The service 'comlog' is enabled and/or running. Disable it first, using Hijack This itself (from the scan results) or the Services.msc window.
I can try to do this myself but I thought I'd better ask you first.
Not sure what's wrong, but I think I've got something...
Started by
freespirit_90210
, Nov 07 2006 10:56 PM
#16
Posted 13 November 2006 - 11:39 PM
freespirit_90210
- Topic Starter
-
- Member
-
- 20 posts
Member
The service 'comlog' is enabled and/or running. Disable it first, using Hijack This itself (from the scan results) or the Services.msc window.
I can try to do this myself but I thought I'd better ask you first.
#17
Posted 14 November 2006 - 04:40 AM
Wizard
-
- Retired Staff
-
- 5,661 posts
Retired Staff
Ah,I didnt think it would still be running.
Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet
O23 - Service: COM+ Event log (comlog) - Unknown owner - C:\WINNT\system32\catroot\svchost.exe (file missing)
Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button
Click Start-> Run-> Type in Services.msc and Click OK
Scroll that list and locate this entry
comlog
Right Click that entry and Select Properties-> Click Stop-> Go up and change the Startup Type to Disabled
Click Apply-> OK and Exit the Services Page
Now try the Delete and NT Service.
Have you tried the Online Scanner yet?
Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet
O23 - Service: COM+ Event log (comlog) - Unknown owner - C:\WINNT\system32\catroot\svchost.exe (file missing)
Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button
Click Start-> Run-> Type in Services.msc and Click OK
Scroll that list and locate this entry
comlog
Right Click that entry and Select Properties-> Click Stop-> Go up and change the Startup Type to Disabled
Click Apply-> OK and Exit the Services Page
Now try the Delete and NT Service.
Have you tried the Online Scanner yet?
#18
Posted 15 November 2006 - 09:32 AM
freespirit_90210
- Topic Starter
-
- Member
-
- 20 posts
Member
OK, I got it all done.
1 Scanning Report
1.1 Tuesday, November 14, 2006 23:23:34 - 07:27:50
Computer name: SARAH-498413221
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\
1.2 Result: 4 malware found
Backdoor.Win32.ServU-based (virus)
· C:\WINNT\SYSTEM32\SCVHOSTA.EXE (Renamed & Submitted)
Tracking Cookie (spyware)
· System (Disinfected)
· System
· System
1.3 Statistics
Scanned:
· Files: 42199
· System: 5206
· Not scanned: 2
Actions:
· Disinfected: 1
· Renamed: 1
· Deleted: 0
· None: 2
· Submitted: 1
Files not scanned:
· C:\PAGEFILE.SYS
· C:\WINNT\SYSTEM32\CONFIG\DEFAULT
1.4 Options
Scanning engines:
· F-Secure AVP: 7.0.171, 2006-11-15
· F-Secure Blacklight: 1.0.31, 0000-00-00
· F-Secure Draco: 1.0.35, 0260-02-44
· F-Secure Libra: 2.4.2, 2006-11-14
· F-Secure Orion: 1.2.37, 2006-11-14
· F-Secure Pegasus: 1.19.0, 2006-08-29
Scanning options:
· Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
· Use Advanced heuristics
1 Scanning Report
1.1 Tuesday, November 14, 2006 23:23:34 - 07:27:50
Computer name: SARAH-498413221
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\
1.2 Result: 4 malware found
Backdoor.Win32.ServU-based (virus)
· C:\WINNT\SYSTEM32\SCVHOSTA.EXE (Renamed & Submitted)
Tracking Cookie (spyware)
· System (Disinfected)
· System
· System
1.3 Statistics
Scanned:
· Files: 42199
· System: 5206
· Not scanned: 2
Actions:
· Disinfected: 1
· Renamed: 1
· Deleted: 0
· None: 2
· Submitted: 1
Files not scanned:
· C:\PAGEFILE.SYS
· C:\WINNT\SYSTEM32\CONFIG\DEFAULT
1.4 Options
Scanning engines:
· F-Secure AVP: 7.0.171, 2006-11-15
· F-Secure Blacklight: 1.0.31, 0000-00-00
· F-Secure Draco: 1.0.35, 0260-02-44
· F-Secure Libra: 2.4.2, 2006-11-14
· F-Secure Orion: 1.2.37, 2006-11-14
· F-Secure Pegasus: 1.19.0, 2006-08-29
Scanning options:
· Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
· Use Advanced heuristics
#19
Posted 15 November 2006 - 01:26 PM
Wizard
-
- Retired Staff
-
- 5,661 posts
Retired Staff
Better results than I was expecting. 
Since F-Secure renamed that file,search for and delete:
C:\WINNT\SYSTEM32\SCVHOSTA.0XE
Be sure to match the name exactly as I have it spelled.
Please download Combofix to your desktop.
http://download.blee...Bs/combofix.exe
Doubleclick combofix.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt
Please post that log in the next reply along with a fresh HijackThis log.
Since F-Secure renamed that file,search for and delete:
C:\WINNT\SYSTEM32\SCVHOSTA.0XE
Be sure to match the name exactly as I have it spelled.
Please download Combofix to your desktop.
http://download.blee...Bs/combofix.exe
Doubleclick combofix.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt
Please post that log in the next reply along with a fresh HijackThis log.
#20
Posted 16 November 2006 - 09:27 AM
freespirit_90210
- Topic Starter
-
- Member
-
- 20 posts
Member
Hi,
I did what you asked, but my roommate got on the internet on my machine while i was out last night, before I had a chance to perform the tasks in your last reply. Now it sounds like the internet connection is running all the time again, when there is no reason to.
Here are the logs.
S.
Sarah Leedy - Thu 11/16/2006 7:15:20.81 Service Pack 4
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Sarah Leedy\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2006-10-16 to 2006-11-16 ))))))))))))))))))))))))))))))))))
2006-10-23 21:23 24,528 --a------ C:\WINNT\system32\drivers\kbdclass.sys
2006-10-23 21:23 13,744 --a------ C:\WINNT\system32\drivers\kbdhid.sys
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-11-06 18:45 -------- d-------- C:\Program Files\SpywareBlaster
2006-11-06 07:45 -------- d-------- C:\Program Files\Ad-Aware SE Plus
2006-11-05 05:13 -------- d-------- C:\Program Files\Winamp
2006-11-04 15:35 -------- d-a------ C:\Program Files\Common Files
2006-11-04 15:12 -------- d-------- C:\Program Files\Shockwave.com
2006-11-04 15:12 -------- d-------- C:\Program Files\ReadMagic
2006-11-04 15:10 -------- d-------- C:\Program Files\Common Files\Ahead
2006-11-04 14:32 -------- d-------- C:\Program Files\Citrix
2006-11-04 14:30 -------- d-------- C:\Documents and Settings\Sarah Leedy\Application Data\Aim
2006-11-04 14:23 -------- d-------- C:\Program Files\Common Files\Adobe
2006-10-23 23:52 -------- d-------- C:\Program Files\eMule
2006-10-14 00:39 -------- d-a------ C:\Program Files\ewido anti-spyware 4.0
2006-10-09 19:19 -------- d-a------ C:\Program Files\Common Files\Microsoft Shared
2006-10-04 22:13 -------- d-------- C:\Documents and Settings\Sarah Leedy\Application Data\Adobe
2006-09-28 04:48 778656 --a------ C:\WINNT\system32\drivers\avg7core.sys
2006-09-27 01:00 -------- d-------- C:\Documents and Settings\Sarah Leedy\Application Data\AdobeUM
2006-09-22 23:53 -------- d-------- C:\Documents and Settings\Sarah Leedy\Application Data\Google
2006-09-22 23:49 -------- d-------- C:\Program Files\Microsoft SQL Server
2006-09-22 23:09 -------- d-------- C:\Program Files\Google
2006-09-19 07:35 -------- d-------- C:\Documents and Settings\Sarah Leedy\Application Data\TrojanHunter
2006-09-19 06:24 -------- d-------- C:\Program Files\TrojanHunter 4.6
2006-09-19 05:35 -------- d-------- C:\Program Files\Common Files\Sandlot Shared
2006-09-17 20:45 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-17 20:44 -------- d-------- C:\Program Files\ArtisanDVDPlayer
2006-09-17 20:36 -------- d-------- C:\Program Files\CleanUp!
2006-09-14 13:38 16896 --a------ C:\WINNT\system32\kill.exe
2006-09-13 08:43 114688 --a------ C:\WINNT\system32\fport.exe
2006-09-12 03:48 1713536 --------- C:\WINNT\system32\NTKRNLPA.EXE
2006-09-12 03:48 1690880 --------- C:\WINNT\system32\NTOSKRNL.EXE
2006-09-05 20:58 1110528 --a------ C:\WINNT\system32\msxml3.dll
2006-08-28 00:44 530192 --a------ C:\WINNT\system32\comctl32.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"DadApp"="C:\\Program Files\\Dell\\AccessDirect\\dadapp.exe"
"IgfxTray"="C:\\WINNT\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINNT\\system32\\hkcmd.exe"
"BCMSMMSG"="BCMSMMSG.exe"
"SigmaTel StacMon"="C:\\Program Files\\SigmaTel\\SigmaTel AC97 Audio Drivers\\stacmon.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"BJCFD"="C:\\Program Files\\BellSouth\\Client Foundation\\CFD.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
"tgcmd"="\"C:\\Program Files\\Support.com\\BellSouth\\hcenter.exe\" /starthidden /tgcmdwrapper"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
@=""
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Symantec NetDriver Warning"="C:\\PROGRA~1\\SYMNET~1\\SNDWarn.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\svcwmplayer
Completion time: Thu 2006-11-16 7:17:42.96
C:\ComboFix.txt ... 06-11-16 07:17
Logfile of HijackThis v1.99.1
Scan saved at 7:25:55 AM, on 11/16/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\acs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Wiperaser 2004\WiperaserSvc.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\BellSouth\Client Foundation\CFD.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\Sarah Leedy\Desktop\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BellSouth\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O15 - Trusted Zone: *.real.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr...oad/tgctlcm.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec.../ols3/fscax.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINNT\system32\acs.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - Unknown owner - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Wiperaser Secure Deletion Service (Wiperaser) - Liveye - C:\Program Files\Wiperaser 2004\WiperaserSvc.exe
I did what you asked, but my roommate got on the internet on my machine while i was out last night, before I had a chance to perform the tasks in your last reply. Now it sounds like the internet connection is running all the time again, when there is no reason to.
Here are the logs.
S.
Sarah Leedy - Thu 11/16/2006 7:15:20.81 Service Pack 4
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Sarah Leedy\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2006-10-16 to 2006-11-16 ))))))))))))))))))))))))))))))))))
2006-10-23 21:23 24,528 --a------ C:\WINNT\system32\drivers\kbdclass.sys
2006-10-23 21:23 13,744 --a------ C:\WINNT\system32\drivers\kbdhid.sys
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-11-06 18:45 -------- d-------- C:\Program Files\SpywareBlaster
2006-11-06 07:45 -------- d-------- C:\Program Files\Ad-Aware SE Plus
2006-11-05 05:13 -------- d-------- C:\Program Files\Winamp
2006-11-04 15:35 -------- d-a------ C:\Program Files\Common Files
2006-11-04 15:12 -------- d-------- C:\Program Files\Shockwave.com
2006-11-04 15:12 -------- d-------- C:\Program Files\ReadMagic
2006-11-04 15:10 -------- d-------- C:\Program Files\Common Files\Ahead
2006-11-04 14:32 -------- d-------- C:\Program Files\Citrix
2006-11-04 14:30 -------- d-------- C:\Documents and Settings\Sarah Leedy\Application Data\Aim
2006-11-04 14:23 -------- d-------- C:\Program Files\Common Files\Adobe
2006-10-23 23:52 -------- d-------- C:\Program Files\eMule
2006-10-14 00:39 -------- d-a------ C:\Program Files\ewido anti-spyware 4.0
2006-10-09 19:19 -------- d-a------ C:\Program Files\Common Files\Microsoft Shared
2006-10-04 22:13 -------- d-------- C:\Documents and Settings\Sarah Leedy\Application Data\Adobe
2006-09-28 04:48 778656 --a------ C:\WINNT\system32\drivers\avg7core.sys
2006-09-27 01:00 -------- d-------- C:\Documents and Settings\Sarah Leedy\Application Data\AdobeUM
2006-09-22 23:53 -------- d-------- C:\Documents and Settings\Sarah Leedy\Application Data\Google
2006-09-22 23:49 -------- d-------- C:\Program Files\Microsoft SQL Server
2006-09-22 23:09 -------- d-------- C:\Program Files\Google
2006-09-19 07:35 -------- d-------- C:\Documents and Settings\Sarah Leedy\Application Data\TrojanHunter
2006-09-19 06:24 -------- d-------- C:\Program Files\TrojanHunter 4.6
2006-09-19 05:35 -------- d-------- C:\Program Files\Common Files\Sandlot Shared
2006-09-17 20:45 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-17 20:44 -------- d-------- C:\Program Files\ArtisanDVDPlayer
2006-09-17 20:36 -------- d-------- C:\Program Files\CleanUp!
2006-09-14 13:38 16896 --a------ C:\WINNT\system32\kill.exe
2006-09-13 08:43 114688 --a------ C:\WINNT\system32\fport.exe
2006-09-12 03:48 1713536 --------- C:\WINNT\system32\NTKRNLPA.EXE
2006-09-12 03:48 1690880 --------- C:\WINNT\system32\NTOSKRNL.EXE
2006-09-05 20:58 1110528 --a------ C:\WINNT\system32\msxml3.dll
2006-08-28 00:44 530192 --a------ C:\WINNT\system32\comctl32.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"DadApp"="C:\\Program Files\\Dell\\AccessDirect\\dadapp.exe"
"IgfxTray"="C:\\WINNT\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINNT\\system32\\hkcmd.exe"
"BCMSMMSG"="BCMSMMSG.exe"
"SigmaTel StacMon"="C:\\Program Files\\SigmaTel\\SigmaTel AC97 Audio Drivers\\stacmon.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"BJCFD"="C:\\Program Files\\BellSouth\\Client Foundation\\CFD.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
"tgcmd"="\"C:\\Program Files\\Support.com\\BellSouth\\hcenter.exe\" /starthidden /tgcmdwrapper"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
@=""
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Symantec NetDriver Warning"="C:\\PROGRA~1\\SYMNET~1\\SNDWarn.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\svcwmplayer
Completion time: Thu 2006-11-16 7:17:42.96
C:\ComboFix.txt ... 06-11-16 07:17
Logfile of HijackThis v1.99.1
Scan saved at 7:25:55 AM, on 11/16/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\acs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Wiperaser 2004\WiperaserSvc.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\BellSouth\Client Foundation\CFD.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\Sarah Leedy\Desktop\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BellSouth\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O15 - Trusted Zone: *.real.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr...oad/tgctlcm.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec.../ols3/fscax.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINNT\system32\acs.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - Unknown owner - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Wiperaser Secure Deletion Service (Wiperaser) - Liveye - C:\Program Files\Wiperaser 2004\WiperaserSvc.exe
#21
Posted 16 November 2006 - 12:54 PM
Wizard
-
- Retired Staff
-
- 5,661 posts
Retired Staff
Click Start--> Click Run--> Type in regedit and Click OK.
Look in the smaller left hand pane and find the key--> HKEY_USERS
Right Click and Select Export--> Select the Desktop as the destination to save the file.
File Name--> Backup
Save as type--> Registration File (*.reg)
Next,Copy&Paste all the text in the Code Box below to Notepad and Save it to the Desktop with the name Fix.reg
Double Click Fix.reg and allow it to merge into the registry.
Please run the Bit Defender Online Scan
http://www.bitdefend...m/scan8/ie.html
You must use Internet Explorer for this scanner.
Install the ActiveX and Click on "Click here to Scan"
Allow it to update and Scan the Machine.
It should disinfect or delete whatever it finds that is infected.
Save the report in generates in a text format please and post it back here
Look in the smaller left hand pane and find the key--> HKEY_USERS
Right Click and Select Export--> Select the Desktop as the destination to save the file.
File Name--> Backup
Save as type--> Registration File (*.reg)
Next,Copy&Paste all the text in the Code Box below to Notepad and Save it to the Desktop with the name Fix.reg
REGEDIT4 [-HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce] [-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\svcwmplayer]
Double Click Fix.reg and allow it to merge into the registry.
Please run the Bit Defender Online Scan
http://www.bitdefend...m/scan8/ie.html
You must use Internet Explorer for this scanner.
Install the ActiveX and Click on "Click here to Scan"
Allow it to update and Scan the Machine.
It should disinfect or delete whatever it finds that is infected.
Save the report in generates in a text format please and post it back here
#22
Posted 17 November 2006 - 08:20 PM
freespirit_90210
- Topic Starter
-
- Member
-
- 20 posts
Member
I did them both, but in the middle of the bit defender scan, microsoft did an automatic update!
Anyway I didn't repeat the registry step, but I started the bit defender scan over...here's the report.
Thanks again for all of your help.
S.
BitDefender Online Scanner
Scan report generated at: Fri, Nov 17, 2006 - 10:14:06
Scan path: C:\;D:\;
Statistics
Time
02:45:10
Files
777591
Folders
6675
Boot Sectors
2
Archives
4772
Packed Files
112688
Results
Identified Viruses
5
Infected Files
5
Suspect Files
0
Warnings
0
Disinfected
0
Deleted Files
3
Engines Info
Virus Definitions
316623
Engine build
AVCORE v1.0 (build 2355) (i386) (Sep 25 2006 13:46:24)
Scan plugins
13
Archive plugins
38
Unpack plugins
6
E-mail plugins
6
System plugins
1
Scan Settings
First Action
Disinfect
Second Action
Delete
Heuristics
Yes
Enable Warnings
Yes
Scanned Extensions
*;
Exclude Extensions
Scan Emails
Yes
Scan Archives
Yes
Scan Packed
Yes
Scan Files
Yes
Scan Boot
Yes
Scanned File
Status
C:\setup.exe=>(Instyler o)=>(Instyler Module 23)
Infected with: Dropped:Application.Adware.NewDotNet.A
C:\setup.exe=>(Instyler o)=>(Instyler Module 23)
Disinfection failed
C:\setup.exe=>(Instyler o)=>(Instyler Module 23)
Deleted
C:\setup.exe=>(Instyler o)
Update failed
C:\System Volume Information\Speedtest\HideRun.exe
Infected with: Trojan.HideRun.A
C:\System Volume Information\Speedtest\HideRun.exe
Disinfection failed
C:\System Volume Information\Speedtest\HideRun.exe
Delete failed
C:\System Volume Information\Speedtest\samdump.dll
Infected with: Trojan.Hacktool.Pwdump.A
C:\System Volume Information\Speedtest\samdump.dll
Disinfection failed
C:\System Volume Information\Speedtest\samdump.dll
Delete failed
C:\WINNT\cluster\log\radmin.reg
Infected with: Trojan.Reg.Radmin.A
C:\WINNT\cluster\log\radmin.reg
Disinfection failed
C:\WINNT\cluster\log\radmin.reg
Deleted
C:\WINNT\system32\svcwmplayer.ini
Infected with: Generic.Hacdef.INI.7884FF57
C:\WINNT\system32\svcwmplayer.ini
Disinfection failed
C:\WINNT\system32\svcwmplayer.ini
Deleted
Anyway I didn't repeat the registry step, but I started the bit defender scan over...here's the report.
Thanks again for all of your help.
S.
BitDefender Online Scanner
Scan report generated at: Fri, Nov 17, 2006 - 10:14:06
Scan path: C:\;D:\;
Statistics
Time
02:45:10
Files
777591
Folders
6675
Boot Sectors
2
Archives
4772
Packed Files
112688
Results
Identified Viruses
5
Infected Files
5
Suspect Files
0
Warnings
0
Disinfected
0
Deleted Files
3
Engines Info
Virus Definitions
316623
Engine build
AVCORE v1.0 (build 2355) (i386) (Sep 25 2006 13:46:24)
Scan plugins
13
Archive plugins
38
Unpack plugins
6
E-mail plugins
6
System plugins
1
Scan Settings
First Action
Disinfect
Second Action
Delete
Heuristics
Yes
Enable Warnings
Yes
Scanned Extensions
*;
Exclude Extensions
Scan Emails
Yes
Scan Archives
Yes
Scan Packed
Yes
Scan Files
Yes
Scan Boot
Yes
Scanned File
Status
C:\setup.exe=>(Instyler o)=>(Instyler Module 23)
Infected with: Dropped:Application.Adware.NewDotNet.A
C:\setup.exe=>(Instyler o)=>(Instyler Module 23)
Disinfection failed
C:\setup.exe=>(Instyler o)=>(Instyler Module 23)
Deleted
C:\setup.exe=>(Instyler o)
Update failed
C:\System Volume Information\Speedtest\HideRun.exe
Infected with: Trojan.HideRun.A
C:\System Volume Information\Speedtest\HideRun.exe
Disinfection failed
C:\System Volume Information\Speedtest\HideRun.exe
Delete failed
C:\System Volume Information\Speedtest\samdump.dll
Infected with: Trojan.Hacktool.Pwdump.A
C:\System Volume Information\Speedtest\samdump.dll
Disinfection failed
C:\System Volume Information\Speedtest\samdump.dll
Delete failed
C:\WINNT\cluster\log\radmin.reg
Infected with: Trojan.Reg.Radmin.A
C:\WINNT\cluster\log\radmin.reg
Disinfection failed
C:\WINNT\cluster\log\radmin.reg
Deleted
C:\WINNT\system32\svcwmplayer.ini
Infected with: Generic.Hacdef.INI.7884FF57
C:\WINNT\system32\svcwmplayer.ini
Disinfection failed
C:\WINNT\system32\svcwmplayer.ini
Deleted
#23
Posted 17 November 2006 - 08:45 PM
Wizard
-
- Retired Staff
-
- 5,661 posts
Retired Staff
This next step I may have to ask you to repeat a time or 2,I have to get into my 2000 machine and double check some things.
Create a new folder on the desktop.
Copy the contents of this next code box to Notepad.
Name the file inspect.bat
Save as Type: All files
Save in that new folder on the desktop.
Double click on inspect.bat and let it run.
When finished it will open a file in Notepad.
That file will be named lsa.txt
Please post the contents of lsa.txt into your next reply here.
Create a new folder on the desktop.
Copy the contents of this next code box to Notepad.
Name the file inspect.bat
Save as Type: All files
Save in that new folder on the desktop.
Double click on inspect.bat and let it run.
When finished it will open a file in Notepad.
That file will be named lsa.txt
Please post the contents of lsa.txt into your next reply here.
If not exist Files MkDir Files regedit /a /e files\2.txt HKEY_CURRENT_USER\Software\Microsoft\OLE regedit /a /e files\3.txt HKEY_CURRENT_USER\System\CurrentControlSet\Control\Lsa regedit /a /e files\4.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole regedit /a /e files\5.txt HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa regedit /e /a files\6.txt HKEY_USERS\DEFAULT\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA regedit /a /e files\7.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center" regedit /a /e files\8.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center" Regedit /a /e files\9.txt HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies Regedit /a /e files\10.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies Regedit /a /e files\11.txt HKEY_LOCAL_MACHINE\SOFTWARE\Policies\WindowsFirewall Regedit /a /e files\12.txt HKEY_CURRENT_USER\SOFTWARE\Policies\WindowsFirewall regedit /a /e files\13.txt HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters regedit /a /e files\14.txt HKEY_LOCAL_MACHINE\SYSTEM\Services\SharedAccess Copy files\*.txt = lsa.txt rmdir /s /q files Start Notepad lsa.txt
#24
Posted 18 November 2006 - 12:52 AM
freespirit_90210
- Topic Starter
-
- Member
-
- 20 posts
Member
Here ya go...I should be able to get your instructions done a bit quicker now that it's the weekend! Thanks for sticking with me.
Should I avoid using the machine on the Net altogether until we are done? I've been assuming I should.
S.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
69,00,70,00,6e,00,61,00,74,00,68,00,6c,00,70,00,2e,00,64,00,6c,00,6c,00,00,\
00
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\OLE]
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,\
14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,\
00,00,05,12,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,00,\
00,05,04,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\
5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\
5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
"EnableDCOM"="Y"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST]
"System.EnterpriseServices.Thunk.dll"="Y"
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
6e,00,65,00,6c,00,00,00,00,00
"LsaPid"=dword:000000f8
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"fullprivilegeauditing"=hex:00
"lmcompatibilitylevel"=dword:00000000
"restrictanonymous"=dword:00000000
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"SecureLsaInterfaceSupport"=dword:00000001
"enabledcom"="y"
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\
54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\
00,69,00,64,00,65,00,72,00,00,00,00,00
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:de,bb,d5,59,d7,ae,d9,58,9e,ec,66,c2,ac,7f,f4,7e,32,61,65,34,62,\
39,36,64,00,fd,06,00,01,00,00,00,b0,00,00,00,bc,00,00,00,58,fa,06,00,65,82,\
5a,78,04,00,00,00,b4,fd,06,00,ac,fd,06,00,15,40,18,51
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:a3,fe,60,83,db,f4,cd,56,00
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:c4,8a,38,be,24,d6
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos]
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Domains]
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\SidCache]
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0]
"Auth132"="IISSUBA"
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:f8,56,e0,7b,01,78,db,5e,6a,06,6d,a5,2b,f6,55,9a
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SSO]
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:10,22,16,96,6d,97,c4,01
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,43,8a,cc,78,41,c3,01
"Type"=dword:00000031
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,d6,3a,b0,79,41,c3,01
"Type"=dword:00000031
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:80,69,17,c5,79,41,c3,01
"Type"=dword:00000031
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000095
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
Should I avoid using the machine on the Net altogether until we are done? I've been assuming I should.
S.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
69,00,70,00,6e,00,61,00,74,00,68,00,6c,00,70,00,2e,00,64,00,6c,00,6c,00,00,\
00
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\OLE]
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,\
14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,\
00,00,05,12,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,00,\
00,05,04,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\
5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\
5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
"EnableDCOM"="Y"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST]
"System.EnterpriseServices.Thunk.dll"="Y"
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
6e,00,65,00,6c,00,00,00,00,00
"LsaPid"=dword:000000f8
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"fullprivilegeauditing"=hex:00
"lmcompatibilitylevel"=dword:00000000
"restrictanonymous"=dword:00000000
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"SecureLsaInterfaceSupport"=dword:00000001
"enabledcom"="y"
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\
54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\
00,69,00,64,00,65,00,72,00,00,00,00,00
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:de,bb,d5,59,d7,ae,d9,58,9e,ec,66,c2,ac,7f,f4,7e,32,61,65,34,62,\
39,36,64,00,fd,06,00,01,00,00,00,b0,00,00,00,bc,00,00,00,58,fa,06,00,65,82,\
5a,78,04,00,00,00,b4,fd,06,00,ac,fd,06,00,15,40,18,51
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:a3,fe,60,83,db,f4,cd,56,00
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:c4,8a,38,be,24,d6
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos]
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Domains]
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\SidCache]
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0]
"Auth132"="IISSUBA"
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:f8,56,e0,7b,01,78,db,5e,6a,06,6d,a5,2b,f6,55,9a
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SSO]
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:10,22,16,96,6d,97,c4,01
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,43,8a,cc,78,41,c3,01
"Type"=dword:00000031
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,d6,3a,b0,79,41,c3,01
"Type"=dword:00000031
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:80,69,17,c5,79,41,c3,01
"Type"=dword:00000031
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000095
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
#25
Posted 18 November 2006 - 01:59 PM
Wizard
-
- Retired Staff
-
- 5,661 posts
Retired Staff
Amazing,nothing appears changed so far!
One more scan then you can put the PC back to the Internet so we can test things.
Tell me what Firewall and Antivirus you have installed and is it up to date?
Please do an online scan with Kaspersky WebScanner
Click on Kaspersky Online Scanner
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
One more scan then you can put the PC back to the Internet so we can test things.
Tell me what Firewall and Antivirus you have installed and is it up to date?
Please do an online scan with Kaspersky WebScanner
Click on Kaspersky Online Scanner
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
- The program will launch and then begin downloading the latest definition files:
- Once the files have been downloaded click on NEXT
- Now click on Scan Settings
- In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
- Scan Options:
Scan Mail Bases - Click OK
- Now under select a target to scan:Select My Computer
- This will program will start and scan your system.
- The scan will take a while so be patient and let it run.
- Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
- Save the file to your desktop.
- Copy and paste that information in your next post along woth a fresh HijackThis log.
#26
Posted 19 November 2006 - 05:47 PM
freespirit_90210
- Topic Starter
-
- Member
-
- 20 posts
Member
Here you go...
Re: your firewall and virus scanner question, I'm embarrassed to say I don't have a firewall. Can you recommend one?
I use Spybot Search and Destroy, Ad-Aware Plus, and AVG. I was using Trojan Hunter till the demo period ran out.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, November 19, 2006 3:44:09 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 19/11/2006
Kaspersky Anti-Virus database records: 242905
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 80845
Number of viruses found: 10
Number of infected objects: 24 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:28:04
Infected Object Name / Virus Name / Last Action
C:\avenger\backup.zip/avenger/bka/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\avenger\backup.zip/avenger/bka/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\avenger\backup.zip/avenger/bka/rahide.reg Infected: Backdoor.Win32.RA-based.z skipped
C:\avenger\backup.zip/avenger/bka/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\avenger\backup.zip/avenger/bka/ZipOfAllFiles_11-08-06.ZIP/WINNT/system32/security/bka/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\avenger\backup.zip/avenger/bka/ZipOfAllFiles_11-08-06.ZIP/WINNT/system32/security/bka/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\avenger\backup.zip/avenger/bka/ZipOfAllFiles_11-08-06.ZIP/WINNT/system32/security/bka/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\avenger\backup.zip/avenger/bka/ZipOfAllFiles_11-08-06.ZIP/WINNT/system32/security/bka/rahide.reg Infected: Backdoor.Win32.RA-based.z skipped
C:\avenger\backup.zip/avenger/bka/ZipOfAllFiles_11-08-06.ZIP Infected: Backdoor.Win32.RA-based.z skipped
C:\avenger\backup.zip ZIP: infected - 9 skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Application Data\Microsoft\Word\AutoRecovery save of Document1.asd Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Desktop\Clean off desktop 10-8-06\Old Desktop Items DO NOT ERASE\All RUP Stuff\IBM RUP Tutorial\webex_player.exe//Disk1/ieatgpc.dll Infected: not-a-virus:AdWare.Win32.WebEx.b skipped
C:\Documents and Settings\Sarah Leedy\Desktop\Clean off desktop 10-8-06\Old Desktop Items DO NOT ERASE\All RUP Stuff\IBM RUP Tutorial\webex_player.exe CAB: infected - 1 skipped
C:\Documents and Settings\Sarah Leedy\Desktop\Clean off desktop 10-8-06\Old Desktop Items DO NOT ERASE\All RUP Stuff\IBM RUP Tutorial\webex_player.exe InstallShield: infected - 1 skipped
C:\Documents and Settings\Sarah Leedy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Local Settings\Temp\Acr314E.tmp Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Local Settings\Temp\~DF2BE7.tmp Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Local Settings\Temp\~DF2D29.tmp Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Local Settings\Temp\~DF30F7.tmp Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Local Settings\Temp\~DF885.tmp Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Local Settings\Temp\~DFD36D.tmp Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Local Settings\Temp\~WRF0000.tmp Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Sarah Leedy\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Sarah Leedy\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Microsoft Office\Office\Startup\PDFMaker.dot Object is locked skipped
C:\Program Files\TechSmith\SnagIt 8\SnagIt Add-in.dot Object is locked skipped
C:\Program Files\Wiperaser 2004\language.set Object is locked skipped
C:\setup.exe/data0013 Infected: not-a-virus:Server-Proxy.Win32.MarketScore.j skipped
C:\setup.exe/data0021/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\setup.exe/data0021/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\setup.exe/data0021 Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\setup.exe/data0024 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\setup.exe Inno: infected - 5 skipped
C:\System Volume Information\Speedtest\HideRun.exe Infected: not-a-virus:RiskTool.Win32.HideRun skipped
C:\System Volume Information\Speedtest\samdump.dll Infected: not-a-virus:PSWTool.Win32.PWDump.2 skipped
C:\WINNT\cluster\log\admdll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\WINNT\cluster\log\raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\PCHEALTH\helpctr\logs\logging\staubi\Scan\SCANXXX.exe Infected: not-a-virus:NetTool.Win32.DFind skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
Scan process completed.
Re: your firewall and virus scanner question, I'm embarrassed to say I don't have a firewall. Can you recommend one?
I use Spybot Search and Destroy, Ad-Aware Plus, and AVG. I was using Trojan Hunter till the demo period ran out.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, November 19, 2006 3:44:09 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 19/11/2006
Kaspersky Anti-Virus database records: 242905
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 80845
Number of viruses found: 10
Number of infected objects: 24 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:28:04
Infected Object Name / Virus Name / Last Action
C:\avenger\backup.zip/avenger/bka/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\avenger\backup.zip/avenger/bka/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\avenger\backup.zip/avenger/bka/rahide.reg Infected: Backdoor.Win32.RA-based.z skipped
C:\avenger\backup.zip/avenger/bka/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\avenger\backup.zip/avenger/bka/ZipOfAllFiles_11-08-06.ZIP/WINNT/system32/security/bka/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\avenger\backup.zip/avenger/bka/ZipOfAllFiles_11-08-06.ZIP/WINNT/system32/security/bka/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\avenger\backup.zip/avenger/bka/ZipOfAllFiles_11-08-06.ZIP/WINNT/system32/security/bka/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\avenger\backup.zip/avenger/bka/ZipOfAllFiles_11-08-06.ZIP/WINNT/system32/security/bka/rahide.reg Infected: Backdoor.Win32.RA-based.z skipped
C:\avenger\backup.zip/avenger/bka/ZipOfAllFiles_11-08-06.ZIP Infected: Backdoor.Win32.RA-based.z skipped
C:\avenger\backup.zip ZIP: infected - 9 skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Application Data\Microsoft\Word\AutoRecovery save of Document1.asd Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Desktop\Clean off desktop 10-8-06\Old Desktop Items DO NOT ERASE\All RUP Stuff\IBM RUP Tutorial\webex_player.exe//Disk1/ieatgpc.dll Infected: not-a-virus:AdWare.Win32.WebEx.b skipped
C:\Documents and Settings\Sarah Leedy\Desktop\Clean off desktop 10-8-06\Old Desktop Items DO NOT ERASE\All RUP Stuff\IBM RUP Tutorial\webex_player.exe CAB: infected - 1 skipped
C:\Documents and Settings\Sarah Leedy\Desktop\Clean off desktop 10-8-06\Old Desktop Items DO NOT ERASE\All RUP Stuff\IBM RUP Tutorial\webex_player.exe InstallShield: infected - 1 skipped
C:\Documents and Settings\Sarah Leedy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Local Settings\Temp\Acr314E.tmp Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Local Settings\Temp\~DF2BE7.tmp Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Local Settings\Temp\~DF2D29.tmp Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Local Settings\Temp\~DF30F7.tmp Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Local Settings\Temp\~DF885.tmp Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Local Settings\Temp\~DFD36D.tmp Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Local Settings\Temp\~WRF0000.tmp Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Sarah Leedy\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Sarah Leedy\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Microsoft Office\Office\Startup\PDFMaker.dot Object is locked skipped
C:\Program Files\TechSmith\SnagIt 8\SnagIt Add-in.dot Object is locked skipped
C:\Program Files\Wiperaser 2004\language.set Object is locked skipped
C:\setup.exe/data0013 Infected: not-a-virus:Server-Proxy.Win32.MarketScore.j skipped
C:\setup.exe/data0021/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\setup.exe/data0021/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\setup.exe/data0021 Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\setup.exe/data0024 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\setup.exe Inno: infected - 5 skipped
C:\System Volume Information\Speedtest\HideRun.exe Infected: not-a-virus:RiskTool.Win32.HideRun skipped
C:\System Volume Information\Speedtest\samdump.dll Infected: not-a-virus:PSWTool.Win32.PWDump.2 skipped
C:\WINNT\cluster\log\admdll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\WINNT\cluster\log\raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\PCHEALTH\helpctr\logs\logging\staubi\Scan\SCANXXX.exe Infected: not-a-virus:NetTool.Win32.DFind skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
Scan process completed.
#27
Posted 20 November 2006 - 04:54 AM
Wizard
-
- Retired Staff
-
- 5,661 posts
Retired Staff
Lets get rid of these items first.
C:\setup.exe<-- File
C:\avenger<-- Folder
C:\WINNT\cluster<-- Folder
Free Firewall I think you find most user friendly of the 3 free ones I know off.
ZoneAlarm Free
Get that installed,then Update AVG and do a full System Scan.
Post back and let me know how the computer is acting and if AVG found anything?
C:\setup.exe<-- File
C:\avenger<-- Folder
C:\WINNT\cluster<-- Folder
Free Firewall I think you find most user friendly of the 3 free ones I know off.
ZoneAlarm Free
Get that installed,then Update AVG and do a full System Scan.
Post back and let me know how the computer is acting and if AVG found anything?
#28
Posted 20 November 2006 - 08:50 AM
freespirit_90210
- Topic Starter
-
- Member
-
- 20 posts
Member
I've deleted the files, I'm installing ZoneAlarm now and I'll run the AVG scan while I'm at work today.
Do you feel Zone Alarm is enough, or should I buy a hardware firewall too? I'm certainly willing after all this happening. Let me know what you think.
Thanks again, I'll let you know if AVG finds anything.
S.
Do you feel Zone Alarm is enough, or should I buy a hardware firewall too? I'm certainly willing after all this happening. Let me know what you think.
Thanks again, I'll let you know if AVG finds anything.
S.
#29
Posted 20 November 2006 - 02:38 PM
Wizard
-
- Retired Staff
-
- 5,661 posts
Retired Staff
Tell me a little more about the machine and its usage?
Is it a desktop or laptop?
How many people have access?
How does it connect to the Internet?
I am pretty confident with AVG and Zone Alarm.
Is it a desktop or laptop?
How many people have access?
How does it connect to the Internet?
I am pretty confident with AVG and Zone Alarm.
#30
Posted 20 November 2006 - 08:26 PM
freespirit_90210
- Topic Starter
-
- Member
-
- 20 posts
Member
It's a laptop, only my roommate and I have access and she's cool. It's connected to a Cable DSL modem.
It was better after the first couple of cleanups you had me do, but now it seems slow again and that the modem is transmitting something all the time, even when I'm not doing anything. Is that necessarily a problem? Maybe it isn't and I'm just paranoid.
Here's what AVG found...
Partition table (MBR) - OK - Quick checked
Boot sector of disk C: - OK - Quick checked
System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Load Scanned
System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Run Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Run Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnce Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServices Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Run Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnce Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServices Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Winlogon\Userinit Scanned
System registry SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell Scanned
System registry exefile\shell\open\command Scanned
System registry scrfile\shell\open\command Scanned
System registry scrfile\shell\config\command Scanned
System registry batfile\shell\open\command Scanned
System registry cmdfile\shell\open\command Scanned
System registry comfile\shell\open\command Scanned
System registry piffile\shell\open\command Scanned
System registry giffile\shell\open\command Scanned
System registry htmlfile\shell\open\command Scanned
System registry htafile\shell\open\command Scanned
System registry jpegfile\shell\open\command Scanned
System registry txtfile\shell\open\command Scanned
System registry regfile\shell\open\command Scanned
System registry cplfile\shell\cplopen\command Scanned
System registry Word.Document.8\shell\open\command Scanned
System registry WordPad.Document.1\shell\open\command Scanned
System registry inffile\shell\open\command Scanned
System registry vbsfile\shell\open\command Scanned
System registry vbefile\shell\open\command Scanned
C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe - OK - Quick checked
C:\Program Files\BellSouth\Client Foundation\CFD.exe - OK - Quick checked
C:\Program Files\Dell\AccessDirect\DadApp.exe - OK - Quick checked
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe - OK - Quick checked
C:\Program Files\Internet Explorer\IEXPLORE.EXE - OK - Quick checked
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe - OK - Quick checked
C:\Program Files\Microsoft IntelliType Pro\type32.exe - OK - Quick checked
C:\Program Files\Microsoft Office\Office\WINWORD.EXE - OK - Quick checked
C:\Program Files\QuickTime\qttask.exe - OK - Quick checked
C:\Program Files\Real\RealPlayer\realplay.exe - OK - Quick checked
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe - OK - Quick checked
C:\Program Files\Support.com\BellSouth\hcenter.exe - OK - Quick checked
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe - OK - Quick checked
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe - OK - Quick checked
C:\Program Files\TrojanHunter 4.6\THGuard.exe - OK - Quick checked
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe - OK - Quick checked
C:\Program Files\iTunes\iTunesHelper.exe - OK - Quick checked
C:\WINNT\BCMSMMSG.exe - OK - Quick checked
C:\WINNT\regedit.exe - OK - Quick checked
C:\WINNT\system32\CTFMON.EXE - OK - Quick checked
C:\WINNT\system32\SHELL32.DLL - OK - Quick checked
C:\WINNT\system32\hkcmd.exe - OK - Quick checked
C:\WINNT\system32\igfxtray.exe - OK - Quick checked
C:\WINNT\system32\mobsync.exe - OK - Quick checked
C:\WINNT\system32\mshta.exe - OK - Quick checked
C:\WINNT\system32\rundll32.exe - OK - Quick checked
C:\WINNT\system32\kernel32.dll Change Changed
C:\WINNT\system32\wsock32.dll - OK - Quick checked
C:\WINNT\system32\user32.dll Change Changed
C:\WINNT\system32\shell32.dll Change Changed
C:\WINNT\system32\ntoskrnl.exe Change Changed
It was better after the first couple of cleanups you had me do, but now it seems slow again and that the modem is transmitting something all the time, even when I'm not doing anything. Is that necessarily a problem? Maybe it isn't and I'm just paranoid.
Here's what AVG found...
Partition table (MBR) - OK - Quick checked
Boot sector of disk C: - OK - Quick checked
System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Load Scanned
System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Run Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Run Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnce Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServices Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Run Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnce Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServices Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Winlogon\Userinit Scanned
System registry SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell Scanned
System registry exefile\shell\open\command Scanned
System registry scrfile\shell\open\command Scanned
System registry scrfile\shell\config\command Scanned
System registry batfile\shell\open\command Scanned
System registry cmdfile\shell\open\command Scanned
System registry comfile\shell\open\command Scanned
System registry piffile\shell\open\command Scanned
System registry giffile\shell\open\command Scanned
System registry htmlfile\shell\open\command Scanned
System registry htafile\shell\open\command Scanned
System registry jpegfile\shell\open\command Scanned
System registry txtfile\shell\open\command Scanned
System registry regfile\shell\open\command Scanned
System registry cplfile\shell\cplopen\command Scanned
System registry Word.Document.8\shell\open\command Scanned
System registry WordPad.Document.1\shell\open\command Scanned
System registry inffile\shell\open\command Scanned
System registry vbsfile\shell\open\command Scanned
System registry vbefile\shell\open\command Scanned
C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe - OK - Quick checked
C:\Program Files\BellSouth\Client Foundation\CFD.exe - OK - Quick checked
C:\Program Files\Dell\AccessDirect\DadApp.exe - OK - Quick checked
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe - OK - Quick checked
C:\Program Files\Internet Explorer\IEXPLORE.EXE - OK - Quick checked
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe - OK - Quick checked
C:\Program Files\Microsoft IntelliType Pro\type32.exe - OK - Quick checked
C:\Program Files\Microsoft Office\Office\WINWORD.EXE - OK - Quick checked
C:\Program Files\QuickTime\qttask.exe - OK - Quick checked
C:\Program Files\Real\RealPlayer\realplay.exe - OK - Quick checked
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe - OK - Quick checked
C:\Program Files\Support.com\BellSouth\hcenter.exe - OK - Quick checked
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe - OK - Quick checked
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe - OK - Quick checked
C:\Program Files\TrojanHunter 4.6\THGuard.exe - OK - Quick checked
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe - OK - Quick checked
C:\Program Files\iTunes\iTunesHelper.exe - OK - Quick checked
C:\WINNT\BCMSMMSG.exe - OK - Quick checked
C:\WINNT\regedit.exe - OK - Quick checked
C:\WINNT\system32\CTFMON.EXE - OK - Quick checked
C:\WINNT\system32\SHELL32.DLL - OK - Quick checked
C:\WINNT\system32\hkcmd.exe - OK - Quick checked
C:\WINNT\system32\igfxtray.exe - OK - Quick checked
C:\WINNT\system32\mobsync.exe - OK - Quick checked
C:\WINNT\system32\mshta.exe - OK - Quick checked
C:\WINNT\system32\rundll32.exe - OK - Quick checked
C:\WINNT\system32\kernel32.dll Change Changed
C:\WINNT\system32\wsock32.dll - OK - Quick checked
C:\WINNT\system32\user32.dll Change Changed
C:\WINNT\system32\shell32.dll Change Changed
C:\WINNT\system32\ntoskrnl.exe Change Changed
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
As Featured On:
Sign In
Create Account
