Problems with System Popups and IE toolbar.

itisonlyatest

I have some video codec virus thingy, and Spybot said it removed it, but I'm still getting pop-ups, etc.

I am running Windows Vista. I had a Protection Center toolbar in IE, but I disabled it; it still won't let me delete it though.

eTrust Antivirus Web Scanner
No Infections

HiJackThis Log
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:19:00 PM, on 5/15/2007
Platform: Windows Vista (WinNT 6.00.1904)
Boot mode: Normal

Running processes:
V:\Windows\system32\taskeng.exe
V:\Windows\system32\Dwm.exe
V:\Windows\Explorer.EXE
V:\Program Files\Video ActiveX Access\iesmn.exe
V:\Program Files\Analog Devices\Core\smax4pnp.exe
V:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
V:\Program Files\iTunes\iTunesHelper.exe
V:\Program Files\Internet Explorer\iexplore.exe
V:\Program Files\Common Files\Symantec Shared\ccApp.exe
V:\Windows\System32\wpcumi.exe
V:\Windows\ehome\ehtray.exe
V:\Program Files\Windows Media Player\wmpnscfg.exe
V:\Program Files\Video ActiveX Access\iesmin.exe
V:\Windows\ehome\ehmsas.exe
V:\Program Files\Brother\ControlCenter3\brccMCtl.exe
V:\Program Files\Windows NT\Accessories\WORDPAD.EXE
V:\Windows\system32\SearchFilterHost.exe
V:\Users\Chris\Downloads\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - V:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - V:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - V:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: InlineSearchHandleHotKey - {B6FFE2AE-4D12-451F-B457-FE6125FFB1CF} - V:\Program Files\IEForge\Inline Search\InlineSearch.dll
O2 - BHO: (no name) - {B8C5186E-EC37-4889-9C2E-F73649FFB7BB} - V:\Program Files\Video ActiveX Access\iesplg.dll
O3 - Toolbar: Protection Bar - {31615D5C-5126-448A-818A-A7CDFEE85A9B} - V:\Program Files\Video ActiveX Access\iesbpl.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SoundMAXPnP] V:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "V:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [iTunesHelper] "V:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "V:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BrMfcWnd] V:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] V:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [WPCUMI] V:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [QuickTime Task] "V:\Program Files\VistaCodecPack\QT\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ehTray.exe] V:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] V:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] V:\Program Files\Video ActiveX Access\iesmn.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://V:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - V:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - V:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - V:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/ActiveX/VMRCActiveXClient1.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - V:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - V:\Windows\system32\browseui.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - V:\Windows\System32\DreamScene.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - V:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - V:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - V:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - V:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - V:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - V:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 8048 bytes
 
Hi itisonlyatest

I'm pretty sure that Smitfraudfix won't work in Vista, but let's test it:

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.
 
Hi

Yes, that was expectable

Then we do this:

Please print these instructions because while in safe mode you can't read this forum.

Boot in safe mode, see here

Uninstall via add/remove programs if present:

Video ActiveX Access

Open HijackThis, click "Do a system scan only" and checkmark these:

O2 - BHO: (no name) - {B8C5186E-EC37-4889-9C2E-F73649FFB7BB} - V:\Program Files\Video ActiveX Access\iesplg.dll
O3 - Toolbar: Protection Bar - {31615D5C-5126-448A-818A-A7CDFEE85A9B} - V:\Program Files\Video ActiveX Access\iesbpl.dll
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] V:\Program Files\Video ActiveX Access\iesmn.exe


Close all windows including browser and press fix checked

Delete if present:

V:\Program Files\Video ActiveX Access

Empty Recycle Bin

Reboot

Post a fresh HijackThis log.
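
An added example, not part of the original posts: a small Python check that compares a HijackThis log saved before the fix with one saved after it and confirms that nothing still references the removed folder. The two sample logs are shortened excerpts of the logs posted in this thread; the function names are hypothetical.

```python
import re

# HijackThis item lines start with a section code such as R0, O2, O4 or O23.
ITEM_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Lines in the "Running processes" block are bare absolute paths.
PROC_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)


def parse_hjt(text):
    """Split a HijackThis log into (running processes, item entries)."""
    processes, items = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        m = ITEM_RE.match(line)
        if m:
            in_procs = False
            items.append((m.group("code"), m.group("body")))
        elif in_procs and PROC_RE.match(line):
            processes.append(line)
    return processes, items


def references(fragment, processes, items):
    """Return every process or item whose text mentions the path fragment.

    Limitation: a plain substring match misses 8.3 short names
    (for example PROGRA~1-style paths), so check those by hand.
    """
    frag = fragment.lower()
    hits = [("proc", p) for p in processes if frag in p.lower()]
    hits += [(code, body) for code, body in items if frag in body.lower()]
    return hits


def compare(before_text, after_text, fragment):
    """Summarise what changed between two logs for one suspect folder."""
    bp, bi = parse_hjt(before_text)
    ap, ai = parse_hjt(after_text)
    return {
        "flagged_before": references(fragment, bp, bi),
        "still_present": references(fragment, ap, ai),
        "removed_items": sorted(set(bi) - set(ai)),
        "new_items": sorted(set(ai) - set(bi)),
    }


# Shortened excerpt of the first log in this thread (before the fix).
BEFORE = r"""
Running processes:
V:\Windows\Explorer.EXE
V:\Program Files\Video ActiveX Access\iesmn.exe
V:\Program Files\Common Files\Symantec Shared\ccApp.exe
V:\Program Files\Video ActiveX Access\iesmin.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - V:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B8C5186E-EC37-4889-9C2E-F73649FFB7BB} - V:\Program Files\Video ActiveX Access\iesplg.dll
O3 - Toolbar: Protection Bar - {31615D5C-5126-448A-818A-A7CDFEE85A9B} - V:\Program Files\Video ActiveX Access\iesbpl.dll
O4 - HKLM\..\Run: [ccApp] "V:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] V:\Program Files\Video ActiveX Access\iesmn.exe
"""

# Shortened excerpt of the second log in this thread (after the fix).
AFTER = r"""
Running processes:
V:\Windows\Explorer.EXE
V:\Program Files\Common Files\Symantec Shared\ccApp.exe
V:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - V:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ccApp] "V:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "V:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
"""

if __name__ == "__main__":
    result = compare(BEFORE, AFTER, r"\Video ActiveX Access")
    for key, rows in result.items():
        print(f"{key}: {len(rows)}")
        for code, body in rows:
            print(f"  {code} - {body}")
```

Anything listed under `new_items` is worth a look as well, since an autostart entry that appears between two scans should be one the user knowingly installed.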
 
There is no add or remove programs entry for Video ActiveX Access, but there is for:
IExplorer Security Plug-In

This is that dumb toolbar I disabled in I.E, and when I click uninstall it says:
You should reboot your computer prior to uninstalling this software. Reboot now?
The options are: Ok and Cancel, so I put cancel and nothing happens.

Onto the other stuff:
I removed the items you told me to in HiJack This, along with the VideoActiveXAccess folder in Program Files (did this all in safe mode), I also emptied the recycle bin.

Rebooted. I notice my IE start page is now back to normal, yay!

Ran HiJack this, here is the log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:41:35 PM, on 5/22/2007
Platform: Windows Vista (WinNT 6.00.1904)
Boot mode: Normal

Running processes:
V:\Windows\system32\taskeng.exe
V:\Windows\system32\Dwm.exe
V:\Windows\Explorer.EXE
V:\Program Files\Analog Devices\Core\smax4pnp.exe
V:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
V:\Program Files\iTunes\iTunesHelper.exe
V:\Program Files\Common Files\Symantec Shared\ccApp.exe
V:\Windows\System32\wpcumi.exe
V:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
V:\Windows\ehome\ehtray.exe
V:\Program Files\Windows Media Player\wmpnscfg.exe
V:\Windows\ehome\ehmsas.exe
V:\Program Files\Internet Explorer\ieuser.exe
V:\Program Files\Internet Explorer\iexplore.exe
V:\Windows\system32\SearchFilterHost.exe
V:\Users\Chris\Downloads\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - V:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - V:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - V:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: InlineSearchHandleHotKey - {B6FFE2AE-4D12-451F-B457-FE6125FFB1CF} - V:\Program Files\IEForge\Inline Search\InlineSearch.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SoundMAXPnP] V:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "V:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [iTunesHelper] "V:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "V:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BrMfcWnd] V:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] V:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [WPCUMI] V:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [QuickTime Task] "V:\Program Files\VistaCodecPack\QT\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "V:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ehTray.exe] V:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] V:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://V:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - V:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - V:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - V:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/ActiveX/VMRCActiveXClient1.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - V:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - V:\Windows\system32\browseui.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - V:\Windows\System32\DreamScene.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - V:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - V:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - V:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - V:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - V:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - V:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - V:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 7830 bytes
 
Hi

Yes, log looks good now.

Not sure if Kaspersky online scanner works with Vista, but let's test it:

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Post:

- a fresh HijackThis log
- Kaspersky report
 
This scan took forever!
HiJack This Log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:52:55 AM, on 5/24/2007
Platform: Windows Vista (WinNT 6.00.1904)
Boot mode: Normal

Running processes:
V:\Windows\system32\taskeng.exe
V:\Windows\system32\Dwm.exe
V:\Windows\Explorer.EXE
V:\Program Files\Analog Devices\Core\smax4pnp.exe
V:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
V:\Program Files\iTunes\iTunesHelper.exe
V:\Program Files\Common Files\Symantec Shared\ccApp.exe
V:\Windows\System32\wpcumi.exe
V:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
V:\Program Files\Brother\ControlCenter3\brccMCtl.exe
V:\Windows\ehome\ehtray.exe
V:\Program Files\Windows Media Player\wmpnscfg.exe
V:\Windows\ehome\ehmsas.exe
V:\Program Files\Internet Explorer\ieuser.exe
V:\Program Files\Internet Explorer\iexplore.exe
V:\Program Files\iTunes\iTunes.exe
V:\Program Files\Last.fm\LastFM.exe
V:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
V:\Users\Chris\Downloads\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - V:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - V:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - V:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: InlineSearchHandleHotKey - {B6FFE2AE-4D12-451F-B457-FE6125FFB1CF} - V:\Program Files\IEForge\Inline Search\InlineSearch.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SoundMAXPnP] V:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "V:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [iTunesHelper] "V:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "V:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BrMfcWnd] V:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] V:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [WPCUMI] V:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [QuickTime Task] "V:\Program Files\VistaCodecPack\QT\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "V:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ehTray.exe] V:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] V:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://V:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - V:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - V:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - V:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/ActiveX/VMRCActiveXClient1.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - V:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - V:\Windows\system32\browseui.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - V:\Windows\System32\DreamScene.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - V:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - V:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - V:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - V:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - V:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - V:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - V:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 8092 bytes
 
KASPERSKY ONLINE SCANNER REPORT
Thursday, May 24, 2007 7:48:11 AM
Operating System: Microsoft Windows Vista Professional, (Build 6000)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 24/05/2007
Kaspersky Anti-Virus database records: 328326


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
F:\
N:\
V:\

Scan Statistics
Total number of scanned objects 277578
Number of viruses found 14
Number of infected objects 1533
Number of suspicious objects 0
Duration of the scan process 06:15:58

Infected Object Name Virus Name Last Action
C:\Boot\BCD Object is locked skipped

C:\Boot\BCD.LOG Object is locked skipped

C:\boot.ini Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.bak Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\42C57B68.exe/stream/data0007 Infected: not-a-virus:Monitor.Win32.ActiveKeyLogger.24 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\42C57B68.exe/stream Infected: not-a-virus:Monitor.Win32.ActiveKeyLogger.24 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\42C57B68.exe NSIS: infected - 2 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\42C57B68.exe CryptFF: infected - 2 skipped

C:\i386\closeapp.ex_/closeapp.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped

C:\i386\closeapp.ex_ CAB: infected - 1 skipped

C:\i386\vimc.ex_/vimc.exe/WISE0005.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped

C:\i386\vimc.ex_/vimc.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped

C:\i386\vimc.ex_ CAB: infected - 2 skipped

C:\IRC Downloads\fullkeylogger.exe Infected: not-a-virus:Monitor.Win32.KeyLogger.r skipped

C:\NTDETECT.COM Object is locked skipped

C:\ntldr Object is locked skipped

C:\pagefile.sys Object is locked skipped

C:\Program Files\Adobe\Adobe Bridge\install.adb Object is locked skipped

C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.ilg Object is locked skipped

C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.ilg Object is locked skipped

C:\Program Files\Norton Anti-Virus\Savrt\0381NAV~.TMP Object is locked skipped

C:\Program Files\Norton Anti-Virus\Savrt\0471NAV~.TMP Object is locked skipped

C:\Program Files\Real\RealPlayer\120.chl Object is locked skipped

C:\Program Files\Real\RealPlayer\155.chl Object is locked skipped

C:\Program Files\Real\RealPlayer\pref.gd Object is locked skipped

C:\Program Files\Speed Startup\Backup\Adobe Gamma.lnk Object is locked skipped

C:\SpyHiJack\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\SpyHiJack\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\SpyHiJack\SmitfraudFix.zip ZIP: infected - 1 skipped

C:\WINDOWS\diagerr.xml Object is locked skipped

C:\WINDOWS\diagwrn.xml Object is locked skipped

C:\WINDOWS\Minidump\Mini102506-01.dmp Object is locked skipped

C:\WINDOWS\repair\autoexec.nt Object is locked skipped

C:\WINDOWS\repair\config.nt Object is locked skipped

C:\WINDOWS\repair\default Object is locked skipped

C:\WINDOWS\repair\DS_SAM Object is locked skipped

C:\WINDOWS\repair\DS_SECURITY Object is locked skipped

C:\WINDOWS\repair\DS_SOFTWARE Object is locked skipped

C:\WINDOWS\repair\ntuser.dat Object is locked skipped

C:\WINDOWS\repair\sam Object is locked skipped

C:\WINDOWS\repair\secsetup.inf Object is locked skipped

C:\WINDOWS\repair\security Object is locked skipped

C:\WINDOWS\repair\setup.log Object is locked skipped

C:\WINDOWS\repair\software Object is locked skipped

C:\WINDOWS\repair\system.bak Object is locked skipped

C:\WINDOWS\system32\closeapp.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\default.sav Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped

C:\WINDOWS\system32\config\OSession.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\SLEvtLog.evt Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\software.sav Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\config\system.sav Object is locked skipped

C:\WINDOWS\system32\config\TempKey.LOG Object is locked skipped

C:\WINDOWS\system32\config\userdiff Object is locked skipped

C:\WINDOWS\system32\config\userdiff.LOG Object is locked skipped
 
C:\WINDOWS\system32\sys.exe Infected: Trojan.Win32.Delf.zw skipped

C:\WINDOWS\system32\vimc.exe/WISE0005.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped

C:\WINDOWS\system32\vimc.exe WiseSFX: infected - 1 skipped

C:\WINDOWS\system32\wbem\AutoRecover\1EBE968EB7AF815A32641E6185350A9E.mof Object is locked skipped

C:\WINDOWS\system32\wbem\AutoRecover\8A94AF24F162D580E3D9889344A3A317.mof Object is locked skipped

C:\WINDOWS\system32\wbem\AutoRecover\E478A5DB75C9721E744C05D78DBACFD3.mof Object is locked skipped

F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Freebay ][Date Thu, 25 Nov 2004 07:07:59 -0800 (PST)]/document.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped

F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Freebay ][Date Thu, 25 Nov 2004 07:07:59 -0800 (PST)]/document.zip Infected: Email-Worm.Win32.NetSky.q skipped

F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Spending Power ][Date Thu, 25 Nov 2004 09:08:46 -0800 (PST)]/html/[From mary@lycos.com][Date Fri, 26 Nov 2004 17:59:07 +0800]/UNNAMED/readme.scr Infected: Email-Worm.Win32.LovGate.w skipped

F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Spending Power ][Date Thu, 25 Nov 2004 09:08:46 -0800 (PST)]/html/[From mary@lycos.com][Date Fri, 26 Nov 2004 17:59:07 +0800]/UNNAMED Infected: Email-Worm.Win32.LovGate.w skipped

F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Spending Power ][Date Thu, 25 Nov 2004 09:08:46 -0800 (PST)]/html/[From MAILER-DAEMON@essonne.cci.fr (Mail Delivery System)][Date Fri, 26 Nov 2004 12:31:15 +0100 (CET)]/UNNAMED/[From helen@whoever.com][Date Fri, 26 Nov 2004 19:26:06 +0800]/UNNAMED/message.exe Infected: Email-Worm.Win32.LovGate.w skipped

F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Spending Power ][Date Thu, 25 Nov 2004 09:08:46 -0800 (PST)]/html/[From MAILER-DAEMON@essonne.cci.fr (Mail Delivery System)][Date Fri, 26 Nov 2004 12:31:15 +0100 (CET)]/UNNAMED/[From helen@whoever.com][Date Fri, 26 Nov 2004 19:26:06 +0800]/UNNAMED Infected: Email-Worm.Win32.LovGate.w skipped

F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Spending Power ][Date Thu, 25 Nov 2004 09:08:46 -0800 (PST)]/html/[From MAILER-DAEMON@essonne.cci.fr (Mail Delivery System)][Date Fri, 26 Nov 2004 12:31:15 +0100 (CET)]/UNNAMED/[From steve@pldtdsl.net][Date Fri, 26 Nov 2004 19:38:57 +0800]/UNNAMED/UNNAMED/body.pif Infected: Email-Worm.Win32.LovGate.w skipped

F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Spending Power ][Date Thu, 25 Nov 2004 09:08:46 -0800 (PST)]/html/[From MAILER-DAEMON@essonne.cci.fr (Mail Delivery System)][Date Fri, 26 Nov 2004 12:31:15 +0100 (CET)]/UNNAMED/[From steve@pldtdsl.net][Date Fri, 26 Nov 2004 19:38:57 +0800]/UNNAMED/UNNAMED Infected: Email-Worm.Win32.LovGate.w skipped

F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Spending Power ][Date Thu, 25 Nov 2004 09:08:46 -0800 (PST)]/html/[From MAILER-DAEMON@essonne.cci.fr (Mail Delivery System)][Date Fri, 26 Nov 2004 12:31:15 +0100 (CET)]/UNNAMED/[From steve@pldtdsl.net][ ... /[From fred@msdirectservices.com][Date Fri, 26 Nov 2004 19:41: ... /message.scr Infected: Email-Worm.Win32.LovGate.w skipped

F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Spending Power ][Date Thu, 25 Nov 2004 09:08:46 -0800 (PST)]/html/[From MAILER-DAEMON@essonne.cci.fr (Mail Delivery System)][Date Fri, 26 Nov 2004 12:31:15 +0100 (CET)]/UNNAMED/[From steve@pldtdsl.net][ ... /[From fred@msdirectservices.com][Date Fri, 26 Nov 2004 19:41:01 + ... /UNNAMED Infected: Email-Worm.Win32.LovGate.w skipped

F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Spending Power ][Date Thu, 25 Nov 2004 09:08:46 -0800 (PST)]/html/[From MAILER-DAEMON@essonne.cci.fr (Mail Delivery System)][Date Fri, 26 Nov 2004 12:31:15 +0100 (CET)]/UNNAMED/[From steve@pldtdsl.net][ ... /[F ... /[From jimmy@pldtdsl.net][Date Fri, 26 Nov 2004 19:45 ... /document.pif Infected: Email-Worm.Win32.LovGate.w skipped

F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Spending Power ][Date Thu, 25 Nov 2004 09:08:46 -0800 (PST)]/html/[From MAILER-DAEMON@essonne.cci.fr (Mail Delivery System)][Date Fri, 26 Nov 2004 12:31:15 +0100 (CET)]/UNNAMED/[From steve@pldtdsl.net][ ... /[F ... /[From jimmy@pldtdsl.net][Date Fri, 26 Nov 2004 19:45:29 + ... /UNNAMED Infected: Email-Worm.Win32.LovGate.w skipped

F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Spending Power ][Date Thu, 25 Nov 2004 09:08:46 -0800 (PST)]/html/[From MAILER-DAEMON@essonne.cci.fr (Mail Delivery System)][Date Fri, 26 Nov 2004 12:31:15 +0100 (CET)]/UNNAMED/[From steve@pldtdsl.net][ ... /[ ... /[From brenda@info.com.ph][Date Fri, 26 Nov 2004 19:49:54 ... /data.scr Infected: Email-Worm.Win32.LovGate.w skipped

F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Spending Power ][Date Thu, 25 Nov 2004 09:08:46 -0800 (PST)]/html/[From MAILER-DAEMON@essonne.cci.fr (Mail Delivery System)][Date Fri, 26 Nov 2004 12:31:15 +0100 (CET)]/UNNAMED/[From steve@pldtdsl.net][ ... /[ ... /[From brenda@info.com.ph][Date Fri, 26 Nov 2004 19:49:54 + ... /UNNAMED Infected: Email-Worm.Win32.LovGate.w skipped

F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Spending Power ][Date Thu, 25 Nov 2004 09:08:46 -0800 (PST)]/html/[From MAILER-DAEMON@essonne.cci.fr (Mail Delivery System)][Date Fri, 26 Nov 2004 12:31:15 +0100 (CET)]/UNNAMED/[From steve@pldtd ... /document.htm .exe Infected: Email-Worm.Win32.LovGate.w skipped

F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Spending Power ][Date Thu, 25 Nov 2004 09:08:46 -0800 (PST)]/html/[From MAILER-DAEMON@essonne.cci.fr (Mail Delivery System)][Date Fri, 26 Nov 2004 12:31:15 +0100 (CET)]/UNNAMED/[From steve@pldtdsl.net][ ... / ... /[From claudia@whoever.com][Date Fri, 26 Nov 2004 19:59:27 + ... /UNNAMED Infected: Email-Worm.Win32.LovGate.w skipped

F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Spending Power ][Date Thu, 25 Nov 2004 09:08:46 -0800 (PST)]/html/[From MAILER-DAEMON@essonne.cci.fr (Mail Delivery System)][Date Fri, 26 Nov 2004 12:31:15 +0100 (CET)]/UNNAMED/[From steve@pldtdsl.net][ ... / .. ... /[From tom@yahoo.com.sg][Date Fri, 26 Nov 2004 20:04:02 ... /body.scr Infected: Email-Worm.Win32.LovGate.w skipped

F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Spending Power ][Date Thu, 25 Nov 2004 09:08:46 -0800 (PST)]/html/[From MAILER-DAEMON@essonne.cci.fr (Mail Delivery System)][Date Fri, 26 Nov 2004 12:31:15 +0100 (CET)]/UNNAMED/[From steve@pldtdsl.net][ ... / .. ... /[From tom@yahoo.com.sg][Date Fri, 26 Nov 2004 20:04:02 + ... /UNNAMED Infected: Email-Worm.Win32.LovGate.w skipped

F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Spending Power ][Date Thu, 25 Nov 2004 09:08:46 -0800 (PST)]/html/[From MAILER-DAEMON@essonne.cci.fr (Mail Delivery System)][Date Fri, 26 Nov 2004 12:31:15 +0100 (CET)]/UNNAMED/[From steve@pldtdsl ... /readme.txt .pif Infected: Email-Worm.Win32.LovGate.w skipped

F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz/packed/backup-1.27.2005_19-46-28_hilarypi/homedir/mail/inbox/[From "lenders search" ][Date Thu, 25 Nov 2004 03:38:00 -0500 (EST)]/html/[From Spending Power ][Date Thu, 25 Nov 2004 09:08:46 -0800 (PST)]/html/[From MAILER-DAEMON@essonne.cci.fr (Mail Delivery System)][Date Fri, 26 Nov 2004 12:31:15 +0100 (CET)]/UNNAMED/[From steve@pldtdsl.net][ ... / .. .. ... /[From debby@aol.com][Date Fri, 26 Nov 2004 20:15:49 + ... /UNNAMED Infected: Email-Worm.Win32.LovGate.w skipped
 
There's way more, but I have to do it when I get home from work later today, because this site makes me do it piece by piece, and it's an HTML file, not a txt.
 
Hi

Scanning time depends on the number of files, and you have a lot of them. I've seen 24-hour scanning times.

The scan report doesn't look complete:

Number of infected objects 1533

Empty this folder:

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine

Delete these:

C:\IRC Downloads\fullkeylogger.exe
C:\WINDOWS\system32\sys.exe
F:\Business Stuff\AC\CHRISLIMON\Duff\backup-1.27.2005_19-46-28_hilarypi.tar.gz

Empty Recycle Bin

Re-scan with Kaspersky

Post:

- a fresh HijackThis log
- Kaspersky report
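
An added example (not part of the original thread, and not a Kaspersky tool): a small Python triage script for reports in this format. It drops the "Object is locked" noise, groups detections by the file on disk that holds them, and checks the tally against the report's own statistics, which is the completeness check made above. The sample lines are copied from the May 24, 2007 report in this thread; treating `/` as the archive-member separator and counting container lines as infected objects are assumptions inferred from those lines.

```python
import re
from collections import defaultdict

# Subset of lines copied from the May 24, 2007 Kaspersky report in this thread.
SAMPLE_REPORT = r"""Number of viruses found 3
Number of infected objects 12
C:\Boot\BCD Object is locked skipped
C:\i386\closeapp.ex_/closeapp.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
C:\i386\closeapp.ex_ CAB: infected - 1 skipped
C:\i386\vimc.ex_/vimc.exe/WISE0005.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
C:\i386\vimc.ex_/vimc.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
C:\i386\vimc.ex_ CAB: infected - 2 skipped
C:\pagefile.sys Object is locked skipped
C:\SpyHiJack\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SpyHiJack\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SpyHiJack\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\WINDOWS\system32\closeapp.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\vimc.exe/WISE0005.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
C:\WINDOWS\system32\vimc.exe WiseSFX: infected - 1 skipped
V:\Users\Chris\Downloads\backups\backup-20070522-153356-517.dll Infected: Trojan-Downloader.Win32.Zlob.bti skipped
V:\Users\Chris\NTUSER.DAT Object is locked skipped
"""

# Paths contain spaces, so each line is matched from its fixed right-hand suffix.
LOCKED = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
DETECTION = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
CONTAINER = re.compile(
    r"^(?P<path>.+?) (?P<kind>\w+): infected - (?P<count>\d+) skipped$")
STAT = re.compile(
    r"^Number of (?P<key>viruses found|infected objects) (?P<value>\d+)$")


def triage(report_text):
    """Split a pasted report into noise, detections and reported totals."""
    stats, locked, unparsed = {}, 0, []
    detections, containers = [], []
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := STAT.match(line):
            stats[m["key"]] = int(m["value"])
        elif LOCKED.match(line):
            locked += 1  # file was in use; says nothing about infection
        elif m := DETECTION.match(line):
            detections.append((m["path"], m["name"]))
        elif m := CONTAINER.match(line):
            containers.append((m["path"], m["kind"], int(m["count"])))
        else:
            unparsed.append(line)  # truncated or unknown lines stay visible

    # Assumption: "/" separates an archive from its members, so the part
    # before the first "/" is the file that actually sits on disk.
    by_disk_file = defaultdict(set)
    for path, name in detections:
        by_disk_file[path.split("/", 1)[0]].add(name)

    names = {name for _, name in detections}
    return {
        "locked": locked,
        # Assumption: the report's total counts detection and container lines.
        "infected_objects": len(detections) + len(containers),
        "names": sorted(names),
        # Kaspersky prefixes riskware/adware verdicts with "not-a-virus:".
        "riskware_only": sorted(n for n in names if n.startswith("not-a-virus:")),
        "files_on_disk": {k: sorted(v) for k, v in by_disk_file.items()},
        "reported": stats,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("locked (ignored):", result["locked"])
    print("infected objects:", result["infected_objects"],
          "reported:", result["reported"].get("infected objects"))
    for disk_file, found in result["files_on_disk"].items():
        print(disk_file, "->", ", ".join(found))
```

A mismatch between the counted and reported totals, or a non-empty `unparsed` list, points to a report that was pasted incompletely or cut mid-line.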
 
I did what you said, then ran another scan.
For the record I will be going out of town tomorrow evening, until Monday, so please don't lock the thread.

Here is the Kaspersky Scan Report:
KASPERSKY ONLINE SCANNER REPORT
Thursday, May 24, 2007 10:01:05 PM
Operating System: Microsoft Windows Vista Professional, (Build 6000)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 24/05/2007
Kaspersky Anti-Virus database records: 328326


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
F:\
N:\
V:\

Scan Statistics
Total number of scanned objects 277887
Number of viruses found 3
Number of infected objects 12
Number of suspicious objects 0
Duration of the scan process 06:40:29

Infected Object Name Virus Name Last Action
C:\Boot\BCD Object is locked skipped

C:\Boot\BCD.LOG Object is locked skipped

C:\boot.ini Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.bak Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\i386\closeapp.ex_/closeapp.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped

C:\i386\closeapp.ex_ CAB: infected - 1 skipped

C:\i386\vimc.ex_/vimc.exe/WISE0005.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped

C:\i386\vimc.ex_/vimc.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped

C:\i386\vimc.ex_ CAB: infected - 2 skipped

C:\NTDETECT.COM Object is locked skipped

C:\ntldr Object is locked skipped

C:\pagefile.sys Object is locked skipped

C:\Program Files\Adobe\Adobe Bridge\install.adb Object is locked skipped

C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.ilg Object is locked skipped

C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.ilg Object is locked skipped

C:\Program Files\Norton Anti-Virus\Savrt\0381NAV~.TMP Object is locked skipped

C:\Program Files\Norton Anti-Virus\Savrt\0471NAV~.TMP Object is locked skipped

C:\Program Files\Real\RealPlayer\120.chl Object is locked skipped

C:\Program Files\Real\RealPlayer\155.chl Object is locked skipped

C:\Program Files\Real\RealPlayer\pref.gd Object is locked skipped

C:\Program Files\Speed Startup\Backup\Adobe Gamma.lnk Object is locked skipped

C:\SpyHiJack\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\SpyHiJack\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\SpyHiJack\SmitfraudFix.zip ZIP: infected - 1 skipped

C:\WINDOWS\diagerr.xml Object is locked skipped

C:\WINDOWS\diagwrn.xml Object is locked skipped

C:\WINDOWS\Minidump\Mini102506-01.dmp Object is locked skipped

C:\WINDOWS\repair\autoexec.nt Object is locked skipped

C:\WINDOWS\repair\config.nt Object is locked skipped

C:\WINDOWS\repair\default Object is locked skipped

C:\WINDOWS\repair\DS_SAM Object is locked skipped

C:\WINDOWS\repair\DS_SECURITY Object is locked skipped

C:\WINDOWS\repair\DS_SOFTWARE Object is locked skipped

C:\WINDOWS\repair\ntuser.dat Object is locked skipped

C:\WINDOWS\repair\sam Object is locked skipped

C:\WINDOWS\repair\secsetup.inf Object is locked skipped

C:\WINDOWS\repair\security Object is locked skipped

C:\WINDOWS\repair\setup.log Object is locked skipped

C:\WINDOWS\repair\software Object is locked skipped

C:\WINDOWS\repair\system.bak Object is locked skipped

C:\WINDOWS\system32\closeapp.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\default.sav Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped

C:\WINDOWS\system32\config\OSession.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\SLEvtLog.evt Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\software.sav Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\config\system.sav Object is locked skipped

C:\WINDOWS\system32\config\TempKey.LOG Object is locked skipped

C:\WINDOWS\system32\config\userdiff Object is locked skipped

C:\WINDOWS\system32\config\userdiff.LOG Object is locked skipped

C:\WINDOWS\system32\vimc.exe/WISE0005.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped

C:\WINDOWS\system32\vimc.exe WiseSFX: infected - 1 skipped

C:\WINDOWS\system32\wbem\AutoRecover\1EBE968EB7AF815A32641E6185350A9E.mof Object is locked skipped

C:\WINDOWS\system32\wbem\AutoRecover\8A94AF24F162D580E3D9889344A3A317.mof Object is locked skipped

C:\WINDOWS\system32\wbem\AutoRecover\E478A5DB75C9721E744C05D78DBACFD3.mof Object is locked skipped

V:\Program Files\Adobe\Adobe Device Central CS3\AMT\AUMProduct.cer Object is locked skipped

V:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped

V:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped

V:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped

V:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped

V:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped

V:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped

V:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\07ba6cd04f4b286329885247df66b9c5_6be9b7ca-3cce-4567-ab73-ef173748f418 Object is locked skipped

V:\ProgramData\Microsoft\User Account Pictures\Danny.dat Object is locked skipped

V:\ProgramData\Microsoft\User Account Pictures\Games.dat Object is locked skipped

V:\ProgramData\Microsoft\User Account Pictures\Guest.dat Object is locked skipped

V:\ProgramData\Symantec\Common Client\settings.bak Object is locked skipped

V:\ProgramData\Symantec\Common Client\settings.dat Object is locked skipped

V:\ProgramData\Symantec\LiveUpdate\2007-05-24_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped

V:\ProgramData\Symantec\Shared\QBackup\index.qbs Object is locked skipped

V:\ProgramData\Symantec\SPBBC\BBConfig.log Object is locked skipped

V:\ProgramData\Symantec\SPBBC\BBDebug.log Object is locked skipped

V:\ProgramData\Symantec\SPBBC\BBDetect.log Object is locked skipped

V:\ProgramData\Symantec\SPBBC\BBNotify.log Object is locked skipped

V:\ProgramData\Symantec\SPBBC\BBRefr.log Object is locked skipped

V:\ProgramData\Symantec\SPBBC\BBSetCfg.log Object is locked skipped

V:\ProgramData\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped

V:\ProgramData\Symantec\SPBBC\BBSetDev.log Object is locked skipped

V:\ProgramData\Symantec\SPBBC\BBSetLoc.log Object is locked skipped

V:\ProgramData\Symantec\SPBBC\BBSetUsr.log Object is locked skipped

V:\ProgramData\Symantec\SPBBC\BBStHash.log Object is locked skipped

V:\ProgramData\Symantec\SPBBC\BBValid.log Object is locked skipped

V:\ProgramData\Symantec\SPBBC\SPPolicy.log Object is locked skipped

V:\ProgramData\Symantec\SPBBC\SPStart.log Object is locked skipped

V:\ProgramData\Symantec\SPBBC\SPStop.log Object is locked skipped

V:\ProgramData\Symantec\SRTSP\SrtErEvt.log Object is locked skipped

V:\ProgramData\Symantec\SRTSP\SrtETmp\3471FB21.TMP Object is locked skipped

V:\ProgramData\Symantec\SRTSP\SrtETmp\385B71B4.TMP Object is locked skipped

V:\ProgramData\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped

V:\ProgramData\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped

V:\ProgramData\Symantec\SRTSP\SrtScEvt.log Object is locked skipped

V:\ProgramData\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped

V:\ProgramData\Symantec\SRTSP\SrtViEvt.log Object is locked skipped

V:\ProgramData\Symantec\SubEng\submissions.idx Object is locked skipped

V:\ProgramData\Symantec\SymNetDrv\SNDALRT.log Object is locked skipped

V:\ProgramData\Symantec\SymNetDrv\SNDCON.log Object is locked skipped

V:\ProgramData\Symantec\SymNetDrv\SNDDBG.log Object is locked skipped

V:\ProgramData\Symantec\SymNetDrv\SNDFW.log Object is locked skipped

V:\ProgramData\Symantec\SymNetDrv\SNDIDS.log Object is locked skipped

V:\ProgramData\Symantec\SymNetDrv\SNDSYS.log Object is locked skipped

V:\Users\Chris\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped

V:\Users\Chris\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat Object is locked skipped

V:\Users\Chris\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012007052420070525\index.dat Object is locked skipped

V:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

V:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{530936A7-0B1D-4826-BC6E-A5EEDB701421}.tmp Object is locked skipped

V:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

V:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat Object is locked skipped

V:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\P1G5517R\instrumental[1].dat Object is locked skipped

V:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\P1G5517R\instrumental[2].dat Object is locked skipped

V:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QJ29X6SA\instrumental[1].dat Object is locked skipped

V:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QJ29X6SA\instrumental[2].dat Object is locked skipped

V:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT Object is locked skipped

V:\Users\Chris\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped

V:\Users\Chris\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped

V:\Users\Chris\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped

V:\Users\Chris\AppData\Local\Microsoft\Windows\UsrClass.dat{8bd7ba9c-c56a-11db-937f-001676a1c907}.TM.blf Object is locked skipped

V:\Users\Chris\AppData\Local\Microsoft\Windows\UsrClass.dat{8bd7ba9c-c56a-11db-937f-001676a1c907}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped

V:\Users\Chris\AppData\Local\Microsoft\Windows\UsrClass.dat{8bd7ba9c-c56a-11db-937f-001676a1c907}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped

V:\Users\Chris\AppData\Local\Microsoft\Feeds Cache\index.dat Object is locked skipped

V:\Users\Chris\AppData\Local\Microsoft\Outlook\Outlook.pst Object is locked skipped

V:\Users\Chris\AppData\Local\Microsoft\Outlook\~Outlook.pst.tmp Object is locked skipped

V:\Users\Chris\AppData\Local\Last.fm\Client\container.log Object is locked skipped

V:\Users\Chris\AppData\Local\Last.fm\Client\httpinput.log Object is locked skipped

V:\Users\Chris\AppData\Local\Last.fm\Client\iTunesPlugin.log Object is locked skipped

V:\Users\Chris\AppData\Local\Last.fm\Client\metadata.log Object is locked skipped

V:\Users\Chris\AppData\Local\Last.fm\Client\playback.log Object is locked skipped

V:\Users\Chris\AppData\Local\Last.fm\Client\sidebar.log Object is locked skipped

V:\Users\Chris\AppData\Local\Last.fm\Client\skype.log Object is locked skipped

V:\Users\Chris\AppData\Local\Last.fm\Client\transcode.log Object is locked skipped

V:\Users\Chris\AppData\Local\Last.fm\Client\webservice.log Object is locked skipped

V:\Users\Chris\AppData\Local\Temp\FXSAPIDebugLogFile.txt Object is locked skipped

V:\Users\Chris\AppData\Local\Temp\~DFCB39.tmp Object is locked skipped

V:\Users\Chris\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped

V:\Users\Chris\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat Object is locked skipped

V:\Users\Chris\AppData\Roaming\Microsoft\Outlook\Outlook.srs Object is locked skipped

V:\Users\Chris\AppData\Roaming\Microsoft\Templates\NormalEmail.dotm Object is locked skipped

V:\Users\Chris\Downloads\backups\backup-20070522-153356-517.dll Infected: Trojan-Downloader.Win32.Zlob.bti skipped

V:\Users\Chris\Music\iTunes\iTunes Library.itl Object is locked skipped

V:\Users\Chris\NTUSER.DAT Object is locked skipped

V:\Users\Chris\ntuser.dat.LOG1 Object is locked skipped

V:\Users\Chris\ntuser.dat.LOG2 Object is locked skipped

V:\Users\Chris\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TM.blf Object is locked skipped

V:\Users\Chris\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped

V:\Users\Chris\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped

V:\Windows\Debug\PASSWD.LOG Object is locked skipped

V:\Windows\Debug\sam.log Object is locked skipped

V:\Windows\Debug\WIA\wiatrace.log Object is locked skipped

V:\Windows\Installer\MSI2FBD.tmp Object is locked skipped

V:\Windows\Installer\MSI57EF.tmp Object is locked skipped

V:\Windows\Installer\MSI6456.tmp Object is locked skipped

V:\Windows\Installer\MSI94A1.tmp Object is locked skipped

V:\Windows\Internet Logs\CHRIS-PC.ldb Object is locked skipped

V:\Windows\Internet Logs\fwdbglog.txt Object is locked skipped

V:\Windows\Internet Logs\fwpktlog.txt Object is locked skipped

V:\Windows\Internet Logs\IAMDB.RDB Object is locked skipped

V:\Windows\Internet Logs\tvDebug.log Object is locked skipped

V:\Windows\Internet Logs\ZALog2007.05.21.txt Object is locked skipped

V:\Windows\Logs\CBS\CBS.log Object is locked skipped

V:\Windows\Logs\DPX\setupact.log Object is locked skipped

V:\Windows\Logs\DPX\setuperr.log Object is locked skipped

V:\Windows\MEMORY.DMP Object is locked skipped

V:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe.config Object is locked skipped

V:\Windows\Panther\UnattendGC\diagerr.xml Object is locked skipped

V:\Windows\Panther\UnattendGC\diagwrn.xml Object is locked skipped

V:\Windows\Panther\UnattendGC\setupact.log Object is locked skipped

V:\Windows\Panther\UnattendGC\setuperr.log Object is locked skipped

V:\Windows\security\database\secedit.sdb Object is locked skipped

V:\Windows\SoftwareDistribution\EventCache\{22E98F57-873E-4DA1-AE20-59124EDEA767}.bin Object is locked skipped

V:\Windows\SoftwareDistribution\ReportingEvents.log Object is locked skipped

V:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped

V:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped

V:\Windows\System32\catroot2\edb.log Object is locked skipped

V:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped

V:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped

V:\Windows\System32\cleardll.reg Object is locked skipped

V:\Windows\System32\config\COMPONENTS Object is locked skipped

V:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped

V:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped

V:\Windows\System32\config\DEFAULT Object is locked skipped

V:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped

V:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped

V:\Windows\System32\config\RegBack\COMPONENTS Object is locked skipped

V:\Windows\System32\config\RegBack\DEFAULT Object is locked skipped

V:\Windows\System32\config\RegBack\SAM Object is locked skipped

V:\Windows\System32\config\RegBack\SECURITY Object is locked skipped

V:\Windows\System32\config\RegBack\SOFTWARE Object is locked skipped

V:\Windows\System32\config\RegBack\SYSTEM Object is locked skipped

V:\Windows\System32\config\SAM Object is locked skipped

V:\Windows\System32\config\SAM.LOG1 Object is locked skipped

V:\Windows\System32\config\SAM.LOG2 Object is locked skipped

V:\Windows\System32\config\SECURITY Object is locked skipped

V:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped

V:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped

V:\Windows\System32\config\SOFTWARE Object is locked skipped

V:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped

V:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped

V:\Windows\System32\config\SYSTEM Object is locked skipped

V:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped

V:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped

V:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.0.regtrans-ms Object is locked skipped

V:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.1.regtrans-ms Object is locked skipped

Scan process completed.
 
HiJackThis Log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:04:58 PM, on 5/24/2007
Platform: Windows Vista (WinNT 6.00.1904)
Boot mode: Normal

Running processes:
V:\Windows\system32\taskeng.exe
V:\Windows\system32\Dwm.exe
V:\Windows\Explorer.EXE
V:\Program Files\Analog Devices\Core\smax4pnp.exe
V:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
V:\Program Files\iTunes\iTunesHelper.exe
V:\Program Files\Common Files\Symantec Shared\ccApp.exe
V:\Windows\System32\wpcumi.exe
V:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
V:\Program Files\Brother\ControlCenter3\brccMCtl.exe
V:\Windows\ehome\ehtray.exe
V:\Program Files\Windows Media Player\wmpnscfg.exe
V:\Windows\ehome\ehmsas.exe
V:\Program Files\Internet Explorer\ieuser.exe
V:\Program Files\Internet Explorer\iexplore.exe
V:\Program Files\iTunes\iTunes.exe
V:\Program Files\Last.fm\LastFM.exe
V:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
V:\Program Files\Norton AntiVirus\navw32.exe
V:\Windows\system32\SearchFilterHost.exe
V:\Windows\System32\mobsync.exe
V:\Users\Chris\Downloads\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - V:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - V:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - V:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: InlineSearchHandleHotKey - {B6FFE2AE-4D12-451F-B457-FE6125FFB1CF} - V:\Program Files\IEForge\Inline Search\InlineSearch.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SoundMAXPnP] V:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "V:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [iTunesHelper] "V:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "V:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BrMfcWnd] V:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] V:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [WPCUMI] V:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [QuickTime Task] "V:\Program Files\VistaCodecPack\QT\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "V:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ehTray.exe] V:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] V:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://V:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - V:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - V:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - V:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: v:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/ActiveX/VMRCActiveXClient1.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - V:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - V:\Windows\system32\browseui.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - V:\Windows\System32\DreamScene.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - V:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - V:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - V:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - V:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - V:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - V:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - V:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - V:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 8214 bytes
 
Don't think I'm having any more problems... I believe Norton has a basic firewall, but I'm using the Zone Alarm Beta for Vista as a firewall.

I just finished a scan with Norton and it said it detected this:
http://securityresponse.symantec.com/security_response/detected_writeup.jsp?name=Bloodhound.W32.EP

But that it could not fix it because it didn't recognize the file type.

Here's the Norton Scan Log:
Scan Stats:
Scan Time: 29930
Scan Options:
Scan Targets: C:, F:, V:
Counts:
Total items scanned: 350153
- Files & Directories: 344192
- Registry Entries: 182
- Processes & Start-up Items: 4557
- Network & Browser Items: 1217
- Other: 5

Total security risks detected: 2
Total items resolved: 2
Total items that require attention: 0

Resolved Threats:
Tracking Cookie
Virus ID: 4294909925
Type: Anomaly
Risk: Low (Low Stealth, Low Removal, Low Performance, Low Privacy)
Categories: Cookie
State: Fully Resolved
-----------
26 Tracking Cookies

Unresolved Threats:
Bloodhound.W32.EP
Virus ID: 18960
Type: Compressed
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Virus
State: Reviewed
-----------
1 File
[Restricted item (permission required)] - N/A
 
Hi

Well, Norton doesn't seem to give much detail about where that is present.

Run another scan with Norton and tell me if it still finds the same.
 
The scan still finds the same, but it doesn't give any details as to where it was found; it just says:
Restricted File (Permission Required)
 