just as we were browsing the internet, no particular sites in general. I was trying to determine if there was a patern between the sites but I could not.
LonnyRJones
2006-07-31, 18:24
Thats good news ;)

Think Prevention: Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that proccess about once or twice a month


To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279
snickers
2006-08-01, 15:09
Thanks LonnyRJones for the tips, I will definitely include updating the hosts file as part of my monthly scan / clean up process which I am implementing.

Thank you again for all your help and time, it is greatly appreciated :)
LonnyRJones
2006-08-05, 19:12
Im Glad we could help
Since the problems are solved Im going to close the topic now, this keeps others with similar problems from posting there logs/question here, they should start a new topic.

If you should need to post another log for the same PC let one of us know via a PM (personal message).

Best regards
Lonn