
Thread: hijack this log

  1. #1
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    hijack this log

    Help, I know nothing but am very good at following instructions. I have followed the removal steps for Spy Sheriff and am now at the log stage; could someone advise me on what should go and what should stay? The log is below.
    Thank you in advance
    Nunzi

    Logfile of HijackThis v1.99.1
    Scan saved at 12:08:10 AM, on 19/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Canon\MultiPASS\mpservic.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\MSI\Live Update 3\LMonitor.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Canon\MultiPASS\monitr32.exe
    C:\Program Files\Canon\MultiPASS\MPTBox.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\WINDOWS\system32\cmd32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\WINDOWS\system32\FxRedir.EXE
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Documents and Settings\Tina\Desktop\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
    O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\cmd32.exe internat.dll,LoadKeyboardProfile
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: AudioDeck.lnk = C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125B84} (CR64Loader Object) - http://www.arcadetown.com/swf/cosmicbugs/r64loader.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab27513.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O20 - Winlogon Notify: explorer - C:\WINDOWS\SYSTEM32\explorer.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: MPService - Canon Information Systems, Inc. - C:\Program Files\Canon\MultiPASS\mpservic.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

  2. #2
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Hi nunzi
    Explain to us the troubleshooting you've done prior to posting that log.
    Next time you post one, turn off word wrap first so that the lines are not all mixed up, please.

    Start HijackThis and place a check next to these items, if there.
    Close all browser windows and shut down all other programs that show in the taskbar (even folders).
    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\cmd32.exe internat.dll,LoadKeyboardProfile
    O20 - Winlogon Notify: explorer - C:\WINDOWS\SYSTEM32\explorer.dll
    ====================================
    Hit Fix checked and close HijackThis.

    Restart the PC
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Post a fresh HijackThis log.


    What version is your Norton program, and is it able to update its definitions?

    Download and run SilentRunners.vbs and post the log it creates, please.
    http://www.silentrunners.org/sr_scriptuse.html Click No to not skip the supplementary searches.
    Wait until there is an All Done message!! Then open and post the log next to it. Your antivirus script protection might interfere or alert; please allow it to run. After a bit a box will say Done.

  3. #3
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    spy sheriff

    Thanks Lonny,

    Since Friday I have run Symantec virus scan, followed by rebooting and running in safe mode, then followed the steps about five times with no luck until the repair you sent me this morning:
    1. add/remove spy sheriff
    2. run adaware scan
    3. run spybot s&d
    4. reboot normal mode
    5. remove HKEY_USERS\S-1-5-21-1275210071-583907252-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows installer.

    I have also downloaded and run KillBox, which didn't work.
    I followed the steps in "Before you post a log" by doing an online scan with BitDefender, followed by Spybot S&D and then HijackThis, which was the first log sent.
    This is what Spybot detected and tried to repair:
    --- Search result list ---
    Smitfraud-C.: Settings (Registry value, nothing done)
    HKEY_USERS\S-1-5-21-1275210071-583907252-1801674531-1003\WindowsSubVersion

    Smitfraud-C.: Data (File, nothing done)
    C:\WINDOWS\system32\svcp.csv

    Smitfraud-C.: Web page (File, nothing done)
    C:\WINDOWS\system32\winsub.xml

    Smitfraud-C.: Autorun settings (Registry value, nothing done)
    HKEY_USERS\S-1-5-21-1275210071-583907252-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows installer


    Here is the HijackThis log from this morning after I removed the files you suggested and rebooted:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:08:18 PM, on 19/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\MSI\Live Update 3\LMonitor.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Canon\MultiPASS\monitr32.exe
    C:\Program Files\Canon\MultiPASS\MPTBox.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Canon\MultiPASS\mpservic.exe
    C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\FxRedir.EXE
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Tina\Desktop\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
    O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: AudioDeck.lnk = C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125B84} (CR64Loader Object) - http://www.arcadetown.com/swf/cosmicbugs/r64loader.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab27513.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: MPService - Canon Information Systems, Inc. - C:\Program Files\Canon\MultiPASS\mpservic.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    Last edited by nunzi; 2005-12-19 at 07:54.
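Lonny asked for a fresh HijackThis log after the fix, and the log above is that fresh one. The following script is an added example, not code from the thread or from HijackThis: it re-joins word-wrapped HijackThis lines, reports which entries disappeared or appeared between a before and an after log, and checks whether the two entries Lonny listed are still present. The embedded log excerpts are constructed abbreviations of the two logs posted in this thread.

```python
import re
from typing import Dict, List

# Constructed, abbreviated excerpts of the two HijackThis v1.99.1 logs posted in this
# thread; the "before" log keeps the word-wrapped O2 line exactly as the forum broke it.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 12:08:10 AM, on 19/12/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\cmd32.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\cmd32.exe internat.dll,LoadKeyboardProfile
O20 - Winlogon Notify: explorer - C:\WINDOWS\SYSTEM32\explorer.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 1:08:18 PM, on 19/12/2005

Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
"""

# The two entries Lonny told the poster to fix in HijackThis.
FIX_LIST = [
    r"O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\cmd32.exe internat.dll,LoadKeyboardProfile",
    r"O20 - Winlogon Notify: explorer - C:\WINDOWS\SYSTEM32\explorer.dll",
]

# Every HijackThis entry starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24) and " - ".
ENTRY_RE = re.compile(r"^((?:R|F|N|O)\d+) - ")


def unwrap(text: str) -> List[str]:
    """Re-join lines that a forum's word wrap split.

    Once the entry section has started, any non-empty line that does not begin a new
    entry is treated as a continuation fragment and appended to the previous entry.
    """
    lines: List[str] = []
    in_entries = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_RE.match(line):
            in_entries = True
            lines.append(line)
        elif in_entries:
            lines[-1] = lines[-1] + " " + line  # wrapped fragment of the previous entry
        else:
            lines.append(line)  # header or "Running processes" path
    return lines


def parse(text: str) -> Dict[str, List[str]]:
    """Group entries by section code; running processes go under the key "processes"."""
    sections: Dict[str, List[str]] = {"processes": []}
    in_procs = False
    for line in unwrap(text):
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            sections.setdefault(m.group(1), []).append(line)
        elif in_procs:
            sections["processes"].append(line)
    return sections


def diff_logs(before: str, after: str) -> Dict[str, Dict[str, List[str]]]:
    """Per section, list entries that disappeared and entries that appeared."""
    a, b = parse(before), parse(after)
    result: Dict[str, Dict[str, List[str]]] = {}
    for sec in sorted(set(a) | set(b)):
        removed = [e for e in a.get(sec, []) if e not in b.get(sec, [])]
        added = [e for e in b.get(sec, []) if e not in a.get(sec, [])]
        if removed or added:
            result[sec] = {"removed": removed, "added": added}
    return result


def unresolved(fix_list: List[str], log_text: str) -> List[str]:
    """Return the entries from fix_list that are still present in the log."""
    entries = {e for sec, es in parse(log_text).items() if sec != "processes" for e in es}
    return [f for f in fix_list if f in entries]


if __name__ == "__main__":
    for sec, change in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        for e in change["removed"]:
            print(f"- [{sec}] {e}")
        for e in change["added"]:
            print(f"+ [{sec}] {e}")
    print("still present after fix:", unresolved(FIX_LIST, LOG_AFTER))
```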

  4. #4
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    spy sheriff

    Cont. Lonny

    And lastly the Silent Runners scan (in two parts, as it is too long for one reply).

    My virus scanner is Symantec AntiVirus Full Version 9.0.0.338 and can update definitions.

    The problem seems to be gone, but I will leave it to you to give me the all clear.

    Thank you heaps
    Nunzi


    "Silent Runners.vbs", revision 41, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ---------------------------------

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
    "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
    "nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
    "MediaFace Integration" = "C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe" ["Fellowes, Inc."]
    "SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe" ["Sun Microsystems, Inc."]
    "RoxioEngineUtility" = ""C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"" ["Roxio"]
    "RoxioDragToDisc" = ""C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"" ["Roxio"]
    "RoxioAudioCentral" = ""C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"" ["Roxio, Inc."]
    "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
    "LiveMonitor" = "C:\Program Files\MSI\Live Update 3\LMonitor.exe" [empty string]
    "ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
    "vptray" = "C:\PROGRA~1\SYMANT~1\VPTray.exe" ["Symantec Corporation"]
    "NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
    "MP_STATUS_MONITOR" = ""C:\Program Files\Canon\MultiPASS\monitr32.exe" I" ["Canon Information Systems, Inc."]
    "MPTBox" = ""C:\Program Files\Canon\MultiPASS\MPTBox.exe"" ["Canon Information Systems, Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
    {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
    -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
    "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
    "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
    "{6E3C607A-B99C-4FA8-98F5-1AC1ADF7F5B9}" = "MediaFace extension"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fellowes\MediaFACE 4.0\MFShlExt.dll" ["Fellowes, Inc."]
    "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
    "{5E44E225-A408-11CF-B581-008029601108}" = "Roxio DragToDisc Shell Extension"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\shellex.dll" ["Roxio"]
    "{A44D5ACC-3411-40DE-9AD3-214FFB2ED7AC}" = "My Media"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\MediaSX.dll" ["Roxio, Inc."]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    "{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
    "{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    INFECTION WARNING! NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" ["Symantec Corporation"]
    INFECTION WARNING! PCANotify\DLLName = "PCANotify.dll" ["Symantec Corporation"]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
    MediaFaceExtension\(Default) = "{6E3C607A-B99C-4FA8-98F5-1AC1ADF7F5B9}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fellowes\MediaFACE 4.0\MFShlExt.dll" ["Fellowes, Inc."]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    MediaFaceExtension\(Default) = "{6E3C607A-B99C-4FA8-98F5-1AC1ADF7F5B9}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fellowes\MediaFACE 4.0\MFShlExt.dll" ["Fellowes, Inc."]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

  5. #5
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    spy sheriff

    Here's the rest of the Silent Runners log.

    Thanks again

    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop is disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Documents and Settings\Tina\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


    Enabled Screen Saver:
    ---------------------

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssflwbox.scr" [MS]


    Startup items in "Tina" & "All Users" startup folders:
    ------------------------------------------------------

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "AudioDeck" -> shortcut to: "C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe -min" [empty string]
    "InterVideo WinCinema Manager" -> shortcut to: "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe" [empty string]
    "Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console"
    "CLSIDExtension" = "{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll" ["Sun Microsystems, Inc."]

    {85D1F590-48F4-11D9-9669-0800200C9A66}\
    "MenuText" = "Uninstall BitDefender Online Scanner v8"
    "Exec" = "%windir%\bdoscandel.exe" [null data]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
    MPService, MPService, "C:\Program Files\Canon\MultiPASS\mpservic.exe" ["Canon Information Systems, Inc."]
    NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
    Symantec AntiVirus, Symantec AntiVirus, ""C:\Program Files\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]
    Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
    Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
    Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
    Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


    Keyboard Driver Filters:
    ------------------------

    HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
    "UpperFilters" = INFECTION WARNING! "aw_host" [file not found]


    Print Monitors:
    ---------------

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    BJ Language Monitor2\Driver = "CNBJMON2.DLL" [MS]
    CutePDF Monitor\Driver = "cutemon2k.dll" [null data]
    MPL Language Monitor\Driver = "MPASSMON.DLL" ["Canon Information Systems, Inc."]
    PRTmate\Driver = "PRTmate.dll" [null data]


    ----------
    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + The search for DESKTOP.INI DLL launch points on all local fixed drives
    took 18 seconds.
    + The search for all Registry CLSIDs containing dormant Explorer Bars
    took 16 seconds.
    ---------- (total run time: 62 seconds)

  6. #6
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Hi

    I'm more concerned with that explorer.dll file and what it does than Smitfraud at this point.
    Troj/SCLog-B logs keypresses and system activities to temporary files named rerolpxe.dat and rerolpxe.le, which are also located in the Windows system folder. The Trojan periodically creates a ZIP file of the collected information and sends it to a remote user via email.
    http://www.sophos.com/virusinfo/anal...rojsclogb.html

    I suggest running Sysclean while in safe mode, then changing your email address and passwords.

    Sysclean, a standalone scanner
    Make a new folder called C:\Sysclean
    Download Sysclean from
    http://www.trendmicro.com/download/dcs.asp
    Click the sysclean.txt link to learn how to use it. Download the latest pattern file: http://www.trendmicro.com/download/pattern.asp
    lpt(xxxx).zip (AS/400, S/390, Windows)
    Unzip it to the Sysclean folder.
    Boot to Safe Mode. Scan the system with Sysclean. It will take a while, but it is very thorough. When it's done, close Sysclean and restart back to a normal session.

  7. #7
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    spy sheriff

    Lonny, I am confused, is this file on my computer somewhere?

    Troj/SCLog-B logs keypresses and system activities to temporary files named rerolpxe.dat and rerolpxe.le, which are also located in the Windows system folder. The Trojan periodically creates a ZIP file of the collected information and sends it to a remote user via email.

    Does everything else look OK, as I have stopped receiving those warning popups, but my Windows Security Alerts icon is still red?

    Thanks, nunzi

  8. #8
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Let us know what problems exist after running sysclean in safe mode please.

  9. #9
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    Default spy sheriff

    Hi Lonny,
    I have done the Sysclean scan in Safe Mode and attached the log. I am unsure if this is a problem, but I just had a small problem getting around on this site: I clicked Next Post and my Internet page said site not found; after a few attempts I retyped the site address and here I am. Would this be because I am trying to access further pages from a link to this site in my Favorites, or could it be something else?

    LOG part one

    /--------------------------------------------------------------\
    | Trend Micro Sysclean Package |
    | Copyright 2002, Trend Micro, Inc. |
    | http://www.trendmicro.com |
    \--------------------------------------------------------------/


    2005-12-20, 14:05:09, Auto-clean mode specified.
    2005-12-20, 14:05:09, Running scanner "C:\sysclean\TSC.BIN"...
    2005-12-20, 14:08:42, Scanner "C:\sysclean\TSC.BIN" has finished running.
    2005-12-20, 14:08:42, TSC Log:

    Damage Cleanup Engine (DCE) 3.9(Build 1020)
    Windows XP(Build 2600: Service Pack 2)

    Start time : Tue Dec 20 2005 14:05:09

    Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 688) [success]

    Complete time : Tue Dec 20 2005 14:08:42
    Execute pattern count(4590), Virus found count(0), Virus clean count(0), Clean failed count(0)

    2005-12-20, 14:08:56, Could not set file for reading on "C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp": Access is denied.
    2005-12-20, 14:14:13, An error occurred while scanning file "C:\Documents and Settings\LocalService\NTUSER.DAT": Access is denied.
    2005-12-20, 14:14:13, An error occurred while scanning file "C:\Documents and Settings\LocalService\ntuser.dat.LOG": Access is denied.
    2005-12-20, 14:14:13, An error occurred while scanning file "C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
    2005-12-20, 14:14:13, An error occurred while scanning file "C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
    2005-12-20, 14:14:13, An error occurred while scanning file "C:\Documents and Settings\NetworkService\NTUSER.DAT": Access is denied.
    2005-12-20, 14:14:13, An error occurred while scanning file "C:\Documents and Settings\NetworkService\ntuser.dat.LOG": Access is denied.
    2005-12-20, 14:14:13, An error occurred while scanning file "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
    2005-12-20, 14:14:13, An error occurred while scanning file "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
    2005-12-20, 14:14:13, An error occurred while scanning file "C:\Documents and Settings\Tina\NTUSER.DAT": Access is denied.
    2005-12-20, 14:14:13, An error occurred while scanning file "C:\Documents and Settings\Tina\NTUSER.DAT.LOG": Access is denied.
    2005-12-20, 14:17:09, An error occurred while scanning file "C:\Documents and Settings\Tina\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
    2005-12-20, 14:17:09, An error occurred while scanning file "C:\Documents and Settings\Tina\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
    2005-12-20, 14:22:48, An error was detected on "C:\Documents and Settings\Tina\My Documents\everything\kite\kite\special\tio.doc": The system cannot find the file specified.
    2005-12-20, 14:44:30, Could not set file for reading on "C:\RECYCLER\NPROTECT\00129860.exe": Access is denied.
    2005-12-20, 14:44:30, Could not set file for reading on "C:\RECYCLER\NPROTECT\00129862.exe": Access is denied.
    2005-12-20, 14:44:30, Could not set file for reading on "C:\RECYCLER\NPROTECT\00129863._P": Access is denied.
    2005-12-20, 14:44:52, An error was detected on "C:\System Volume Information\*.*": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\AGENTSVR.EXE-002E45AB.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\AUPDATE.EXE-2253CB60.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\AUTOUPDATER.EXE-37B623C2.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\CAPTUREDAEMON.EXE-0FF458A5.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\CINEPLAYER.EXE-216DF75E.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\CLEANMGR.EXE-1F86EA8E.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\CONTROL.EXE-013DBFB5.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\COSMICBUGS.EXE-308B6BB9.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\CPSALBUMCORE.EXE-0487CC85.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\CPSHELPRUNNER.EXE-085D357E.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\CREATOR7.EXE-04F78116.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\DEFRAG.EXE-273F131E.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\DFRGNTFS.EXE-269967DF.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\DISCCOPIER7.EXE-0C370A8B.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\DISCIMAGELOADER.EXE-0961872B.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\DIVXTODVD.EXE-171309C4.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\DRGTODSC.EXE-1737E026.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\DRGTODSC.EXE-2EA93301.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\DUMPREP.EXE-1B46F901.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\DVDBUILDER7.EXE-0D7AA66D.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\DWWIN.EXE-30875ADC.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\HELPSVC.EXE-2878DDA2.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\HOMEPAGEAPP.EXE-0827C022.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\IDRIVER.EXE-205A2558.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\IMAPI.EXE-0BF740A4.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\INSANIQUARIUM.EXE-1D5A95D2.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\KGROXIOEMC75.EXE-21743C7C.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\Layout.ini": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\LOGONUI.EXE-0AF22957.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\LUCOMS~1.EXE-02DB5950.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\MEDIAMANAGER7.EXE-38CF7959.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\MSIB4.TMP-3B10AF99.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\MSIEXEC.EXE-2F8A8CAE.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\NDETECT.EXE-16E64095.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\NOTEPAD.EXE-336351A9.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\NTVDM.EXE-1A10A423.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\OUTLOOK.EXE-27D5965C.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\REGSVR32.EXE-25EEFE2F.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\ROXIOCAPTURE7.EXE-0CC76A84.pf": Access is denied.

  10. #10
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    Default spy sheriff

    log part 2

    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-1831A4F3.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-2A94BB85.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-2CD85FD3.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-2E5AF1D7.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-451FC2C0.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\RXLABELCREATOR.EXE-2A281096.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\RXMON.EXE-06BF68E3.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\SETUP_WM.EXE-3135CBD6.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\SSFLWBOX.SCR-12F43B2F.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\TASKMGR.EXE-20256C55.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\VWHELPSERVICE7.EXE-26DE30BF.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\WINDVD.EXE-073928FB.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\WINWORD.EXE-29F5CB89.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf": Access is denied.
    2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\WMPLAYER.EXE-18DDEF9D.pf": Access is denied.
    2005-12-20, 14:52:51, Could not set file for reading on "C:\WINDOWS\Prefetch\WSCNTFY.EXE-1B24F5EB.pf": Access is denied.
    2005-12-20, 14:52:51, Could not set file for reading on "C:\WINDOWS\Prefetch\WUAUCLT.EXE-399A8E72.pf": Access is denied.
    2005-12-20, 14:52:51, Could not set file for reading on "C:\WINDOWS\Prefetch\Z12.EXE-127F50C9.pf": Access is denied.
    2005-12-20, 14:52:51, Could not set file for reading on "C:\WINDOWS\Prefetch\_IS14.TMP-00321A11.pf": Access is denied.
    2005-12-20, 14:54:42, An error occurred while scanning file "C:\WINDOWS\system32\config\default": Access is denied.
    2005-12-20, 14:54:42, An error occurred while scanning file "C:\WINDOWS\system32\config\default.LOG": Access is denied.
    2005-12-20, 14:54:42, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM": Access is denied.
    2005-12-20, 14:54:42, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM.LOG": Access is denied.
    2005-12-20, 14:54:42, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY": Access is denied.
    2005-12-20, 14:54:42, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY.LOG": Access is denied.
    2005-12-20, 14:54:42, An error occurred while scanning file "C:\WINDOWS\system32\config\software": Access is denied.
    2005-12-20, 14:54:42, An error occurred while scanning file "C:\WINDOWS\system32\config\software.LOG": Access is denied.
    2005-12-20, 14:54:42, An error occurred while scanning file "C:\WINDOWS\system32\config\system": Access is denied.
    2005-12-20, 14:54:42, An error occurred while scanning file "C:\WINDOWS\system32\config\system.LOG": Access is denied.
    2005-12-20, 14:55:45, Running scanner "C:\sysclean\VSCANTM.BIN"...
    2005-12-20, 15:26:07, Files Detected:
    Copyright (c) 1990 - 2004 Trend Micro Inc.
    Report Date : 12/20/2005 14:55:46
    VSAPI Engine Version : 7.510-1002
    VSCANTM Version : 1.1-1001
    Virus Pattern Version : 115 (116250 Patterns) (2005/12/19) (311500)
    Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\sysclean

    C:\WINDOWS\system32\explorer.dll [TSPY_SCKEYLOG.O]
    96819 files have been read.
    96819 files have been checked.
    62018 files have been scanned.
    125277 files have been scanned. (including files in archived)
    1 files containing viruses.
    Found 1 viruses totally.
    Maybe 0 viruses totally.
    Stop At : 12/20/2005 15:26:06
    ---------*---------*---------*---------*---------*---------*---------*---------*
    2005-12-20, 15:26:07, Files Clean:
    Copyright (c) 1990 - 2004 Trend Micro Inc.
    Report Date : 12/20/2005 14:55:46
    VSAPI Engine Version : 7.510-1002
    VSCANTM Version : 1.1-1001
    Virus Pattern Version : 115 (116250 Patterns) (2005/12/19) (311500)
    Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\sysclean

    Success Clean [ TSPY_SCKEYLOG.O]( 1) from C:\WINDOWS\system32\explorer.dll
    96819 files have been read.
    96819 files have been checked.
    62018 files have been scanned.
    125277 files have been scanned. (including files in archived)
    1 files containing viruses.
    Found 1 viruses totally.
    Maybe 0 viruses totally.
    Stop At : 12/20/2005 15:26:06 30 minutes 18 seconds (1818.74 seconds) has elapsed.

    ---------*---------*---------*---------*---------*---------*---------*---------*
    2005-12-20, 15:26:07, Clean Fail:
    Copyright (c) 1990 - 2004 Trend Micro Inc.
    Report Date : 12/20/2005 14:55:46
    VSAPI Engine Version : 7.510-1002
    VSCANTM Version : 1.1-1001
    Virus Pattern Version : 115 (116250 Patterns) (2005/12/19) (311500)
    Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\sysclean

    96819 files have been read.
    96819 files have been checked.
    62018 files have been scanned.
    125277 files have been scanned. (including files in archived)
    1 files containing viruses.
    Found 1 viruses totally.
    Maybe 0 viruses totally.
    Stop At : 12/20/2005 15:26:06 30 minutes 18 seconds (1818.74 seconds) has elapsed.

    ---------*---------*---------*---------*---------*---------*---------*---------*
    2005-12-20, 15:26:07, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.
    2005-12-20, 15:33:16, Running scanner "C:\sysclean\VSCANTM.BIN"...
    2005-12-20, 15:37:45, Files Detected:
    Copyright (c) 1990 - 2004 Trend Micro Inc.
    Report Date : 12/20/2005 15:33:16
    VSAPI Engine Version : 7.510-1002
    VSCANTM Version : 1.1-1001
    Virus Pattern Version : 115 (116250 Patterns) (2005/12/19) (311500)
    Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 F:\*.* /P=C:\sysclean

    10941 files have been read.
    10941 files have been checked.
    7582 files have been scanned.
    12552 files have been scanned. (including files in archived)
    0 files containing viruses.
    Found 0 viruses totally.
    Maybe 0 viruses totally.
    Stop At : 12/20/2005 15:37:45
    ---------*---------*---------*---------*---------*---------*---------*---------*
    2005-12-20, 15:37:45, Files Clean:
    Copyright (c) 1990 - 2004 Trend Micro Inc.
    Report Date : 12/20/2005 15:33:16
    VSAPI Engine Version : 7.510-1002
    VSCANTM Version : 1.1-1001
    Virus Pattern Version : 115 (116250 Patterns) (2005/12/19) (311500)
    Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 F:\*.* /P=C:\sysclean

    10941 files have been read.
    10941 files have been checked.
    7582 files have been scanned.
    12552 files have been scanned. (including files in archived)
    0 files containing viruses.
    Found 0 viruses totally.
    Maybe 0 viruses totally.
    Stop At : 12/20/2005 15:37:45 4 minutes 27 seconds (267.73 seconds) has elapsed.

    ---------*---------*---------*---------*---------*---------*---------*---------*
    2005-12-20, 15:37:45, Clean Fail:
    Copyright (c) 1990 - 2004 Trend Micro Inc.
    Report Date : 12/20/2005 15:33:16
    VSAPI Engine Version : 7.510-1002
    VSCANTM Version : 1.1-1001
    Virus Pattern Version : 115 (116250 Patterns) (2005/12/19) (311500)
    Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 F:\*.* /P=C:\sysclean

    10941 files have been read.
    10941 files have been checked.
    7582 files have been scanned.
    12552 files have been scanned. (including files in archived)
    0 files containing viruses.
    Found 0 viruses totally.
    Maybe 0 viruses totally.
    Stop At : 12/20/2005 15:37:45 4 minutes 27 seconds (267.73 seconds) has elapsed.

    ---------*---------*---------*---------*---------*---------*---------*---------*
    2005-12-20, 15:37:45, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.
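    One way to read a Sysclean log like the one Nunzi posted in posts #9 and #10, and to check it for the Troj/SCLog-B files Lonny named in post #6, as an added Python example that is not part of this thread or of Trend Micro's tool. The log text embedded in it is a constructed excerpt in the same layout as the posted log, not the real file: it deliberately adds a second detection that is never reported cleaned so the "unresolved" branch is exercised (the real log shows one detection, cleaned). The artifact file names come from the Sophos description quoted in post #6, the regular expressions are my reading of the posted format, and the Clean Fail section is not parsed because the thread never shows what an entry in it looks like; anything detected but not listed under Files Clean is treated as unresolved instead.

```python
"""Summarise a Trend Micro Sysclean log: what was detected, what was actually
cleaned, what is still unresolved, and which files the scanner could not read.
Modelled on the log posted in this thread; SAMPLE_LOG below is constructed."""
import re

# Constructed excerpt in the same layout as the posted log (not the real file).
# The second detection is intentionally left uncleaned to exercise "unresolved".
SAMPLE_LOG = r"""
2005-12-20, 14:08:56, Could not set file for reading on "C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp": Access is denied.
2005-12-20, 14:14:13, An error occurred while scanning file "C:\Documents and Settings\Tina\NTUSER.DAT": Access is denied.
2005-12-20, 14:52:50, Could not set file for reading on "C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf": Access is denied.
2005-12-20, 14:54:42, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM": Access is denied.
2005-12-20, 14:55:45, Running scanner "C:\sysclean\VSCANTM.BIN"...
2005-12-20, 15:26:07, Files Detected:
Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /ACTIVEACTION=5 C:\*.* /P=C:\sysclean

C:\WINDOWS\system32\explorer.dll [TSPY_SCKEYLOG.O]
C:\WINDOWS\system32\rerolpxe.dat [TSPY_SCKEYLOG.O]
2 files containing viruses.
---------*---------*---------*
2005-12-20, 15:26:07, Files Clean:

Success Clean [ TSPY_SCKEYLOG.O]( 1) from C:\WINDOWS\system32\explorer.dll
---------*---------*---------*
2005-12-20, 15:26:07, Clean Fail:

2 files containing viruses.
---------*---------*---------*
2005-12-20, 15:26:07, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.
"""

# Line shapes as they appear in the posted log (my reading of the format).
TS = r"^\d{4}-\d\d-\d\d, \d\d:\d\d:\d\d, "
SECTION_RE = re.compile(TS + r"(Files Detected|Files Clean|Clean Fail):$")
DENIED_RE = re.compile(TS + r'.*? "(?P<path>[^"]+)": Access is denied\.$')
DETECT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \[(?P<name>[^\]]+)\]$")
CLEAN_RE = re.compile(
    r"^Success Clean \[\s*(?P<name>[^\]]+?)\s*\]\(\s*\d+\) from (?P<path>[A-Za-z]:\\.+)$")


def parse_sysclean_log(text):
    """Return detected, cleaned and unresolved {path: threat} maps plus the list
    of paths the scanner reported as 'Access is denied'."""
    section = None
    detected, cleaned, denied = {}, {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)      # entering a VSCANTM report block
            continue
        if line.startswith("---------*"):
            section = None            # the separator closes the block
            continue
        m = DENIED_RE.match(line)
        if m:
            denied.append(m.group("path"))
            continue
        if section == "Files Detected":
            m = DETECT_RE.match(line)
            if m:
                detected[m.group("path")] = m.group("name")
        elif section == "Files Clean":
            m = CLEAN_RE.match(line)
            if m:
                cleaned[m.group("path")] = m.group("name")
    # Clean Fail entries are not parsed (the thread shows none, so their layout
    # is unknown); anything detected but never reported cleaned is unresolved.
    unresolved = {p: n for p, n in detected.items() if p not in cleaned}
    return {"detected": detected, "cleaned": cleaned,
            "unresolved": unresolved, "denied": denied}


USER_HIVES = {"ntuser.dat", "usrclass.dat"}
SYSTEM_HIVES = {"sam", "security", "system", "software", "default"}


def classify_denied(paths):
    """Split access-denied paths into registry hives, which Windows holds open
    while it runs (Safe Mode included, so that error is expected), and the
    rest, which the scanner skipped and therefore never actually inspected."""
    hives, other = [], []
    for path in paths:
        name = path.rsplit("\\", 1)[-1].lower()
        if name.endswith(".log"):
            name = name[:-4]          # SAM.LOG, NTUSER.DAT.LOG are hive logs
        is_hive = name in USER_HIVES or (
            "\\config\\" in path.lower() and name in SYSTEM_HIVES)
        (hives if is_hive else other).append(path)
    return hives, other


# File names from the Sophos Troj/SCLog-B description quoted in post #6.
SCLOG_ARTIFACTS = {"explorer.dll", "rerolpxe.dat", "rerolpxe.le"}


def sclog_artifacts_seen(report):
    """Sorted basenames among the detections that match Troj/SCLog-B's files."""
    names = {p.rsplit("\\", 1)[-1].lower() for p in report["detected"]}
    return sorted(names & SCLOG_ARTIFACTS)


if __name__ == "__main__":
    report = parse_sysclean_log(SAMPLE_LOG)
    for label in ("detected", "cleaned", "unresolved"):
        for path, threat in report[label].items():
            print(f"{label:10} {threat:18} {path}")
    hives, other = classify_denied(report["denied"])
    print(f"unreadable: {len(hives)} locked hive(s) (expected), "
          f"{len(other)} other file(s) never scanned")
    print("SCLog artifacts among detections:", sclog_artifacts_seen(report))
```

    Run it against a saved log by reading the file into `parse_sysclean_log` instead of `SAMPLE_LOG`. The point of the `unresolved` and `other` lists is the caveat in post #6: a scanner that reports "Success Clean" on explorer.dll has removed that file, but it says nothing about files it could not open, so the Prefetch and NPROTECT entries it skipped still need a look with a tool that can read them, and the keylogger's collected data may already have left the machine, which is why Lonny also advised changing passwords.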
