resources hog. Maybe svchost problem [RESOLVED]


  • This topic is locked

#1
drakken
  • Member
  • 56 posts
Something is hogging a lot of resources and I can see what it is. I've run Spybot S&D, Ad-Aware and Trend Micro 2008 and they say the system is clean but it's still running slow. Hopefully the HijackThis log shows something I can't find.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:22:00 PM, on 1/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.iprimus.com.au:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.iprimus.com.au;*.primustel.com.au;*.primus.com.au;192.*; 172.*; 127.*;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.iprimus.com.au
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{905BB048-8422-433F-9FA2-57AC7FE47495}: NameServer = 192.168.2.1,192.168.1.1
O18 - Protocol: start - (no CLSID) - (no file)
O22 - SharedTaskScheduler: gulch - {143404b0-ee92-40a7-8705-06fba9a7abf4} - C:\WINDOWS\system32\wqzdtjg.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 7989 bytes

Edited by drakken, 01 June 2008 - 09:12 PM.



#2
fenzodahl512
  • Malware Removal
  • 9,863 posts
Hello drakken, my name is fenzodahl512 and welcome to Geeks to Go. Please do the following.

Please download Deckard's System Scanner (DSS) from HERE or HERE and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • Please let your firewall allow the scanning/downloading process.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.



Regards
fenzodahl512

#3
drakken
  • Topic Starter
  • Member
  • 56 posts
MAIN:

Deckard's System Scanner v20071014.68
Run by Vicki on 2008-06-05 07:09:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
60: 2008-06-04 23:09:57 UTC - RP87 - Deckard's System Scanner Restore Point
59: 2008-06-01 03:40:46 UTC - RP86 - Software Distribution Service 3.0
58: 2008-06-01 02:15:11 UTC - RP85 - Software Distribution Service 3.0
57: 2008-05-31 15:51:27 UTC - RP84 - Software Distribution Service 3.0
56: 2008-05-31 15:05:31 UTC - RP83 - Software Distribution Service 3.0


-- First Restore Point --
1: 2007-04-05 08:59:17 UTC - RP28 - Software Distribution Service 2.0


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Vicki.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:11:35 AM, on 5/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Documents and Settings\Vicki\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Vicki.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.iprimus.com.au:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.iprimus.com.au;*.primustel.com.au;*.primus.com.au;192.*; 172.*; 127.*;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.iprimus.com.au
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{905BB048-8422-433F-9FA2-57AC7FE47495}: NameServer = 192.168.2.1,192.168.1.1
O18 - Protocol: start - (no CLSID) - (no file)
O22 - SharedTaskScheduler: gulch - {143404b0-ee92-40a7-8705-06fba9a7abf4} - C:\WINDOWS\system32\wqzdtjg.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 7881 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 IdeBusDr - c:\windows\system32\drivers\idebusdr.sys <Not Verified; Intel Corporation; Intel Application Accelerator Driver>
R0 IdeChnDr (Intel® Ultra ATA Controller) - c:\windows\system32\drivers\idechndr.sys
R0 prohlp02 (StarForce Protection Helper Driver v2) - c:\windows\system32\drivers\prohlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp01 (StarForce Protection Helper Driver) - c:\windows\system32\drivers\sfhlp01.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 cdrbsvsd - c:\windows\system32\drivers\cdrbsvsd.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD7>
R1 PCLEPCI - c:\windows\system32\drivers\pclepci.sys <Not Verified; Pinnacle Systems GmbH; PCLEPCI>
R1 prodrv06 (StarForce Protection Environment Driver v6) - c:\windows\system32\drivers\prodrv06.sys <Not Verified; Protection Technology; StarForce Protection System>
R2 Fallback - c:\windows\system32\drivers\fallback.sys <Not Verified; Conexant; SoftK56>
R2 Fsks - c:\windows\system32\drivers\fsksnt.sys <Not Verified; Conexant; SoftK56>
R2 K56 - c:\windows\system32\drivers\k56nt.sys <Not Verified; Conexant; SoftK56>
R2 MASPINT - c:\windows\system32\drivers\maspint.sys <Not Verified; MicroStaff Co.,Ltd.; Aspi32 Driver for WinNT>
R2 SoftFax - c:\windows\system32\drivers\faxnt.sys <Not Verified; Conexant; SoftK56>
R2 Tones - c:\windows\system32\drivers\tonesnt.sys <Not Verified; Conexant; SoftK56>
R2 V124 - c:\windows\system32\drivers\v124nt.sys <Not Verified; Conexant; SoftK56>
R3 MarvinBus (Pinnacle Marvin Bus) - c:\windows\system32\drivers\marvinbus.sys <Not Verified; Pinnacle Systems GmbH; Pinnacle Marvin Discrete>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S3 basic2 - c:\windows\system32\drivers\basic2.sys <Not Verified; Conexant; SoftK56>
S3 BEHRINGER_2902 (usb-audio.de driver for BEHRINGER USB AUDIO) - c:\windows\system32\drivers\busb2902.sys <Not Verified; BEHRINGER; BEHRINGER USB AUDIO DRIVER>
S3 BrScnUsb (Brother USB Still Image driver) - c:\windows\system32\drivers\brscnusb.sys <Not Verified; Brother Industries Ltd.; Brother MFC Scanner>
S3 CnxTrLan (NetComm USB Network Adapter Driver) - c:\windows\system32\drivers\cnxtrlan.sys <Not Verified; Conexant; Conexant USB Network Device>
S3 CnxTrUsb (NetComm USB Network Interface Device Driver) - c:\windows\system32\drivers\cnxtrusb.sys <Not Verified; Conexant; Conexant USB Network Device>
S3 Rksample - c:\windows\system32\drivers\rksample.sys <Not Verified; Conexant; SoftK56>
S3 Ser2pl (Prolific Serial port driver) - c:\windows\system32\drivers\ser2pl.sys <Not Verified; Prolific Technology Inc.; Prolific USB-to-Serial Bridge Cable>
S3 U81xbus (LGE U8110 driver (WDM)) - c:\windows\system32\drivers\u81xbus.sys <Not Verified; MCCI; LG Electronics U8110>
S3 U81xmdfl (LGE U8110 USB WMC Modem Filter) - c:\windows\system32\drivers\u81xmdfl.sys <Not Verified; MCCI; LG Electronics U8110 USB WMC Modem Filter Driver>
S3 U81xmdm (LGE U8110 USB WMC Modem Driver) - c:\windows\system32\drivers\u81xmdm.sys <Not Verified; MCCI; LG Electronics U8110 USB WMC Modem>
S3 U81xmgmt (LGE U8110 USB WMC Device Management Drivers (WDM)) - c:\windows\system32\drivers\u81xmgmt.sys <Not Verified; MCCI; LG Electronics U8110 USB WMC Device Management>
S3 U81xobex (LGE U8110 USB WMC OBEX Interface) - c:\windows\system32\drivers\u81xobex.sys <Not Verified; MCCI; LG Electronics U8110 USB WMC OBEX Interface>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>

S3 AresChatServer (Ares Chatroom server) - c:\program files\ares\chatserver.exe <Not Verified; Ares Development Group; Ares Chat Server>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia N95 8GB
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia N95 8GB
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd


-- Scheduled Tasks -------------------------------------------------------------

2007-07-26 18:42:52 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-05 and 2008-06-05 -----------------------------

2008-06-04 11:58:29 0 d-------- C:\Program Files\FLV Player
2008-06-01 10:53:14 0 d-------- C:\Program Files\Microsoft Silverlight
2008-06-01 10:20:20 0 d-------- C:\Program Files\CONEXANT
2008-06-01 00:22:11 0 d-------- C:\WINDOWS\system32\scripting
2008-06-01 00:22:07 0 d-------- C:\WINDOWS\l2schemas
2008-06-01 00:22:06 0 d-------- C:\WINDOWS\system32\en
2008-06-01 00:15:03 0 d-------- C:\WINDOWS\network diagnostic
2008-05-31 19:48:05 0 d-------- C:\Documents and Settings\Vicki\.housecall6.6
2008-05-31 17:16:26 0 d-------- C:\Program Files\Lavasoft
2008-05-31 17:16:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-31 17:12:38 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-30 09:18:04 0 dr-h----- C:\Documents and Settings\Vicki\Recent
2008-05-28 08:36:34 0 d-------- C:\Documents and Settings\Vicki\Application Data\WinRAR
2008-05-26 09:22:51 0 d-------- C:\Program Files\ophcrack
2008-05-25 14:36:28 0 d-------- C:\Log
2008-05-25 14:30:21 0 d-------- C:\WINDOWS\LocalSSL
2008-05-25 14:26:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-05-09 17:24:23 0 d-------- C:\Boyce's Auto Library


-- Find3M Report ---------------------------------------------------------------

Nothing modified in this timespan.


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1656CCA-D2EA-4A32-94AE-AE0B180E6449}]
15/02/2008 08:38 PM 103760 --a------ C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [01/07/2004 06:23 PM C:\WINDOWS\soundman.exe]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [07/09/2004 09:25 PM]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [08/12/2003 05:35 PM]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [02/08/2007 08:30 PM]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [16/02/2008 12:56 AM]
"IntelliType"="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [22/03/2002 12:41 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe" [22/09/2004 04:10 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 11:43 AM]
"TClockEx"="C:\Program Files\TClockEx\TCLOCKEX.EXE" [09/03/2000 01:15 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2/19/2006 4:21:22 AM]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2/10/2006 7:56:20 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{143404b0-ee92-40a7-8705-06fba9a7abf4}"= C:\WINDOWS\system32\wqzdtjg.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.1001-search.info
127.0.0.1 1001-search.info
127.0.0.1 www.100888290cs.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100sexlinks.com

8559 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-05 07:15:42 ------------


EXTRA

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.40GHz
Percentage of Memory in Use: 61%
Physical Memory (total/avail): 511.49 MiB / 197.98 MiB
Pagefile Memory (total/avail): 1249.73 MiB / 798.46 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1816.95 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 57.25 GiB total, 19.45 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - IC35L060AVV207-0 - 57.27 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 57.26 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Vicki\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SWEETPEA
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Vicki
LOGONSERVER=\\SWEETPEA
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\PC Connectivity Solution\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Vicki\LOCALS~1\Temp
TMP=C:\DOCUME~1\Vicki\LOCALS~1\Temp
USERDOMAIN=SWEETPEA
USERNAME=Vicki
USERPROFILE=C:\Documents and Settings\Vicki
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Vicki (admin)
Rhys (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> MsiExec.exe /X{E9F81423-211E-46B6-9AE0-38568BC5CF6F}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Apple Mobile Device Support --> MsiExec.exe /I{A43B2A2F-1DB5-47F9-A608-F11A4835D7CB}
Apple Software Update --> MsiExec.exe /I{74EC78BC-B379-4E29-9006-8F161DCAABA6}
ArcSoft PhotoImpression --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6C5D7191-140A-11D6-B5A0-0050DA208A93}\setup.exe" -l0x9 -uninst
Ares 2.0.9 --> "C:\Program Files\Ares\uninstall.exe"
Audacity 1.2.3 --> "C:\Program Files\Audacity\unins000.exe"
AVIConverter 2.0 --> C:\Program Files\AVIConverter\uninst.exe
BEHRINGER USB AUDIO DRIVER --> C:\WINDOWS\usb-audio.deBehringer2902\Setup.exe /l1
Blox 1.1 --> "C:\Program Files\GameYard.com\Blox\unins000.exe"
Boyce's Auto Library Version 1.0.1.0 --> "C:\Boyce's Auto Library\unins000.exe"
Corel Graphics Suite 11 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{07A540AB-D785-11D5-8E89-0090275862A0}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
DVD Solution --> "C:\Program Files\Uninstall_CDS.exe"
Enable S3 for USB Device --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Gigabyte\Enable S3 for USB Device\Uninst.isu"
FLV Player 2.0, build 24 --> C:\Program Files\FLV Player\uninst.exe
Gearhead Garage Demo --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\HeadGames\Gearhead Garage Demo\Uninst.isu"
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Document Viewer 7.0 --> C:\Program Files\HP\Digital Imaging\DocumentViewer\hpzscr01.exe -datfile hpqbud04.dat
HP Imaging Device Functions 7.0 --> C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Essential --> MsiExec.exe /X{6994491D-D491-48F1-AE1F-E179C1FFFC2F}
HP Photosmart Premier Software 6.5 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Photosmart, Officejet and Deskjet 7.0.A --> C:\Program Files\HP\Digital Imaging\{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}\setup\hpzscr01.exe -datfile hposcr11.dat
HP Software Update --> MsiExec.exe /X{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}
HP Solution Center 7.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
Image Resizer Powertoy for Windows XP --> MsiExec.exe /I{1CB92574-96F2-467B-B793-5CEB35C40C29}
Image Transfer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{564A8DD3-70BC-4018-A5C3-7CEB10BBB6E9}\Setup.exe" UNINSTALL
InCD --> C:\WINDOWS\NuNInst.exe /UNINSTALL
Intel Application Accelerator --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9984DF60-1C5B-11D3-ACA1-908A4FC10801}\Setup.exe" -INTELUNINST
iPod for Windows 2005-03-23 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{44A537A5-859C-43A6-8285-C0668142A090} /l1033
iTunes --> MsiExec.exe /I{9357AE3A-B2ED-4138-BB9B-0564352C3F0A}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
KRISTAL Audio Engine --> C:\Program Files\Kreatives.org\KRISTAL Audio Engine\Uninstall.exe
Macromedia Flash Player --> MsiExec.exe /X{4ecaf021-478c-40c1-b777-3368a15f9966}
Macromedia Shockwave Player --> C:\WINDOWS\system32\MACROMED\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\MACROMED\SHOCKW~1\INSTALL.LOG
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office 2000 Disc 2 --> MsiExec.exe /I{00040409-78E1-11D2-B60F-006097C998E7}
Microsoft Office PowerPoint Viewer 2003 --> MsiExec.exe /X{90AF0409-6000-11D3-8CFE-0150048383C9}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWudf01005$\spuninst\spuninst.exe"
Microsoft Works 4.5 --> C:\Program Files\MSWorks\Setup45\setup.exe
MicroStaff WINASPI --> C:\MWASPI\uninst.exe
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Multimedia Launcher --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
Native Instruments Guitar Combos Behringer Edition --> C:\PROGRA~1\NATIVE~1\GUITAR~1\UNWISE.EXE C:\PROGRA~1\NATIVE~1\GUITAR~1\INSTALL.LOG
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NetComm NB1300 USB Network Adapter --> C:\Program Files\NetComm\NetComm USB Network\CnxUnist.exe -w7 NetComm\NetComm USB Network
Nokia Connectivity Cable Driver --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{4AD35E01-9BA9-4F0C-B6B7-09C6C8F20D15}
Nokia Connectivity Cable Driver --> RUNDLL32.EXE nsesetup.dll,DoNTUninst
Nokia Lifeblog 2.5 --> MsiExec.exe /I{E94603CA-2996-4154-8EE2-A5FCD4BFB500}
Nokia NSeries Application Installer --> MsiExec.exe /I{FD349381-D79C-4E5C-8980-015DFFB962D5}
Nokia NSeries Content Copier --> MsiExec.exe /X{F779EC8D-6703-4C4A-817C-37B07898E647}
Nokia NSeries Multimedia Player --> MsiExec.exe /I{FA25FAF6-3097-43C9-BBB2-A77CE8AF1881}
Nokia NSeries One Touch Access --> MsiExec.exe /I{F4EE8763-EAA8-4BC1-8594-8501F5F00414}
Nokia NSeries System Utilities --> MsiExec.exe /X{F1932E56-8A95-40E0-A15B-E06B45969845}
Nokia Software Launcher --> MsiExec.exe /I{B53F4598-B3D9-41DF-911E-523FA91EE464}
Nokia Software Updater --> MsiExec.exe /X{20BCD471-7897-481D-ACF2-CB9BABF6A6CF}
OCR Software by I.R.I.S 7.0 --> C:\Program Files\HP\Digital Imaging\OCR\hpzscr01.exe -datfile hpqbud11.dat
ophcrack 3.0 --> C:\Program Files\ophcrack\uninst.exe
PC Connectivity Solution --> MsiExec.exe /I{6094AB91-4CC8-498E-9DFF-134CC0B159DE}
PCI SoftV92 Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_HSF\UIU32m.exe -U -IPSCRCSR5K.inf
PL-2303 USB-to-Serial --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Setup.exe" -l0x9 Installed
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PowerProducer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\setup.exe" -uninstall
proDAD Heroglyph 1.0 --> "C:\Program Files\proDAD\Heroglyph-1.0\uninstall.exe" uninstall spcp
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Repair Tool for Outlook Express v.1.5 --> "C:\Program Files\Repair Tool for OE\unins000.exe"
RTLSetup --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{97AA0C55-AFAD-4126-B21C-F1318FB6DADA}\setup.exe" -l0x9 REMOVE
Sandlot Games Client Services --> "C:\Program Files\Common Files\Sandlot Shared\unins000.exe"
Serials 2000 v6.0 --> C:\PROGRA~1\SERIAL~1\UNWISE.EXE C:\PROGRA~1\SERIAL~1\INSTALL.LOG
SmartUndelete --> "C:\Program Files\SmartUndelete\unins000.exe"
SolSuite --> C:\PROGRA~1\SOLSUITE\UNWISE.EXE C:\PROGRA~1\SOLSUITE\INSTALL.LOG
Sony USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALL
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Studio 9 Content CD/DVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B67624DE-75CE-4FAD-9F29-5C115773CE61}\Setup.exe" -l0x9 UNINSTALL
TClockEx --> "C:\Program Files\TClockEx\unins000.exe"
The Sims 2 --> C:\Program Files\EA GAMES\The Sims 2\EAUninstall.exe
The Sims 2 Family Fun Stuff --> C:\Program Files\EA GAMES\The Sims 2 Family Fun Stuff\EAUninstall.exe
The Sims 2 Nightlife --> C:\Program Files\EA GAMES\The Sims 2 Nightlife\EAUninstall.exe
Theme Hospital --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Bullfrog\Hospital\DeIsL2.isu"
Trend Micro Internet Security Pro --> C:\Program Files\Trend Micro\Internet Security\remove.exe
Trend Micro Internet Security Pro --> MsiExec.exe /X{A621B45A-D138-4A95-BE10-7CABA05EF94E}
Windows Driver Package - Nokia (WUDFRd) WPD (03/19/2007 6.83.31.1) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccswpddri_039E7E24575DBAE6A389611AF28F4EB97729D33E\pccswpddriver.inf
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Zoo Tycoon 2 --> "C:\Program Files\Microsoft Games\Zoo Tycoon 2\UNINSTAL.EXE" /runtemp /uninstall


-- Application Event Log -------------------------------------------------------

Event Record #/Type6430 / Warning
Event Submitted/Written: 06/04/2008 03:12:24 PM
Event ID/Source: 1015 / EvntAgnt
Event Description:
TraceLevel parameter not located in registry;
Default trace level used is 32.

Event Record #/Type6429 / Warning
Event Submitted/Written: 06/04/2008 03:12:24 PM
Event ID/Source: 1003 / EvntAgnt
Event Description:
TraceFileName parameter not located in registry;
Default trace file used is .

Event Record #/Type6424 / Warning
Event Submitted/Written: 06/03/2008 07:01:25 PM
Event ID/Source: 1015 / EvntAgnt
Event Description:
TraceLevel parameter not located in registry;
Default trace level used is 32.

Event Record #/Type6423 / Warning
Event Submitted/Written: 06/03/2008 07:01:25 PM
Event ID/Source: 1003 / EvntAgnt
Event Description:
TraceFileName parameter not located in registry;
Default trace file used is .

Event Record #/Type6420 / Error
Event Submitted/Written: 06/02/2008 11:34:45 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20060.42618, faulting module ntdll.dll, version 5.1.2600.5512, fault address 0x0001b1fa.
Processing media-specific event for [firefox.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type201612 / Error
Event Submitted/Written: 06/05/2008 07:12:12 AM
Event ID/Source: 7016 / Service Control Manager
Event Description:
The BrSplService service has reported an invalid current state 0.

Event Record #/Type201611 / Warning
Event Submitted/Written: 06/05/2008 04:51:37 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type201552 / Warning
Event Submitted/Written: 06/04/2008 11:29:04 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type201549 / Warning
Event Submitted/Written: 06/04/2008 10:11:09 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type201548 / Warning
Event Submitted/Written: 06/04/2008 09:43:17 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



-- End of Deckard's System Scanner: finished at 2008-06-05 07:15:42 ------------

#4
fenzodahl512 (Malware Removal, 9,863 posts)
Hello, thanks for the reply. Please do the following..

Please go to Start >> Run and type or copy/paste the following in the run box: "%userprofile%\desktop\dss.exe" /daft . Then press Enter
  • Click on the Scan button.
  • Select everything it is displaying there
  • Click the Fix button.
  • Then rescan with DAFT again - it should say now that "All associations are OK"
  • Close DAFT if you receive that message. This means that it is fixed now.



NEXT


Please re-open HijackThis and click on Do a system scan only. Check the boxes next to all the entries listed below.

O18 - Protocol: start - (no CLSID) - (no file)
O22 - SharedTaskScheduler: gulch - {143404b0-ee92-40a7-8705-06fba9a7abf4} - C:\WINDOWS\system32\wqzdtjg.dll (file missing)


Now close all windows other than HijackThis, then click Fix checked. Close HijackThis.




NEXT


Please download Malwarebytes' Anti-Malware from HERE or HERE

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



Please post the following logs in your next reply..

1. MalwareBytes' Anti-Malware
2. A fresh Deckard System Scanner (after MalwareBytes' step)


Regards
fenzodahl512
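As a defender-side illustration of the HijackThis triage in the post above (an added example, not code from this thread, from HijackThis or from Trend Micro), the parser below reads the entry lines of the posted log and flags entries whose target file is missing or whose protocol handler has no CLSID, which is exactly what picks out the O18 and O22 entries the helper asked to have fix-checked; the sample lines are copied from the thread's own log.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: entry lines copied from the HijackThis log posted in
# this thread (a mix of legitimate entries and the two the helper removed).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.iprimus.com.au:8080
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O18 - Protocol: start - (no CLSID) - (no file)
O22 - SharedTaskScheduler: gulch - {143404b0-ee92-40a7-8705-06fba9a7abf4} - C:\WINDOWS\system32\wqzdtjg.dll (file missing)
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
"""

# Every HijackThis entry starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")
MISSING_MARKERS = ("(no file)", "(file missing)")
NO_CLSID = "(no CLSID)"


@dataclass
class Entry:
    section: str
    body: str
    flags: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.flags)


def parse_entries(log_text: str) -> List[Entry]:
    """Return one Entry per section line; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def triage(entry: Entry) -> Entry:
    """Attach the reasons, if any, that an entry deserves attention."""
    body = entry.body
    # A registry hook whose on-disk target is gone is dead weight at best
    # and a malware remnant at worst; HijackThis marks these explicitly
    # and they are safe to tick under "Fix checked".
    if any(marker in body for marker in MISSING_MARKERS):
        entry.flags.append("target file missing")
    # A protocol handler (O18) with no CLSID cannot be a functioning
    # component; it is the kind of entry the helper had removed here.
    if entry.section == "O18" and NO_CLSID in body:
        entry.flags.append("protocol handler without CLSID")
    # SharedTaskScheduler (O22) DLLs are loaded by Explorer at logon, a
    # classic persistence point; always review, even when the file exists.
    if entry.section == "O22":
        entry.flags.append("SharedTaskScheduler hook (review)")
    return entry


def fix_candidates(log_text: str) -> List[str]:
    """Entries to tick under 'Fix checked': those whose target is missing."""
    return [
        f"{e.section} - {e.body}"
        for e in (triage(e) for e in parse_entries(log_text))
        if "target file missing" in e.flags
    ]


def report(log_text: str) -> List[str]:
    """Human-readable triage lines, suspicious entries first."""
    entries = sorted(
        (triage(e) for e in parse_entries(log_text)),
        key=lambda e: not e.suspicious,
    )
    return [
        f"[{'CHECK' if e.suspicious else 'ok   '}] {e.section} - {e.body}"
        + (f"  <- {'; '.join(e.flags)}" if e.flags else "")
        for e in entries
    ]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```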

#5
drakken (Topic Starter, Member, 56 posts)
Malwarebytes' Anti-Malware 1.14
Database version: 826

4:05:05 PM 5/06/2008
mbam-log-6-5-2008 (16-05-05).txt

Scan type: Full Scan (C:\|)
Objects scanned: 155953
Time elapsed: 43 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\VirusLocker (Rogue.Virus.Locker) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\VirusLocker\vl.ini (Rogue.Virus.Locker) -> Quarantined and deleted successfully.
C:\Program Files\VirusLocker\vl.dat.old (Rogue.Virus.Locker) -> Quarantined and deleted successfully.
C:\WINDOWS\hosts (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\LittleDaysAlt.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\notethis.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\YippySkippyAlt.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\ziggyzoe.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\joedimaggio.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\abagail.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\angular.zip (Trojan.Downloader) -> Quarantined and deleted successfully.


Deckard's System Scanner v20071014.68
Run by Vicki on 2008-06-05 16:15:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 85% (more than 75%).


-- HijackThis (run as Vicki.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:15:21 PM, on 5/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Vicki\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Vicki.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.iprimus.com.au:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.iprimus.com.au;*.primustel.com.au;*.primus.com.au;192.*; 172.*; 127.*;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.iprimus.com.au
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{905BB048-8422-433F-9FA2-57AC7FE47495}: NameServer = 192.168.2.1,192.168.1.1
O18 - Protocol: start - (no CLSID) - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 8103 bytes

-- Files created between 2008-05-05 and 2008-06-05 -----------------------------

2008-06-05 14:20:00 0 d-------- C:\Documents and Settings\Vicki\Application Data\Malwarebytes
2008-06-05 14:19:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-05 14:19:50 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-04 11:58:29 0 d-------- C:\Program Files\FLV Player
2008-06-01 10:53:14 0 d-------- C:\Program Files\Microsoft Silverlight
2008-06-01 10:20:20 0 d-------- C:\Program Files\CONEXANT
2008-06-01 00:22:11 0 d-------- C:\WINDOWS\system32\scripting
2008-06-01 00:22:07 0 d-------- C:\WINDOWS\l2schemas
2008-06-01 00:22:06 0 d-------- C:\WINDOWS\system32\en
2008-06-01 00:15:03 0 d-------- C:\WINDOWS\network diagnostic
2008-05-31 19:48:05 0 d-------- C:\Documents and Settings\Vicki\.housecall6.6
2008-05-31 17:16:26 0 d-------- C:\Program Files\Lavasoft
2008-05-31 17:16:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-31 17:12:38 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-30 09:18:04 0 dr-h----- C:\Documents and Settings\Vicki\Recent
2008-05-28 08:36:34 0 d-------- C:\Documents and Settings\Vicki\Application Data\WinRAR
2008-05-26 09:22:51 0 d-------- C:\Program Files\ophcrack
2008-05-25 14:36:28 0 d-------- C:\Log
2008-05-25 14:30:21 0 d-------- C:\WINDOWS\LocalSSL
2008-05-25 14:26:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-05-09 17:24:23 0 d-------- C:\Boyce's Auto Library


-- Find3M Report ---------------------------------------------------------------

Nothing modified in this timespan.


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1656CCA-D2EA-4A32-94AE-AE0B180E6449}]
15/02/2008 08:38 PM 103760 --a------ C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [01/07/2004 06:23 PM C:\WINDOWS\soundman.exe]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [07/09/2004 09:25 PM]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [08/12/2003 05:35 PM]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [02/08/2007 08:30 PM]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [16/02/2008 12:56 AM]
"IntelliType"="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [22/03/2002 12:41 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe" [22/09/2004 04:10 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 11:43 AM]
"TClockEx"="C:\Program Files\TClockEx\TCLOCKEX.EXE" [09/03/2000 01:15 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [14/04/2008 08:12 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2/19/2006 4:21:22 AM]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2/10/2006 7:56:20 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-06-05 16:18:33 ------------

#6
fenzodahl512 (Malware Removal, 9,863 posts)
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



Tell me about your computer condition..

Regards
fenzodahl512

#7
drakken (Topic Starter, Member, 56 posts)
It's gotten better since all the scanning. Still takes a while to do a lot of things.


KASPERSKY ONLINE SCANNER REPORT
Friday, June 06, 2008 12:58:43 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 3 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/06/2008
Kaspersky Anti-Virus database records: 832763


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\

Scan Statistics
Total number of scanned objects 119232
Number of viruses found 19
Number of infected objects 152
Number of suspicious objects 0
Duration of the scan process 02:12:39

Infected Object Name Virus Name Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\drivers\etc\hosts.20040904-230834.backup Infected: not-a-virus:AdWare.Win32.XmlMimeFilter.a skipped

C:\WINDOWS\system32\drivers\etc\hosts.20040904-231738.backup Infected: not-a-virus:AdWare.Win32.XmlMimeFilter.a skipped

C:\WINDOWS\system32\drivers\etc\hosts.old Infected: not-a-virus:AdWare.Win32.XmlMimeFilter.a skipped

C:\WINDOWS\system32\drivers\IdeChnDr.sys Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_210.dat Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Vicki\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Temp\hpodvd09.log Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Temp\~DF8AA3.tmp Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Temp\~DFDEE.tmp Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Temp\~DF8ABC.tmp Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Temp\~DFA63E.tmp Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Temp\~DFA657.tmp Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\History\History.IE5\MSHist012008060520080606\index.dat Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\real\members.stg Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\shadow\members.stg Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Application Data\Mozilla\Firefox\Profiles\fge8eoeh.default\Cache\_CACHE_MAP_ Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Application Data\Mozilla\Firefox\Profiles\fge8eoeh.default\Cache\_CACHE_001_ Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Application Data\Mozilla\Firefox\Profiles\fge8eoeh.default\Cache\_CACHE_002_ Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Application Data\Mozilla\Firefox\Profiles\fge8eoeh.default\Cache\_CACHE_003_ Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini.inuse Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.dbf Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.cdx Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped

C:\Documents and Settings\Vicki\Local Settings\Application Data\Trend Micro\TrendSecure\Log\TS-CF-20080525-150422-015.log Object is locked skipped

C:\Documents and Settings\Vicki\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Vicki\Application Data\Mozilla\Profiles\default\ttnioebw.slt\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From Cora Coley ][Date Tue, 19 Oct 2004 05:58:13 +0500]/UNNAMED/[From WELLS FARGO ][Date Mon, 18 Oct 2004 12:41:47 -0500]/UNNAMED/[From Goldmark ][Date Tue, 19 Oct 2004 20:25:01 -0700]/UNNAMED/[From "ro[V]er" ][Date Fri, 22 Oct 2004 10:13:30 +1000]/UNNAMED/[From Ivy Lockhart Infected: Email-Worm.Win32.NetSky.q skipped

C:\Documents and Settings\Vicki\Application Data\Mozilla\Profiles\default\ttnioebw.slt\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From Cora Coley ][Date Tue, 19 Oct 2004 05:58:13 +0500]/UNNAMED/[From WELLS FARGO ][Date Mon, 18 Oct 2004 12:41:47 -0500]/UNNAMED/[From Goldmark ][Date Tue, 19 Oct 2004 20:25:01 -0700]/UNNAMED/[From "ro[V]er" ][Date Fri, 22 Oct 2004 10:13:30 +1000]/UNNAMED/[From Ivy Lockhart ... /[From [email protected]][Date Wed, 20 Oct 2004 08:24:39 +0100]/datfiles.zip Infected: Email-Worm.Win32.NetSky.q skipped

C:\Documents and Settings\Vicki\Application Data\Mozilla\Profiles\default\ttnioebw.slt\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From Cora Coley ][Date Tue, 19 Oct 2004 05:58:13 +0500]/UNNAMED/[From WELLS FARGO ][Date Mon, 18 Oct 2004 12:41:47 -0500]/UNNAMED/[From Goldmark ][Date Tue, 19 Oct 2004 20:25:01 -0700]/UNNAMED/[From "ro[V]er" ][Date Fri, 22 Oct 2004 10:13:30 +1000]/UNNAMED/[From Ivy L ... /[From "Clarke, Maxine ( .. ... /[From [email protected]][Date Sun, 24 Oct 2004 ... /undefinied.rtf.com Infected: Email-Worm.Win32.NetSky.c skipped

C:\Documents and Settings\Vicki\Application Data\Mozilla\Profiles\default\ttnioebw.slt\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From Cora Coley ][Date Tue, 19 Oct 2004 05:58:13 +0500]/UNNAMED/[From WELLS FARGO ][Date Mon, 18 Oct 2004 12:41:47 -0500]/UNNAMED/[From Goldmark ][Date Tue, 19 Oct 2004 20:25:01 -0700]/UNNAMED/[From "ro[V]er" ][Date Fri, 22 Oct 2004 10:13:30 +1000]/UNNAMED/[From Ivy L ... /[From "Clarke, Maxine ( .. ... /[From [email protected]][Date Sun, 24 Oct 2004 21: ... /undefinied.zip Infected: Email-Worm.Win32.NetSky.c skipped

C:\Documents and Settings\Vicki\Application Data\Mozilla\Profiles\default\ttnioebw.slt\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From Cora Coley ][Date Tue, 19 Oct 2004 05:58:13 +0500]/UNNAMED/[From WELLS FARGO ][Date Mon, 18 Oct 2004 12:41:47 -0500]/UNNAMED/[From Goldmark ][Date Tue, 19 Oct 2004 20:25:01 -0700]/UNNAMED/[From "ro[V]er" ][Date Fri, 22 Oct 2004 10:13:30 +1000]/UNNAMED/[From Ivy L ... /[ ... /[From Citibank ][Date Tue, 26 Oct 2004 06:12:11 +050 ... /html Infected: Trojan-Spy.HTML.Citifraud.aq skipped

C:\Documents and Settings\Vicki\Application Data\Mozilla\Profiles\default\ttnioebw.slt\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From Cora Coley ][Date Tue, 19 Oct 2004 05:58:13 +0500]/UNNAMED/[From WELLS FARGO ][Date Mon, 18 Oct 2004 12:41:47 -0500]/UNNAMED/[From Goldmark ][Date Tue, 19 Oct 2004 20:25:01 -0700]/UNNAMED/[From "ro[V]er" ][Date Fri, 22 Oct 2004 10:13:30 +1000]/UNNAMED/[From Ivy L ... /[ ... /[From Smith Barney ][Date Mon, 25 Oct 2004 13:34:55 -070 ... /html Infected: Trojan-Spy.HTML.Smitfraud.c skipped

C:\Documents and Settings\Vicki\Application Data\Mozilla\Profiles\default\ttnioebw.slt\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From Cora Coley ][Date Tue, 19 Oct 2004 05:58:13 +0500]/UNNAMED/[From WELLS FARGO ][Date Mon, 18 Oct 2004 12:41:47 -0500]/UNNAMED/[From Goldmark ][Date Tue, 19 Oct 2004 20:25:01 -0700]/UNNAMED/[From "ro[V]er" ][Date Fri, 22 Oct 2004 10:13:30 +1000]/UNNAMED/[From Ivy L ... /[ ... /[From Smith Barney ][Date Mon, 25 Oct 2004 13:34:55 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Smitfraud.c skipped

C:\Documents and Settings\Vicki\Application Data\Mozilla\Profiles\default\ttnioebw.slt\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From Cora Coley ][Date Tue, 19 Oct 2004 05:58:13 +0500]/UNNAMED/[From WELLS FARGO ][Date Mon, 18 Oct 2004 12:41:47 -0500]/UNNAMED/[From Goldmark ][Date Tue, 19 Oct 2004 20:25:01 -0700]/UNNAMED/[From "ro[V]er" ][Date Fri, 22 Oct 2004 10:13:30 +1000]/UNNAMED/[From Ivy L ... /[ ... /[From Citibank ][Date Tue, 26 Oct 2004 06:12:11 +0500]/UNNAMED Infected: Trojan-Spy.HTML.Smitfraud.c skipped

C:\Documents and Settings\Vicki\Application Data\Mozilla\Profiles\default\ttnioebw.slt\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From Cora Coley ][Date Tue, 19 Oct 2004 05:58:13 +0500]/UNNAMED/[From WELLS FARGO ][Date Mon, 18 Oct 2004 12:41:47 -0500]/UNNAMED/[From Goldmark ][Date Tue, 19 Oct 2004 20:25:01 -0700]/UNNAMED/[From "ro[V]er" ][Date Fri, 22 Oct 2004 10:13:30 +1000]/UNNAMED/[From Ivy L ... /[From "C ... /[From "Marina C ... /[From [email protected]][Date Mon, 25 Oct 2004 14:56:06 +0800]/UNNAMED Infected: Trojan-Spy.HTML.Smitfraud.c skipped

C:\Documents and Settings\Vicki\Application Data\Mozilla\Profiles\default\ttnioebw.slt\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From Cora Coley ][Date Tue, 19 Oct 2004 05:58:13 +0500]/UNNAMED/[From WELLS FARGO ][Date Mon, 18 Oct 2004 12:41:47 -0500]/UNNAMED/[From Goldmark ][Date Tue, 19 Oct 2004 20:25:01 -0700]/UNNAMED/[From "ro[V]er" ][Date Fri, 22 Oct 2004 10:13:30 +1000]/UNNAMED/[From Ivy L ... /[From "C ... /[From "Marina Corkery" ][Date Mon, 25 Oct 2004 18:30:09 +0800]/UNNAMED Infected: Trojan-Spy.HTML.Smitfraud.c skipped

C:\Documents and Settings\Vicki\Application Data\Mozilla\Profiles\default\ttnioebw.slt\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From Cora Coley ][Date Tue, 19 Oct 2004 05:58:13 +0500]/UNNAMED/[From WELLS FARGO ][Date Mon, 18 Oct 2004 12:41:47 -0500]/UNNAMED/[From Goldmark ][Date Tue, 19 Oct 2004 20:25:01 -0700]/UNNAMED/[From "ro[V]er" ][Date Fri, 22 Oct 2004 10:13:30 +1000]/UNNAMED/[From Ivy L ... /[From "Clarke, Maxine ( ... /[From "joyce" ][Date Sun, 24 Oct 2004 13:15:50 +0800]/UNNAMED Infected: Trojan-Spy.HTML.Smitfraud.c skipped

C:\Documents and Settings\Vicki\Application Data\Mozilla\Profiles\default\ttnioebw.slt\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From Cora Coley ][Date Tue, 19 Oct 2004 05:58:13 +0500]/UNNAMED/[From WELLS FARGO ][Date Mon, 18 Oct 2004 12:41:47 -0500]/UNNAMED/[From Goldmark ][Date Tue, 19 Oct 2004 20:25:01 -0700]/UNNAMED/[From "ro[V]er" ][Date Fri, 22 Oct 2004 10:13:30 +1000]/UNNAMED/[From Ivy L ... /[From "Clarke, Maxine ( .. ... /[From [email protected]][Date Sun, 24 Oct 2004 21:42:43 +0100]/UNNAMED Infected: Trojan-Spy.HTML.Smitfraud.c skipped

C:\Documents and Settings\Vicki\Application Data\Mozilla\Profiles\default\ttnioebw.slt\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From Cora Coley ][Date Tue, 19 Oct 2004 05:58:13 +0500]/UNNAMED/[From WELLS FARGO ][Date Mon, 18 Oct 2004 12:41:47 -0500]/UNNAMED/[From Goldmark ][Date Tue, 19 Oct 2004 20:25:01 -0700]/UNNAMED/[From "ro[V]er" ][Date Fri, 22 Oct 2004 10:13:30 +1000]/UNNAMED/[From Ivy L ... /[From "Clarke, Maxine ( ... /[From "Maxie" ][Date Sun, 24 Oct 2004 10:45:52 +0800]/UNNAMED Infected: Trojan-Spy.HTML.Smitfraud.c skipped

C:\Documents and Settings\Vicki\Application Data\Mozilla\Profiles\default\ttnioebw.slt\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From Cora Coley ][Date Tue, 19 Oct 2004 05:58:13 +0500]/UNNAMED/[From WELLS FARGO ][Date Mon, 18 Oct 2004 12:41:47 -0500]/UNNAMED/[From Goldmark ][Date Tue, 19 Oct 2004 20:25:01 -0700]/UNNAMED/[From "ro[V]er" ][Date Fri, 22 Oct 2004 10:13:30 +1000]/UNNAMED/[From Ivy L ... /[From "Clarke, Maxine (Armadale)" ][Date Fri, 22 Oct 2004 08:41:10 +0800]/UNNAMED Infected: Trojan-Spy.HTML.Smitfraud.c skipped

C:\Documents and Settings\Vicki\Application Data\Mozilla\Profiles\default\ttnioebw.slt\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From Cora Coley ][Date Tue, 19 Oct 2004 05:58:13 +0500]/UNNAMED/[From WELLS FARGO ][Date Mon, 18 Oct 2004 12:41:47 -0500]/UNNAMED/[From Goldmark ][Date Tue, 19 Oct 2004 20:25:01 -0700]/UNNAMED/[From "ro[V]er" ][Date Fri, 22 Oct 2004 10:13:30 +1000]/UNNAMED/[From Ivy L ... /[From "Clarke, Maxine (Armadale)" ][Date Fri, 22 Oct 2004 13:02:04 +0800]/UNNAMED Infected: Trojan-Spy.HTML.Smitfraud.c skipped

C:\Documents and Settings\Vicki\Application Data\Mozilla\Profiles\default\ttnioebw.slt\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From Cora Coley ][Date Tue, 19 Oct 2004 05:58:13 +0500]/UNNAMED/[From WELLS FARGO ][Date Mon, 18 Oct 2004 12:41:47 -0500]/UNNAMED/[From Goldmark ][Date Tue, 19 Oct 2004 20:25:01 -0700]/UNNAMED/[From "ro[V]er" ][Date Fri, 22 Oct 2004 10:13:30 +1000]/UNNAMED/[From Ivy L ... /[From "Scrapbooks From The Heart" ][Date Wed, 20 Oct 2004 14:09:47 +0800]/UNNAMED Infected: Trojan-Spy.HTML.Smitfraud.c skipped

C:\Documents and Settings\Vicki\Application Data\Mozilla\Profiles\default\ttnioebw.slt\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From Cora Coley ][Date Tue, 19 Oct 2004 05:58:13 +0500]/UNNAMED/[From WELLS FARGO ][Date Mon, 18 Oct 2004 12:41:47 -0500]/UNNAMED/[From Goldmark ][Date Tue, 19 Oct 2004 20:25:01 -0700]/UNNAMED/[From "ro[V]er" ][Date Fri, 22 Oct 2004 10:13:30 +1000]/UNNAMED/[From Ivy Lockhart ][Date Thu, 21 Oct 2004 18:1 ... /[From Chris][Date 21 Oct 2004 13:41:45 -0700]/text Infected: Trojan-Spy.HTML.Smitfraud.c skipped

C:\Documents and Settings\Vicki\Application Data\Mozilla\Profiles\default\ttnioebw.slt\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From Cora Coley ][Date Tue, 19 Oct 2004 05:58:13 +0500]/UNNAMED/[From WELLS FARGO ][Date Mon, 18 Oct 2004 12:41:47 -0500]/UNNAMED/[From Goldmark ][Date Tue, 19 Oct 2004 20:25:01 -0700]/UNNAMED/[From "ro[V]er" ][Date Fri, 22 Oct 2004 10:13:30 +1000]/UNNAMED/[From Ivy Lockhart ][Date Thu, 21 Oct 2004 18:17:21 -0600]/UNNAMED Infected: Trojan-Spy.HTML.Smitfraud.c skipped

C:\Documents and Settings\Vicki\Application Data\Mozilla\Profiles\default\ttnioebw.slt\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From Cora Coley ][Date Tue, 19 Oct 2004 05:58:13 +0500]/UNNAMED/[From WELLS FARGO ][Date Mon, 18 Oct 2004 12:41:47 -0500]/UNNAMED/[From Goldmark ][Date Tue, 19 Oct 2004 20:25:01 -0700]/UNNAMED/[From "ro[V]er" ][Date Fri, 22 Oct 2004 10:13:30 +1000]/UNNAMED Infected: Trojan-Spy.HTML.Smitfraud.c skipped

C:\Documents and Settings\Vicki\Application Data\Mozilla\Profiles\default\ttnioebw.slt\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From Cora Coley ][Date Tue, 19 Oct 2004 05:58:13 +0500]/UNNAMED/[From WELLS FARGO ][Date Mon, 18 Oct 2004 12:41:47 -0500]/UNNAMED/[From Goldmark ][Date Tue, 19 Oct 2004 20:25:01 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Smitfraud.c skipped

C:\Documents and Settings\Vicki\Application Data\Mozilla\Profiles\default\ttnioebw.slt\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From Cora Coley ][Date Tue, 19 Oct 2004 05:58:13 +0500]/UNNAMED/[From WELLS FARGO ][Date Mon, 18 Oct 2004 12:41:47 -0500]/UNNAMED Infected: Trojan-Spy.HTML.Smitfraud.c skipped

C:\Documents and Settings\Vicki\Application Data\Mozilla\Profiles\default\ttnioebw.slt\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items/[From Cora Coley ][Date Tue, 19 Oct 2004 05:58:13 +0500]/UNNAMED Infected: Trojan-Spy.HTML.Smitfraud.c skipped

C:\Documents and Settings\Vicki\Application Data\Mozilla\Profiles\default\ttnioebw.slt\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items MailBerkeleymboxx: infected - 22 skipped

C:\Documents and Settings\Vicki\Application Data\Mozilla\Firefox\Profiles\fge8eoeh.default\parent.lock Object is locked skipped

C:\Documents and Settings\Vicki\Application Data\Mozilla\Firefox\Profiles\fge8eoeh.default\history.dat Object is locked skipped

C:\Documents and Settings\Vicki\Application Data\Mozilla\Firefox\Profiles\fge8eoeh.default\cert8.db Object is locked skipped

C:\Documents and Settings\Vicki\Application Data\Mozilla\Firefox\Profiles\fge8eoeh.default\key3.db Object is locked skipped

C:\Documents and Settings\Vicki\Application Data\Mozilla\Firefox\Profiles\fge8eoeh.default\formhistory.dat Object is locked skipped

C:\Documents and Settings\Vicki\Application Data\Mozilla\Firefox\Profiles\fge8eoeh.default\search.sqlite Object is locked skipped

C:\Documents and Settings\Vicki\Application Data\Mozilla\Firefox\Profiles\fge8eoeh.default\urlclassifier2.sqlite Object is locked skipped

C:\Documents and Settings\Vicki\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d00d9f7-30463386.zip/vmain.class Infected: Exploit.Java.Gimsh.a skipped

C:\Documents and Settings\Vicki\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d00d9f7-30463386.zip ZIP: infected - 1 skipped

C:\Documents and Settings\Vicki\ntuser.dat Object is locked skipped

C:\Documents and Settings\Rhys\Local Settings\Temp\bar.exe/data0001 Infected: not-a-virus:AdWare.Win32.IeSearchBar skipped

C:\Documents and Settings\Rhys\Local Settings\Temp\bar.exe Inno: infected - 1 skipped

C:\Documents and Settings\Rhys\Local Settings\Application Data\Identities\{5526A586-6C3A-4586-A8B5-B62045D70E08}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Sun, 2 May 2004 10:20:38 +0800]/UNNAMED/document09.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped

C:\Documents and Settings\Rhys\Local Settings\Application Data\Identities\{5526A586-6C3A-4586-A8B5-B62045D70E08}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Sun, 2 May 2004 10:20:38 +0800]/UNNAMED/document09.zip Infected: Email-Worm.Win32.NetSky.q skipped

C:\Documents and Settings\Rhys\Local Settings\Application Data\Identities\{5526A586-6C3A-4586-A8B5-B62045D70E08}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Sun, 2 May 2004 10:20:38 +0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped

C:\Documents and Settings\Rhys\Local Settings\Application Data\Identities\{5526A586-6C3A-4586-A8B5-B62045D70E08}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Mon, 3 May 2004 13:59:15 +0800]/UNNAMED/attach.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped

C:\Documents and Settings\Rhys\Local Settings\Application Data\Identities\{5526A586-6C3A-4586-A8B5-B62045D70E08}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Mon, 3 May 2004 13:59:15 +0800]/UNNAMED/attach.zip Infected: Email-Worm.Win32.NetSky.q skipped

C:\Documents and Settings\Rhys\Local Settings\Application Data\Identities\{5526A586-6C3A-4586-A8B5-B62045D70E08}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Mon, 3 May 2004 13:59:15 +0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped

C:\Documents and Settings\Rhys\Local Settings\Application Data\Identities\{5526A586-6C3A-4586-A8B5-B62045D70E08}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Wed, 5 May 2004 08:30:39 +0800]/UNNAMED/letter.scr Infected: Email-Worm.Win32.NetSky.q skipped

C:\Documents and Settings\Rhys\Local Settings\Application Data\Identities\{5526A586-6C3A-4586-A8B5-B62045D70E08}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Wed, 5 May 2004 08:30:39 +0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped

C:\Documents and Settings\Rhys\Local Settings\Application Data\Identities\{5526A586-6C3A-4586-A8B5-B62045D70E08}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Thu, 6 May 2004 13:31:42 +0800]/UNNAMED/message.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped

C:\Documents and Settings\Rhys\Local Settings\Application Data\Identities\{5526A586-6C3A-4586-A8B5-B62045D70E08}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Thu, 6 May 2004 13:31:42 +0800]/UNNAMED/message.zip Infected: Email-Worm.Win32.NetSky.q skipped

C:\Documents and Settings\Rhys\Local Settings\Application Data\Identities\{5526A586-6C3A-4586-A8B5-B62045D70E08}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Thu, 6 May 2004 13:31:42 +0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped

C:\Documents and Settings\Rhys\Local Settings\Application Data\Identities\{5526A586-6C3A-4586-A8B5-B62045D70E08}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Sat, 8 May 2004 10:55:48 +0800]/UNNAMED/website_eh_wgn_mad.txt.exe Infected: Email-Worm.Win32.NetSky.q skipped

C:\Documents and Settings\Rhys\Local Settings\Application Data\Identities\{5526A586-6C3A-4586-A8B5-B62045D70E08}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Sat, 8 May 2004 10:55:48 +0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped

C:\Documents and Settings\Rhys\Local Settings\Application Data\Identities\{5526A586-6C3A-4586-A8B5-B62045D70E08}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Sun, 9 May 2004 23:54:06 +0800]/UNNAMED/old_photos.txt Infected: Email-Worm.Win32.NetSky.q skipped

C:\Documents and Settings\Rhys\Local Settings\Application Data\Identities\{5526A586-6C3A-4586-A8B5-B62045D70E08}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Sun, 9 May 2004 23:54:06 +0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped

C:\Documents and Settings\Rhys\Local Settings\Application Data\Identities\{5526A586-6C3A-4586-A8B5-B62045D70E08}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Mon, 10 May 2004 20:58:02 +0800]/UNNAMED/websites01.exe Infected: Email-Worm.Win32.NetSky.q skipped

C:\Documents and Settings\Rhys\Local Settings\Application Data\Identities\{5526A586-6C3A-4586-A8B5-B62045D70E08}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Mon, 10 May 2004 20:58:02 +0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped

C:\Documents and Settings\Rhys\Local Settings\Application Data\Identities\{5526A586-6C3A-4586-A8B5-B62045D70E08}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Tue, 11 May 2004 22:52:44 +0800]/UNNAMED/information.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped

C:\Documents and Settings\Rhys\Local Settings\Application Data\Identities\{5526A586-6C3A-4586-A8B5-B62045D70E08}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Tue, 11 May 2004 22:52:44 +0800]/UNNAMED/information.zip Infected: Email-Worm.Win32.NetSky.q skipped

C:\Documents and Settings\Rhys\Local Settings\Application Data\Identities\{5526A586-6C3A-4586-A8B5-B62045D70E08}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Tue, 11 May 2004 22:52:44 +0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped

C:\Documents and Settings\Rhys\Local Settings\Application Data\Identities\{5526A586-6C3A-4586-A8B5-B62045D70E08}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Fri, 14 May 2004 08:33:44 +0800]/UNNAMED/important.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped

C:\Documents and Settings\Rhys\Local Settings\Application Data\Identities\{5526A586-6C3A-4586-A8B5-B62045D70E08}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Fri, 14 May 2004 08:33:44 +0800]/UNNAMED/important.zip Infected: Email-Worm.Win32.NetSky.q skipped

C:\Documents and Settings\Rhys\Local Settings\Application Data\Identities\{5526A586-6C3A-4586-A8B5-B62045D70E08}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Fri, 14 May 2004 08:33:44 +0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped

C:\Documents and Settings\Rhys\Local Settings\Application Data\Identities\{5526A586-6C3A-4586-A8B5-B62045D70E08}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Tue, 18 May 2004 03:25:47 +0800]/UNNAMED/letter.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped

C:\Documents and Settings\Rhys\Local Settings\Application Data\Identities\{5526A586-6C3A-4586-A8B5-B62045D70E08}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Tue, 18 May 2004 03:25:47 +0800]/UNNAMED/letter.zip Infected: Email-Worm.Win32.NetSky.q skipped

C:\Documents and Settings\Rhys\Local Settings\Application Data\Identities\{5526A586-6C3A-4586-A8B5-B62045D70E08}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Tue, 18 May 2004 03:25:47 +0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped

C:\Documents and Settings\Rhys\Local Settings\Application Data\Identities\{5526A586-6C3A-4586-A8B5-B62045D70E08}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Tue, 18 May 2004 03:44:28 +0800]/UNNAMED/important_eh_wgn_mad.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped

C:\Documents and Settings\Rhys\Local Settings\Application Data\Identities\{5526A586-6C3A-4586-A8B5-B62045D70E08}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Tue, 18 May 2004 03:44:28 +0800]/UNNAMED/important_eh_wgn_mad.zip Infected: Email-Worm.Win32.NetSky.q skipped

C:\Documents and Settings\Rhys\Local Settings\Application Data\Identities\{5526A586-6C3A-4586-A8B5-B62045D70E08}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Tue, 18 May 2004 03:44:28 +0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped

C:\Documents and Settings\Rhys\Local Settings\Application Data\Identities\{5526A586-6C3A-4586-A8B5-B62045D70E08}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Fri, 21 May 2004 22:23:07 +0800]/UNNAMED/message.txt Infected: Email-Worm.Win32.NetSky.q skipped

C:\Documents and Settings\Rhys\Local Settings\Application Data\Identities\{5526A586-6C3A-4586-A8B5-B62045D70E08}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Fri, 21 May 2004 22:23:07 +0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped

C:\Documents and Settings\Rhys\Local Settings\Application Data\Identities\{5526A586-6C3A-4586-A8B5-B62045D70E08}\Microsoft\Outlook Express\Deleted Items.dbx MailMSOutlook5: infected - 31 skipped

C:\Program Files\Trend Micro\Internet Security\Trusted.dat Object is locked skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\29.tmp/BnnnnBaa.class Infected: Trojan.Java.ClassLoader.as skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\29.tmp/VaannnaaBaa.class Infected: Trojan.Java.ClassLoader.as skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\29.tmp/Bnnnnn.class Infected: Trojan.Java.ClassLoader.as skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\29.tmp ZIP: infected - 3 skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\29.tmp CryptFF.b: infected - 3 skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\2A.tmp Infected: Trojan-Downloader.Win32.Zlob.cqd skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\2B.tmp Infected: Trojan-Downloader.Win32.Zlob.cqc skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\2C.tmp Infected: Trojan-Downloader.Win32.Zlob.cqd skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\2D.tmp Infected: Trojan-Downloader.Win32.Zlob.cqc skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\2E.tmp Infected: Trojan-Downloader.Win32.Zlob.cqd skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\2F.tmp Infected: Trojan-Downloader.Win32.Zlob.cqc skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\30.tmp Infected: Trojan-Downloader.Win32.Zlob.cqd skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\31.tmp Infected: Trojan-Downloader.Win32.Zlob.cqc skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\32.tmp Infected: Trojan-Downloader.Win32.Zlob.cqd skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\33.tmp Infected: Trojan-Downloader.Win32.Zlob.cqc skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\34.tmp Infected: Trojan-Downloader.Win32.Zlob.cqd skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\35.tmp Infected: Trojan-Downloader.Win32.Zlob.cqc skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\36.tmp Infected: Trojan-Downloader.Win32.Zlob.cqd skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\37.tmp Infected: Trojan-Downloader.Win32.Zlob.cqc skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\38.tmp Infected: Trojan-Downloader.Win32.Zlob.cqd skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\39.tmp Infected: Trojan-Downloader.Win32.Zlob.cqc skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\3A.tmp Infected: Trojan-Downloader.Win32.Zlob.cqd skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\3B.tmp Infected: Trojan-Downloader.Win32.Zlob.cqc skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\3C.tmp Infected: Trojan-Downloader.Win32.Zlob.cqd skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\3D.tmp Infected: Trojan-Downloader.Win32.Zlob.cqc skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\3E.tmp Infected: Trojan-Downloader.Win32.Zlob.cqd skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\3F.tmp Infected: Trojan-Downloader.Win32.Zlob.cqc skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\40.tmp Infected: Trojan-Downloader.Win32.Zlob.cqd skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\41.tmp Infected: Trojan-Downloader.Win32.Zlob.cqc skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\42.tmp Infected: Trojan-Downloader.Win32.Zlob.cqd skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\43.tmp Infected: Trojan-Downloader.Win32.Zlob.cqc skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\44.tmp Infected: Trojan-Downloader.Win32.Zlob.cqd skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\45.tmp Infected: Trojan-Downloader.Win32.Zlob.cqc skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\46.tmp Infected: Trojan-Downloader.Win32.Zlob.cqd skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\47.tmp Infected: Trojan-Downloader.Win32.Zlob.cqc skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\48.tmp Infected: Trojan-Downloader.Win32.Zlob.cqd skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\49.tmp Infected: Trojan-Downloader.Win32.Zlob.cqc skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\4A.tmp Infected: Trojan-Downloader.Win32.Zlob.cqd skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\4B.tmp Infected: Trojan-Downloader.Win32.Zlob.cqc skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\4C.tmp Infected: Trojan-Downloader.Win32.Zlob.cqd skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\4D.tmp Infected: Trojan-Downloader.Win32.Zlob.cqc skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\4E.tmp Infected: Trojan-Downloader.Win32.Zlob.cqd skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\4F.tmp Infected: Trojan-Downloader.Win32.Zlob.cqc skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\50.tmp Infected: Trojan-Downloader.Win32.Zlob.cqd skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\51.tmp Infected: Trojan-Downloader.Win32.Zlob.cqc skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\52.tmp Infected: Trojan-Downloader.Win32.Zlob.cqd skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\53.tmp Infected: Trojan-Downloader.Win32.Zlob.cqc skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\54.tmp Infected: Trojan-Downloader.Win32.Zlob.cqd skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\55.tmp Infected: Trojan-Downloader.Win32.Zlob.cqc skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\56.tmp Infected: Trojan-Downloader.Win32.Zlob.cqd skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\57.tmp Infected: Trojan-Downloader.Win32.Zlob.cqc skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\58.tmp Infected: Trojan-Downloader.Win32.Bojo.e skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\59.tmp Infected: Trojan-Downloader.Win32.Zlob.cqd skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\5A.tmp Infected: Trojan-Downloader.Win32.Zlob.cqf skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\5B.tmp Infected: Trojan-Downloader.Win32.Zlob.cqc skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\5C.tmp Infected: Trojan-Downloader.Win32.Zlob.cqb skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\5D.tmp Infected: Trojan-Downloader.Win32.Zlob.cqa skipped

C:\Program Files\Trend Micro\Internet Security\Quarantine\5E.tmp Infected: not-a-virus:FraudTool.Win32.SpySheriff.f skipped

C:\Program Files\ophcrack\pwdump\pwdump6_setup.exe Object is locked skipped

C:\Program Files\ophcrack\pwdump\imokav.exe Infected: not-a-virus:PSWTool.Win32.PWDump.f skipped

C:\System Volume Information\_restore{0C412C6E-AB97-49DB-9E65-3E0BA655C652}\RP55\A0025027.exe Infected: not-virus:Hoax.Win32.Gavec.c skipped

C:\System Volume Information\_restore{0C412C6E-AB97-49DB-9E65-3E0BA655C652}\RP55\A0025048.exe Infected: not-virus:Hoax.Win32.Gavec.c skipped

C:\System Volume Information\_restore{0C412C6E-AB97-49DB-9E65-3E0BA655C652}\RP55\A0025061.exe Infected: not-virus:Hoax.Win32.Gavec.c skipped

C:\System Volume Information\_restore{0C412C6E-AB97-49DB-9E65-3E0BA655C652}\RP55\A0025077.exe Infected: not-virus:Hoax.Win32.Gavec.c skipped

C:\System Volume Information\_restore{0C412C6E-AB97-49DB-9E65-3E0BA655C652}\RP55\A0025093.exe Infected: not-virus:Hoax.Win32.Gavec.c skipped

C:\System Volume Information\_restore{0C412C6E-AB97-49DB-9E65-3E0BA655C652}\RP55\A0025109.exe Infected: not-virus:Hoax.Win32.Gavec.c skipped

C:\System Volume Information\_restore{0C412C6E-AB97-49DB-9E65-3E0BA655C652}\RP55\A0025123.exe Infected: not-virus:Hoax.Win32.Gavec.c skipped

C:\System Volume Information\_restore{0C412C6E-AB97-49DB-9E65-3E0BA655C652}\RP55\A0025139.exe Infected: not-virus:Hoax.Win32.Gavec.c skipped

C:\System Volume Information\_restore{0C412C6E-AB97-49DB-9E65-3E0BA655C652}\RP55\A0025154.exe Infected: not-virus:Hoax.Win32.Gavec.c skipped

C:\System Volume Information\_restore{0C412C6E-AB97-49DB-9E65-3E0BA655C652}\RP55\A0025169.exe Infected: not-virus:Hoax.Win32.Gavec.c skipped

C:\System Volume Information\_restore{0C412C6E-AB97-49DB-9E65-3E0BA655C652}\RP55\A0025183.exe Infected: not-virus:Hoax.Win32.Gavec.c skipped

C:\System Volume Information\_restore{0C412C6E-AB97-49DB-9E65-3E0BA655C652}\RP55\A0025199.exe Infected: not-virus:Hoax.Win32.Gavec.c skipped

C:\System Volume Information\_restore{0C412C6E-AB97-49DB-9E65-3E0BA655C652}\RP55\A0025217.exe Infected: not-virus:Hoax.Win32.Gavec.c skipped

C:\System Volume Information\_restore{0C412C6E-AB97-49DB-9E65-3E0BA655C652}\RP55\A0025231.exe Infected: not-virus:Hoax.Win32.Gavec.c skipped

C:\System Volume Information\_restore{0C412C6E-AB97-49DB-9E65-3E0BA655C652}\RP55\A0025249.exe Infected: not-virus:Hoax.Win32.Gavec.c skipped

C:\System Volume Information\_restore{0C412C6E-AB97-49DB-9E65-3E0BA655C652}\RP55\A0025264.exe Infected: not-virus:Hoax.Win32.Gavec.c skipped

C:\System Volume Information\_restore{0C412C6E-AB97-49DB-9E65-3E0BA655C652}\RP55\A0025281.exe Infected: not-virus:Hoax.Win32.Gavec.c skipped

C:\System Volume Information\_restore{0C412C6E-AB97-49DB-9E65-3E0BA655C652}\RP55\A0025295.exe Infected: not-virus:Hoax.Win32.Gavec.c skipped

C:\System Volume Information\_restore{0C412C6E-AB97-49DB-9E65-3E0BA655C652}\RP55\A0025310.exe Infected: not-virus:Hoax.Win32.Gavec.c skipped

C:\System Volume Information\_restore{0C412C6E-AB97-49DB-9E65-3E0BA655C652}\RP55\A0025325.exe Infected: not-virus:Hoax.Win32.Gavec.c skipped

C:\System Volume Information\_restore{0C412C6E-AB97-49DB-9E65-3E0BA655C652}\RP55\A0025342.exe Infected: not-virus:Hoax.Win32.Gavec.c skipped

C:\System Volume Information\_restore{0C412C6E-AB97-49DB-9E65-3E0BA655C652}\RP55\A0025360.exe Infected: not-virus:Hoax.Win32.Gavec.c skipped

C:\System Volume Information\_restore{0C412C6E-AB97-49DB-9E65-3E0BA655C652}\RP55\A0025371.exe Infected: not-virus:Hoax.Win32.Gavec.c skipped

C:\System Volume Information\_restore{0C412C6E-AB97-49DB-9E65-3E0BA655C652}\RP56\A0025386.exe Infected: not-virus:Hoax.Win32.Gavec.c skipped

C:\System Volume Information\_restore{0C412C6E-AB97-49DB-9E65-3E0BA655C652}\RP56\A0025387.exe Infected: not-virus:Hoax.Win32.Gavec.c skipped

C:\System Volume Information\_restore{0C412C6E-AB97-49DB-9E65-3E0BA655C652}\RP56\A0025388.exe Infected: not-virus:Hoax.Win32.Gavec.c skipped

C:\System Volume Information\_restore{0C412C6E-AB97-49DB-9E65-3E0BA655C652}\RP56\A0025389.exe Infected: Trojan-Downloader.Win32.Zlob.cqe skipped

C:\System Volume Information\_restore{0C412C6E-AB97-49DB-9E65-3E0BA655C652}\RP80\A0032963.exe/data0013 Infected: not-a-virus:PSWTool.Win32.PWDump.h skipped

C:\System Volume Information\_restore{0C412C6E-AB97-49DB-9E65-3E0BA655C652}\RP80\A0032963.exe/data0014 Infected: not-a-virus:PSWTool.Win32.PWDump.f skipped

C:\System Volume Information\_restore{0C412C6E-AB97-49DB-9E65-3E0BA655C652}\RP80\A0032963.exe/data0015 Infected: not-a-virus:PSWTool.Win32.PWDump.f skipped

C:\System Volume Information\_restore{0C412C6E-AB97-49DB-9E65-3E0BA655C652}\RP80\A0032963.exe NSIS: infected - 3 skipped

C:\System Volume Information\_restore{0C412C6E-AB97-49DB-9E65-3E0BA655C652}\RP87\change.log Object is locked skipped

C:\System Volume Information\_restore{0C412C6E-AB97-49DB-9E65-3E0BA655C652}\RP87\A0039445.exe Object is locked skipped

Scan process completed.

#8
fenzodahl512
  • Malware Removal
  • 9,863 posts
Hello, thanks for your reply.. Please do the following..


Please empty your TrendMicro Internet Security quarantine folder. Please navigate to C:\Program Files\Trend Micro\Internet Security\Quarantine and delete everything inside. Please don't delete the folder. Just leave the folder empty..



NEXT


Please show hidden files and folders. Please visit HERE if you don't know how.

Please empty your MS Outlook deleted items.. Please navigate to the following folders and delete everything inside. Please don't delete the folders. Just leave them empty..

C:\Documents and Settings\Vicki\Application Data\Mozilla\Profiles\default\ttnioebw.slt\Mail\Local Folders\Outlook Express Mail.sbd\Deleted Items
C:\Documents and Settings\Rhys\Local Settings\Application Data\Identities\{5526A586-6C3A-4586-A8B5-B62045D70E08}\Microsoft\Outlook Express\Deleted Items.dbx





NEXT


Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\WINDOWS\system32\drivers\etc\hosts.20040904-230834.backup
    C:\WINDOWS\system32\drivers\etc\hosts.20040904-231738.backup
    C:\WINDOWS\system32\drivers\etc\hosts.old
    C:\Documents and Settings\Vicki\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d00d9f7-30463386.zip
    C:\Documents and Settings\Rhys\Local Settings\Temp\bar.exe
    C:\Program Files\ophcrack\pwdump\imokav.exe
    EmptyTemp
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




NEXT


Please download Dr.Web CureIt to the Desktop:
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, please do a re-scan.. This time, choose Complete Scan
  • Click the green arrow button at the right, and the scan will start.
  • After the scan has finished, click Select all
  • Click on Cure and choose Move incurable
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.


Please post the following logs in your next reply.. Please post each log in a separate post..

1. OTMoveIt2
2. Dr Web
3. A fresh Deckard System Scanner (after DrWeb step)

Regards
fenzodahl512
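The triage that post #8 performs by hand on the scan log above (already-quarantined items, copies held by System Restore, attachments in a mail store, and files still live on disk each get a different cleanup step) can be scripted. This is an added example for readers, not code from the thread or from any tool named in it; the sample lines are constructed in the log's format with the GUIDs shortened to a placeholder, and the location heuristics are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the scan log posted above; GUIDs are
# shortened to a placeholder, detection names are the ones in that log.
SAMPLE_LOG = r"""
C:\Documents and Settings\Rhys\Local Settings\Application Data\Identities\{GUID}\Microsoft\Outlook Express\Deleted Items.dbx/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\Rhys\Local Settings\Application Data\Identities\{GUID}\Microsoft\Outlook Express\Deleted Items.dbx MailMSOutlook5: infected - 31 skipped
C:\Program Files\Trend Micro\Internet Security\Trusted.dat Object is locked skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\29.tmp/Bnnnnn.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\29.tmp ZIP: infected - 3 skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\2A.tmp Infected: Trojan-Downloader.Win32.Zlob.cqd skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\5E.tmp Infected: not-a-virus:FraudTool.Win32.SpySheriff.f skipped
C:\Program Files\ophcrack\pwdump\imokav.exe Infected: not-a-virus:PSWTool.Win32.PWDump.f skipped
C:\System Volume Information\_restore{GUID}\RP55\A0025027.exe Infected: not-virus:Hoax.Win32.Gavec.c skipped
C:\System Volume Information\_restore{GUID}\RP56\A0025389.exe Infected: Trojan-Downloader.Win32.Zlob.cqe skipped
Scan process completed.
"""

# One regex per line shape the log uses: a detection inside a file or an
# archive member, a container summary ("ZIP: infected - 3"), and a file the
# scanner could not open.
INFECTED = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
CONTAINER = re.compile(r"^(?P<path>.+?) (?P<kind>[\w.]+): infected - (?P<count>\d+) skipped$")
LOCKED = re.compile(r"^(?P<path>.+?) Object is locked skipped$")

def classify_location(path):
    """Where the detection sits decides which cleanup step applies (heuristics assumed here)."""
    p = path.lower()
    if "\\quarantine\\" in p:
        return "quarantine"     # already neutralised by the AV product
    if "\\system volume information\\_restore" in p:
        return "restore_point"  # copy kept by System Restore, flushed by a restore reset
    if "deleted items.dbx" in p or "\\deleted items" in p:
        return "mail_store"     # attachment inside a mail client's Deleted Items
    return "live"               # ordinary file still present on disk

def classify_verdict(name):
    """Kaspersky marks riskware and hoax verdicts with a not-a-virus prefix."""
    return "riskware" if name.startswith(("not-a-virus:", "not-virus:")) else "malware"

def parse_log(text):
    """Return (detections, containers, locked) parsed from the log text."""
    detections, containers, locked = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "Scan process completed.":
            continue
        m = INFECTED.match(line)
        if m:
            detections.append({"path": m.group("path"), "name": m.group("name"),
                               "location": classify_location(m.group("path")),
                               "severity": classify_verdict(m.group("name"))})
            continue
        m = CONTAINER.match(line)
        if m:  # summary of an archive/mailbox whose members were listed just above it
            containers.append((m.group("path"), m.group("kind"), int(m.group("count"))))
            continue
        m = LOCKED.match(line)
        if m:
            locked.append(m.group("path"))
    return detections, containers, locked

def triage(detections):
    """Group detections by location so each bucket maps to one cleanup step."""
    buckets = defaultdict(list)
    for d in detections:
        buckets[d["location"]].append(d)
    return buckets

# Cleanup step per bucket, in the order the thread applies them.
ACTIONS = [
    ("live", "Still on disk: remove with a removal tool and re-scan (post #8, OTMoveIt2 list)."),
    ("mail_store", "Infected mail: empty the mail client's Deleted Items folder (post #8)."),
    ("quarantine", "Already neutralised: empty the AV quarantine folder (post #8)."),
    ("restore_point", "Kept by System Restore: disable and re-enable System Restore after cleanup (post #10 below)."),
]

def recommended_actions(detections):
    """Return only the cleanup steps that the parsed detections call for."""
    present = {d["location"] for d in detections}
    return [text for loc, text in ACTIONS if loc in present]

if __name__ == "__main__":
    dets, conts, locked = parse_log(SAMPLE_LOG)
    for loc, items in sorted(triage(dets).items()):
        print(f"{loc}: {len(items)} detection(s)")
        for d in items:
            print(f"  [{d['severity']}] {d['name']}  {d['path']}")
    print(f"{len(conts)} container summary line(s), {len(locked)} locked file(s)")
    for step in recommended_actions(dets):
        print("-", step)
```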

#9
drakken
  • Topic Starter
  • Member
  • 56 posts
OTMoveIt2

Explorer killed successfully
C:\WINDOWS\system32\drivers\etc\hosts.20040904-230834.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20040904-231738.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.old moved successfully.
C:\Documents and Settings\Vicki\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d00d9f7-30463386.zip moved successfully.
C:\Documents and Settings\Rhys\Local Settings\Temp\bar.exe moved successfully.
C:\Program Files\ophcrack\pwdump\imokav.exe moved successfully.
< EmptyTemp >
File delete failed. C:\DOCUME~1\Vicki\LOCALS~1\Temp\hpodvd09.log scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Vicki\LOCALS~1\Temp\~DF8AF5.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Vicki\LOCALS~1\Temp\~DFDEE.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Vicki\LOCALS~1\Temp\~DF8BD2.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Vicki\LOCALS~1\Temp\~DF2750.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Vicki\LOCALS~1\Temp\~DF28D8.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_210.dat scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06072008_103410

Files moved on Reboot...
C:\DOCUME~1\Vicki\LOCALS~1\Temp\hpodvd09.log moved successfully.
File C:\DOCUME~1\Vicki\LOCALS~1\Temp\~DF8AF5.tmp not found!
File C:\DOCUME~1\Vicki\LOCALS~1\Temp\~DFDEE.tmp not found!
File C:\DOCUME~1\Vicki\LOCALS~1\Temp\~DF8BD2.tmp not found!
File C:\DOCUME~1\Vicki\LOCALS~1\Temp\~DF2750.tmp not found!
File C:\DOCUME~1\Vicki\LOCALS~1\Temp\~DF28D8.tmp not found!
C:\WINDOWS\temp\Perflib_Perfdata_210.dat moved successfully.

Dr Web


slghex.dll;C:\Program Files\Common Files\Sandlot Shared;Adware.SpywareStorm;Incurable.Moved.;
A0025388.exe;C:\System Volume Information\_restore{0C412C6E-AB97-49DB-9E65-3E0BA655C652}\RP56;Trojan.Popuper;Deleted.;
A0025389.exe;C:\System Volume Information\_restore{0C412C6E-AB97-49DB-9E65-3E0BA655C652}\RP56;Trojan.Popuper;Deleted.;
bar.exe\data001;C:\_OTMoveIt\MovedFiles\06072008_103410\Documents and Settings\Rhys\Local Settings\Temp\bar.exe;Adware.IESearch;;
bar.exe;C:\_OTMoveIt\MovedFiles\06072008_103410\Documents and Settings\Rhys\Local Settings\Temp;Archive contains infected objects;Moved.;


Deckard

Deckard's System Scanner v20071014.68
Run by Vicki on 2008-06-07 16:06:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Vicki.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:07:05 PM, on 7/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Vicki\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Vicki.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.iprimus.com.au:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.iprimus.com.au;*.primustel.com.au;*.primus.com.au;192.*; 172.*; 127.*;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.iprimus.com.au
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{905BB048-8422-433F-9FA2-57AC7FE47495}: NameServer = 192.168.2.1,192.168.1.1
O18 - Protocol: start - (no CLSID) - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 8129 bytes

-- Files created between 2008-05-07 and 2008-06-07 -----------------------------

2008-06-07 11:00:16 0 d-------- C:\Documents and Settings\Vicki\DoctorWeb
2008-06-06 09:07:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-06 09:07:21 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-05 14:20:00 0 d-------- C:\Documents and Settings\Vicki\Application Data\Malwarebytes
2008-06-05 14:19:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-05 14:19:50 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-04 11:58:29 0 d-------- C:\Program Files\FLV Player
2008-06-01 10:53:14 0 d-------- C:\Program Files\Microsoft Silverlight
2008-06-01 10:20:20 0 d-------- C:\Program Files\CONEXANT
2008-06-01 00:22:11 0 d-------- C:\WINDOWS\system32\scripting
2008-06-01 00:22:07 0 d-------- C:\WINDOWS\l2schemas
2008-06-01 00:22:06 0 d-------- C:\WINDOWS\system32\en
2008-06-01 00:15:03 0 d-------- C:\WINDOWS\network diagnostic
2008-05-31 19:48:05 0 d-------- C:\Documents and Settings\Vicki\.housecall6.6
2008-05-31 17:16:26 0 d-------- C:\Program Files\Lavasoft
2008-05-31 17:16:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-31 17:12:38 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-30 09:18:04 0 dr-h----- C:\Documents and Settings\Vicki\Recent
2008-05-28 08:36:34 0 d-------- C:\Documents and Settings\Vicki\Application Data\WinRAR
2008-05-26 09:22:51 0 d-------- C:\Program Files\ophcrack
2008-05-25 14:36:28 0 d-------- C:\Log
2008-05-25 14:30:21 0 d-------- C:\WINDOWS\LocalSSL
2008-05-25 14:26:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-05-09 17:24:23 0 d-------- C:\Boyce's Auto Library


-- Find3M Report ---------------------------------------------------------------

Nothing modified in this timespan.


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1656CCA-D2EA-4A32-94AE-AE0B180E6449}]
15/02/2008 08:38 PM 103760 --a------ C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [01/07/2004 06:23 PM C:\WINDOWS\soundman.exe]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [07/09/2004 09:25 PM]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [08/12/2003 05:35 PM]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [02/08/2007 08:30 PM]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [16/02/2008 12:56 AM]
"IntelliType"="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [22/03/2002 12:41 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe" [22/09/2004 04:10 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 11:43 AM]
"TClockEx"="C:\Program Files\TClockEx\TCLOCKEX.EXE" [09/03/2000 01:15 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [14/04/2008 08:12 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2/19/2006 4:21:22 AM]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2/10/2006 7:56:20 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-06-07 16:11:26 ------------

#10
fenzodahl512
  • Malware Removal
  • 9,863 posts
Hello, thanks for the reply.. I have good news for you.. Your log looks clean to my eyes..


Now for some cleanup..
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.




NEXT


Please Install/Update Sun Java

Updating Java:
  • Go to Start --> Control Panel --> Add or Remove Programs.
  • Search in the list for all previously installed versions of Java. (J2SE Runtime Environment.... )
  • It should have this icon next to it: [image]
  • Select it and click Remove. This will uninstall the previous (outdated) version of Java.
  • Then Download and install the newest version from here: Java Runtime Environment (JRE) 6 Update 6

NEXT


Let's clean your Restore Points and set a new one:

Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files. (You will lose all previous Restore Points, which are likely to be infected.)
To create a new Restore Point:
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK. This will flush your old System Restore.
  • Then please UNCHECK the Turn off System Restore.
  • Click again on Apply, and then click OK. This will create a new Restore Point.
System Restore will now be active again.

If you are using Windows Vista, please go HERE for a tutorial on how to use, disable and enable System Restore.


NEXT


I noticed that you already have:

1. TrendMicro Internet Security consisting of your antivirus and firewall
2. MalwareBytes' Anti-Malware as your antispyware..


And now, to help protect your computer in the future, I would like to recommend the following free programs. Please do remember to use only ONE "Real-Time Protection" software for EACH of Antivirus, AntiSpyware and Firewall.
  • SpywareBlaster 4.0 to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

Lastly, to keep your operating system up to date please visit the link below monthly

To learn more about how to protect yourself while on the internet read this excellent article by Tony Klein: So how did I get infected in the first place?

Please also read an excellent article by miekiemoes: Help! My computer is slow!

And another excellent article by CastleCops Malware Prevention: Prevent Re-infection

Please reply to this thread once more and tell us about the computer's behaviour before we close this thread :)



Have a safe and happy computing day!


Regards
fenzodahl512

#11
drakken
  • Topic Starter
  • Member
  • 56 posts
Thank you for that. Everything seems to be running fine now.

You're ace

#12
fenzodahl512
  • Malware Removal
  • 9,863 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.





