Can't remove Trojan Generic9.AJIM

DSS main.txt

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-02-05 14:31:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
53: 2008-02-05 22:31:14 UTC - RP212 - Deckard's System Scanner Restore Point
52: 2008-02-05 22:15:03 UTC - RP211 - ComboFix created restore point
51: 2008-02-05 18:15:19 UTC - RP210 - System Checkpoint
50: 2008-02-04 17:58:08 UTC - RP209 - ComboFix created restore point
49: 2008-02-04 13:10:22 UTC - RP208 - System Checkpoint


-- First Restore Point --
1: 2008-01-08 20:06:55 UTC - RP160 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:33:25 PM, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\AOL\1133668973\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SynTPStart] "C:\Program Files\Synaptics\SynTP\SynTPStart.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1133668973\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://c:\program files\common files\aolcoach\en_en\player\plugin\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} - http://www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146596725093
O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - http://www.networksolutionsemailpopwizard.com/TrueSwitchEC.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = feddema.local
O17 - HKLM\Software\..\Telephony: DomainName = feddema.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = feddema.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = feddema.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = feddema.local
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 8692 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>

S1 eabfiltr - c:\windows\system32\drivers\eabfiltr.sys (file missing)
S3 btaudio (Bluetooth Audio Device) - c:\windows\system32\drivers\btaudio.sys (file missing)
S3 BTDriver (Bluetooth Virtual Communications Driver) - c:\windows\system32\drivers\btport.sys (file missing)
S3 BTWDNDIS (Bluetooth LAN Access Server) - c:\windows\system32\drivers\btwdndis.sys (file missing)
S3 btwhid - c:\windows\system32\drivers\btwhid.sys (file missing)
S3 BTWUSB (WIDCOMM USB Bluetooth Driver) - c:\windows\system32\drivers\btwusb.sys (file missing)
S3 catchme - c:\docume~1\admini~1\locals~1\temp\catchme.sys (file missing)
S3 FTDIBUS (USB Serial Converter Driver) - c:\windows\system32\drivers\ftdibus.sys (file missing)
S3 FTSER2K (USB Serial Port Driver) - c:\windows\system32\drivers\ftser2k.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

S3 hpqwmi (HP WMI Interface) - c:\program files\hpq\shared\hpqwmi.exe <Not Verified; Hewlett-Packard Development Company, L.P.; hpqwmi Module>
S3 UPS (Uninterruptible Power Supply) - c:\windows\system32\ups.exe (file missing)
S4 PcCtlCom (Trend Micro Central Control Component) - c:\progra~1\trendm~1\intern~1\pcctlcom.exe (file missing)
S4 PcScnSrv (Trend Micro Protection Against Spyware ) - "c:\progra~1\trendm~1\intern~1\pcscnsrv.exe" (file missing)
S4 Tmntsrv (Trend Micro Real-time Service) - c:\progra~1\trendm~1\intern~1\tmntsrv.exe (file missing)
S4 TmPfw (Trend Micro Personal Firewall) - c:\progra~1\trendm~1\intern~1\tmpfw.exe (file missing)
S4 tmproxy (Trend Micro Proxy Service) - c:\progra~1\trendm~1\intern~1\tmproxy.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom 802.11b/g WLAN
Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_1355103C&REV_02\4&5A988DE&0&18F0
Manufacturer: Broadcom
Name: Broadcom 802.11b/g WLAN
PNP Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_1355103C&REV_02\4&5A988DE&0&18F0
Service: BCM43XX


-- Scheduled Tasks -------------------------------------------------------------

2008-01-31 18:45:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-01-20 07:00:28 2028 --a------ C:\WINDOWS\Tasks\wrSpySweeper20060502143530.job


-- Files created between 2008-01-05 and 2008-02-05 -----------------------------

2008-02-04 09:49:17 0 dr-hs---- C:\cmdcons
2008-02-04 09:49:15 0 d-------- C:\WINDOWS\setup.pss
2008-02-04 09:49:05 0 d-------- C:\WINDOWS\setupupd
2008-01-30 10:30:36 0 d-------- C:\Program Files\CCleaner
2008-01-23 03:48:34 0 d-------- C:\Program Files\Lavasoft
2008-01-23 03:48:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-23 03:47:57 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-22 16:30:50 0 d-------- C:\Program Files\Trend Micro
2008-01-21 09:41:12 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-20 06:04:24 0 d-------- C:\Program Files\WinHex
2008-01-19 14:36:51 0 dr-h----- C:\$VAULT$.AVG
2008-01-19 13:41:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-01-19 13:41:21 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-19 13:40:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-18 12:12:52 0 d-------- C:\Program Files\jv16 PowerTools 2007
2008-01-13 13:59:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-11 00:14:21 0 d-------- C:\Program Files\Windows Installer Clean Up
2008-01-11 00:13:31 0 d-------- C:\Program Files\MSECACHE
2008-01-09 15:22:01 0 d-------- C:\Program Files\WinASO
2008-01-09 13:29:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-09 12:55:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\WinPatrol
2008-01-09 12:55:19 0 d-------- C:\Program Files\BillP Studios
2008-01-09 11:51:25 0 d-------- C:\WINDOWS\pss
2008-01-08 12:10:23 0 d--h----- C:\Documents and Settings\LocalService\SendTo
2008-01-08 12:06:42 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-01-08 12:06:42 0 dr-h----- C:\Documents and Settings\LocalService\Recent
2008-01-07 16:24:42 5505024 --a------ C:\Documents and Settings\Administrator\ntuser.dat
2008-01-07 13:51:27 1291662 --a------ C:\Install
2008-01-06 03:14:44 10752 --a------ C:\WINDOWS\DCEBoot.exe


-- Find3M Report ---------------------------------------------------------------

2008-01-30 10:12:22 0 d-------- C:\Program Files\Java
2008-01-23 03:47:57 0 d-------- C:\Program Files\Common Files
2008-01-09 15:59:08 0 d-------- C:\Program Files\Online Services
2008-01-09 14:53:12 188 --a------ C:\CMDR950I.DAT
2008-01-07 12:45:03 0 d-------- C:\Program Files\Nxdfiedj
2008-01-07 10:59:55 0 d-------- C:\Program Files\America Online 9.0
2008-01-07 10:27:58 0 d-------- C:\Program Files\Common Files\AOL
2008-01-07 09:51:54 0 d-------- C:\Program Files\Microsoft IntelliPoint
2008-01-07 09:51:53 0 d-------- C:\Program Files\Microsoft IntelliType Pro
2007-12-18 21:54:40 0 d-------- C:\Program Files\Yahoo!
2007-12-18 21:54:40 0 d-------- C:\Program Files\Pure Networks
2007-12-18 21:40:06 0 d-------- C:\Documents and Settings\Administrator\Application Data\GTek
2007-12-18 21:23:12 0 d-------- C:\Program Files\MSBuild
2007-12-18 21:15:56 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-18 21:14:56 0 d-------- C:\Program Files\Reference Assemblies
2007-12-18 21:05:56 0 d-------- C:\Program Files\Three Rings Design
2007-12-18 20:57:37 0 d-------- C:\Program Files\HPQ
2007-12-18 20:55:27 0 d-------- C:\Program Files\R4 Controller
2007-12-18 20:52:00 0 d-------- C:\Program Files\MSXML 6.0
2007-12-18 19:29:07 0 d-------- C:\Program Files\MSD
2007-12-18 19:28:40 0 d-------- C:\Program Files\Maxthon
2007-12-18 19:12:22 0 d-------- C:\Program Files\Google
2007-12-18 19:08:35 0 d-------- C:\Program Files\HandyBits
2007-12-18 19:06:34 0 d-------- C:\Program Files\AOL Deskbar
2007-12-17 17:51:42 0 --a------ C:\127924536
2007-11-14 08:55:01 164 --a------ C:\install.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [02/02/2005 04:12 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [09/15/2007 02:27 AM]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [10/14/2004 12:54 PM]
"Lexmark 4200 Series"="C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe" [01/16/2004 02:04 AM]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [06/03/2004 12:51 AM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [06/03/2004 12:50 AM]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [09/15/2007 02:29 AM]
"HostManager"="C:\Program Files\Common Files\AOL\1133668973\ee\AOLSoftware.exe" [09/25/2006 04:52 PM]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [10/26/2007 08:06 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [12/14/2007 03:42 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [01/19/2008 01:40 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/09/2004 06:00 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 07:05 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"




-- End of Deckard's System Scanner: finished at 2008-02-05 14:34:08 ------------
 
DSS extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 3.00GHz
CPU 1: Intel(R) Pentium(R) 4 CPU 3.00GHz
Percentage of Memory in Use: 70%
Physical Memory (total/avail): 510.48 MiB / 150.06 MiB
Pagefile Memory (total/avail): 1245.2 MiB / 921.97 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1937.6 MiB

C: is Fixed (NTFS) - 74.53 GiB total, 51.83 GiB free.
D: is CDROM (No Media)
F: is Removable (FAT)

\\.\PHYSICALDRIVE0 - TOSHIBA MK8026GAX - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.53 GiB - C:

\\.\PHYSICALDRIVE1 - USB Device - 972.69 MiB - 1 partition
\PARTITION0 (bootable) - MS-DOS V4 Huge - 976.47 MiB - F:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
UpdatesDisableNotify is set.

FW: Trend Micro PC-cillin Internet Security (Firewall) v15 (Trend Micro, Inc.) Disabled
AV: AVG 7.5.516 v7.5.516 (Grisoft)
AV: Trend Micro PC-cillin Internet Security 2007 v15.30.1239 (Trend Micro, Inc.) Disabled Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PAVILION
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\PAVILION
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;c:\web_dev\imagemagick;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\TortoiseCVS;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Common Files\AOL\System Information
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0403
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=PAVILION
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS
__COMPAT_LAYER=DisableNXShowUI


-- User Profiles ---------------------------------------------------------------

Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------



-- Application Event Log -------------------------------------------------------

Event Record #/Type93 / Error
Event Submitted/Written: 02/04/2008 10:10:12 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application lsburnwatcher.exe, version 4.10.14.0, faulting module , version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [lsburnwatcher.exe!ws!]

Event Record #/Type87 / Warning
Event Submitted/Written: 02/04/2008 10:03:34 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type80 / Warning
Event Submitted/Written: 02/03/2008 03:15:40 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type58 / Warning
Event Submitted/Written: 01/29/2008 00:18:16 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type44 / Warning
Event Submitted/Written: 01/24/2008 01:27:40 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type22459 / Warning
Event Submitted/Written: 02/04/2008 09:38:59 PM
Event ID/Source: 11165 / DnsApi
Event Description:
The system failed to register host (A) resource records (RRs) for
network adapter
with settings:


Adapter Name : {CD69B4F5-DB67-41A5-B134-5279BE8FCEE7}

Host Name : pavilion

Primary Domain Suffix : feddema.local

DNS server list :

68.87.69.146, 68.87.85.98

Sent update to server : <?>

IP Address(es) :

192.168.1.101


The reason the system could not register these RRs was because the
DNS server contacted refused the update request. The reasons for this
might be (a) you are not allowed to update the specified DNS domain name,
or (b) because the DNS server authoritative for this name does not support
the DNS dynamic update protocol.


To register the DNS host (A) resource records using the specific DNS
domain name and IP addresses for this adapter, contact your DNS server
or network systems administrator.

Event Record #/Type22436 / Warning
Event Submitted/Written: 02/04/2008 09:00:19 PM
Event ID/Source: 11165 / DnsApi
Event Description:
The system failed to register host (A) resource records (RRs) for
network adapter
with settings:


Adapter Name : {CD69B4F5-DB67-41A5-B134-5279BE8FCEE7}

Host Name : pavilion

Primary Domain Suffix : feddema.local

DNS server list :

68.87.69.146, 68.87.85.98

Sent update to server : <?>

IP Address(es) :

192.168.1.101


The reason the system could not register these RRs was because the
DNS server contacted refused the update request. The reasons for this
might be (a) you are not allowed to update the specified DNS domain name,
or (b) because the DNS server authoritative for this name does not support
the DNS dynamic update protocol.


To register the DNS host (A) resource records using the specific DNS
domain name and IP addresses for this adapter, contact your DNS server
or network systems administrator.

Event Record #/Type22422 / Warning
Event Submitted/Written: 02/04/2008 10:21:40 AM
Event ID/Source: 11165 / DnsApi
Event Description:
The system failed to register host (A) resource records (RRs) for
network adapter
with settings:


Adapter Name : {CD69B4F5-DB67-41A5-B134-5279BE8FCEE7}

Host Name : pavilion

Primary Domain Suffix : feddema.local

DNS server list :

68.87.69.146, 68.87.85.98

Sent update to server : <?>

IP Address(es) :

192.168.1.101


The reason the system could not register these RRs was because the
DNS server contacted refused the update request. The reasons for this
might be (a) you are not allowed to update the specified DNS domain name,
or (b) because the DNS server authoritative for this name does not support
the DNS dynamic update protocol.


To register the DNS host (A) resource records using the specific DNS
domain name and IP addresses for this adapter, contact your DNS server
or network systems administrator.

Event Record #/Type22403 / Error
Event Submitted/Written: 02/04/2008 10:02:29 AM
Event ID/Source: 11 / PlugPlayManager
Event Description:
The device Root\LEGACY_BWQECBQE\0000 disappeared from the system without first being prepared for removal.

Event Record #/Type22402 / Error
Event Submitted/Written: 02/04/2008 10:02:28 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The combofix service failed to start due to the following error:
%%1053



-- End of Deckard's System Scanner: finished at 2008-02-05 14:34:08 ------------
 
Well, that doesn't show much that would be causing trouble ???
Are you using IE for all these scans?
Check that ActiveX is allowed.


Let's try this

Run Panda Online Scan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
Run Panda's ActiveScan from here and perform a full system scan.
- Once you are on the Panda site click the "Scan your PC" button
- A new window will open...click the big "Check Now" button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
- Click on "Local Disks" to start the scan
- Save the log file to your desktop
Please post the log in your reply
 
Yes, using IE7, ActiveX = Enabled, Security = Medium

I verified the IE7 > Tools > Internet Options > Security > Custom Level settings do allow ActiveX controls (and even Scriptlets) to run without prompting.

I will run the Panda process and report back.
 
The Panda process failed

From the Panda site you gave me in the link, the procedure you outlined in your instructions was not strictly followed by the website. There was an attempt to d/l and install an ActiveX control, and I allowed it. The process failed with an error message stating the following:

"Error on downloading ActiveScan. An error has occurred downloading Panda ActiveScan. Please repeat the process. If the error occurs again, restart your system and try again. Possible causes of this error are:

Not allowing the application's ActiveX control to be downloaded.

Problems with the Internet connection.

The error could be due to a download error or an installation error due to lack of hard disk space, privileges etc.,... "

There is no antivirus or antispyware running.
WinPatrol is not running. The Windows XP SP2 Firewall is the only firewall that is running. All TrendMicro products have been uninstalled but some persistent remnants exist in the Registry and there are two Run links (that don't work) in the Windows Security Center.

This machine was previously used by a 14-year-old male with Asperger's Syndrome (a savant with a talent for getting in trouble with computers), and the machine came to me from his grandfather asking for help after the machine became mostly unusable with multiple malware infections, most of which I removed before coming to your group for the last piece of help needed.

I needed to ask for your help for the persistent malware file, adsld.dll and its unidentified tag-team of friends.

There are a lot of quirks in this machine, which has suffered from many installs and uninstalls of all kinds of security products, and this is obvious from inspecting the Registry. Before I came to this forum, I had used WINASO v2.7, a fairly reliable registry cleaner. But, like all registry cleaners, there are a lot of things they don't check for.

I feel like we are 'almost home' with this problem machine, but this quirky ActiveX problem is just strange, since the settings seem to be correct.

So now I am going to follow the instructions in the error message and restart the system and try again. More to follow later when the results after the restart are known.
 
Hard Disk C: has 51.8 GB Free

In answer to the error message received from the failed Panda process, the following is noted:

There is ample space on the hard disk. There is nothing wrong with the internet connection (Comcast Broadband, my LAN). I am logged on to Windows XP as the built-in Administrator user account.

Privileges might be an issue, since I noticed previously, and reported it here, that AdAware found three Registry entries that could not be edited or deleted. Those registry keys (reported previously on maybe page 1 of this thread) had Permissions set to "Special Permissions" for the built-in Administrator user account.

Maybe this is nothing, but I found it curious that the SYSTEM user account and members of the Local Administrators Group have Full Control; but the built-in Administrator user account only has "Special Permissions".

Here again is what I wrote from that previous entry:

Adaware 2007 with the latest updates finds three registry entries that can't be handled by either quarantine or removal. After exporting them to a .reg file, attempted manual removal using regedit also fails (Access Denied) even when IE7 is closed (logged in normally to the built-in Administrator user account). The three suspicious keys reported by Adaware 2007 that can't be modified or deleted are:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu

In checking the Permissions for this Hive and Key, the only entities that have Full Control are SYSTEM and the local Administrators Group on the local machine. Everyone else (including CREATOR-OWNER) has Read Permission and Special Permissions. But the built-in Administrator user account has an entry showing its permissions set to "Special Permissions" even though this user account is a member of the local Administrators Group. This probably explains why the keys can't be accessed or modified (the most restrictive permissions apply).
 
Those three Registry Keys are no longer present.

Regedit shows that the three subkeys previously mentioned no longer exist. Neither does the parent key. One or another of the tools we have used must have taken them out.
 
Well it certainly seems to be messed up somewhere :sick:

These permissions issues may cause trouble in the future, so it is up to you if you want to try and sort them now.

I can see two options to try at the moment.
1) reinstall/repair IE
2) Create a new user account with Admin rights and see if the scans will work from that account.
 
Let's try the easy way first.

It is much easier to just create a new user account as a member of the local Administrator's Group than it is to repair/reinstall IE7. So I will try that easier attack first and then see if we can install ActiveX controls and run Kaspersky or Panda. If that fails too, then we can try doing it the harder way. I will try the easy way first and report back to you.
 
Successful Kaspersky Online Scan

I used a different (previously created but never used) user account with Administrator privileges and was successful in downloading, installing, and updating the Kaspersky Online Scanner. The scan proceeded normally and produced a log file that is appended below. This happy result makes it appear to me that the built-in Administrator user account is damaged in some unidentified way that interferes with ActiveX controls. This different user account suffered no such problems.

Here below is the Kaspersky log.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, February 06, 2008 12:31:03 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/02/2008
Kaspersky Anti-Virus database records: 550947
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
F:\

Scan Statistics:
Total number of scanned objects: 62220
Number of viruses found: 16
Number of infected objects: 32
Number of suspicious objects: 0
Duration of the scan process: 01:18:06

Infected Object Name / Virus Name / Last Action
C:\60df39ba65287d8504\%temp%dd_msxml_retMSI.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstderr.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstdout.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aoltsmon.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\cache.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\server.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_ac629541-b47f-414b-a05a-c1f555477fe4 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Robert N. Browning\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Robert N. Browning\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Robert N. Browning\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Robert N. Browning\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Robert N. Browning\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Robert N. Browning\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Robert N. Browning\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Robert N. Browning\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Robert N. Browning\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Robert N. Browning\ntuser.dat.LOG Object is locked skipped
C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
C:\QooBox\Quarantine\C\Documents and Settings\Administrator\My Documents\maps.exe.vir/stream/data0008 Infected: not-a-virus:AdWare.Win32.Comet.ay skipped
C:\QooBox\Quarantine\C\Documents and Settings\Administrator\My Documents\maps.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Comet.ay skipped
C:\QooBox\Quarantine\C\Documents and Settings\Administrator\My Documents\maps.exe.vir NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\fcoaugqg.dat.vir Object is locked skipped
C:\QooBox\Quarantine\catchme2008-02-04_100654.04.zip/fcoaugqg.dat Infected: Rootkit.Win32.Agent.tw skipped
C:\QooBox\Quarantine\catchme2008-02-04_100654.04.zip/fcoaugqg.dat.1 Infected: Rootkit.Win32.Agent.tw skipped
C:\QooBox\Quarantine\catchme2008-02-04_100654.04.zip/adsld.dll Infected: Trojan.Win32.BHO.agz skipped
C:\QooBox\Quarantine\catchme2008-02-04_100654.04.zip ZIP: infected - 3 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\tracking.log Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP164\A0032884.exe Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP167\A0033959.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cll skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP168\A0035040.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP168\A0035042.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.gn skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP168\A0035042.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP168\A0035045.exe Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP168\A0035051.exe Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP169\A0036023.dll Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP169\A0036024.dll Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP171\A0039164.exe Infected: not-a-virus:FraudTool.Win32.RegCleanFix.a skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041651.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cll skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041653.dll Infected: Trojan.Win32.Obfuscated.mi skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041654.dll Infected: Trojan.Win32.Obfuscated.mi skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041655.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cll skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041659.exe Infected: Trojan-Spy.Win32.BZub.buz skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041660.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cll skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041661.dll Infected: Trojan.Win32.Obfuscated.mi skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041662.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.v skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041663.dll Infected: Trojan.Win32.Obfuscated.lf skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041664.exe Infected: not-virus:Hoax.Win32.Renos.apg skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041665.exe Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041666.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cll skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP181\A0042335.sys Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP182\A0042343.exe Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP182\A0042344.dll Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP182\A0042345.dll Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP182\A0042346.exe Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP182\A0042347.exe Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP182\A0042348.dll Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP212\change.log Object is locked skipped
C:\VNC\vnc-4_1_1-x86_win32.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
C:\VNC\vnc-4_1_1-x86_win32.exe/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\VNC\vnc-4_1_1-x86_win32.exe Inno: infected - 2 skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{FE150C09-67CE-4BC1-A7E3-F64C4CBFE62B}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\Security\Spyware\Removal\EClea2_0.exe Infected: not-a-virus:FraudTool.Win32.ErrorDoctor.b skipped

Scan process completed.
 
I would consider moving all the files you want over to this other admin account and deleting the original one.
We have no way of knowing what else has been done with the permissions to it.

After all that the only thing it found was F:\Security\Spyware\Removal\EClea2_0.exe. This will need deleting.

Congratulations, your logs look clean :bigthumb:

Let's see if I can help you keep it that way

First let's tidy up :)

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
You can also delete any logs we have produced, and empty your Recycle bin.

The following is some info to help you stay safe and clean.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.nanoscan.com
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html

AntiSpyware

  • AntiSpyware is not the same thing as Antivirus.
    Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
    You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
    Most of the programs in this list have free and paid versions;
    it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
  • Spybot - Search & Destroy <<< A must have program
    • It includes host protection and registry protection
    • A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
  • MalwareBytes Anti-malware <<< A New and effective program
  • a-squared Free <<< A good "realtime" or "on demand" scanner
  • AVG Anti-Spyware 7.5 <<< A good "on demand" scanner
  • superantispyware <<< A good "realtime" or "on demand" scanner

Prevention

  • These programs don't detect malware, they help stop it getting on your machine in the first place.
    Each does a different job, so you can have more than one
  • Winpatrol
    • An excellent startup manager and then some !!
    • Notifies you if programs are added to startup
    • Allows delayed startup
    • A must have addition
  • SpywareBlaster 3.5.1
    • SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
  • SpywareGuard 2.2
    • SpywareGuard provides real-time protection against spyware.
    • Not required if you have other "realtime" antispyware or Winpatrol
  • ZonedOut
    • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
  • MVPS HOSTS
    • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
    • For information on how to download and install, please read this tutorial by WinHelp2002.
    • Not required if you are using other host file protections

Internet Browsers

  • Microsoft has worked hard to make IE7 a more secure browser; unfortunately, while it is still the leading browser of choice, it will always be under attack from the bad guys.
    Using a different web browser can help stop malware getting on your machine.
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialise and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
    If you are still using IE6 then either update, or get one of the following.
    • FireFox
      • With many addons available that make customization easy this is a very popular choice
      • NoScript and AdBlockPlus addons are essential
    • Opera
      • Another popular alternative
    • Netscape
      • Another popular alternative
      • Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies

  • Temporary Internet Files are mainly the files that are downloaded when you open a web page.
    Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
    It is a good idea to empty the Temporary Internet Files folder on a regular basis.

    Tracking Cookies are files that websites use to monitor which sites you visit and how often.
    A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
    CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

    Both of these can be cleaned manually, but a quicker option is to use a program
  • ATF Cleaner
    • Free and very simple to use
  • CCleaner
    • Free and very flexible, you can choose which cookies to keep


Also PLEASE read this article.......So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'
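As an added example (not part of the thread), the PowerShell script below audits the Internet zone (zone 3) registry values against the six Custom Level settings recommended above and reports anything weaker. The numeric value names (1001, 1004, 1201, 1800, 1804, 1607) and the 0/1/3 = Enable/Prompt/Disable codes are how Internet Explorer stores the Security tab; the post itself only gives the UI labels. Function names are mine.

```powershell
# Added example, not part of the thread: compare the per-user Internet zone values
# with the Custom Level settings recommended in the post. Per-user settings live
# under HKCU; if Security_HKLM_only is set under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, the HKLM
# Zones\3 key applies instead, so pass that path to the function in that case.

$InternetZone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Registry value name, UI label, recommended code (1 = Prompt, 3 = Disable).
$Recommended = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Want = 1 },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Want = 3 },
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 },
    @{ Id = '1800'; Name = 'Installation of desktop items';                             Want = 1 },
    @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME';                 Want = 1 },
    @{ Id = '1607'; Name = 'Navigate sub-frames across different domains';              Want = 1 }
)

function Get-ZoneValueMeaning {
    param($Value)
    switch ([int]$Value) {
        0       { 'Enable' }
        1       { 'Prompt' }
        3       { 'Disable' }
        default { 'unknown' }
    }
}

function Test-InternetZoneHardening {
    param([string]$ZonePath = $InternetZone)

    $zone = Get-ItemProperty -LiteralPath $ZonePath -ErrorAction SilentlyContinue
    foreach ($s in $Recommended) {
        $current = $null
        if ($zone -ne $null) { $current = $zone.($s.Id) }

        if ($current -eq $null) {
            # No per-user value: IE falls back to the zone template, so the
            # registry alone cannot confirm the hardened choice.
            $status = 'NOT SET - verify in the UI'
            $shown  = '(not set)'
        } else {
            $cur = [int]$current
            # Codes are ordered Enable (0) < Prompt (1) < Disable (3); a stricter
            # setting than recommended is accepted as OK.
            $ok     = ((0, 1, 3) -contains $cur) -and ($cur -ge $s.Want)
            $status = if ($ok) { 'OK' } else { 'WEAKER than recommended' }
            $shown  = "$cur ($(Get-ZoneValueMeaning $cur))"
        }

        New-Object PSObject -Property @{
            Setting  = $s.Name
            Value    = $s.Id
            Current  = $shown
            Expected = "$($s.Want) ($(Get-ZoneValueMeaning $s.Want))"
            Status   = $status
        }
    }
}

Test-InternetZoneHardening | Format-Table Setting, Value, Current, Expected, Status -AutoSize
```

Run it as the user whose browser you hardened; each Windows account has its own HKCU zone settings, which is also why the scans behaved differently under the two accounts discussed earlier in the thread.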
 
The infected user account can't be deleted.

The user account that has the problem with ActiveX controls is the built-in Administrator user account that comes standard with the XP operating system. That account cannot be deleted. But some files can indeed be moved to the alternate user account, and this will be done.
 
Everything looks good now.

The machine seems to be clean now and is working as it should. I want to thank you very much for your able assistance. I would also like to make a modest donation to help support the work of the forum. If you can pass me a link where I can do that, I will be pleased to do so.

Lastly, your work with me has inspired me to want to study the curriculum at the MRU. I feel like I have a good technical understanding that goes well beyond an ordinary user, and it would be good to give something back and to enhance and apply my skills in this ongoing worldwide battle against the malware authors. I would be grateful to hear your remarks about your own experience in the MRU, for example how difficult is the curriculum and how long does it take to become qualified?

Yes, this thread can now be archived. Please tell me how to find the archives so I can research some other cases and learn that way too. Thanks again.

Howard Leighty, Vancouver, Washington USA GMT-8
 
We are always grateful for donations; they help keep this service available for everybody's benefit.
http://www.spybot.info/en/donate/index.html
On behalf of myself and the rest of the staff,
Thank you very much !!!


As for wanting to learn, and join the fight, that is far more valuable to us :bigthumb:

I can honestly say that my experience at MRU and all the other forums where I help was/is fantastic !!
You will meet a bunch of people who are more than willing to share their knowledge. And believe me some have an awful lot to share !
The teachers are very patient and helpful, and will guide you through the test logs.
Asking questions is expected, and their motto is,
"The only stupid question is the one you don't ask"
So don't be shy.
How long it takes is entirely up to you, there is no time limit on how fast you go.

Be prepared though, the work is not all easy !
Malware is by its nature a tricky beast to deal with, and it is getting harder every day.

Now, having just said that it is not easy, be prepared to laugh a lot :laugh:
The antimalware community is made up of people who do this because we ENJOY IT !!! and we generally have fun.

Most forums have an archive section for the completed threads, and you will soon learn how to find them.
The Spybot one is here:-
http://forums.spybot.info/forumdisplay.php?f=23

If you have any other questions, just ask :cool:

I hope to see you enrolled soon :bigthumb::bigthumb:

Edit:- just a tip, but don't use a screen name that can be traced to you when you enroll.
The bad boys have been known to cause hassle.
 
Thanks again and Bye for now.

Katana:

Thanks for your remarks and for the tip about a screen name. I will be exploring the MRU forums and, since the main computer I have could possibly have some unknown malware, I know that MRU wants me to make sure my own computer is clean first before enrolling. So I will probably start a new thread over there for getting my own box certified as clean, even though I have no symptoms that I am aware of. I'm a little different in that I run Windows 2000 Professional SP4 (great O/S).

Thanks again for all you do.
I'm going to enroll in MRU and get edjumicated.

Howard Leighty, Vancouver, WA USA UTC-8
 