
Solved No Control Panel, recurrent security alert, Virusprotect v3.8

Discussion in 'Malware and Virus Removal Archive' started by gkyoder, 2007/11/24.

  1. 2007/11/24
    gkyoder (Thread Starter)

    [Resolved] No Control Panel, recurrent security alert, Virusprotect v3.8

    Note: this seems to be the same problem posted by treend at http://www.windowsbbs.com/showthread.php?t=69068, which I am assuming is thread 69068?

    I have what I believe to be VirusProtect v3.8, which has removed my ability to add/delete programs; a window pops up twice saying the operation has been cancelled due to restrictions on the computer - contact system administrator. It also pops up a security alert warning "Potential Spyware operation!" about every 5 minutes.

    I have run the Symantec and AVG virus checkers multiple times and Ad-Aware (by Lavasoft), which has cleaned many items. Every time I reboot I get another wave of viruses to clean up, though.

    I am prepared to follow the instructions provided by Geri at http://www.windowsbbs.com/showthread.php?t=69068 but would like someone to review the output from HijackThis provided below.

    Thanks for the support.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:07:09 PM, on 11/24/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\arservice.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\WINDOWS\ARPWRMSG.EXE
    C:\Program Files\Digital Media Reader\readericon45G.exe
    C:\WINDOWS\zHotkey.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Messenger\msmsgs.exe
    J:\ActiveSync4.2\wcescomm.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\BigFix\bigfix.exe
    J:\ACTIVE~1.2\rapimgr.exe
    C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HiJackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
    O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\system32\bronto.dll
    O2 - BHO: (no name) - {DABCE839-3831-3818-AF3A-3837BCD324D2} - C:\WINDOWS\system32\mskvtns.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [Power2GoExpress] NA
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [H/PC Connection Agent] "J:\ActiveSync4.2\wcescomm.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Video Add-on\icthis.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - J:\ACTIVE~1.2\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - J:\ACTIVE~1.2\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - J:\ACTIVE~1.2\INetRepl.dll
    O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
    O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - M:\Program Files\AIM95\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - AppInit_DLLs: C:\WINDOWS\system32\sol491.txt
    O22 - SharedTaskScheduler: ineffulgent - {b585105c-0e84-4ef0-9c6a-fbe134a72945} - C:\WINDOWS\system32\ivrllc.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 11406 bytes
     
  2. 2007/11/24
    noahdfear

    Welcome to WindowsBBS gkyoder :)

    Download SmitfraudFix by S!Ri, saving it to the desktop.

    Download Deckard's System Scanner (dss.exe) and save it to your desktop.

    Scan again with HijackThis and place a check next to the following entry, then click Fix Checked.

    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    • Restart the computer in Safe Mode by tapping the F8 key upon startup and selecting Safe Mode from the Advanced Startup Menu. Logon to your account.
    • Double-click SmitfraudFix.exe to start the tool and press 2, then hit Enter.
    • You will be prompted 'Do you want to clean the registry?' answer Y (yes) and hit Enter.
    • If prompted to replace the infected wininet.dll file (if found), answer Y (yes) and hit Enter to restore a clean file.
    • Reboot to normal mode when the tool completes.


    • Close all applications and windows.
    • Double click on dss.exe to run it and follow the prompts.
    • When the scan is complete, two text files will open; main.txt, which will be maximized and extra.txt, which will be minimized.
    Post the contents of main.txt and C:\rapport.txt
     


  4. 2007/11/24
    gkyoder (Thread Starter)

    Smitfraudfix and DSS logs

    Contents of rapport.txt

    SmitFraudFix v2.253

    Scan done at 14:31:33.01, Sat 11/24/2007
    Run from C:\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{b585105c-0e84-4ef0-9c6a-fbe134a72945}"="ineffulgent"

    [HKEY_CLASSES_ROOT\CLSID\{b585105c-0e84-4ef0-9c6a-fbe134a72945}\InProcServer32]
    @="C:\WINDOWS\system32\ivrllc.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{b585105c-0e84-4ef0-9c6a-fbe134a72945}\InProcServer32]
    @="C:\WINDOWS\system32\ivrllc.dll"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri

    C:\WINDOWS\system32\ivrllc.dll -> Hoax.Win32.Renos.gen.o
    C:\WINDOWS\system32\ivrllc.dll -> Deleted


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\system32\bronto.dll Deleted
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
    C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url Deleted
    C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url Deleted
    C:\Program Files\Video Add-on\ Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{281D5AA7-DCED-41EC-83A3-B11FFAF0D992}: DhcpNameServer=24.92.226.9 24.92.226.102
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{281D5AA7-DCED-41EC-83A3-B11FFAF0D992}: DhcpNameServer=24.92.226.9 24.92.226.102
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{281D5AA7-DCED-41EC-83A3-B11FFAF0D992}: DhcpNameServer=24.92.226.9 24.92.226.102
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.92.226.9 24.92.226.102
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.92.226.9 24.92.226.102
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.92.226.9 24.92.226.102


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End


    MAIN.TXT-output--------------------------------------------------------------

    Deckard's System Scanner v20071014.68
    Run by Owner on 2007-11-24 14:47:09
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    89: 2007-11-24 19:47:17 UTC - RP430 - Deckard's System Scanner Restore Point
    88: 2007-11-24 02:03:06 UTC - RP429 - Installed AVG 7.5
    87: 2007-11-23 22:47:35 UTC - RP428 - Installed Ad-Aware 2007
    86: 2007-11-23 15:35:11 UTC - RP427 - System Checkpoint
    85: 2007-11-22 15:03:21 UTC - RP426 - System Checkpoint


    -- First Restore Point --
    1: 2007-08-26 22:38:46 UTC - RP342 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis (run as Owner.exe) -----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:48:40 PM, on 11/24/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\arservice.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\WINDOWS\ARPWRMSG.EXE
    C:\Program Files\Digital Media Reader\readericon45G.exe
    C:\WINDOWS\zHotkey.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\DoScan.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Messenger\msmsgs.exe
    J:\ActiveSync4.2\wcescomm.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\BigFix\bigfix.exe
    C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
    J:\ACTIVE~1.2\rapimgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\SmitfraudFix\dss.exe
    C:\HIJACK~1\Owner.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
    O2 - BHO: (no name) - {DABCE839-3831-3818-AF3A-3837BCD324D2} - C:\WINDOWS\system32\mskvtns.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [Power2GoExpress] NA
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [H/PC Connection Agent] "J:\ActiveSync4.2\wcescomm.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - J:\ACTIVE~1.2\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - J:\ACTIVE~1.2\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - J:\ACTIVE~1.2\INetRepl.dll
    O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
    O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - M:\Program Files\AIM95\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - AppInit_DLLs: C:\WINDOWS\system32\sol491.txt
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 10967 bytes

    -- HijackThis Fixed Entries (C:\HIJACK~1\backups\) -----------------------------

    backup-20071124-142020-258 O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R1 PQNTDrv - c:\windows\system32\drivers\pqntdrv.sys <Not Verified; PowerQuest Corporation; PowerQuest product>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
    R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
    R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Scheduled Tasks -------------------------------------------------------------

    2007-11-19 21:30:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


    -- Files created between 2007-10-24 and 2007-11-24 -----------------------------

    2007-11-24 14:44:44 156336 --a------ C:\WINDOWS\dracee.exe
    2007-11-24 14:32:38 4320 --a------ C:\WINDOWS\system32\tmp.reg
    2007-11-24 14:31:06 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2007-11-24 14:31:06 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
    2007-11-24 14:31:06 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
    2007-11-24 14:31:06 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
    2007-11-24 14:31:06 51200 --a------ C:\WINDOWS\system32\dumphive.exe
    2007-11-24 14:16:42 0 d-------- C:\SmitfraudFix <SMITFR~1>
    2007-11-24 12:55:44 0 d-------- C:\HiJackThis
    2007-11-24 00:06:10 0 dr-h----- C:\$VAULT$.AVG
    2007-11-23 21:03:54 0 d-------- C:\Documents and Settings\Owner.YOUR-D3D3F0FEB8\Application Data\AVG7
    2007-11-23 21:03:39 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-11-23 21:03:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-11-23 21:03:07 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2007-11-23 19:01:58 166 --a------ C:\WINDOWS\system32\msftedswc.dll
    2007-11-23 18:54:03 3811 --a------ C:\WINDOWS\system32\msdtexch.dll
    2007-11-23 17:47:36 0 d-------- C:\Program Files\Lavasoft
    2007-11-23 17:47:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-11-23 17:46:10 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-11-23 17:10:58 0 d-------- C:\Program Files\Enigma Software Group
    2007-11-23 15:59:27 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
    2007-11-23 15:51:28 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP


    -- Find3M Report ---------------------------------------------------------------

    2007-11-24 14:44:26 0 d-------- C:\Documents and Settings\Owner.YOUR-D3D3F0FEB8\Application Data\OpenOffice.org2
    2007-11-24 14:44:17 0 d-------- C:\Program Files\Symantec AntiVirus
    2007-11-23 17:46:10 0 d-------- C:\Program Files\Common Files
    2007-11-23 15:59:45 0 d-------- C:\Program Files\QuickTime
    2007-11-14 19:14:31 0 d-------- C:\Program Files\Java
    2007-10-31 20:17:07 0 d-------- C:\Program Files\Viewpoint
    2007-10-31 20:16:55 0 d-------- C:\Program Files\AIM6
    2007-09-25 18:19:11 0 d-------- C:\Program Files\7-Zip


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DABCE839-3831-3818-AF3A-3837BCD324D2}]
    C:\WINDOWS\system32\mskvtns.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray "= "C:\WINDOWS\ehome\ehtray.exe" [08/05/2005 10:56 PM]
    "Google Desktop Search "= "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [08/10/2006 09:57 AM]
    "AlwaysReady Power Message APP "= "ARPWRMSG.EXE" [08/02/2005 06:19 PM C:\WINDOWS\arpwrmsg.exe]
    "readericon "= "C:\Program Files\Digital Media Reader\readericon45G.exe" [12/09/2005 08:44 PM]
    "CHotkey "= "zHotkey.exe" [12/08/2004 07:57 PM C:\WINDOWS\zHotkey.exe]
    "RTHDCPL "= "RTHDCPL.EXE" [11/09/2005 07:14 AM C:\WINDOWS\RTHDCPL.exe]
    "Alcmtr "= "ALCMTR.EXE" [05/02/2005 02:43 PM C:\WINDOWS\Alcmtr.exe]
    "Reminder "= "%WINDIR%\Creator\Remind_XP.exe" []
    "Recguard "= "%WINDIR%\SMINST\RECGUARD.EXE" []
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [11/30/2005 09:02 AM]
    "nwiz "= "nwiz.exe" [11/30/2005 09:02 AM C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [11/30/2005 09:02 AM]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [04/08/2005 02:52 PM]
    "vptray "= "C:\PROGRA~1\SYMANT~1\VPTray.exe" [04/17/2005 11:30 AM]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
    "MSKDetectorExe "= "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [08/12/2005 06:16 PM]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [10/30/2006 05:02 AM]
    "QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" [06/29/2007 05:24 AM]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [09/07/2007 03:55 PM]
    "SpyHunter "= "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe" [04/26/2007 06:03 PM]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [11/23/2007 09:03 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Power2GoExpress "= "NA" []
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 06:24 PM]
    "H/PC Connection Agent "= "J:\ActiveSync4.2\wcescomm.exe" [06/26/2006 03:13 PM]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 02:00 PM]
    "Aim6 "= "C:\Program Files\AIM6\aim6.exe" [10/04/2007 10:20 AM]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [05/27/2007 08:50 PM]

    C:\Documents and Settings\Owner.YOUR-D3D3F0FEB8\Start Menu\Programs\Startup\
    OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [12/14/2005 4:01:20 PM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
    BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [8/10/2006 10:05:36 AM]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 12:01:04 AM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle "=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme "=C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoControlPanel "=1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoControlPanel "=1 (0x1)
    "NoWindowsUpdate "=1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls "=C:\WINDOWS\system32\sol491.txt

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @= "Service "


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44099d41-287f-11db-8c3a-806d6172696f}]
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{def16138-9322-11db-80f7-0016ece6d4d9}]
    AutoRun\command- N:\wd_windows_tools\setup.exe




    -- End of Deckard's System Scanner: finished at 2007-11-24 14:49:25 ------------
     
  5. 2007/11/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please upload the following files to my submission channel. Leave a link back to this topic.

    C:\WINDOWS\dracee.exe
    C:\WINDOWS\system32\sol491.txt << if present

    Thanks!


    Scan again with HijackThis and fix the following entries.

    O2 - BHO: (no name) - {DABCE839-3831-3818-AF3A-3837BCD324D2} - C:\WINDOWS\system32\mskvtns.dll (file missing)
    O20 - AppInit_DLLs: C:\WINDOWS\system32\sol491.txt


    Highlight and copy the contents of the quote box below to a blank notepad. Save it to the desktop as;

    Filename: fix.reg
    Save as type: All Files (*.*)

    Double click fix.reg and allow it to merge with the registry.

    Delete the file C:\Info.exe if present

Create a fresh dss log and post its contents.
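A small triage helper for the kind of DSS and HijackThis lines in this thread, written here as an added example (it is not part of the thread, of DSS or of HijackThis). It flags the entries noahdfear acted on: policy values that lock the user out of the Control Panel and Windows Update, an AppInit_DLLs value that points at a non-DLL file, and a BHO whose file is missing; the sample log text is constructed from the lines quoted above.

```python
"""Triage the DSS "Registry Dump" and HijackThis lines posted in this thread.

Added example; not part of the thread, of DSS or of HijackThis. The sample
text at the bottom is constructed from lines quoted in the thread above.
"""
import re

# Policy value names that the malware on this machine flipped to 1.
LOCKOUT_POLICIES = {"nocontrolpanel", "nowindowsupdate", "disableregedit"}

# DSS prints values as  "Name "=data [timestamp]  and the forum rendering adds
# a stray space before the closing quote; tolerate both forms.
_VALUE_RE = re.compile(r'^"(?P<name>.*?)\s*"\s*=\s*"?(?P<data>.*?)"?\s*(\[.*\])?$')


def parse_registry_dump(text):
    """Yield (key, value_name, data) triples from a DSS-style registry dump."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group("name").strip(), m.group("data").strip()


def _dword_nonzero(data):
    """True for DSS DWORD renderings such as '1 (0x1)'; False for '0 (0x0)'."""
    m = re.match(r"(\d+)", data)
    return bool(m) and int(m.group(1)) != 0


def flag_registry(text):
    """Return human-readable findings for the suspicious entries in a dump."""
    findings = []
    for key, name, data in parse_registry_dump(text):
        lname = name.lower()
        if "\\policies\\" in key.lower() and lname in LOCKOUT_POLICIES \
                and _dword_nonzero(data):
            findings.append(f"lockout policy {name}=1 in {key}")
        # AppInit_DLLs is loaded into every process that links user32.dll;
        # a .txt path there is a renamed DLL, not a text file.
        if lname == "appinit_dlls" and data and not data.lower().endswith(".dll"):
            findings.append(f"AppInit_DLLs points at non-DLL file {data}")
    return findings


def flag_hijackthis(lines):
    """Flag O2 BHOs whose file is missing and O20 AppInit_DLLs non-DLL paths."""
    findings = []
    for line in lines:
        line = line.strip()
        if line.startswith("O2 - BHO:") and line.endswith("(file missing)"):
            findings.append(f"orphaned BHO: {line[len('O2 - BHO: '):]}")
        elif line.startswith("O20 - AppInit_DLLs:"):
            path = line.split(":", 1)[1].strip()
            if not path.lower().endswith(".dll"):
                findings.append(f"AppInit_DLLs points at non-DLL file {path}")
    return findings


# Constructed from the DSS dump posted above (only the relevant keys).
SAMPLE_DUMP = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray "= "C:\WINDOWS\ehome\ehtray.exe" [08/05/2005 10:56 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallTheme "=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel "=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel "=1 (0x1)
"NoWindowsUpdate "=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls "=C:\WINDOWS\system32\sol491.txt
'''

# Constructed from the HijackThis lines posted above.
SAMPLE_HJT = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {DABCE839-3831-3818-AF3A-3837BCD324D2} - C:\WINDOWS\system32\mskvtns.dll (file missing)",
    r"O20 - AppInit_DLLs: C:\WINDOWS\system32\sol491.txt",
]

if __name__ == "__main__":
    for finding in flag_registry(SAMPLE_DUMP) + flag_hijackthis(SAMPLE_HJT):
        print("FLAG:", finding)
```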
     
  6. 2007/11/24
    gkyoder

    gkyoder Inactive Thread Starter

    Joined:
    2007/11/24
    Messages:
    11
    Likes Received:
    0
    main.txt after running fix.reg as requested

    Uploaded the 2 requested files.

    There was no c:/info.exe to delete


    Deckard's System Scanner v20071014.68
    Run by Owner on 2007-11-24 15:37:02
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------



    -- HijackThis (run as Owner.exe) -----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:37:04 PM, on 11/24/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\arservice.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\WINDOWS\ARPWRMSG.EXE
    C:\Program Files\Digital Media Reader\readericon45G.exe
    C:\WINDOWS\zHotkey.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\DoScan.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Messenger\msmsgs.exe
    J:\ActiveSync4.2\wcescomm.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\BigFix\bigfix.exe
    C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
    J:\ACTIVE~1.2\rapimgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\SmitfraudFix\dss.exe
    C:\HIJACK~1\Owner.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [Power2GoExpress] NA
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [H/PC Connection Agent] "J:\ActiveSync4.2\wcescomm.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - J:\ACTIVE~1.2\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - J:\ACTIVE~1.2\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - J:\ACTIVE~1.2\INetRepl.dll
    O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
    O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - M:\Program Files\AIM95\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - AppInit_DLLs: C:\WINDOWS\system32\sol491.txt
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 10766 bytes

    -- Files created between 2007-10-24 and 2007-11-24 -----------------------------

    2007-11-24 14:44:44 156336 --a------ C:\WINDOWS\dracee.exe
    2007-11-24 14:32:38 4320 --a------ C:\WINDOWS\system32\tmp.reg
    2007-11-24 14:31:06 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2007-11-24 14:31:06 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
    2007-11-24 14:31:06 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
    2007-11-24 14:31:06 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
    2007-11-24 14:31:06 51200 --a------ C:\WINDOWS\system32\dumphive.exe
    2007-11-24 14:16:42 0 d-------- C:\SmitfraudFix <SMITFR~1>
    2007-11-24 12:55:44 0 d-------- C:\HiJackThis
    2007-11-24 00:06:10 0 dr-h----- C:\$VAULT$.AVG
    2007-11-23 21:03:54 0 d-------- C:\Documents and Settings\Owner.YOUR-D3D3F0FEB8\Application Data\AVG7
    2007-11-23 21:03:39 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-11-23 21:03:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-11-23 21:03:07 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2007-11-23 19:01:58 166 --a------ C:\WINDOWS\system32\msftedswc.dll
    2007-11-23 18:54:03 3811 --a------ C:\WINDOWS\system32\msdtexch.dll
    2007-11-23 17:47:36 0 d-------- C:\Program Files\Lavasoft
    2007-11-23 17:47:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-11-23 17:46:10 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-11-23 17:10:58 0 d-------- C:\Program Files\Enigma Software Group
    2007-11-23 15:59:27 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
    2007-11-23 15:51:28 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP


    -- Find3M Report ---------------------------------------------------------------

    2007-11-24 14:44:26 0 d-------- C:\Documents and Settings\Owner.YOUR-D3D3F0FEB8\Application Data\OpenOffice.org2
    2007-11-24 14:44:17 0 d-------- C:\Program Files\Symantec AntiVirus
    2007-11-23 17:46:10 0 d-------- C:\Program Files\Common Files
    2007-11-23 15:59:45 0 d-------- C:\Program Files\QuickTime
    2007-11-14 19:14:31 0 d-------- C:\Program Files\Java
    2007-10-31 20:17:07 0 d-------- C:\Program Files\Viewpoint
    2007-10-31 20:16:55 0 d-------- C:\Program Files\AIM6
    2007-09-25 18:19:11 0 d-------- C:\Program Files\7-Zip


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray "= "C:\WINDOWS\ehome\ehtray.exe" [08/05/2005 10:56 PM]
    "Google Desktop Search "= "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [08/10/2006 09:57 AM]
    "AlwaysReady Power Message APP "= "ARPWRMSG.EXE" [08/02/2005 06:19 PM C:\WINDOWS\arpwrmsg.exe]
    "readericon "= "C:\Program Files\Digital Media Reader\readericon45G.exe" [12/09/2005 08:44 PM]
    "CHotkey "= "zHotkey.exe" [12/08/2004 07:57 PM C:\WINDOWS\zHotkey.exe]
    "RTHDCPL "= "RTHDCPL.EXE" [11/09/2005 07:14 AM C:\WINDOWS\RTHDCPL.exe]
    "Alcmtr "= "ALCMTR.EXE" [05/02/2005 02:43 PM C:\WINDOWS\Alcmtr.exe]
    "Reminder "= "%WINDIR%\Creator\Remind_XP.exe" []
    "Recguard "= "%WINDIR%\SMINST\RECGUARD.EXE" []
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [11/30/2005 09:02 AM]
    "nwiz "= "nwiz.exe" [11/30/2005 09:02 AM C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [11/30/2005 09:02 AM]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [04/08/2005 02:52 PM]
    "vptray "= "C:\PROGRA~1\SYMANT~1\VPTray.exe" [04/17/2005 11:30 AM]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
    "MSKDetectorExe "= "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [08/12/2005 06:16 PM]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [10/30/2006 05:02 AM]
    "QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" [06/29/2007 05:24 AM]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [09/07/2007 03:55 PM]
    "SpyHunter "= "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe" [04/26/2007 06:03 PM]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [11/23/2007 09:03 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Power2GoExpress "= "NA" []
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 06:24 PM]
    "H/PC Connection Agent "= "J:\ActiveSync4.2\wcescomm.exe" [06/26/2006 03:13 PM]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 02:00 PM]
    "Aim6 "= "C:\Program Files\AIM6\aim6.exe" [10/04/2007 10:20 AM]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [05/27/2007 08:50 PM]

    C:\Documents and Settings\Owner.YOUR-D3D3F0FEB8\Start Menu\Programs\Startup\
    OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [12/14/2005 4:01:20 PM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
    BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [8/10/2006 10:05:36 AM]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 12:01:04 AM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle "=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme "=C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls "=C:\WINDOWS\system32\sol491.txt

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @= "Service "


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{def16138-9322-11db-80f7-0016ece6d4d9}]
    AutoRun\command- N:\wd_windows_tools\setup.exe




    -- End of Deckard's System Scanner: finished at 2007-11-24 15:37:37 ------------
     
  7. 2007/11/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
Thanks for the uploads! The sol491.txt file is definitely infected. The dracee.exe file came in at zero bytes, which means it didn't upload properly. Let's attack this another way.

    Download ComboFix by sUBs from here or here, saving the file to your desktop.

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    
    http://www.windowsbbs.com/showthread.php?p=373189#post373189
    
    File::
    C:\WINDOWS\system32\sol491.txt
    C:\WINDOWS\system32\tmp.reg
    C:\WINDOWS\system32\WS2Fix.exe
    C:\WINDOWS\system32\VCCLSID.exe
    C:\WINDOWS\system32\SrchSTS.exe
    C:\WINDOWS\system32\Process.exe
    C:\WINDOWS\system32\dumphive.exe
    Suspect::[22]
    C:\WINDOWS\dracee.exe
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    
Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh dss log. Let me know how things are working now.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Please note that I have instructed CFScript to collect the suspect file. This means that at some point, likely after reboot when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created on your desktop. The zip contains the aforementioned file. Please copy the path shown in the prompt and paste it into the box, then click Send.
    Thanks!
     
  8. 2007/11/24
    gkyoder

    gkyoder Inactive Thread Starter

    Joined:
    2007/11/24
    Messages:
    11
    Likes Received:
    0
    Output from Combofix

First, I am not sure I have said thanks for all your help. So thanks so much.
1.) Zip file has been submitted.
2.) On reboot I have a "Windows Security Alert": "Windows Firewall has blocked some features of this program. Do you want to keep blocking this program? Name: ActiveSync RAPI Manager, Publisher: Microsoft Corporation." Options are Keep Blocking, Unblock, Ask me later. We do use ActiveSync with our handheld PDAs for business purposes.
3.) I am no longer getting the 5 minute pop-up saying I have a security warning that was taking me to the VirusProtect v3.8 website. I have not tried to go to add/delete programs as I am following your instructions without deviating. Let me know if you want me to try other things to see how we are doing. - Thanks again

4.) Update - Just tried add/delete and was able to enter and display installed programs. So all seems well at this point. I will wait for your lead to go further.


    ------ ComboFix Log ------------------------------------------------------

    ComboFix 07-11-19.3 - Owner 2007-11-24 16:09:10.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.441 [GMT -5:00]
    Running from: C:\Documents and Settings\Owner.YOUR-D3D3F0FEB8\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Owner.YOUR-D3D3F0FEB8\Desktop\CFScript.txt
    * Created a new restore point

    FILE
    C:\WINDOWS\system32\dumphive.exe
    C:\WINDOWS\system32\Process.exe
    C:\WINDOWS\system32\sol491.txt
    C:\WINDOWS\system32\SrchSTS.exe
    C:\WINDOWS\system32\tmp.reg
    C:\WINDOWS\system32\VCCLSID.exe
    C:\WINDOWS\system32\WS2Fix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\dumphive.exe
    C:\WINDOWS\system32\Process.exe
    C:\WINDOWS\system32\sol491.txt
    C:\WINDOWS\system32\SrchSTS.exe
    C:\WINDOWS\system32\tmp.reg
    C:\WINDOWS\system32\VCCLSID.exe
    C:\WINDOWS\system32\WS2Fix.exe
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2007-10-24 to 2007-11-24 )))))))))))))))))))))))))))))))
    .

    2007-11-24 14:45 <DIR> d-------- C:\Deckard
    2007-11-24 14:44 156,336 --a------ C:\WINDOWS\dracee.exe
    2007-11-24 14:32 0 --a------ C:\WINDOWS\system32\tmp.txt
    2007-11-24 14:16 <DIR> d-------- C:\SmitfraudFix
    2007-11-24 12:55 <DIR> d-------- C:\HiJackThis
    2007-11-23 21:03 <DIR> d-------- C:\Documents and Settings\Owner.YOUR-D3D3F0FEB8\Application Data\AVG7
    2007-11-23 21:03 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-11-23 21:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-11-23 21:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2007-11-23 19:01 166 --a------ C:\WINDOWS\system32\msftedswc.dll
    2007-11-23 18:54 3,811 --a------ C:\WINDOWS\system32\msdtexch.dll
    2007-11-23 17:47 <DIR> d-------- C:\Program Files\Lavasoft
    2007-11-23 17:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-11-23 17:46 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-11-23 17:10 <DIR> d-------- C:\Program Files\Enigma Software Group
    2007-11-23 15:51 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2007-11-14 19:14 5,387 --a------ C:\WINDOWS\system32\jupdate-1.6.0_03-b05.log

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-24 21:12 --------- d-----w C:\Program Files\Symantec AntiVirus
    2007-11-24 19:44 --------- d-----w C:\Documents and Settings\Owner.YOUR-D3D3F0FEB8\Application Data\OpenOffice.org2
    2007-11-24 02:00 44,288 ----a-w C:\WINDOWS\system32\drivers\cdr4_xp.sys
    2007-11-23 20:59 --------- d-----w C:\Program Files\QuickTime
    2007-11-15 00:14 --------- d-----w C:\Program Files\Java
    2007-11-01 01:17 --------- d-----w C:\Program Files\Viewpoint
    2007-11-01 01:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2007-11-01 01:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
    2007-11-01 01:16 --------- d-----w C:\Program Files\AIM6
    2007-09-25 23:19 --------- d-----w C:\Program Files\7-Zip
    2006-10-26 10:38 35,032 ----a-w C:\Documents and Settings\Owner.YOUR-D3D3F0FEB8\Application Data\GDIPFONTCACHEV1.DAT
    2006-06-06 14:43 32,768 ----a-w C:\Documents and Settings\Owner.YOUR-D3D3F0FEB8\Application Data\rndcinscheck.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Power2GoExpress "= "NA" []
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24]
    "H/PC Connection Agent "= "J:\ActiveSync4.2\wcescomm.exe" [2006-06-26 15:13]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00]
    "Aim6 "= "C:\Program Files\AIM6\aim6.exe" [2007-10-04 10:20]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-27 20:50]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray "= "C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 22:56]
    "Google Desktop Search "= "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-08-10 09:57]
    "AlwaysReady Power Message APP "= "ARPWRMSG.EXE" [2005-08-02 18:19 C:\WINDOWS\arpwrmsg.exe]
    "readericon "= "C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 20:44]
    "CHotkey "= "zHotkey.exe" [2004-12-08 19:57 C:\WINDOWS\zHotkey.exe]
    "RTHDCPL "= "RTHDCPL.EXE" [2005-11-09 07:14 C:\WINDOWS\RTHDCPL.exe]
    "Reminder "= "%WINDIR%\Creator\Remind_XP.exe" []
    "Recguard "= "%WINDIR%\SMINST\RECGUARD.EXE" []
    "NvCplDaemon "= "RUNDLL32.exe" [2004-08-10 14:00 C:\WINDOWS\system32\rundll32.exe]
    "nwiz "= "nwiz.exe" [2005-11-30 09:02 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter "= "RUNDLL32.exe" [2004-08-10 14:00 C:\WINDOWS\system32\rundll32.exe]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 14:52]
    "vptray "= "C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 11:30]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
    "MSKDetectorExe "= "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 18:16]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-10-30 05:02]
    "QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 15:55]
    "SpyHunter "= "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe" [2007-04-26 18:03]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-23 21:03]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run "= "C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-23 21:03]

    C:\Documents and Settings\Owner.YOUR-D3D3F0FEB8\Start Menu\Programs\Startup\
    OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [2005-12-14 16:01:20]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
    BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2006-08-10 10:05:36]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle "= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme "= C:\WINDOWS\Resources\Themes\Royale.theme
    C:\WINDOWS\system32\NavLogon.dll 2005-04-17 11:30 43712 C:\WINDOWS\system32\NavLogon.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls "=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

    R3 EraserUtilDrv10733;EraserUtilDrv10733;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10733.sys

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{def16138-9322-11db-80f7-0016ece6d4d9}]
    \Shell\AutoRun\command - N:\wd_windows_tools\setup.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-20 02:30:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-24 16:13:59
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-24 16:15:27 - machine was rebooted
    .
    --- E O F ---

    ------------ DSS LOG post ComboFix run ---------------------------------
    Deckard's System Scanner v20071014.68
    Run by Owner on 2007-11-24 16:28:48
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------



    -- HijackThis (run as Owner.exe) -----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:28:50 PM, on 11/24/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\arservice.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\WINDOWS\ARPWRMSG.EXE
    C:\Program Files\Digital Media Reader\readericon45G.exe
    C:\WINDOWS\zHotkey.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\Messenger\msmsgs.exe
    J:\ActiveSync4.2\wcescomm.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Symantec AntiVirus\DoScan.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\BigFix\bigfix.exe
    J:\ACTIVE~1.2\rapimgr.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\SmitfraudFix\dss.exe
    C:\HIJACK~1\Owner.exe

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [Power2GoExpress] NA
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [H/PC Connection Agent] "J:\ActiveSync4.2\wcescomm.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - J:\ACTIVE~1.2\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - J:\ACTIVE~1.2\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - J:\ACTIVE~1.2\INetRepl.dll
    O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
    O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - M:\Program Files\AIM95\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 10678 bytes

    -- Files created between 2007-10-24 and 2007-11-24 -----------------------------

    2007-11-24 14:44:44 156336 --a------ C:\WINDOWS\dracee.exe
    2007-11-24 14:16:42 0 d-------- C:\SmitfraudFix <SMITFR~1>
    2007-11-24 12:55:44 0 d-------- C:\HiJackThis
    2007-11-24 00:06:10 0 dr-h----- C:\$VAULT$.AVG
    2007-11-23 21:03:54 0 d-------- C:\Documents and Settings\Owner.YOUR-D3D3F0FEB8\Application Data\AVG7
    2007-11-23 21:03:39 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-11-23 21:03:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-11-23 21:03:07 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2007-11-23 19:01:58 166 --a------ C:\WINDOWS\system32\msftedswc.dll
    2007-11-23 18:54:03 3811 --a------ C:\WINDOWS\system32\msdtexch.dll
    2007-11-23 17:47:36 0 d-------- C:\Program Files\Lavasoft
    2007-11-23 17:47:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-11-23 17:46:10 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-11-23 17:10:58 0 d-------- C:\Program Files\Enigma Software Group
    2007-11-23 15:59:27 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
    2007-11-23 15:51:28 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP


    -- Find3M Report ---------------------------------------------------------------

    2007-11-24 16:14:42 0 d-------- C:\Program Files\Symantec AntiVirus
    2007-11-24 16:14:34 0 d-------- C:\Documents and Settings\Owner.YOUR-D3D3F0FEB8\Application Data\OpenOffice.org2
    2007-11-23 17:46:10 0 d-------- C:\Program Files\Common Files
    2007-11-23 15:59:45 0 d-------- C:\Program Files\QuickTime
    2007-11-14 19:14:31 0 d-------- C:\Program Files\Java
    2007-10-31 20:17:07 0 d-------- C:\Program Files\Viewpoint
    2007-10-31 20:16:55 0 d-------- C:\Program Files\AIM6
    2007-09-25 18:19:11 0 d-------- C:\Program Files\7-Zip


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray "= "C:\WINDOWS\ehome\ehtray.exe" [08/05/2005 10:56 PM]
    "Google Desktop Search "= "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [08/10/2006 09:57 AM]
    "AlwaysReady Power Message APP "= "ARPWRMSG.EXE" [08/02/2005 06:19 PM C:\WINDOWS\arpwrmsg.exe]
    "readericon "= "C:\Program Files\Digital Media Reader\readericon45G.exe" [12/09/2005 08:44 PM]
    "CHotkey "= "zHotkey.exe" [12/08/2004 07:57 PM C:\WINDOWS\zHotkey.exe]
    "RTHDCPL "= "RTHDCPL.EXE" [11/09/2005 07:14 AM C:\WINDOWS\RTHDCPL.exe]
    "Reminder "= "%WINDIR%\Creator\Remind_XP.exe" []
    "Recguard "= "%WINDIR%\SMINST\RECGUARD.EXE" []
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [11/30/2005 09:02 AM]
    "nwiz "= "nwiz.exe" [11/30/2005 09:02 AM C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [11/30/2005 09:02 AM]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [04/08/2005 02:52 PM]
    "vptray "= "C:\PROGRA~1\SYMANT~1\VPTray.exe" [04/17/2005 11:30 AM]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
    "MSKDetectorExe "= "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [08/12/2005 06:16 PM]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [10/30/2006 05:02 AM]
    "QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" [06/29/2007 05:24 AM]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [09/07/2007 03:55 PM]
    "SpyHunter "= "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe" [04/26/2007 06:03 PM]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [11/23/2007 09:03 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Power2GoExpress "= "NA" []
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 06:24 PM]
    "H/PC Connection Agent "= "J:\ActiveSync4.2\wcescomm.exe" [06/26/2006 03:13 PM]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 02:00 PM]
    "Aim6 "= "C:\Program Files\AIM6\aim6.exe" [10/04/2007 10:20 AM]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [05/27/2007 08:50 PM]

    C:\Documents and Settings\Owner.YOUR-D3D3F0FEB8\Start Menu\Programs\Startup\
    OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [12/14/2005 4:01:20 PM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
    BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [8/10/2006 10:05:36 AM]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 12:01:04 AM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle "=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme "=C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @= "Service "


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{def16138-9322-11db-80f7-0016ece6d4d9}]
    AutoRun\command- N:\wd_windows_tools\setup.exe




    -- End of Deckard's System Scanner: finished at 2007-11-24 16:29:09 ------------
     
    Last edited: 2007/11/24
  9. 2007/11/24
    noahdfear

    Alright! Looking good.

    dracee.exe is definitely bad as well. Delete it!

    Better have a closer look at these. Please upload them for me.

    C:\WINDOWS\system32\msftedswc.dll
    C:\WINDOWS\system32\msdtexch.dll

    We're ready to see if things are working properly again. Go ahead and see if you have access to the things you were blocked from.
     
  10. 2007/11/24
    gkyoder

    Things are better

    I deleted the dracee.exe file.

    I uploaded the 2 files mentioned in your last reply.

    I have unblocked ActiveSync so it can reach the internet. Hope that is okay.

    I will wait on your response to the 2 files I uploaded.

    Thanks again.
     
  11. 2007/11/24
    noahdfear

    Those two files have my suspicions aroused. Open them with notepad and tell me what you make of them. You know what you've done on your comp. Were they created by AVG or are they rogues collecting info?
     
  12. 2007/11/24
    gkyoder

    I have no idea what msftedswc.dll is. The content has no meaning to me.

    The msdtexch.dll looks to be searches I did last night on AVG site to see if they had any fixes for the problems I was having. So it appears that this is a file created by the AVG web site.

    Would there be harm in deleting both of these?

    I am currently running Lavasoft's free version of Ad-Aware and it has found 8 infections so far.

    Greg
     
  13. 2007/11/24
    noahdfear

    I find it a tough pill to swallow that AVG's website would create or even append to a dll, searches you've done on their website, or any other info. Did you notice this in the msdtexch.dll?

    Action: http://www.trialpay.com/checkout/

    As well as the info that follows? I believe these files were created by an info stealer, which we likely already killed off. Delete them, then let's make sure!

    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded, click on NEXT.
    • Now click on Scan Settings.
    • In the scan settings, make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        Extended (if available, otherwise Standard)
      • Scan Options:
        Scan Archives
        Scan Mail Bases
    • Click OK.
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button.
    • Save the file to your desktop.

    Post the Kaspersky log and one more fresh HijackThis log.
     
  14. 2007/11/24
    gkyoder

    Was I supposed to do something with the Action for trialpay?

    Dave

    I am not sure if you wanted me to do something with trialpay or was this information for me? I'm not sure what I was supposed to do with the ACTION: The rest of the reply was clear and I will go forward with that while I await your instructions on the following.


    Action: http://www.trialpay.com/checkout/

    As well as the info that follows? I believe these files were created by an info stealer, which we likely already killed off. Delete them, then let's make sure!
     
  15. 2007/11/24
    noahdfear

    I was just asking if you noticed that entry in the file, and the information that immediately follows it. That's personally identifiable information, and I think it was collected by an infostealer then saved to that file. You only need to delete those two files, then proceed with the KAV scan.
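A quick way to back up the reasoning in the last few posts (a 166-byte or 3,811-byte ".dll" that opens as readable text in Notepad cannot be a Windows DLL) is to check whether the file actually carries a PE header and to pull out any URLs it contains. The script below is an added example for this archive, not something posted in the thread and not part of ComboFix, DSS, HijackThis or any other tool mentioned here. The sample bytes in it are made up for the demonstration and are not the contents of msftedswc.dll or msdtexch.dll; the function names and the 0.9 printable-text threshold are this example's own choices.

```python
"""Triage a file that claims to be a DLL by its extension.

A real Win32 DLL is a PE image: it starts with the "MZ" DOS stub and has
a "PE\0\0" signature at the offset stored in e_lfanew (bytes 0x3C..0x3F).
A file that fails that check and is almost entirely printable text, with
URLs and form fields in it, is a drop/log file written by something else,
not executable code.

All sample data below is constructed for this example.
"""
import re
import struct

# Loose URL matcher; stops at whitespace, quotes and angle brackets.
URL_RE = re.compile(rb"https?://[^\s\"'<>]+", re.IGNORECASE)


def is_pe_image(data: bytes) -> bool:
    """True only if data has an MZ header and a PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, CR or LF."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def triage(name: str, data: bytes) -> dict:
    """Classify the file and list any URLs found in it."""
    urls = [u.decode("ascii", "replace") for u in URL_RE.findall(data)]
    pe = is_pe_image(data)
    ratio = printable_ratio(data)
    if pe:
        verdict = "pe-image"
    elif ratio > 0.9:          # threshold chosen for this example
        verdict = "text-masquerading-as-dll"
    else:
        verdict = "non-pe-binary"
    return {
        "name": name,
        "size": len(data),
        "is_pe": pe,
        "printable_ratio": round(ratio, 2),
        "urls": urls,
        "verdict": verdict,
    }


# Constructed sample: what a captured-form log file might look like.
SAMPLE_LOG = (
    b"URL: http://www.example.com/checkout/?c=1234\r\n"
    b"Action: http://www.example.com/checkout/\r\n"
    b"card_name=J Doe\r\nzip=00000\r\n"
)

# Constructed sample: minimal MZ stub with e_lfanew = 0x40 and "PE\0\0" there.
SAMPLE_PE = (
    b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 16
)

if __name__ == "__main__":
    for label, blob in (("suspect.dll", SAMPLE_LOG), ("real.dll", SAMPLE_PE)):
        print(triage(label, blob))
```

To use it on a real file, copy the file somewhere safe first and call `triage(path, open(path, "rb").read())`; if the verdict is "text-masquerading-as-dll" and the URLs include checkout or login pages, treat the file as captured form data, keep the copy as evidence of what was taken, and change any credentials or card details that appear in it before deleting the original.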
     
  16. 2007/11/24
    gkyoder

    trialpay


    Yes, "URL: http://www.trialpay.com/checkout/?c=ad54776" is in msdtexch.dll. However, I was not at that website.

    I will delete the files now.

    Kaspersky just finished downloading, I will start the scan in a moment. This will probably take a few hours as I have a few disks.

    Thanks
     
  17. 2007/11/24
    gkyoder

    Kaspersky and hijack logs

    I will follow with the HijackThis logs as the data was too big.

    M drive was saved from the old computer and is now used as a backup device. I should be able to delete all the m:* files that are showing up here. There are plenty of files on the M: drive that should be deleted, I just have not got around to it yet.


    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Saturday, November 24, 2007 9:42:26 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 25/11/2007
    Kaspersky Anti-Virus database records: 465139
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\
    J:\
    K:\
    L:\
    M:\

    Scan Statistics:
    Total number of scanned objects: 232772
    Number of viruses found: 14
    Number of infected objects: 40
    Number of suspicious objects: 0
    Duration of the scan process: 02:45:15

    Infected Object Name / Virus Name / Last Action
    C:\Deckard\System Scanner\20071124153701\backup\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\jar_cache43052.tmp Infected: Trojan.Win32.Qhost.zs skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08840000\4FC7F9EF.VBN Infected: Trojan-Downloader.Win32.Agent.fej skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08840001\4FC7F9F7.VBN Infected: Trojan-Downloader.Win32.Agent.fej skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08840002\4FC7FA09.VBN Infected: Trojan-Dropper.Win32.Small.avb skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08840003\4FC7FAFF.VBN Infected: Trojan-Downloader.Win32.Agent.fej skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08840004\4FC7FB09.VBN Infected: Trojan-Dropper.Win32.Small.avb skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B740000\4F7C7F6F.VBN Infected: Trojan-Downloader.Win32.Agent.fej skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B740001\4F7C7F78.VBN Infected: Trojan-Dropper.Win32.Small.avb skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Owner.YOUR-D3D3F0FEB8\Application Data\$_hpcst$.hpc Object is locked skipped
    C:\Documents and Settings\Owner.YOUR-D3D3F0FEB8\Application Data\Microsoft\Outlook\Outlook.srs Object is locked skipped
    C:\Documents and Settings\Owner.YOUR-D3D3F0FEB8\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
    C:\Documents and Settings\Owner.YOUR-D3D3F0FEB8\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Owner.YOUR-D3D3F0FEB8\Desktop\[22]-Submit_2007-11-24@16.09.zip/dracee.exe.vir Infected: Trojan-Spy.Win32.BZub.bun skipped
    C:\Documents and Settings\Owner.YOUR-D3D3F0FEB8\Desktop\[22]-Submit_2007-11-24@16.09.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Owner.YOUR-D3D3F0FEB8\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
    C:\Documents and Settings\Owner.YOUR-D3D3F0FEB8\Local Settings\Application Data\AOL OCP\AIM\Storage\data\littleyoder25\localStorage\common.cls Object is locked skipped
    C:\Documents and Settings\Owner.YOUR-D3D3F0FEB8\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Owner.YOUR-D3D3F0FEB8\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Owner.YOUR-D3D3F0FEB8\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Owner.YOUR-D3D3F0FEB8\Local Settings\Temp\WCESLog.log Object is locked skipped
    C:\Documents and Settings\Owner.YOUR-D3D3F0FEB8\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Owner.YOUR-D3D3F0FEB8\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Gateway_Specific.dat Object is locked skipped
    C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Gateway_Specific_UK.dat Object is locked skipped
    C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Gateway_Specific_Vista.dat Object is locked skipped
    C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Gateway_Specific_Vista_UK.dat Object is locked skipped
    C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Microsoft_Security.dat Object is locked skipped
    C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Microsoft_Security_UK.dat Object is locked skipped
    C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Other.dat Object is locked skipped
    C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Urgent.dat Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
    C:\Program Files\Symantec AntiVirus\SAVRT\0356NAV~.TMP Object is locked skipped
    C:\Program Files\Symantec AntiVirus\SAVRT\0967NAV~.TMP Object is locked skipped
    C:\qoobox\Quarantine\C\WINDOWS\system32\sol491.txt.vir Infected: Trojan.Win32.Qhost.zs skipped
    C:\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\SmitfraudFix\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\SmitfraudFix\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\SmitfraudFix\SmitfraudFix.exe RarSFX: infected - 2 skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP427\A0035290.exe Object is locked skipped
    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP427\A0035291.exe Object is locked skipped
    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP427\A0035292.exe Object is locked skipped
    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP427\A0035309.exe Object is locked skipped
    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP427\A0035310.exe Object is locked skipped
    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP427\A0035311.exe Object is locked skipped
    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP428\A0035506.exe Object is locked skipped
    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP428\A0035507.exe Object is locked skipped
    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP428\A0035508.exe Object is locked skipped
    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP429\A0035513.exe Object is locked skipped
    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP429\A0035514.exe Object is locked skipped
    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP429\A0035515.exe Object is locked skipped
    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP429\A0035516.exe Object is locked skipped
    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP429\A0035517.dll Object is locked skipped
    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP429\A0035518.exe Object is locked skipped
    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP429\A0035529.dll Infected: Trojan.Win32.Qhost.zs skipped
    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP431\A0035607.exe Object is locked skipped
    C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP431\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\ModemLog_PCI Soft Data Fax Modem with SmartCP.txt Object is locked skipped
    C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{299007F3-44AD-4737-B394-1F21F5D381AD}.crmlog Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\TEMP\Perflib_Perfdata_700.dat Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    J:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    K:\Gregory Yoder\Desktop\bouncinggolfballs.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.Gator.3103 skipped
    K:\Gregory Yoder\Desktop\bouncinggolfballs.exe/WISE0020.BIN Infected: not-a-virus:AdWare.Win32.EZula.z skipped
    K:\Gregory Yoder\Desktop\bouncinggolfballs.exe/WISE0021.BIN Infected: Trojan-Downloader.Win32.Agent.er skipped
    K:\Gregory Yoder\Desktop\bouncinggolfballs.exe WiseSFX: infected - 3 skipped
    K:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    L:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    L:\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    M:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
    M:\Documents and Settings\All Users\Documents\Temp\Brilliant\bdeplayer\BDEPlayer2.cab/bdeplayer2.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.f skipped
    M:\Documents and Settings\All Users\Documents\Temp\Brilliant\bdeplayer\BDEPlayer2.cab CAB: infected - 1 skipped
    M:\Documents and Settings\Gregory Yoder\Desktop\bouncinggolfballs.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.Gator.3103 skipped
    M:\Documents and Settings\Gregory Yoder\Desktop\bouncinggolfballs.exe/WISE0020.BIN Infected: not-a-virus:AdWare.Win32.EZula.z skipped
    M:\Documents and Settings\Gregory Yoder\Desktop\bouncinggolfballs.exe/WISE0021.BIN Infected: Trojan-Downloader.Win32.Agent.er skipped
    M:\Documents and Settings\Gregory Yoder\Desktop\bouncinggolfballs.exe WiseSFX: infected - 3 skipped
    M:\Documents and Settings\Gregory Yoder\Local Settings\Application Data\Identities\{9C192F70-BDF2-4AB1-859F-A26932905A1A}\Microsoft\Outlook Express\Sent Items.dbx/[From "Julie Yoder" <yoderjm@twcny.rr.com>][Date Sat, 19 Jun 2004 22:39:51 -0400]/UNNAMED/jennifer Infected: Email-Worm.Win32.Zafi.b skipped
    M:\Documents and Settings\Gregory Yoder\Local Settings\Application Data\Identities\{9C192F70-BDF2-4AB1-859F-A26932905A1A}\Microsoft\Outlook Express\Sent Items.dbx/[From "Julie Yoder" <yoderjm@twcny.rr.com>][Date Sat, 19 Jun 2004 22:39:51 -0400]/UNNAMED Infected: Email-Worm.Win32.Zafi.b skipped
    M:\Documents and Settings\Gregory Yoder\Local Settings\Application Data\Identities\{9C192F70-BDF2-4AB1-859F-A26932905A1A}\Microsoft\Outlook Express\Sent Items.dbx/[From "Julie Yoder" <yoderjm@twcny.rr.com>][Date Sat, 19 Jun 2004 22:41:05 -0400]/UNNAMED/www.ecard.com.funny.picture.index.nude.php356.pif Infected: Email-Worm.Win32.Zafi.b skipped
    M:\Documents and Settings\Gregory Yoder\Local Settings\Application Data\Identities\{9C192F70-BDF2-4AB1-859F-A26932905A1A}\Microsoft\Outlook Express\Sent Items.dbx/[From "Julie Yoder" <yoderjm@twcny.rr.com>][Date Sat, 19 Jun 2004 22:41:05 -0400]/UNNAMED Infected: Email-Worm.Win32.Zafi.b skipped
    M:\Documents and Settings\Gregory Yoder\Local Settings\Application Data\Identities\{9C192F70-BDF2-4AB1-859F-A26932905A1A}\Microsoft\Outlook Express\Sent Items.dbx Mail MS Outlook 5: infected - 4 skipped
    M:\Documents and Settings\Gregory Yoder\My Documents\Gregory Yoder\Desktop\bouncinggolfballs.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.Gator.3103 skipped
    M:\Documents and Settings\Gregory Yoder\My Documents\Gregory Yoder\Desktop\bouncinggolfballs.exe/WISE0020.BIN Infected: not-a-virus:AdWare.Win32.EZula.z skipped
    M:\Documents and Settings\Gregory Yoder\My Documents\Gregory Yoder\Desktop\bouncinggolfballs.exe/WISE0021.BIN Infected: Trojan-Downloader.Win32.Agent.er skipped
    M:\Documents and Settings\Gregory Yoder\My Documents\Gregory Yoder\Desktop\bouncinggolfballs.exe WiseSFX: infected - 3 skipped
    M:\WINDOWS\$NtUninstallKB824141$\sysmain.sdb Object is locked skipped
    M:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
    M:\WINDOWS\$NtUninstallKB828028$\msasn1.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
    M:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB835732$\browser.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
    M:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
    M:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB837001$\dao360.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB837001$\expsrv.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB837001$\msexch40.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB837001$\msjint40.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB837001$\msjter40.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB837001$\msltus40.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB837001$\msrd2x40.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB837001$\msrd3x40.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB837001$\mstext40.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB837001$\mswdat10.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB837001$\mswstr10.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB837001$\vbajet32.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallKB839645$\shell32.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallQ309521$\dxmasf.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallQ309521$\lsasrv.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallQ309521$\msdxm.ocx Object is locked skipped
    M:\WINDOWS\$NtUninstallQ309521$\sfcfiles.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallQ309521$\spuninst\spuninst.exe Object is locked skipped
    M:\WINDOWS\$NtUninstallQ309521$\spuninst\spuninst.inf Object is locked skipped
    M:\WINDOWS\$NtUninstallQ309521$\ssdpapi.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallQ309521$\ssdpsrv.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallQ311889$\spuninst\spuninst.exe Object is locked skipped
    M:\WINDOWS\$NtUninstallQ311889$\spuninst\spuninst.inf Object is locked skipped
    M:\WINDOWS\$NtUninstallQ311889$\termsrv.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallQ313484$\acgenral.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallQ313484$\aclayers.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallQ313484$\aclua.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallQ313484$\acspecfc.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallQ313484$\acverfyr.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallQ313484$\acxtrnal.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallQ313484$\apphelp.sdb Object is locked skipped
    M:\WINDOWS\$NtUninstallQ313484$\apps.chm Object is locked skipped
    M:\WINDOWS\$NtUninstallQ313484$\d3d8.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallQ313484$\drvmain.sdb Object is locked skipped
    M:\WINDOWS\$NtUninstallQ313484$\msimain.sdb Object is locked skipped
    M:\WINDOWS\$NtUninstallQ313484$\qdvd.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallQ313484$\spuninst\spuninst.exe Object is locked skipped
    M:\WINDOWS\$NtUninstallQ313484$\spuninst\spuninst.inf Object is locked skipped
    M:\WINDOWS\$NtUninstallQ313484$\sysmain.sdb Object is locked skipped
    M:\WINDOWS\$NtUninstallQ313484$\udfs.sys Object is locked skipped
    M:\WINDOWS\$NtUninstallQ313484$\vbscript.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallQ314862$\qmgr.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallQ314862$\spuninst\spuninst.exe Object is locked skipped
    M:\WINDOWS\$NtUninstallQ314862$\spuninst\spuninst.inf Object is locked skipped
    M:\WINDOWS\$NtUninstallQ315000$\netsetup.exe Object is locked skipped
    M:\WINDOWS\$NtUninstallQ315000$\spuninst\spuninst.exe Object is locked skipped
    M:\WINDOWS\$NtUninstallQ315000$\spuninst\spuninst.inf Object is locked skipped
    M:\WINDOWS\$NtUninstallQ315000$\ssdpapi.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallQ315000$\ssdpsrv.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallQ315000$\upnp.dll Object is locked skipped
    M:\WINDOWS\$NtUninstallQ319580$\reg00003 Object is locked skipped
    M:\WINDOWS\$NtUninstallQ323172$\reg00003 Object is locked skipped
    M:\WINDOWS\$NtUninstallQ323172$\reg00005 Object is locked skipped
    M:\WINDOWS\$NtUninstallQ323172$\reg00008 Object is locked skipped
    M:\WINDOWS\$NtUninstallQ323172$\reg00009 Object is locked skipped
    M:\WINDOWS\$NtUninstallQ323172$\reg00010 Object is locked skipped
    M:\WINDOWS\$NtUninstallQ323172$\reg00011 Object is locked skipped
    M:\WINDOWS\$NtUninstallQ328940$\reg00003 Object is locked skipped
    M:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
    M:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll Object is locked skipped
    M:\WINDOWS\cpbrkpie.ocx Infected: not-a-virus:AdWare.Win32.Coupons skipped
    M:\WINDOWS\EbatesMoeMoneyMaker.exe/data0139 Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
    M:\WINDOWS\EbatesMoeMoneyMaker.exe NSIS: infected - 1 skipped
    M:\WINDOWS\SYSTEM32\bdeinsta.dll Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
    M:\WINDOWS\SYSTEM32\NN_Bar31.dll Infected: not-a-virus:AdWare.Win32.NetNucleus skipped

    Scan process completed.
     
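Most of the lines in the scan log above are noise from a triage standpoint: "Object is locked" entries are hives, event logs and indexes that were open at scan time; the "Infected" hits under the Symantec quarantine folder, under C:\qoobox (ComboFix's quarantine) and under System Volume Information\_restore are already isolated copies; and the RiskTool hit on SmitfraudFix's Reboot.exe is the removal tool's own helper. Only the entries on live paths need a file deleted. The script below is an added example, not part of the thread: it parses lines of the exact shape the log uses, sorts them into those buckets, and collapses hits on an archive member (the `exe/WISE0021.BIN` form) to the outer file that actually has to go. The marker lists are assumptions drawn from the tools seen in this thread, and the sample lines are copied from the log above.

```python
"""Triage of Kaspersky Online Scanner result lines (added example, not part of
the thread).  Each result line has the shape  <path> <verdict> skipped  where
<verdict> is one of:
  Object is locked             file was in use and never scanned (hives, logs)
  Infected: <detection>        a detection on that object
  <container>: infected - N    per-archive/installer/mailbox summary line
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# A hit under one of these is an isolated copy, not a live infection.
# (Assumed list, built from the tools that appear in this thread.)
ISOLATED_MARKERS = (
    "\\quarantine\\",                         # Symantec SAV and ComboFix (qoobox) quarantine
    "\\system volume information\\_restore",  # System Restore points
)
# Removal tools whose own helpers (SmitfraudFix's Reboot.exe) trip RiskTool signatures.
TOOL_MARKERS = ("\\smitfraudfix\\",)

LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:(?P<locked>Object is locked)"
    r"|Infected: (?P<detection>\S+)"
    r"|(?P<container>[A-Za-z0-9 ]+): infected - (?P<count>\d+)) skipped$"
)


@dataclass
class Finding:
    path: str
    detection: Optional[str]
    category: str  # locked | quarantined | tool | container | pua | malware


def classify(path: str, detection: Optional[str]) -> str:
    """Decide what a hit means before anyone reaches for the delete key."""
    p = path.lower()
    if any(marker in p for marker in ISOLATED_MARKERS):
        return "quarantined"   # empty the quarantine from its own UI, don't chase the path
    if any(marker in p for marker in TOOL_MARKERS):
        return "tool"          # the removal tool itself; goes away when the tool is removed
    if detection is None:
        return "container"     # summary line; the members were reported on their own lines
    if detection.startswith("not-a-virus:"):
        return "pua"           # adware / risktool: unwanted, not necessarily hostile
    return "malware"


def parse_line(line: str) -> Optional[Finding]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    if m.group("locked"):
        return Finding(path, None, "locked")
    detection = m.group("detection")
    label = detection or f"{m.group('container')}: {m.group('count')} infected object(s)"
    return Finding(path, label, classify(path, detection))


def triage(log_text: str) -> Dict[str, List[str]]:
    """Group every parsable line by category (paths keep their archive-member suffix)."""
    groups: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is not None:
            groups.setdefault(f.category, []).append(f.path)
    return groups


def actionable(log_text: str) -> List[str]:
    """Files on disk that still need removing: live hits, collapsed to the outer
    archive when the detection was on a member inside it."""
    files = set()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is not None and f.category in ("malware", "pua"):
            files.add(f.path.split("/", 1)[0])
    return sorted(files)


# Sample lines copied from the scan log posted above.
SAMPLE_LOG = r"""
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B740000\4F7C7F6F.VBN Infected: Trojan-Downloader.Win32.Agent.fej skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\sol491.txt.vir Infected: Trojan.Win32.Qhost.zs skipped
C:\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP429\A0035529.dll Infected: Trojan.Win32.Qhost.zs skipped
K:\Gregory Yoder\Desktop\bouncinggolfballs.exe/WISE0021.BIN Infected: Trojan-Downloader.Win32.Agent.er skipped
K:\Gregory Yoder\Desktop\bouncinggolfballs.exe WiseSFX: infected - 3 skipped
M:\WINDOWS\cpbrkpie.ocx Infected: not-a-virus:AdWare.Win32.Coupons skipped
"""

if __name__ == "__main__":
    for category, paths in triage(SAMPLE_LOG).items():
        print(f"{category:11} {len(paths)}")
    print("to remove:", *actionable(SAMPLE_LOG), sep="\n  ")
```

Run it against the full log and the "to remove" list comes out as the same handful of adware drops and installer bundles that the reply further down asks for; everything under a quarantine or restore-point path is handled by emptying the quarantine and, once the machine is clean, flushing System Restore, not by deleting files by hand.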
  18. 2007/11/24
    gkyoder

    gkyoder Inactive Thread Starter

    Joined:
    2007/11/24
    Messages:
    11
    Likes Received:
    0
    followup hijack log

    ------------ hijack log ----------------------------------------------
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:46:09 PM, on 11/24/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Digital Media Reader\readericon45G.exe
    C:\WINDOWS\zHotkey.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    J:\ActiveSync4.2\wcescomm.exe
    C:\Program Files\Symantec AntiVirus\DoScan.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    J:\ACTIVE~1.2\rapimgr.exe
    C:\Program Files\BigFix\bigfix.exe
    C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\arservice.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\taskmgr.exe
    C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HiJackThis\HijackThis.exe

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [Power2GoExpress] NA
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [H/PC Connection Agent] "J:\ActiveSync4.2\wcescomm.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - J:\ACTIVE~1.2\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - J:\ACTIVE~1.2\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - J:\ACTIVE~1.2\INetRepl.dll
    O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
    O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - M:\Program Files\AIM95\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 10978 bytes
     
  19. 2007/11/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Logs look great!

    Click Start>Run and type ComboFix /u then hit enter.

    Delete the following files/folders.

    [22]-Submit_2007-11-24@16.09.zip on your desktop
    dss.exe
    C:\SmitfraudFix
    K:\Gregory Yoder\Desktop\bouncinggolfballs.exe
    M:\Documents and Settings\All Users\Documents\Temp\Brilliant\bdeplayer\BDEPlayer 2.cab
    M:\Documents and Settings\Gregory Yoder\Desktop\bouncinggolfballs.exe
    M:\Documents and Settings\Gregory Yoder\My Documents\Gregory Yoder\Desktop\bouncinggolfballs.exe
    M:\WINDOWS\cpbrkpie.ocx
    M:\WINDOWS\EbatesMoeMoneyMaker.exe
    M:\WINDOWS\SYSTEM32\bdeinsta.dll
    M:\WINDOWS\SYSTEM32\NN_Bar31.dll

    Open the Symantec Antivirus interface and delete all of the quarantined items.

    There are 2 infected emails in the sent items dbx file from Julie Yoder, dated Sat, 19 Jun 2004. It is located at M:\Documents and Settings\Gregory Yoder\Local Settings\Application Data\Identities\{9C192F70-BDF2-4AB1-859F-A26932905A1A}\Microsoft\Outlook Express\Sent Items.dbx

    You know how to handle those, or would you like specific instructions?

    Once done with the above, empty the recycle bin.

    If you're satisfied that the computer is working properly, clear the System Restore points. They are infected.

    Clear past system restore points and create a new one.
    Right click My Computer and select Properties. On the System Restore tab, check the box to turn System Restore off. Click Apply. Now, uncheck the box and click Apply. Click OK, then OK to close the System Properties dialog.

    Verify a new restore point was created.
    Click Start>All Programs>Accessories>System Tools>System Restore
    Select 'Restore my computer to an earlier time', then click next.
    You should have a newly created System Checkpoint available. If so, click Cancel. If not, click Back and select 'Create a restore point' then click Next. Give the restore point a name and click next.


    Your computer is now clean! Geri has posted some very helpful information and recommendations regarding future protection in the following link.

    http://www.windowsbbs.com/showthread.php?t=67958

    Surf safe!
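The System Restore step above (turn it off, turn it back on, confirm a fresh checkpoint exists) can be done and verified from a script instead of the System Properties dialog. This is an added example, not part of the thread; it assumes Windows PowerShell 2.0 or later running as an administrator, and reads the system drive from the environment because the machine in this thread has Windows on M: rather than C:.

```powershell
# Added example (not from the thread): flush all existing System Restore points
# by toggling System Restore off and on for the system drive, then create one
# fresh checkpoint and verify it is the only one left.
# Assumptions: Windows PowerShell 2.0 or later, elevated (administrator) session.

$systemDrive = "$env:SystemDrive\"   # e.g. "M:\" for the machine in this thread
$checkpointName = "Post-malware-cleanup checkpoint"

Write-Host "Restore points before cleanup:"
Get-ComputerRestorePoint |
    Format-Table SequenceNumber, Description, RestorePointType -AutoSize

# Disabling System Restore on a drive deletes every restore point stored there,
# which is exactly what removes the infected points. Re-enabling starts fresh.
Disable-ComputerRestore -Drive $systemDrive
Enable-ComputerRestore  -Drive $systemDrive

# Create a known-clean checkpoint to replace the ones just removed.
Checkpoint-Computer -Description $checkpointName -RestorePointType "MODIFY_SETTINGS"

# Verification: only the new checkpoint should remain.
$remaining = @(Get-ComputerRestorePoint)
if ($remaining.Count -eq 1 -and $remaining[0].Description -eq $checkpointName) {
    Write-Host "OK: old restore points removed, new checkpoint '$checkpointName' present."
} else {
    Write-Warning "Unexpected set of restore points; review the list below."
    $remaining | Format-Table SequenceNumber, Description, CreationTime -AutoSize
}
```

Run it only after you are satisfied the machine is clean, since the old restore points cannot be recovered once System Restore is switched off.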
     
  20. 2007/11/24
    gkyoder

    gkyoder Inactive Thread Starter

    Joined:
    2007/11/24
    Messages:
    11
    Likes Received:
    0
    Thanks

    Thanks Dave

    All seems to be running fine now. I am off to bed as it is 0030 here in Syracuse. I appreciate all your support this afternoon. Your work was excellent and everything worked well.

    Happy Holidays.
     
  21. 2007/11/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Happy to help. You're most welcome! :)
     
