Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

"infected by unknown trojan..." [RESOLVED]

Started by shawshank24 , Mar 19 2008 12:03 AM

  • This topic is locked This topic is locked

#16
shawshank24
Posted 22 March 2008 - 06:10 PM

shawshank24

    Member

  • Topic Starter
  • Member
  • PipPip
  • 44 posts
nothing runs when i use combofix, even as admin. right away it shows a small progress bar that fills up and then dissapears, but then nothing happens. it is running a process, but not a program...
  • 0

Advertisements

#17
shawshank24
Posted 22 March 2008 - 06:25 PM

shawshank24

    Member

  • Topic Starter
  • Member
  • PipPip
  • 44 posts
i don't know why, but i just restarted and my desktop background isn't showing... ugh.
  • 0

#18
andrewuk
Posted 22 March 2008 - 06:29 PM

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
ok, lets try this......not yet completely exhausted all routes.

As a Vista user I will require that all the programmes I ask you to run, be run by right clicking the icon and selecting Run as Administrator. Otherwise some programmes may fail to do their job properly


Please download the OTMoveIt2 by OldTimer and Save it to your desktop.

Do not run it yet



Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: Media Player Classic - {CE0487CA-8B02-431E-BA63-D38844E020B5} - C:\Windows\ausctv32a.dll

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.



Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Windows\ausctv32a.dll
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    purity
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c99946e6-ed44-11dc-b26c-806e6f6e6963}]
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


In your next reply could i see:
1. the OTMoveIT log
2. a new hyjackthis log

andrewuk
  • 0

#19
shawshank24
Posted 22 March 2008 - 06:41 PM

shawshank24

    Member

  • Topic Starter
  • Member
  • PipPip
  • 44 posts
File/Folder C:\Windows\ausctv32a.dll not found.
[Custom Input]
< purity >
< [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c99946e6-ed44-11dc-b26c-806e6f6e6963}] >
File/Folder [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c99946e6-ed44-11dc-b26c-806e6f6e6963}] not found.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03222008_184100

_________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:43:01 PM, on 3/22/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.c...Now?lnkctr=mhWN
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [EPSON Stylus CX6000 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE /FU "C:\Windows\TEMP\E_S3B1C.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 5714 bytes

Edited by shawshank24, 22 March 2008 - 06:42 PM.

  • 0

#20
andrewuk
Posted 22 March 2008 - 07:19 PM

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

i don't know why, but i just restarted and my desktop background isn't showing... ugh.

we will deal with that later.

in this post we will clear a Registry Point (sorry, i got the wrong format in the prior post) and do some scans to see what else is lurking on your machine.

the scans will likely take 2 hours, quite possibly much longer. so just let them run.

As a Vista user I will require that all the programmes I ask you to run, be run by right clicking the icon and selecting Run as Administrator. Otherwise some programmes may fail to do their job properly

====STEP 1====
Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c99946e6-ed44-11dc-b26c-806e6f6e6963}
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


====STEP 2====
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


====STEP 3====
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

====STEP 4====
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


In your next reply could i see:
1. the malwarebytes log
2. the SUPERantispyware log
3. the kaspersky log

there may be a lot of information to post in the next reply, therefore you may need to post the information over more than one reply to ensure it is all posted.

andrewuk
  • 0

#21
shawshank24
Posted 22 March 2008 - 08:53 PM

shawshank24

    Member

  • Topic Starter
  • Member
  • PipPip
  • 44 posts
i'll post em as i get em:

Malwarebytes' Anti-Malware 1.09
Database version: 522

Scan type: Quick Scan
Objects scanned: 27216
Time elapsed: 1 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{48d78be5-cfb9-4b66-9ac4-96d4cf21de06} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{74d46bba-5638-473a-83b6-97e7804a7411} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ausctv32a.video (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{ce0487ca-8b02-431e-ba63-d38844e020b5} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\ausctv32a.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ausctv32a.Video (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


(looks like that got the one that's been bothering me... i'll still do the other 2 as well)

Edited by shawshank24, 22 March 2008 - 08:54 PM.

  • 0

#22
andrewuk
Posted 22 March 2008 - 09:06 PM

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
yep....interesting how it was not picked up in a prior scan....i will have to ponder that one.

i will be here for your other scans.

andrewuk
  • 0

#23
shawshank24
Posted 22 March 2008 - 09:17 PM

shawshank24

    Member

  • Topic Starter
  • Member
  • PipPip
  • 44 posts
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/22/2008 at 09:05 PM

Application Version : 4.0.1154

Core Rules Database Version : 3423
Trace Rules Database Version: 1415

Scan type : Complete Scan
Total Scan Time : 01:16:00

Memory items scanned : 584
Memory threats detected : 0
Registry items scanned : 6049
Registry threats detected : 0
File items scanned : 263726
File threats detected : 0
  • 0

#24
shawshank24
Posted 22 March 2008 - 10:15 PM

shawshank24

    Member

  • Topic Starter
  • Member
  • PipPip
  • 44 posts
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 22, 2008 10:15:47 PM
Operating System: Microsoft Windows Vista Home Edition, Service Pack 1 (Build 6001)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/03/2008
Kaspersky Anti-Virus database records: 654984
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
R:\

Scan Statistics:
Total number of scanned objects: 76975
Number of viruses found: 1
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 00:25:02

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\Windows\temp\MpCmdRun.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\MpSigStub.log Object is locked skipped
C:\ProgramData\avg7\Log\emc.log Object is locked skipped
C:\ProgramData\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\ProgramData\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Users\Hello Matthew!\AppData\Local\Ahead\Nero Home\bl.db Object is locked skipped
C:\Users\Hello Matthew!\AppData\Local\Ahead\Nero Home\is2.db Object is locked skipped
C:\Users\Hello Matthew!\AppData\Local\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Users\Hello Matthew!\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Users\Hello Matthew!\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1024.db Object is locked skipped
C:\Users\Hello Matthew!\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db Object is locked skipped
C:\Users\Hello Matthew!\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db Object is locked skipped
C:\Users\Hello Matthew!\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db Object is locked skipped
C:\Users\Hello Matthew!\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db Object is locked skipped
C:\Users\Hello Matthew!\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db Object is locked skipped
C:\Users\Hello Matthew!\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Users\Hello Matthew!\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat Object is locked skipped
C:\Users\Hello Matthew!\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Users\Hello Matthew!\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Users\Hello Matthew!\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat Object is locked skipped
C:\Users\Hello Matthew!\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Users\Hello Matthew!\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
C:\Users\Hello Matthew!\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
C:\Users\Hello Matthew!\AppData\Local\Microsoft\Windows\UsrClass.dat{0a6389be-f545-11dc-a103-001a9255f1f3}.TM.blf Object is locked skipped
C:\Users\Hello Matthew!\AppData\Local\Microsoft\Windows\UsrClass.dat{0a6389be-f545-11dc-a103-001a9255f1f3}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Hello Matthew!\AppData\Local\Microsoft\Windows\UsrClass.dat{0a6389be-f545-11dc-a103-001a9255f1f3}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Users\Hello Matthew!\AppData\Local\Microsoft\Windows Defender\FileTracker\{0D349285-153E-4B58-BA5E-83442E45E0C5} Object is locked skipped
C:\Users\Hello Matthew!\AppData\Local\Microsoft\Windows Defender\FileTracker\{C99CAD08-6CC9-484D-AC49-78FC2162D0B9} Object is locked skipped
C:\Users\Hello Matthew!\AppData\Local\Microsoft\Windows Sidebar\Settings.ini Object is locked skipped
C:\Users\Hello Matthew!\AppData\Local\Mozilla\Firefox\Profiles\73v3umu9.default\Cache\_CACHE_001_ Object is locked skipped
C:\Users\Hello Matthew!\AppData\Local\Mozilla\Firefox\Profiles\73v3umu9.default\Cache\_CACHE_002_ Object is locked skipped
C:\Users\Hello Matthew!\AppData\Local\Mozilla\Firefox\Profiles\73v3umu9.default\Cache\_CACHE_003_ Object is locked skipped
C:\Users\Hello Matthew!\AppData\Local\Mozilla\Firefox\Profiles\73v3umu9.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Users\Hello Matthew!\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
C:\Users\Hello Matthew!\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat Object is locked skipped
C:\Users\Hello Matthew!\AppData\Roaming\Mozilla\Firefox\Profiles\73v3umu9.default\cert8.db Object is locked skipped
C:\Users\Hello Matthew!\AppData\Roaming\Mozilla\Firefox\Profiles\73v3umu9.default\formhistory.dat Object is locked skipped
C:\Users\Hello Matthew!\AppData\Roaming\Mozilla\Firefox\Profiles\73v3umu9.default\history.dat Object is locked skipped
C:\Users\Hello Matthew!\AppData\Roaming\Mozilla\Firefox\Profiles\73v3umu9.default\key3.db Object is locked skipped
C:\Users\Hello Matthew!\AppData\Roaming\Mozilla\Firefox\Profiles\73v3umu9.default\parent.lock Object is locked skipped
C:\Users\Hello Matthew!\AppData\Roaming\Mozilla\Firefox\Profiles\73v3umu9.default\search.sqlite Object is locked skipped
C:\Users\Hello Matthew!\AppData\Roaming\Mozilla\Firefox\Profiles\73v3umu9.default\urlclassifier2.sqlite Object is locked skipped
C:\Users\Hello Matthew!\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-3-22-2008( 19-47-21 ).LOG Object is locked skipped
C:\Users\Hello Matthew!\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Users\Hello Matthew!\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Users\Hello Matthew!\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Users\Hello Matthew!\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Users\Hello Matthew!\NTUSER.DAT Object is locked skipped
C:\Users\Hello Matthew!\ntuser.dat.LOG1 Object is locked skipped
C:\Users\Hello Matthew!\ntuser.dat.LOG2 Object is locked skipped
C:\Users\Hello Matthew!\NTUSER.DAT{0a6389bc-f545-11dc-a103-001a9255f1f3}.TM.blf Object is locked skipped
C:\Users\Hello Matthew!\NTUSER.DAT{0a6389bc-f545-11dc-a103-001a9255f1f3}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Hello Matthew!\NTUSER.DAT{0a6389bc-f545-11dc-a103-001a9255f1f3}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\Debug\PASSWD.LOG Object is locked skipped
C:\Windows\Debug\WIA\wiatrace.log Object is locked skipped
C:\Windows\MEMORY.DMP Object is locked skipped
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe.config Object is locked skipped
C:\Windows\Panther\UnattendGC\diagerr.xml Object is locked skipped
C:\Windows\Panther\UnattendGC\diagwrn.xml Object is locked skipped
C:\Windows\Panther\UnattendGC\setupact.log Object is locked skipped
C:\Windows\Panther\UnattendGC\setuperr.log Object is locked skipped
C:\Windows\security\database\secedit.sdb Object is locked skipped
C:\Windows\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\catroot2\edb.log Object is locked skipped
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\config\COMPONENTS Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped
C:\Windows\System32\config\DEFAULT Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped
C:\Windows\System32\config\RegBack\COMPONENTS Object is locked skipped
C:\Windows\System32\config\RegBack\COMPONENTS.OLD Object is locked skipped
C:\Windows\System32\config\RegBack\DEFAULT Object is locked skipped
C:\Windows\System32\config\RegBack\DEFAULT.OLD Object is locked skipped
C:\Windows\System32\config\RegBack\SAM Object is locked skipped
C:\Windows\System32\config\RegBack\SAM.OLD Object is locked skipped
C:\Windows\System32\config\RegBack\SECURITY Object is locked skipped
C:\Windows\System32\config\RegBack\SECURITY.OLD Object is locked skipped
C:\Windows\System32\config\RegBack\SOFTWARE Object is locked skipped
C:\Windows\System32\config\RegBack\SOFTWARE.OLD Object is locked skipped
C:\Windows\System32\config\RegBack\SYSTEM Object is locked skipped
C:\Windows\System32\config\RegBack\SYSTEM.OLD Object is locked skipped
C:\Windows\System32\config\SAM Object is locked skipped
C:\Windows\System32\config\SAM.LOG1 Object is locked skipped
C:\Windows\System32\config\SAM.LOG2 Object is locked skipped
C:\Windows\System32\config\SECURITY Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped
C:\Windows\System32\config\SOFTWARE Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped
C:\Windows\System32\config\SYSTEM Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Portable Devices\wpdlog16.sqm Object is locked skipped
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Portable Devices\wpdlog17.sqm Object is locked skipped
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2F4B1D39F0694C6CDB433BC3CCF1418 Object is locked skipped
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFC456E7E410D69E2C6F3E2DB75C7DB3 Object is locked skipped
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2F4B1D39F0694C6CDB433BC3CCF1418 Object is locked skipped
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFC456E7E410D69E2C6F3E2DB75C7DB3 Object is locked skipped
C:\Windows\System32\config\TxR\{0a6389ad-f545-11dc-a103-001a9255f1f3}.TxR.0.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{0a6389ad-f545-11dc-a103-001a9255f1f3}.TxR.1.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{0a6389ad-f545-11dc-a103-001a9255f1f3}.TxR.2.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{0a6389ad-f545-11dc-a103-001a9255f1f3}.TxR.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped
C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTm.blf Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000001 Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000002 Object is locked skipped
C:\Windows\System32\restore\MachineGuid.txt Object is locked skipped
C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped
C:\Windows\System32\sysprep\Panther\diagerr.xml Object is locked skipped
C:\Windows\System32\sysprep\Panther\diagwrn.xml Object is locked skipped
C:\Windows\System32\sysprep\Panther\setupact.log Object is locked skipped
C:\Windows\System32\sysprep\Panther\setuperr.log Object is locked skipped
C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\SystemTask Object is locked skipped
C:\Windows\System32\Tasks\Microsoft\Windows\PLA\System\ConvertLogEntries Object is locked skipped
C:\Windows\System32\Tasks\Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\0296C47314AB746EC35476488248FCD9.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\040270F850D5C3C91057DDDA2DA294D8.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\0A9DBC92D554324656F61F9862679F27.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\0DF617D6737A7561E732F853792261C3.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\1E2E58C73053C7775EB226DB5E739137.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\26C097A9392F8C541AD42E89B7909073.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\2A811E5CCC22CC9D7AE2B04EF0402688.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\2AA23BB86A5EBD8BC2D820944E55B233.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\2CE523184A801AA7361A7039E2D6B41D.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\2D57A7682ACD19214C258D31A06D008F.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\3460B7617E0429A960E481B197F238A3.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\376786241A5443E41378D25CF812FCC1.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\3DC0BABDCA20E5E319117C21BD4BD795.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\494C62FAA08CD5217399BAA555FF491B.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\4A01E0F376B5833EBA98F0D1D5F60CD1.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\4B471F64BAF831EC7945C820FD5A16E5.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\4CB32C0A77CD4D9B0C9618F73F786C32.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\5774C77265BE4C55B5C6C9718979E015.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\5966D45C7B25EACA46E87DD8E5703964.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\5B5D21CF62E70BACF9D085E6AA6CE143.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\69554D930FCA40B0304B9A43A8036F2D.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\72F867EF62976CE9F70993FF3E68A4EB.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\75054C3771DF289038069A9BB1C1FB6E.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\7851AF96EA828F912853F32DB0D96138.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\7F417E1A6D819A9B2FEB55DA6858EA0A.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\87AA2A001CE3E89926688B93E4DC2992.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\8C718B5AFD373885B68D2836088CAF9A.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\903E49C444C46FEF5F2C3A189C9CEF71.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\96ABB1671705F680578FE240427CBD4F.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\9A72EE7775E8021F75961342B8AFD1B4.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\9AD3182A2F39A3E091E15109132EC6CC.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\9CD33F0956942860B50AA1B9330DEFAF.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\9E06E4FE97F0CBB8D659894823F805D7.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\A80FF2DC09487ECD60AFB147B262BDD7.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\AA6E0E396C238977CA909EFD82299737.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\AA742824DCADA846BA4B665D686DD5D6.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\BBF206490BAA431B592F9A13534F43F6.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\BE81B2C0741907C1FC1C42B6223E59AD.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\D1A1B12A7DA3F9675C01397A26DBF4B3.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\D4C4BA54B6A8FA6211E60E2ADFF7426A.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\DE391013DA56ABA39FFF40A9ABDF052F.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\DF80FD3849FFF74B4BF43E2EA8ADEC8A.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\DFB9AD54AC2D3B8122567AAD3BF3EB7F.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\E04DE4CDFEC284A342159BB920976701.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\E478A5DB75C9721E744C05D78DBACFD3.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\E737DE61441445E1FDFCA45EF5E7D987.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\E9D8A460B2C986DD5FF19F299F4A27EC.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\EC45C70F2A3D9DED718E71631C38E2FE.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\F01326692CC5736EBAC31B9FC2381CF2.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\F81E6BEBC3067C406E6C491608474198.mof Object is locked skipped
C:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped
C:\Windows\System32\wbem\Repository\INDEX.BTR Object is locked skipped
C:\Windows\System32\wbem\Repository\MAPPING1.MAP Object is locked skipped
C:\Windows\System32\wbem\Repository\MAPPING2.MAP Object is locked skipped
C:\Windows\System32\wbem\Repository\OBJECTS.DATA Object is locked skipped
C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin Object is locked skipped
C:\Windows\System32\WDI\ERCQueuedResolutions.dat Object is locked skipped
C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin Object is locked skipped
C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin Object is locked skipped
C:\Windows\System32\wfp\wfpdiag.etl Object is locked skipped
C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Media Center.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CorruptedFileRecovery-Client%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CorruptedFileRecovery-Server%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DateTimeControlPanel%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-PLA%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnostic%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnosticDataCollector%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnosticResolver%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Forwarding%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WDI%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Metrics.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Wired-AutoConfig%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Setup.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped
C:\Windows\Tasks\SCHEDLGU.TXT Object is locked skipped
C:\Windows\WindowsUpdate.log Object is locked skipped
C:\Windows\winsxs\x86_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.0.6000.16386_none_cef7ceb03914a67f\dnary.xsd Object is locked skipped
C:\WinPEpge.sys Object is locked skipped

Scan process completed.
  • 0

#25
shawshank24
Posted 22 March 2008 - 10:56 PM

shawshank24

    Member

  • Topic Starter
  • Member
  • PipPip
  • 44 posts
that's all 3. i want to thank you andrewuk for your help so far.
  • 0

Advertisements

#26
andrewuk
Posted 22 March 2008 - 10:57 PM

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
the malwarebytes scan cleared some malware, the SUPERantispyware scan was clean and kaspersky scan only found some smitfraudfix tools we used.

in this post we will get another DSS scan and check on those host files again.

would i be right in assuming you still dont have your desktop background back?

out of interest, did you run smitfraudfix in mode 2 before? (do not try to at the moment)


====STEP 1====
Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm


====STEP 2====
could you run DSS again and post the main.txt that comes up.


andrewuk
  • 0

#27
shawshank24
Posted 22 March 2008 - 11:02 PM

shawshank24

    Member

  • Topic Starter
  • Member
  • PipPip
  • 44 posts
no i ran smitfraud as option 1 the first time.

let me get you those scans...
  • 0

#28
shawshank24
Posted 22 March 2008 - 11:03 PM

shawshank24

    Member

  • Topic Starter
  • Member
  • PipPip
  • 44 posts
smitfraud:

SmitFraudFix v2.307

Scan done at 23:04:43.69, Sat 03/22/2008
Run from C:\Users\Hello Matthew!\Desktop\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6001] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Hello Matthew!


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Hello Matthew!\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\HELLOM~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!



»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Linksys Wireless-G PCI Adapter
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{349B2BDD-A05E-4C71-8EA3-B12F2BCD23E7}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F8BE4722-0951-4D7C-859C-EB1D68322EE7}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{349B2BDD-A05E-4C71-8EA3-B12F2BCD23E7}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F8BE4722-0951-4D7C-859C-EB1D68322EE7}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{349B2BDD-A05E-4C71-8EA3-B12F2BCD23E7}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F8BE4722-0951-4D7C-859C-EB1D68322EE7}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0

#29
shawshank24
Posted 22 March 2008 - 11:05 PM

shawshank24

    Member

  • Topic Starter
  • Member
  • PipPip
  • 44 posts
main.txt:

Deckard's System Scanner v20071014.68
Run by Hello Matthew! on 2008-03-22 23:05:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Hello Matthew!.exe) --------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:47 PM, on 3/22/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Hello Matthew!\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\HELLOM~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.c...Now?lnkctr=mhWN
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [EPSON Stylus CX6000 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE /FU "C:\Windows\TEMP\E_S3B1C.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 6236 bytes

-- Files created between 2008-02-22 and 2008-03-22 -----------------------------

2008-03-22 21:20:06 0 d-------- C:\Windows\system32\Kaspersky Lab
2008-03-22 19:47:20 0 d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-03-22 19:43:21 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-03-22 19:42:54 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-22 19:27:40 0 d-------- C:\Users\All Users\Malwarebytes
2008-03-22 19:27:40 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-22 18:04:27 39 --a------ C:\MUI00
2008-03-22 18:04:23 3592 --a------ C:\Start_.cmd
2008-03-22 18:04:22 0 d-------- C:\327882R2FWJFW
2008-03-22 16:03:57 0 d-------- C:\HostsXpert
2008-03-22 14:34:39 3206 --a------ C:\Windows\system32\tmp.reg
2008-03-20 13:55:13 0 d-------- C:\Users\All Users\LightScribe
2008-03-19 21:17:27 0 d-------- C:\Program Files\Soldier of Fortune II - Double Helix
2008-03-19 13:30:51 0 d-------- C:\Program Files\Firaxis Games
2008-03-19 01:16:04 32768 --a------ C:\Program Files\SleepTimer.exe <Not Verified; Barry; Sleep Timer>
2008-03-19 00:39:38 0 d-a------ C:\Users\All Users\TEMP
2008-03-18 23:56:57 0 d-------- C:\Program Files\Trend Micro
2008-03-18 23:21:29 0 d-------- C:\Users\All Users\vsosdk
2008-03-18 23:10:38 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-03-18 22:57:25 0 d-------- C:\Program Files\DVDFab Platinum 4
2008-03-18 19:45:35 0 d-------- C:\Program Files\Sierra
2008-03-18 19:21:30 0 d-------- C:\Program Files\The Witcher
2008-03-18 19:17:55 0 d-------- C:\Program Files\Prey
2008-03-18 18:58:03 0 d-------- C:\Windows\WinRAR
2008-03-18 18:55:42 0 d-------- C:\Users\All Users\Adobe Systems
2008-03-18 18:53:42 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-03-18 18:46:25 0 d-------- C:\Users\All Users\Media Center Programs
2008-03-18 18:41:38 0 d-------- C:\Program Files\Sierra Entertainment
2008-03-18 18:27:10 0 d-------- C:\Program Files\Eidos
2008-03-18 17:51:27 0 d-------- C:\Program Files\Ubisoft
2008-03-18 17:41:07 0 d-------- C:\Program Files\Auslogics
2008-03-18 17:40:41 0 d-------- C:\Program Files\CCleaner
2008-03-18 17:40:15 0 d-------- C:\Program Files\DNA
2008-03-18 17:40:15 0 d-------- C:\Program Files\BitTorrent
2008-03-18 17:16:06 55 --a------ C:\xmp.bat
2008-03-18 17:09:52 0 d-------- C:\Program Files\Analog Devices
2008-03-18 16:39:43 0 d-------- C:\Users\All Users\LogiShrd
2008-03-18 16:37:47 0 d-------- C:\Program Files\Common Files\Logishrd
2008-03-18 15:39:00 0 d-------- C:\Program Files\Microsoft Works
2008-03-18 15:38:48 0 d-------- C:\Windows\PCHEALTH
2008-03-18 15:38:48 0 d-------- C:\Program Files\Microsoft.NET
2008-03-18 15:37:45 0 d-------- C:\Users\All Users\Microsoft Help
2008-03-18 15:37:22 0 dr-h----- C:\MSOCache
2008-03-18 15:25:47 0 d-------- C:\Users\All Users\EPSON
2008-03-18 14:55:32 0 --a------ C:\Windows\nsreg.dat
2008-03-18 14:49:15 0 d-------- C:\Users\All Users\Grisoft
2008-03-18 14:49:15 0 d-------- C:\Users\All Users\avg7
2008-03-18 14:42:14 0 d-------- C:\Users\All Users\Logitech
2008-03-18 14:42:13 0 d-------- C:\Program Files\Logitech
2008-03-18 14:42:11 0 d-------- C:\Program Files\Common Files\Logitech
2008-03-12 15:58:58 0 d-------- C:\Program Files\RegCleaner
2008-03-08 15:47:21 0 d-------- C:\Windows\pss
2008-03-08 15:43:14 0 d-------- C:\Program Files\Common Files\LightScribe
2008-03-08 15:40:27 0 d-------- C:\Users\All Users\Nero
2008-03-08 15:40:26 0 d-------- C:\Program Files\Nero
2008-03-08 15:40:26 0 d-------- C:\Program Files\Common Files\Ahead
2008-03-08 15:39:39 180224 --a------ C:\Windows\system32\xvidvfw.dll
2008-03-08 15:39:39 765952 --a------ C:\Windows\system32\xvidcore.dll
2008-03-08 15:39:39 0 d-------- C:\Program Files\Xvid
2008-03-08 15:38:19 0 d-------- C:\Users\All Users\Adobe
2008-03-08 15:38:09 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-08 15:33:53 262144 --a------ C:\Windows\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-03-08 15:33:53 86016 --a------ C:\Windows\system32\OpenAL32.dll <Not Verified; Portions © Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL™ Library>
2008-03-08 15:29:58 0 d-------- C:\Windows\system32\Futuremark
2008-03-08 15:29:58 3972 --a------ C:\Windows\system32\drivers\PciBus.sys
2008-03-08 15:29:58 5632 --a------ C:\Windows\system32\drivers\Entech64.sys <Not Verified; EnTech Taiwan; EnTech.sys>
2008-03-08 15:29:58 21664 --a------ C:\Windows\system32\drivers\Entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
2008-03-08 15:28:49 0 d-------- C:\Program Files\Futuremark
2008-03-08 13:24:21 0 d-------- C:\Windows\SoftwareDistribution
2008-03-08 13:21:07 0 d--hs---- C:\System Volume Information
2008-03-08 13:15:13 268435456 --ahs---- C:\WinPEpge.sys
2008-03-08 13:05:49 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-08 13:05:49 0 d-------- C:\Program Files\ASUS
2008-03-08 12:07:26 0 d-------- C:\Windows\MVUNINST
2008-03-08 12:07:26 0 d-------- C:\Program Files\Common Files\SureThing Shared
2008-03-08 12:07:04 0 d-------- C:\Windows\RegisteredPackages
2008-03-08 12:07:02 0 d-------- C:\Program Files\Windows Media Components
2008-03-08 12:06:41 0 d--hs---- C:\Windows\Installer
2008-03-08 12:04:47 0 d--h----- C:\Windows\msdownld.tmp
2008-03-08 12:04:45 0 d-------- C:\Windows\system32\directx
2008-03-08 11:30:12 0 d-------- C:\Linksys Driver
2008-03-08 11:27:53 0 d-------- C:\Users\All Users\NVIDIA
2008-03-08 11:25:55 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-08 11:20:35 3636 --a------ C:\Windows\system32\drivers\nvphy.bin
2008-03-08 11:19:58 0 d-------- C:\NVIDIA
2008-03-08 11:15:20 0 d-------- C:\Windows\system32\Macromed
2008-03-08 10:56:41 0 dr------- C:\Users\Hello Matthew!\Searches
2008-03-08 10:56:33 0 dr------- C:\Users\Hello Matthew!\Contacts
2008-03-08 10:56:30 0 dr------- C:\Users\Hello Matthew!\Videos
2008-03-08 10:56:30 0 d--hs---- C:\Users\Hello Matthew!\Templates
2008-03-08 10:56:30 0 d--hs---- C:\Users\Hello Matthew!\Start Menu
2008-03-08 10:56:30 0 d--hs---- C:\Users\Hello Matthew!\SendTo
2008-03-08 10:56:30 0 dr------- C:\Users\Hello Matthew!\Saved Games
2008-03-08 10:56:30 0 d--hs---- C:\Users\Hello Matthew!\Recent
2008-03-08 10:56:30 0 d--hs---- C:\Users\Hello Matthew!\PrintHood
2008-03-08 10:56:30 0 dr------- C:\Users\Hello Matthew!\Pictures
2008-03-08 10:56:30 2621440 --a------ C:\Users\Hello Matthew!\NTUSER.DAT
2008-03-08 10:56:30 0 d--hs---- C:\Users\Hello Matthew!\NetHood
2008-03-08 10:56:30 0 d--hs---- C:\Users\Hello Matthew!\My Documents
2008-03-08 10:56:30 0 dr------- C:\Users\Hello Matthew!\Music
2008-03-08 10:56:30 0 d--hs---- C:\Users\Hello Matthew!\Local Settings
2008-03-08 10:56:30 0 dr------- C:\Users\Hello Matthew!\Links
2008-03-08 10:56:30 0 dr------- C:\Users\Hello Matthew!\Favorites
2008-03-08 10:56:30 0 dr------- C:\Users\Hello Matthew!\Downloads
2008-03-08 10:56:30 0 dr------- C:\Users\Hello Matthew!\Documents
2008-03-08 10:56:30 0 dr------- C:\Users\Hello Matthew!\Desktop
2008-03-08 10:56:30 0 d--hs---- C:\Users\Hello Matthew!\Cookies
2008-03-08 10:56:30 0 d--hs---- C:\Users\Hello Matthew!\Application Data
2008-03-08 10:56:30 0 d--h----- C:\Users\Hello Matthew!\AppData
2008-02-25 10:01:41 0 d-------- C:\PerfLogs
2008-02-25 09:48:57 152576 --a------ C:\Windows\system32\SPWizUI.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-02-25 09:27:50 0 d-------- C:\Windows\Debug
2008-02-25 09:26:59 0 d-------- C:\Windows\Prefetch
2008-02-25 09:26:03 0 d-------- C:\Windows\Panther
2008-02-25 09:25:49 0 d--hs---- C:\Boot


-- Find3M Report ---------------------------------------------------------------

2008-03-22 19:43:21 0 d-------- C:\Users\Hello Matthew!\AppData\Roaming\SUPERAntiSpyware.com
2008-03-22 19:42:54 0 d-------- C:\Program Files\Common Files
2008-03-22 19:27:44 0 d-------- C:\Users\Hello Matthew!\AppData\Roaming\Malwarebytes
2008-03-22 12:23:51 0 d-------- C:\Users\Hello Matthew!\AppData\Roaming\AVG7
2008-03-20 13:55:21 0 d-------- C:\Users\Hello Matthew!\AppData\Roaming\Ahead
2008-03-19 12:06:47 0 d-------- C:\Users\Hello Matthew!\AppData\Roaming\Grisoft
2008-03-18 22:57:50 0 d-------- C:\Users\Hello Matthew!\AppData\Roaming\BitTorrent
2008-03-18 22:57:37 0 d-------- C:\Users\Hello Matthew!\AppData\Roaming\Vso
2008-03-18 22:57:31 74 --a------ C:\Users\Hello Matthew!\AppData\Roaming\pcouffin.log
2008-03-18 22:57:27 47360 --a------ C:\Users\Hello Matthew!\AppData\Roaming\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-03-18 22:57:27 1144 --a------ C:\Users\Hello Matthew!\AppData\Roaming\pcouffin.inf
2008-03-18 22:57:27 7887 --a------ C:\Users\Hello Matthew!\AppData\Roaming\pcouffin.cat
2008-03-18 20:02:08 0 d-------- C:\Users\Hello Matthew!\AppData\Roaming\Auslogics
2008-03-18 18:58:31 0 d-------- C:\Users\Hello Matthew!\AppData\Roaming\WinRAR
2008-03-18 18:57:08 0 d-------- C:\Users\Hello Matthew!\AppData\Roaming\Adobe
2008-03-18 18:00:45 0 dr-h----- C:\Users\Hello Matthew!\AppData\Roaming\SecuROM
2008-03-18 14:55:29 0 d-------- C:\Users\Hello Matthew!\AppData\Roaming\Mozilla
2008-03-18 14:46:57 0 d-------- C:\Users\Hello Matthew!\AppData\Roaming\Logitech
2008-03-08 11:20:05 0 d-------- C:\Users\Hello Matthew!\AppData\Roaming\InstallShield
2008-03-08 11:15:21 0 d-------- C:\Users\Hello Matthew!\AppData\Roaming\Macromedia
2008-03-08 10:56:34 0 d-------- C:\Users\Hello Matthew!\AppData\Roaming\Identities
2008-03-04 09:11:57 18804224 --a------ C:\Windows\system32\imageres.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-02-25 10:05:54 174 --ahs---- C:\Program Files\desktop.ini
2008-02-25 10:02:14 0 d-------- C:\Program Files\Windows Calendar
2008-02-25 10:02:13 0 d-------- C:\Program Files\Windows Sidebar
2008-02-25 10:02:13 0 d-------- C:\Program Files\Windows Photo Gallery
2008-02-25 10:02:13 0 d-------- C:\Program Files\Windows Mail
2008-02-25 10:02:13 0 d-------- C:\Program Files\Windows Journal
2008-02-25 10:02:13 0 d-------- C:\Program Files\Windows Defender
2008-02-25 10:02:13 0 d-------- C:\Program Files\Windows Collaboration
2008-02-25 10:02:13 0 d-------- C:\Program Files\Movie Maker


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/19/2008 01:38 AM]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [12/11/2007 04:06 PM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [12/11/2007 04:06 PM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [12/11/2007 04:06 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 09:16 PM]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01/12/2006 02:40 PM]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [11/29/2007 12:17 AM C:\Windows\KHALMNPR.Exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [03/18/2008 02:50 PM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [12/18/2006 07:34 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 03:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/19/2008 01:33 AM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [12/23/2006 05:05 PM]
"EPSON Stylus CX6000 Series"="C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIBIA.exe" [10/18/2006 02:01 AM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/19/2008 01:33 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/29/2008 04:03 PM]

C:\Users\Hello Matthew!\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 5:16:50 PM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [3/18/2008 4:38:06 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 03/18/2008 02:49 PM 9216 C:\Windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum

*Newly Created Service* - SASDIFSV
*Newly Created Service* - SASENUM
*Newly Created Service* - SASKUTIL

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-03-22 23:06:37 ------------
  • 0

#30
andrewuk
Posted 22 March 2008 - 11:58 PM

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
seems we have just the corrupted hosts file to resolve, otherwise your logs are looking good.

have you still lost your desktop background?

====THE HOSTS FILE FIX====

there are some very brief instructions here, http://support.microsoft.com/kb/923947, but more fuller ones below.

there is also a short thread here http://thevistaforum...php/t14834.html about the Vista hosts file and what it should look like - worth a quick read, it is nicely short.

To successfully modify the hosts file, run notepad.exe as an administrator and open the file.
  • Browse to Start -> All Programs -> Accessories
  • Right click "Notepad" and select "Run as administrator"
  • Click "Continue" on the UAC prompt
  • Click File -> Open on the notepad
  • Then browse to "C:\Windows\System32\Drivers\etc"
  • Change the file filter drop down box from "Text Documents (*.txt)" to "All Files (*.*)"
  • Select "hosts" and click "Open"
  • could you then find and delete 127.0.0.1 www.legal-at-spybot.info and 127.0.0.1 legal-at-spybot.info
  • close the notepad and Save when prompted.


In your next reply could i see:
1. confirmation that your hosts file has been restored
2. an idea of your Desktop background
3. some idea of how your machine is running now

andrewuk
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP