
Computer with ScreenSaver. Will Travel.

Discussion in 'Malware and Virus Removal Archive' started by KaleidiScope, 2008/07/31.

  1. 2008/07/31
    KaleidiScope

    KaleidiScope Inactive Thread Starter

    Joined:
    2004/12/10
    Messages:
    63
    Likes Received:
    0
    I clicked on a link to a nude photo for "Angelina Jolie".

    The following day, when I started the computer, the Desktop Background had been replaced with a "Your Computer Has a Virus, Please Clean your Computer" [blue background, yellow/black lettering]...

    I immediately scanned the computer with Avast anti-virus, which found two files that it put into the 'Safe Area' following the scan.

    However, on and off, the computer goes into ScreenSaver mode. I typically don't have the Screensaver in use. This ScreenSaver shows erroneous errors that could not be taking place. At least for now that is what I think it is, since I do not understand how a program can just 'run' without someplace on the computer to do so.

    Referred also here:
    http://windowshelp.microsoft.com/co...en-us/default.mspx?query=Delete+A+Sceen+Saver


    I later figured this must be a ScreenSaver. So then - the Display Properties "Desktop" tab and "ScreenSaver" tabs are missing. I cannot change what is being shown on the computer at my Desktop, or 'Change The Background', howbeit there is still the individual file option that will set the Background.

    If I right click to 'Show the Desktop', the option to do so does not work.

    Referred also here:
    http://support.microsoft.com/?kbid=328596


    At present am scanning with Online House Call (Trend Micro). Don't know the extent of what is/has been done to the computer from clicking this .avi.exe file as I did. Suggestions would be helpful. Don't have programming expertise below the interface.

    I'm under the impression that I will have to replace some files, but I don't know which. Or replace the video driver files. Going on to scan the hard drive/defrag. Since the two files found for/from the Avast Antivirus were also in the System 'Restore' file. Since removed.


    Have computer with ScreenSaver.. perhaps. Will Travel.
     
  2. 2008/07/31
    KaleidiScope

    KaleidiScope Inactive Thread Starter

    Joined:
    2004/12/10
    Messages:
    63
    Likes Received:
    0
    Also Mentioned In:

    BitDefender "Angelina Jolie used as Malware bait":
    http://www.prosecurityzone.com/Cust...tware/Angelina_Jolie_used_as_malware_bait.asp

    This may not be a ScreenSaver. However.. I know that.. if the 'error message/-era maybe avi.com' comes on...

    I can..

    er-a.. usually.. use the 'Esc' key - or any other key - to bring up the Windows Screen Desktop.

    If I watch the thing run too long, this does not work so ...easily.. esc key.

    I'm pretty sure that I have several video driver files damaged. And maybe the ACPI (power) problems coming on, as a direct result of some damaged System Files. Or more stooge lunacy from the aspects of the virus program.

    Seems the more I let it run, the more difficult it is to get the Desktop back up. Still running the House Call (Trend Micro). Have not defragged the hard drive. Yet. Would like to run System File Checker.

    XP SP3...machine.
     
    Last edited: 2008/07/31


  4. 2008/07/31
    Arie

    Arie Administrator Administrator Staff

    Joined:
    2001/12/27
    Messages:
    15,174
    Likes Received:
    412
    Hi,

    Read this post, then post the requested log(s).
     
    Arie,
    #3
  5. 2008/07/31
    KaleidiScope

    KaleidiScope Inactive Thread Starter

    Joined:
    2004/12/10
    Messages:
    63
    Likes Received:
    0

    So far, previous to posting these requested logs:

    Ran Avast Antivirus.. found two files which are locked up. Others were deleted when found.

    Ran Spybot Search&Destroy. Inoculated Explorer. Stopped program after 5 hours of slow going.

    Ran online version of Trend Micro's Housecall. 2 hours slow going.

    - Discovered tabs missing within Display Properties (ScreenSaver, and Appearance).

    Rolled Video Driver back to previous version.
    Rolled Video Driver forward (using Microsoft's Update).

    - no change to Display panels.


    Also found interesting reference in Microsoft's Knowledge Base concerning running System File Checker (with only the Restore option using re-installing the Op. Sys.)


    +Creating a New User Account on My Computer.
    +Ran System File Checker* following doing this, for another angle.
    *the specific command I found in XP Home Edition, Cowart & Kittel, page 875
    ...it did not run until a new start-up.
    **curious as to the differences between this and what Windows Update may now see.
    Result: on the new user account, the Display Panel Tabs are back.
    User Icons are displayed along with Desktop.

    -set sufficient power settings.

    .....................Reading Your Post.....
    Switching over to previous user account. With a Restart.

    ->This User: The Display Panel Tabs are still gone.
    No access to the Desktop icons. Previously hidden.

    Run HijackThis
    Run Deckard's...

    Note: Creating Restore Points on this computer is not advisable (restore points). They are disabled for a reason! These system files must be taking a beating, with all these scans. As noted above, I have/had done several things previous to running HijackThis and Deckard's. The removed files via Avast Antivirus are available for upload to Trend Micro if needed. Creating a new User Account seemed (so far) to enable a running system. Intend to run System File Checker on this User Account. Also, XP Home Edition does not have much control of User/User policies, with only two different Account Types.

    A) This entry here*: "HijackThis Fixed Entries (I:\PROGRA~1\TRENDM~1\HIJACK~1\backups .....J:\Program Files II\Ulead Systems\Ulead VideoStudio 10\uvPL.exe backup-20071210-083903-660 O23 - Service: Ulead Burning Helper....and "O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - I:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe"
    *was a program from a 'Trial Version' that insists on being part of the system!

    B)**** Declined by poster. Thanks.

    Comment: I'm posting this against my better judgement. With the disclaimer that the 'composition of its components' are those of the poster. Illegal uses of the information are prohibited. <KaleidiScope>




    Deckard's System Scanner v20071014.68
    Run by Mr. Mike on 2008-07-31 04:31:52
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    System Restore is disabled; attempting to re-enable...success.


    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis (run as Mr. Mike.exe) --------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:38:55 AM, on 7/31/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    I:\WINDOWS\System32\smss.exe
    I:\WINDOWS\system32\winlogon.exe
    I:\WINDOWS\system32\services.exe
    I:\WINDOWS\system32\lsass.exe
    I:\WINDOWS\system32\Ati2evxx.exe
    I:\WINDOWS\system32\svchost.exe
    I:\WINDOWS\System32\svchost.exe
    I:\WINDOWS\system32\spoolsv.exe
    L:\Programs III\AvastAntiVirus\aswUpdSv.exe
    L:\Programs III\AvastAntiVirus\ashServ.exe
    I:\WINDOWS\system32\cisvc.exe
    I:\WINDOWS\system32\CTsvcCDA.exe
    I:\WINDOWS\system32\HPZipm12.exe
    I:\WINDOWS\system32\svchost.exe
    I:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    I:\WINDOWS\system32\ZONELABS\vsmon.exe
    I:\WINDOWS\system32\Ati2evxx.exe
    I:\WINDOWS\system32\MsPMSPSv.exe
    I:\Program Files\Canon\CAL\CALMAIN.exe
    L:\Programs III\AvastAntiVirus\ashWebSv.exe
    I:\WINDOWS\Explorer.EXE
    I:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    I:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    I:\WINDOWS\CTHELPER.EXE
    I:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE
    L:\Programs III\javaruntimeprogr\bin\jusched.exe
    J:\Program Files II\Motherboard Monitor 5\MBM5.EXE
    I:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    I:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    L:\PROGRA~1\AVASTA~1\ashDisp.exe
    I:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
    J:\Program Files II\Zone Labs\ZoneAlarm\zlclient.exe
    I:\WINDOWS\system32\ctfmon.exe
    J:\Program Files II\PC Magazine Utilities\TitleBar Add-Ons\Titlebar Add-Ons.exe
    L:\Programs III\ATIProgressMultiMediaC\main\ATIDtct.EXE
    L:\Programs III\TurnFlash\tflash.exe
    I:\WINDOWS\system32\wscntfy.exe
    I:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
    I:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
    I:\WINDOWS\system32\NOTEPAD.EXE
    I:\WINDOWS\system32\cidaemon.exe
    I:\Program Files\Internet Explorer\iexplore.exe
    J:\Progress Explorer Temp\Temporary Internet Files\Content.IE5\SRVU64U5\dss[1].exe
    I:\PROGRA~1\TRENDM~1\HIJACK~1\Mr. Mike.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page ****
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - L:\Programs III\javaruntimeprogr\bin\ssv.dll
    O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - I:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
    O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - I:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
    O4 - HKLM\..\Run: [EM_EXEC] "I:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE "
    O4 - HKLM\..\Run: [CTSysVol] "I:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe "
    O4 - HKLM\..\Run: [UpdReg] "I:\WINDOWS\UpdReg.EXE "
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [CTDVDDET] "I:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "L:\Programs III\javaruntimeprogr\bin\jusched.exe "
    O4 - HKLM\..\Run: [RoxioEngineUtility] "I:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe "
    O4 - HKLM\..\Run: [MimBoot] "I:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe "
    O4 - HKLM\..\Run: [MBM 5] "J:\Program Files II\Motherboard Monitor 5\MBM5.EXE "
    O4 - HKLM\..\Run: [DXDllRegExe] I:\WINDOWS\system32\dxdllreg.exe
    O4 - HKLM\..\Run: [HP Software Update] "I:\Program Files\HP\HP Software Update\HPWuSchd2.exe "
    O4 - HKLM\..\Run: [HP Component Manager] "I:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "L:\Programs III\AdobeProgress\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "L:\Programs III\QuicktimeProgress\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [avast!] L:\PROGRA~1\AVASTA~1\ashDisp.exe
    O4 - HKLM\..\Run: [RemoteControl] I:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "J:\Program Files II\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Titlebar Add-Ons] "J:\Program Files II\PC Magazine Utilities\TitleBar Add-Ons\Titlebar Add-Ons.exe "
    O4 - HKCU\..\Run: [ATI DeviceDetect] L:\Programs III\ATIProgressMultiMediaC\main\ATIDtct.EXE
    O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] J:\Program Files II\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] J:\Program Files II\Picasa2\PicasaMediaDetector.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: Zone Labs Security.lnk = J:\Program Files II\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - Startup: tflash.lnk = L:\Programs III\TurnFlash\tflash.exe
    O4 - Global Startup: Zone Labs Security.lnk = J:\Program Files II\Zone Labs\ZoneAlarm\zlclient.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - L:\Programs III\javaruntimeprogr\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - L:\Programs III\javaruntimeprogr\bin\ssv.dll
    O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - L:\Programs III\ATIProgressMultiMediaC\dtv\EXPLBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/common/cab/DjVuControlLite_EN.cab
    O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - https://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - I:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
    O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatrol.com/pestscan/pestscan.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120188110157
    O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1120189214625
    O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
    O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4999/mcfscan.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15034/CTPID.cab
    O20 - AppInit_DLLs: zert_ani.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - L:\Programs III\AvastAntiVirus\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - I:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - I:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - ALWIL Software - L:\Programs III\AvastAntiVirus\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - L:\Programs III\AvastAntiVirus\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - L:\Programs III\AvastAntiVirus\ashWebSv.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - I:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - I:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: Google Updater Service (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - I:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Pml Driver HPZ12 - HP - I:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - I:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - I:\WINDOWS\system32\ZONELABS\vsmon.exe
    O24 - Desktop Component 0: (no name) - M:\Progress Workshop PlanetG\Editing Table\didi\TelGifR.gif

    --
    End of file - 10836 bytes

    -- HijackThis Fixed Entries (I:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

    backup-20071210-083903-648 O4 - HKLM\..\Run: [UVS10 Preload] J:\Program Files II\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
    backup-20071210-083903-660 O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - I:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

    -- File Associations -----------------------------------------------------------

    .cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1 ",%*

    .cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1 ",%*



    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R1 BANTExt (Belarc SMBios Access) - i:\windows\system32\drivers\bantext.sys
    R1 mbmiodrvr - i:\windows\system32\mbmiodrvr.sys <Not Verified; cansoft@livewiredev.com; Windows (R) 2000 DDK driver>
    R2 pciinfo (HP Pci Information) - i:\docume~1\mrf476~1.mik\locals~1\temp\hpispz\hpdom\pciinfo.sys (file missing)
    R2 PMEM - i:\windows\system32\drivers\pmemnt.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>

    S2 ATIBTCAP (ATI TV Wonder Video Capture) - i:\windows\system32\drivers\atibtcap.sys <Not Verified; ATI Technologies, Inc.; atibtcap.sys>
    S3 grmnusb - i:\windows\system32\drivers\grmnusb.sys <Not Verified; GARMIN Corp.; Garmin USB GPS>
    S3 PSI - i:\windows\system32\drivers\psi_mf.sys <Not Verified; Secunia; Secunia Personal Software Inspector>
    S3 RTCore32 - j:\program files ii\rightclckut\rtcore32.sys
    S3 TVICHW32 - i:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 CCALib8 (Canon Camera Access Library 8) - i:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Scheduled Tasks -------------------------------------------------------------

    2008-07-14 08:12:08 284 --a------ I:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    2007-11-28 22:40:20 800 --a------ I:\WINDOWS\Tasks\Progress Toolbx Bcup.job
    2007-11-24 15:46:48 258 --a------ I:\WINDOWS\Tasks\Calculator.job


    -- Files created between 2008-06-30 and 2008-07-31 -----------------------------

    2008-07-31 03:40:01 0 d-------- I:\Documents and Settings\Presence\Application Data\Macromedia
    2008-07-31 03:37:26 0 d-------- I:\Documents and Settings\Presence\Application Data\Adobe
    2008-07-31 02:27:18 0 d-------- I:\Documents and Settings\Presence\Application Data\Identities
    2008-07-31 02:26:43 0 d--h----- I:\Documents and Settings\Presence\PrintHood
    2008-07-31 02:26:43 0 d--h----- I:\Documents and Settings\Presence\NetHood
    2008-07-31 02:26:43 0 dr------- I:\Documents and Settings\Presence\My Documents
    2008-07-31 02:26:43 0 dr------- I:\Documents and Settings\Presence\Favorites
    2008-07-31 02:26:43 0 d-------- I:\Documents and Settings\Presence\Desktop
    2008-07-31 02:26:43 0 d--hs---- I:\Documents and Settings\Presence\Cookies
    2008-07-31 02:26:43 0 dr-h----- I:\Documents and Settings\Presence\Application Data
    2008-07-31 02:26:43 0 d---s---- I:\Documents and Settings\Presence\Application Data\Microsoft
    2008-07-31 02:26:42 0 d--h----- I:\Documents and Settings\Presence\Templates
    2008-07-31 02:26:42 0 dr------- I:\Documents and Settings\Presence\Start Menu
    2008-07-31 02:26:42 0 dr-h----- I:\Documents and Settings\Presence\SendTo
    2008-07-31 02:26:42 0 dr-h----- I:\Documents and Settings\Presence\Recent
    2008-07-31 02:26:42 1310720 --ah----- I:\Documents and Settings\Presence\NTUSER.DAT
    2008-07-31 02:26:42 0 d--h----- I:\Documents and Settings\Presence\Local Settings
    2008-07-31 01:11:13 0 d-------- I:\WINDOWS\Logs
    2008-07-30 19:32:06 0 d-------- I:\Documents and Settings\Mr. Mike\Application Data\HouseCall 6.6
    2008-07-30 03:22:42 60928 --a------ I:\WINDOWS\system32\blphcv4kj0e1ga.scr <Not Verified; Sysinternals; Sysinternals Blue Screen>
    2008-07-20 16:47:18 0 d-------- I:\WINDOWS\Prefetch
    2008-07-20 16:35:45 0 d-------- I:\WINDOWS\system32\scripting
    2008-07-20 16:35:44 0 d-------- I:\WINDOWS\l2schemas
    2008-07-20 16:35:42 0 d-------- I:\WINDOWS\system32\en
    2008-07-20 16:35:41 0 d-------- I:\WINDOWS\system32\bits
    2008-07-20 16:30:27 0 d-------- I:\WINDOWS\ServicePackFiles
    2008-07-20 16:14:15 0 d-------- I:\WINDOWS\EHome
    2008-07-02 21:07:20 0 --a------ I:\Progress


    -- Find3M Report ---------------------------------------------------------------

    2008-07-09 22:26:12 4212 ---h----- I:\WINDOWS\system32\zllictbl.dat
    2008-06-27 23:35:28 324 --a------ I:\ituninst.bat
    2008-06-02 01:11:28 2546 --a------ I:\WINDOWS\unins000.dat
    2008-06-02 01:09:30 691545 --a------ I:\WINDOWS\unins000.exe
    2008-05-02 19:18:46 8192 --ahs---- I:\Documents and Settings\Mr. Mike\Application Data\Thumbs.db


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown



    -- Hosts -----------------------------------------------------------------------

    127.0.0.1 www.007guard.com
    127.0.0.1 007guard.com
    127.0.0.1 008i.com
    127.0.0.1 www.008k.com
    127.0.0.1 008k.com
    127.0.0.1 www.00hq.com
    127.0.0.1 00hq.com
    127.0.0.1 010402.com
    127.0.0.1 www.032439.com
    127.0.0.1 032439.com

    8554 more entries in hosts file.


    -- End of Deckard's System Scanner: finished at 2008-07-31 04:46:15 ------------
     
  6. 2008/07/31
    KaleidiScope

    KaleidiScope Inactive Thread Starter

    Joined:
    2004/12/10
    Messages:
    63
    Likes Received:
    0
    Also: Backing up a..

    Bad Registry is also not a good idea...
     
  7. 2008/07/31
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi KaleidiScope
    First I have a question and some requests.

    Is the I drive the one that was infected? I ask because normally the main Drive is C or sometimes D.

    Next, You will need to run any tools while logged onto the user account that was first infected.

    Please open Notepad and uncheck Word Wrap, it is found in the format tab.

    dss.exe needs to be on your Desktop, not in a folder on the desktop or any other location. The Green icon needs to be showing on the desktop.

    Now please do this in the order given.

    ** dss.exe must be on the desktop for the following command to work. **

    Highlight and copy the bolded command below.

    "%userprofile%\desktop\dss.exe" /daft
    • Click Start>Run and paste the command in the run box, then hit enter.
    • An interface of Deckards file association fix will open.
    • Click Scan.
    • Check the box next to the following, then click Fix.
      • .cpl
    • Exit when complete.

    Now this.

    Download Malwarebytes' Anti-Malware (MBAM) from here or here and save the file to your desktop.

    Double click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select 'Perform Quick Scan', then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note below)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Post the entire report in your next reply along with a fresh HijackThis log.

    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    Please post the MBAM log and a new dss log.

    Thanks
    Geri
     
    Geri,
    #6
  8. 2008/07/31
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Also
    dss will try to enable system restore, please let it do so.

    An infected system restore point is better than no restore point.

    Geri
     
    Geri,
    #7
  9. 2008/07/31
    KaleidiScope

    KaleidiScope Inactive Thread Starter

    Joined:
    2004/12/10
    Messages:
    63
    Likes Received:
    0
    Thanks for reply

    posting at your site is hit and miss 5:08 pm... got limitations to using two users. Considering the south bridge on a KT7 does not multi-task that well. Nor the applications.. Zone Alarm, Avast etc. Turn them on, turn them off. (I might just say I'm jumping off the south bridge. With a Q9450 someday).

    Won't be able to post for a couple of days till I get some more time. Thanks for help.

    Wanted to add this link for
    How To Install and Use The Recovery Console in Windows XP
    http://support.microsoft.com/kb/KB307654..

    For other readers.

    Yeah I don't have a desktop.. No Icons are available. To do this!

    As for backing up, or turning on Restore Points. I usually have one, and one only. On a 6+ Drive/partitioned system. Problem being a Dual Boot machine/Fat32 - where while using Applications (and File System) Registry, and Applications (saved files settings).. I do not want to mesh.

    +Think I will first: +Defrag the drive/Delete the User.
    +Scan the Registry on a New User. And migrate the settings to the new user.

    Something such as this. When I return to use the Tools you showed me, I will be doing a different user on the same machine. Need some schooling on how to run User Policies. Yet on a Home Edition machine,....

    We'll have to agree to disagree on backing up an infected set of information. Depends a lot on your setup.

    note: The Screen Saver which runs when switching between users... this may be a problem for security's sake. As well, in addition, it is a problem on a 1/8 operating machine such as mine still using a 200Mhz bus for sure.

    Try castigating from the hardware side.... and PS: I'm listening. :cool: Will use your post very carefully. Sorry couldn't do that just now.
     
    Last edited: 2008/07/31
  10. 2008/07/31
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi KaleidiScope
    If you are unwilling to do things in the order given, and no more than required to complete those instructions, I will be unable to assist you.

    There's no way I'll be able to tell what you have or have not done and what the consequences of the changes you make may be, when telling you to run the tools I ask you to run.

    You do what you feel you need to do, then after you have done all you feel you need to do, then come back if you still require help.

    Geri
     
    Geri,
    #9
  11. 2008/08/01
    KaleidiScope

    KaleidiScope Inactive Thread Starter

    Joined:
    2004/12/10
    Messages:
    63
    Likes Received:
    0
    Thanks Geri

    :rolleyes:
    Let's see.. was no way to look at the desktop. However, through Files/Folder could negotiate seeing them.
    DSS.exe did not want to start. Had to delete it. Then download the file a second attempt.
    Malwarebytes.. the Updater did not update. However with the larger application running, simply updated it. Then ran the program.
    Desktop Right Click Menu - returned.
    Desktop Icons - returned.
    Holding for any of the error messages. Shown below deleted.

    Will still run Defrag, System File Checker.

    Interesting. Groovy.

    Note: Same disclaimer here as previous post. Composition of these files and structures are those of the poster <KaleidiScope>***. Illegal use of its contents is prohibited.

    ***Declined by poster. Thanks.

    Results.. Found two malware "Trojan Fake Alerts" (.bmp and .scr).
    Converted Original Wall Paper, Converted Wall Paper,
    Screensaver.exe

    Should I worry about "O24 - Desktop Component 0: (no name) - (no file)"?

    Malwarebytes' Anti-Malware 1.24
    Database version: 1014

    Malware bytes.....

    Windows 5.1.2600 Service Pack 3

    9:11:51 PM 7/31/2008
    mbam-log-7-31-2008 (21-11-51).txt

    Scan type: Quick Scan
    Objects scanned: 46990
    Time elapsed: 6 minute(s), 11 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 3
    Registry Data Items Infected: 3
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    I:\WINDOWS\system32\phcv4kj0e1ga.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    I:\WINDOWS\system32\blphcv4kj0e1ga.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.






    Hijack This Fresh Log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:20:26 PM, on 7/31/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    I:\WINDOWS\System32\smss.exe
    I:\WINDOWS\system32\winlogon.exe
    I:\WINDOWS\system32\services.exe
    I:\WINDOWS\system32\lsass.exe
    I:\WINDOWS\system32\Ati2evxx.exe
    I:\WINDOWS\system32\svchost.exe
    I:\WINDOWS\System32\svchost.exe
    I:\WINDOWS\system32\spoolsv.exe
    L:\Programs III\AvastAntiVirus\aswUpdSv.exe
    L:\Programs III\AvastAntiVirus\ashServ.exe
    I:\WINDOWS\system32\cisvc.exe
    I:\WINDOWS\system32\CTsvcCDA.exe
    I:\WINDOWS\system32\HPZipm12.exe
    I:\WINDOWS\system32\svchost.exe
    I:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    I:\WINDOWS\system32\ZONELABS\vsmon.exe
    I:\WINDOWS\system32\Ati2evxx.exe
    I:\WINDOWS\system32\MsPMSPSv.exe
    I:\Program Files\Canon\CAL\CALMAIN.exe
    I:\WINDOWS\Explorer.EXE
    L:\Programs III\AvastAntiVirus\ashWebSv.exe
    I:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    I:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    I:\WINDOWS\CTHELPER.EXE
    I:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE
    L:\Programs III\javaruntimeprogr\bin\jusched.exe
    I:\WINDOWS\system32\wscntfy.exe
    J:\Program Files II\Motherboard Monitor 5\MBM5.EXE
    I:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    I:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    L:\PROGRA~1\AVASTA~1\ashDisp.exe
    I:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
    I:\WINDOWS\system32\ctfmon.exe
    J:\Program Files II\PC Magazine Utilities\TitleBar Add-Ons\Titlebar Add-Ons.exe
    L:\Programs III\ATIProgressMultiMediaC\main\ATIDtct.EXE
    J:\Program Files II\Zone Labs\ZoneAlarm\zlclient.exe
    L:\Programs III\TurnFlash\tflash.exe
    I:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
    I:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
    I:\WINDOWS\system32\wuauclt.exe
    I:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.***.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - L:\Programs III\javaruntimeprogr\bin\ssv.dll
    O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - I:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
    O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - I:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
    O4 - HKLM\..\Run: [EM_EXEC] "I:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE "
    O4 - HKLM\..\Run: [CTSysVol] "I:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe "
    O4 - HKLM\..\Run: [UpdReg] "I:\WINDOWS\UpdReg.EXE "
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [CTDVDDET] "I:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "L:\Programs III\javaruntimeprogr\bin\jusched.exe "
    O4 - HKLM\..\Run: [RoxioEngineUtility] "I:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe "
    O4 - HKLM\..\Run: [MimBoot] "I:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe "
    O4 - HKLM\..\Run: [MBM 5] "J:\Program Files II\Motherboard Monitor 5\MBM5.EXE "
    O4 - HKLM\..\Run: [HP Software Update] "I:\Program Files\HP\HP Software Update\HPWuSchd2.exe "
    O4 - HKLM\..\Run: [HP Component Manager] "I:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "L:\Programs III\AdobeProgress\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "L:\Programs III\QuicktimeProgress\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [avast!] L:\PROGRA~1\AVASTA~1\ashDisp.exe
    O4 - HKLM\..\Run: [RemoteControl] I:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "J:\Program Files II\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Titlebar Add-Ons] "J:\Program Files II\PC Magazine Utilities\TitleBar Add-Ons\Titlebar Add-Ons.exe "
    O4 - HKCU\..\Run: [ATI DeviceDetect] L:\Programs III\ATIProgressMultiMediaC\main\ATIDtct.EXE
    O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] J:\Program Files II\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] J:\Program Files II\Picasa2\PicasaMediaDetector.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: Zone Labs Security.lnk = J:\Program Files II\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - Startup: tflash.lnk = L:\Programs III\TurnFlash\tflash.exe
    O4 - Global Startup: Zone Labs Security.lnk = J:\Program Files II\Zone Labs\ZoneAlarm\zlclient.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - L:\Programs III\javaruntimeprogr\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - L:\Programs III\javaruntimeprogr\bin\ssv.dll
    O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - L:\Programs III\ATIProgressMultiMediaC\dtv\EXPLBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/common/cab/DjVuControlLite_EN.cab
    O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - https://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - I:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120188110157
    O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1120189214625
    O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4999/mcfscan.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15034/CTPID.cab
    O20 - AppInit_DLLs: zert_ani.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - L:\Programs III\AvastAntiVirus\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - I:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - I:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - ALWIL Software - L:\Programs III\AvastAntiVirus\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - L:\Programs III\AvastAntiVirus\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - L:\Programs III\AvastAntiVirus\ashWebSv.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - I:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - I:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: Google Updater Service (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - I:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Pml Driver HPZ12 - HP - I:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - I:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - I:\WINDOWS\system32\ZONELABS\vsmon.exe
    O24 - Desktop Component 0: (no name) - (no file)

    --
    End of file - 10290 bytes

    ++++++++++++++++++++++++++++++ Posted www.windowsbb.com....7-30-08++++++++++++++++++++

    Thanks Gerry !! www.windowsbb.com !!
    :eek:
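As an added example (not code from this thread or from Malwarebytes), a small parser for the MBAM 1.x log format quoted in the post above. It pulls every finding out of its section and maps each "Registry Data Items" entry back to the part of the XP shell it was hiding, which is why the Desktop and Screen Saver tabs were missing; the table also lists the other standard Display Properties policy values, which do not occur in this log. SAMPLE_LOG is constructed from the quoted lines.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and explain the shell
restrictions it undid.  Added example for this thread, not code from the
post or from Malwarebytes; SAMPLE_LOG is constructed from the quoted log."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: sections of the log quoted above, same layout.
SAMPLE_LOG = r"""Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
I:\WINDOWS\system32\phcv4kj0e1ga.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
I:\WINDOWS\system32\blphcv4kj0e1ga.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# One finding line: "<target> (<family>) -> [Bad: (x) Good: (y) -> ]<action>".
# The lazy target plus the mandatory ") -> " after the family keeps a path
# such as "Program Files (x86)" from being mistaken for the family.
ITEM_RE = re.compile(
    r"^(?P<target>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?"
    r"(?P<action>.+)$"
)

# Registry values that hide parts of the XP shell: the value MBAM reports as
# "Bad" and the UI element that value removes.  The first three appear in
# this thread; the rest are the other standard Display Properties policies.
SHELL_RESTRICTIONS: Dict[str, Tuple[str, str]] = {
    "NoDispBackgroundPage": ("1", "Desktop tab of Display Properties"),
    "NoDispScrSavPage": ("1", "Screen Saver tab of Display Properties"),
    "Start_ShowMyComputer": ("0", "My Computer on the Start menu"),
    "NoDispAppearancePage": ("1", "Appearance tab of Display Properties"),
    "NoDispSettingsPage": ("1", "Settings tab of Display Properties"),
    "NoDispCPL": ("1", "the whole Display control panel"),
}

@dataclass
class Finding:
    section: str
    target: str
    family: str
    action: str
    bad: Optional[str] = None   # only on "Registry Data Items" lines
    good: Optional[str] = None

def parse_mbam_log(text: str) -> List[Finding]:
    """Return every finding line, tagged with the section it sits under."""
    findings: List[Finding] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):          # "Files Infected:" and friends
            section = line[:-1]
            continue
        m = ITEM_RE.match(line) if section else None
        if m:                           # "(No malicious items detected)" never matches
            findings.append(Finding(section, m["target"], m["family"],
                                    m["action"], m["bad"], m["good"]))
    return findings

def explain_shell_restrictions(findings: List[Finding]) -> List[Tuple[str, str]]:
    """(value name, hidden UI element) for each restriction MBAM reversed."""
    hits = []
    for f in findings:
        if f.section != "Registry Data Items Infected":
            continue
        name = f.target.rsplit("\\", 1)[-1]
        if name in SHELL_RESTRICTIONS and f.bad == SHELL_RESTRICTIONS[name][0]:
            hits.append((name, SHELL_RESTRICTIONS[name][1]))
    return hits
```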
     
  12. 2008/08/01
    KaleidiScope

    The Force Be With You Gerry.

    Should I send their information to the malware application people from the scan?

    Wonder how come Avast didn't find screensaver.exe?

    Is this sufficient, should I be wary of simply continuing as normal now? Anything else I should do? I wouldn't want to be putting crud out to anybody/everyone/anyone I visited. Or dump some unknown application on just running it.

    Have run Avast, HouseCall, HijackThis, Malwarebytes, Spybot Search & Destroy.

    Or should I be anything other than 'happy' to have this stuff found? I'll just leave this answer to 'well enough alone'. To your reply.. good day, good night.

    PS: Got Tabs Back On Display Properties
    Icons Showing On Desktop
    Show Icons' menu returned.
     
    Last edited: 2008/08/01
  13. 2008/08/01
    Geri
    Hi
    That's not necessary.


    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.***.com/ <<Fix this if you don't know what it is, the board blocked out the name.
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O24 - Desktop Component 0: (no name) - (no file)


    Now close all windows other than HiJackThis, then click Fix Checked.

    Close HJT.

    Now do this.
    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    Now an on-line scan.

    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

    Thanks
    Geri
     
  14. 2008/08/02
    KaleidiScope

    :rolleyes:

    Somehow the sequence of your instructions is off. :cool: In Panda ActiveScan. :eek:
    Perhaps I might have been told to 'register' for the program which 'Deletes' the found files. There are a couple of Options at that Panda Site.
    One Option is the Freebie w/o Registration which only scans and Sends data back to Panda. The Other Option Is the Register... Then Scan - which has the Option of Cleaning files found.

    I did the Scan, where I could not understand.. Nothing asked for Email, address, and nothing for country etc (as you show). It is how I stated though. I would have to first 'Register', Receiving an Email for Verification, then, Sign In.

    It would have of course been simpler to first Register, then Scan. Since even though there was a prompt to Register with the sequence I did AFTER Scanning, I did not receive an Email. Then upon attempting to Log In, I was told to wait for the Email. The browser shut down.

    This after a 5 hr scan.

    Oops! There's been an error...
    Don't worry, we've taken note and we're working on a solution. Please try again later.



    Anyway..
    I'm not complaining. Patience is like stone :cool: around here.

    Try again tomorrow. Maybe I'll have the email when I wake.
     
  15. 2008/08/02
    KaleidiScope

    Panda Active Scan 2 with "Export File.txt" Results


    This is the Panda ActiveScan 2 page I get from your link:

    http://www.pandasecurity.com/homeusers/solutions/activescan/?


    Scanned 1,200,000+ files.

    3 something or anothers (can't look back).

    1 Suspicious.
    At the end of the Panda Scan I have a:

    "Sign Up Now "
    Threats with free disinfection(1) Export To:(SavesText)
    +Low danger level(1)
    Tree: TRj/CI.A Virus Latent Show +Info not disinfectable.
    Threats disinfecton with paid version(2)
    +Low danger level(1)
    Tree: Cooke/BurstNe.. Tracking Cookie Laten Show+Info
    Cookie/BurstBe.. Tracking Cookie Laten Show +Info

    -Suspicious Files(1)
    C:\Program Files\Viewpoint\Viewpoint Toolbar\Viewbar.dll

    This is what the ''Export To: Text File'' looks like:


    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2008-08-02 07:40:48
    PROTECTIONS: 1
    MALWARE: 3
    SUSPECTS: 1
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    Zone Alarm Security Suite 7.0.483.000 No No
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\WINDOWS\Cookies\***[2].txt[/email]
    00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\WINDOWS\Cookies\***[2].txt[/email]
    03074964 Trj/CI.A Virus/Trojan No 0 No No G:\More Archives\Camel XII To Jan 26 04d\Camel XII Workshop Nov 19 03\Working Downloads\newslimbrowser\sbrowser.exe[²≡\ExtractDLL.dll]
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location
    ;===================================================================================================================================================================================
    Yes C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================


    Maybe Panda Updated their web site since you last visited ? These cookies should have been searched and found first I think.


    Could have typo'd my email address on signing in. The Virus was detected on the C: Drive. Where I have W98SE.
     
    Last edited: 2008/08/02
  16. 2008/08/02
    Geri
    Hi KaleidiScope
    Ok the Panda scan is good, nothing in it to worry about.

    You can delete dss.exe and this folder J:\Deckard.

    How are things running?

    Thanks
    Geri
     
  17. 2008/08/02
    KaleidiScope

    KaleidiScope Inactive Thread Starter

    Joined:
    2004/12/10
    Messages:
    63
    Likes Received:
    0
    Windows Task Manager... shows the computer is revving around
    6 to 16% as I write this. Which is a lot better than
    100% most of the time.
    It is also 10 degrees cooler.

    Previous to the previous set of scans:

    Defragged the System Drive,
    Ran Registry Distiller. Deleting several Registry Stragglers.
    Created Custom Registry Backup.
    Ran System File Checker with a /runonce . Scanning on a Reboot.
    Changed the Videos Resolution Several Times.
    Created a custom set of Restore points.
    Lowered the size of the IE Internet Cache.

    The Windows Task Manager BTW won't start unless I use the
    Left Ctrl and Right Alt keys on the keyboard. Maybe something
    stuck under one of my keys here.

    Do you know where I could go to get some savvy on running and
    taking advantage of the more complex indicators on the XP Op.Sys.
    Machine here.. Such as Computer Management Console?

    There are some indicators in the ''Alerts and Logs''
    I would like to decipher. They show certain 'x' ''Errors'' to
    x-drive. I don't know what to make of it.

    Norton System Works was a real winner on W98. Is a good
    program I should take to manage XP?

    - The computer does not run well if using and switching
    between two open sessions with two
    users (two accounts). Since some programs
    continue to run, Anti-Virus, Web Connection,
    ..the printer will freeze the system. [1][ ] and

    [2][ ] Questions pertain to a computer
    'account creation'. Be said that
    running in Administrator mode
    isn't a best option. However
    only a Limited account is available.
    This from a security standpoint.
    Howbeit, choosing EXACTLY what to
    be done is only being savvy of
    Policies. Not available on an XP Home computer.

    _________
    Of course again, this is a 200 MHz system.
    Aside from the more ludicrous misgivings of the Op.Sys.
    (Everything running to Update at the start of a Connected
    Session. Which Needs to be something considered in the
    Add/Remove programs with an API - ''Update Control" (among
    others such as File Associations as well. In Add/Remove, and APIs.)
    *Can't use a Folder Background Customization to XP.

    note: The Firewall's Logs can give a great deal of information
    pertaining to program activity. Or behavior. Avast freebie
    Anti-Virus is a great program. It actually is a 'suite' of
    programs. With a Resident program that worked for me here.
    :p
     
  18. 2008/08/02
    Geri
    Hi
    Keyboard problem would be my guess also.

    I would post over on the "Other Software" forum or maybe the XP forum, they would be better advised there than I would.

    I would Google them to see what you come up with.

    This could also be because of it being a 200 MHz system, that is not very comparative to a newer system.

    These are not really security related problems and you will get better help on the other forums here than I would be able to give you, that is what they do there and they know more than I do about such things.

    Geri
     
  19. 2008/08/03
    KaleidiScope

    KaleidiScope Inactive Thread Starter

    Joined:
    2004/12/10
    Messages:
    63
    Likes Received:
    0
    Can you tell me. The Fade Screen (much like that of the Windows Logoff just before choosing from Shut-Down on a Windows machine), which takes place also following "Logging Off" at this forum. That is normal? 1.[ ]

    I have not ever seen that for a feature of a given site. So I'm not joking if you could tell me yes or no for the screen that happens following logging off for the windowsbbs.com site here. If you could tell me.

    Takes code, got to know if it's on your end or mine. Some kind of ActiveX maybe. Usually stuff like that will not run unless there is a specific indicator from the browser. IE here.

    This Screen fades all of the color of the monitor shown on the screen within IE, fading from a high color black white to a somewhat low color black white. Replacing the colors on the screen when it does. It continues until finally log off is done for the windowsbbs.com site here.

    How can I turn this off. 2. [ ]

    Thanks for your help, Gerry.
     
  20. 2008/08/03
    Geri
    Hi KaleidiScope
    This is a new feature here with the upgrade that Arie made to Windowsbbs. It will also happen switching between posts.
    I'm not positive but I don't believe you can turn it off?

    You can ask over on the Comments & Suggestions forum, Arie will see your post there before he will see it here I believe.

    Geri
     
  21. 2008/08/04
    KaleidiScope

    KaleidiScope Inactive Thread Starter

    Joined:
    2004/12/10
    Messages:
    63
    Likes Received:
    0
    Now this is interesting. An Advertisement within your post "After" I sign in,and 'While''I'm posting.

    Thanks Geri.
    Uh. Roger that. hmmm. KaleidiScope out.
     
