Options
Lag-tastic
My Father keeps complaining that his laptop keeps running super slow and I keep doing the basis clear cashe and cookie and check for virus and stuff, I thought y'all help me with my desktop maybe you can see something I am missing....Thanks for any help you can provide..
Eric
KASPERSKY ONLINE SCANNER REPORT Tuesday, March 13, 2007 10:48:03 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 13/03/2007
Kaspersky Anti-Virus database records: 281040
Scan SettingsScan using the following antivirus databaseextendedScan ArchivestrueScan Mail BasestrueScan TargetMy ComputerC:\
D:\ Scan StatisticsTotal number of scanned objects53032Number of viruses found6Number of infected objects15 / 0Number of suspicious objects0Duration of the scan process01:19:38
Infected Object NameVirus NameLast ActionC:\Documents and Settings\All Users\Application Data\AVG7\Log\emc.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-10262006-030628.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\0102\0310\values Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\Randall Simpson\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Randall Simpson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Randall Simpson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Randall Simpson\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{89E4E62B-0926-4A20-9A51-32B1AF7AD4BB} Object is locked skipped C:\Documents and Settings\Randall Simpson\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Randall Simpson\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Randall Simpson\ntuser.dat Object is locked skipped C:\Documents and Settings\Randall Simpson\ntuser.dat.LOG Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\chandir.dat Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\chandir.idx Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\chn.dat Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\chn.idx Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\D0000000.FCS Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\inuse.txt Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\L0000007.FCS Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\main.log Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\prs.dat Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\prs.idx Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\prs_die.dat Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\prs_die.idx Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\prs_dnd.dat Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\prs_dnd.idx Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\prs_ext.dat Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\prs_ext.idx Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\prs_rcv.dat Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\prs_rcv.idx Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\storydb.dat Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\storydb.idx Object is locked skipped C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc3\a-137[1].htm Infected: Trojan-Clicker.JS.Linker.u skipped C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc3\f[1].htm Infected: Exploit.JS.CVE-2005-1790.d skipped C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc3\f[2].htm Infected: Exploit.JS.CVE-2005-1790.d skipped C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc3\indexit[1].htm Infected: Exploit.HTML.Mht skipped C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc3\wbk75.tmp Infected: Exploit.VBS.Phel.i skipped C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc3\wbk77.tmp Infected: Exploit.VBS.Phel.i skipped C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc3\wbk79.tmp Infected: Exploit.VBS.Phel.i skipped C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc4\f[1].htm Infected: Exploit.JS.CVE-2005-1790.d skipped C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc4\f[2].htm Infected: Exploit.JS.CVE-2005-1790.d skipped C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc5\eifr[1].htm Infected: Trojan-Downloader.JS.Small.bp skipped C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc5\f[1].htm Infected: Exploit.JS.CVE-2005-1790.d skipped C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc5\f[2].htm Infected: Exploit.JS.CVE-2005-1790.d skipped C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc6\b[1].htm Infected: Exploit.JS.CVE-2005-1790.b skipped C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc6\f[1].htm Infected: Exploit.JS.CVE-2005-1790.d skipped C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc6\f[2].htm Infected: Exploit.JS.CVE-2005-1790.d skipped C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped C:\System Volume Information\catalog.wci\00010003.ci Object is locked skipped C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP145\change.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\EventCache\{B84FA19D-5E85-47E6-B77B-9803CEC772B2}.bin Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped Scan process completed.
and
Logfile of HijackThis v1.99.1
Scan saved at 10:49:51 AM, on 3/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Randall Simpson\Desktop\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Auto EPSON Stylus CX4600 Series on DESKTOP] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P42 "Auto EPSON Stylus CX4600 Series on DESKTOP" /O17 "[URL="file://\\DESKTOP\Printer"]\\DESKTOP\Printer[/URL]" /M "Stylus CX4600"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
Eric
KASPERSKY ONLINE SCANNER REPORT Tuesday, March 13, 2007 10:48:03 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 13/03/2007
Kaspersky Anti-Virus database records: 281040
Scan SettingsScan using the following antivirus databaseextendedScan ArchivestrueScan Mail BasestrueScan TargetMy ComputerC:\
D:\ Scan StatisticsTotal number of scanned objects53032Number of viruses found6Number of infected objects15 / 0Number of suspicious objects0Duration of the scan process01:19:38
Infected Object NameVirus NameLast ActionC:\Documents and Settings\All Users\Application Data\AVG7\Log\emc.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-10262006-030628.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\0102\0310\values Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\Randall Simpson\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Randall Simpson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Randall Simpson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Randall Simpson\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{89E4E62B-0926-4A20-9A51-32B1AF7AD4BB} Object is locked skipped C:\Documents and Settings\Randall Simpson\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Randall Simpson\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Randall Simpson\ntuser.dat Object is locked skipped C:\Documents and Settings\Randall Simpson\ntuser.dat.LOG Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\chandir.dat Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\chandir.idx Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\chn.dat Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\chn.idx Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\D0000000.FCS Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\inuse.txt Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\L0000007.FCS Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\main.log Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\prs.dat Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\prs.idx Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\prs_die.dat Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\prs_die.idx Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\prs_dnd.dat Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\prs_dnd.idx Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\prs_ext.dat Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\prs_ext.idx Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\prs_rcv.dat Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\prs_rcv.idx Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\storydb.dat Object is locked skipped C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Randall Simpson\Data\storydb.idx Object is locked skipped C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc3\a-137[1].htm Infected: Trojan-Clicker.JS.Linker.u skipped C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc3\f[1].htm Infected: Exploit.JS.CVE-2005-1790.d skipped C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc3\f[2].htm Infected: Exploit.JS.CVE-2005-1790.d skipped C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc3\indexit[1].htm Infected: Exploit.HTML.Mht skipped C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc3\wbk75.tmp Infected: Exploit.VBS.Phel.i skipped C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc3\wbk77.tmp Infected: Exploit.VBS.Phel.i skipped C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc3\wbk79.tmp Infected: Exploit.VBS.Phel.i skipped C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc4\f[1].htm Infected: Exploit.JS.CVE-2005-1790.d skipped C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc4\f[2].htm Infected: Exploit.JS.CVE-2005-1790.d skipped C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc5\eifr[1].htm Infected: Trojan-Downloader.JS.Small.bp skipped C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc5\f[1].htm Infected: Exploit.JS.CVE-2005-1790.d skipped C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc5\f[2].htm Infected: Exploit.JS.CVE-2005-1790.d skipped C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc6\b[1].htm Infected: Exploit.JS.CVE-2005-1790.b skipped C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc6\f[1].htm Infected: Exploit.JS.CVE-2005-1790.d skipped C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc6\f[2].htm Infected: Exploit.JS.CVE-2005-1790.d skipped C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped C:\System Volume Information\catalog.wci\00010003.ci Object is locked skipped C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP145\change.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\EventCache\{B84FA19D-5E85-47E6-B77B-9803CEC772B2}.bin Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped Scan process completed.
and
Logfile of HijackThis v1.99.1
Scan saved at 10:49:51 AM, on 3/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Randall Simpson\Desktop\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Auto EPSON Stylus CX4600 Series on DESKTOP] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P42 "Auto EPSON Stylus CX4600 Series on DESKTOP" /O17 "[URL="file://\\DESKTOP\Printer"]\\DESKTOP\Printer[/URL]" /M "Stylus CX4600"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
0
Comments
Please download eScan and follow instructions with care:
- Double-click the mwav.exe icon.
- Wait untill installation is complete.
- Select I accept the agreement and click OK.
- When eScan is started, please select:
- Memory
- Startup Folders
- Drive
- All Local Drives
- Registry
- System Folder
- Services
- Scan only
- Scan all files
- After that, click the Scan Only button.
- eScan begin to scan your system, please be patient.
- When scanning is complete, do following
- Copy all text under Virus Log Information (Ctrl + A and Ctrl + C)
- and post them here.
Note: mwav.exe is refreshed every Monday, Wednesday and Friday, so it is one-way scanner. If you want to use it a[SIZE=-1]t a later date, y[/SIZE]ou must download new upgradet version.Thu Mar 15 05:38:43 2007 => Total Objects Scanned: 80748
Thu Mar 15 05:38:43 2007 => Total Critical Objects: 19
Thu Mar 15 05:38:43 2007 => Total Disinfected Objects: 0
Thu Mar 15 05:38:43 2007 => Total Objects Renamed: 0
Thu Mar 15 05:38:43 2007 => Total Deleted Objects: 0
Thu Mar 15 05:38:43 2007 => Total Errors: 43
Thu Mar 15 05:38:43 2007 => Time Elapsed: 02:03:03
Thu Mar 15 05:38:43 2007 => Virus Database Date: 3/14/2007
Thu Mar 15 05:38:43 2007 => Virus Database Count: 281495
Thu Mar 15 05:38:43 2007 => Scan Completed.
[SIZE=-1]
[/SIZE]
Object "gain.gator Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "gain.gator Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "gain.gator Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "savenow Adware" found in File System! Action Taken: No Action Taken.
Entry "HKCR\AcroIEHelper.AcroIEHlprObj" refers to invalid object "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}". Action Taken: No Action Taken.
Entry "HKCR\AcroIEHelper.AcroIEHlprObj.1" refers to invalid object "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost.2" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\DSP.DSP" refers to invalid object "{9C123EA9-AEC9-4f75-BBC0-7565FA1398966}". Action Taken: No Action Taken.
Entry "HKCR\DSP.DSPDMOProp_Chorus.1" refers to invalid object "{6F63B172-5543-4593-91CE-EDBA65B9FACDB}". Action Taken: No Action Taken.
Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object.1" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\SymWriter.pdb" refers to invalid object "{520DC67A-752E-11D3-8D56-00C04F680B2B}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\SysInfo.dll". Action Taken: No Action Taken.
Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" refers to invalid object ""C:\PROGRA~1\WINDOW~2\wmplayer.exe"". Action Taken: No Action Taken.
Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" refers to invalid object "C:\PROGRA~1\WINDOW~2\wmplayer.exe". Action Taken: No Action Taken.
Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" refers to invalid object "C:\Program Files\Logitech\Desktop Messenger\8876480\7.2.0.137-8876480SL\Program\PrvCnt.exe". Action Taken: No Action Taken.
Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" refers to invalid object "C:\Program Files\Logitech\Desktop Messenger\8876480\7.2.0.157-8876480SL\Program\PrvCnt.exe". Action Taken: No Action Taken.
Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" refers to invalid object "C:\Program Files\Logitech\Desktop Messenger\8876480\8.1.1.50-8876480SL\Program\PrvCnt.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\InterVideo\Common\Bin\IVIPromotion.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\msxml3a.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\SysInfo.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Nikon\Message Center\postinstall.bat". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Nikon\Message Center\preinstall.bat". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Easy Internet signup\FrontEnd\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Easy Internet signup\FrontEnd\en_us\offer_templates\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Easy Internet signup\FrontEnd\en_us\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Easy Internet signup\FrontEnd\en_us\offer_templates\hp\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Norton Internet Security\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Common Files\Symantec Shared\VirusDefs\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Norton Internet Security\Norton AntiVirus\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "LiveReg". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "LiveUpdate". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Mah Jong Tiles Deluxe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{503AA035-41E2-4858-B31F-1E49AC66C309}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{536F7C74-844B-4683-B0C5-EA39E19A6FE3}". Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc3\a-137[1].htm infected by "Trojan-Clicker.JS.Linker.u" Virus! Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc3\f[1].htm infected by "Exploit.JS.CVE-2005-1790.d" Virus! Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc3\f[2].htm infected by "Exploit.JS.CVE-2005-1790.d" Virus! Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc3\indexit[1].htm infected by "Exploit.HTML.Mht" Virus! Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc3\wbk75.tmp infected by "Exploit.VBS.Phel.i" Virus! Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc3\wbk77.tmp infected by "Exploit.VBS.Phel.i" Virus! Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc3\wbk79.tmp infected by "Exploit.VBS.Phel.i" Virus! Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc4\f[1].htm infected by "Exploit.JS.CVE-2005-1790.d" Virus! Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc4\f[2].htm infected by "Exploit.JS.CVE-2005-1790.d" Virus! Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc5\eifr[1].htm infected by "Trojan-Downloader.JS.Small.bp" Virus! Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc5\f[1].htm infected by "Exploit.JS.CVE-2005-1790.d" Virus! Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc5\f[2].htm infected by "Exploit.JS.CVE-2005-1790.d" Virus! Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc6\b[1].htm infected by "Exploit.JS.CVE-2005-1790.b" Virus! Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc6\f[1].htm infected by "Exploit.JS.CVE-2005-1790.d" Virus! Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-506033597-3072882037-1065329449-500\Dc6\f[2].htm infected by "Exploit.JS.CVE-2005-1790.d" Virus! Action Taken: No Action Taken.
===============================================
- Run ATF-Cleaner.exe.
- Under "Main" choose Select All.
- Click Empty Selected.
- Click Opera at the top.
- Choose Select All.
- Click Empty Selected
- Click Exit on the Main menu.
===============================================If you use Firefox browser
- Click Firefox at the top.
- Choose Select All.
- Click Empty Selected
If you use Opera browserNote: If you would like to keep your saved
passwords, please click No at the prompt.
Note: If you would like to keep your saved
passwords, please click No at the prompt.
After that, download AVG Anti-Spyware and run it in save mode.
Configure AVG Anti-Spyware
- Start AVG Anti-Spyware
- Click the Update icon
- Click Start update
- Wait until updates are downloaded
- Click the Scanner icon
- Open the Settings tab
- Make sure that under "How to act?" read Quarantine
- Under "How to scan?" all checkboxes should be ticked
- Under "Reports" select Automatically generate report after every scan
- Under "What to scan?" select Scan every file
- Click the Shield icon
- Under the "Resident shield is" click active to make it inactive
- Close AVG Anti-Spyware
===============================================(If not, click the text and choose Quarantine)
and uncheck Only if threats were found
Reboot in save mode
- If the computer is running, shut down Windows, and then turn off the power
- Wait 30 seconds, and then turn the computer on
- Start tapping the F8 key
- The Windows Advanced Options Menu appears
- Ensure that the Safe Mode option is selected
- Press Enter. The computer then begins to start in Safe mode
- Login on your usual account
===============================================Scan in save mode
- Close all open windows / programs / folders
- Start AVG Anti-Spyware
- Click the Scanner icon
- Click Complete System Scan
- Let the program scan the machine
- When the scan has finished, follow the instructions below
- Make sure that under "Set all elements to" read Quarantine
- Click Apply all actions
- Click Save Report
- Click Save reports as
- Save report to your Desktop
===============================================(If not, click the text and choose Quarantine)
Reboot in normal mode and send fresh HijackThis log and the AVG Anti-Spyware report.
AVG Anti-Spyware - Scan Report
+ Created at: 5:13:17 AM 3/17/2007
+ Scan result:
Nothing found.
::Report end
and
Logfile of HijackThis v1.99.1
Scan saved at 5:19:27 AM, on 3/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Documents and Settings\Randall Simpson\Desktop\HijackThis.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microsoft Office\Office10\OSA.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Auto EPSON Stylus CX4600 Series on DESKTOP] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P42 "Auto EPSON Stylus CX4600 Series on DESKTOP" /O17 "[URL="file://\\DESKTOP\Printer"]\\DESKTOP\Printer[/URL]" /M "Stylus CX4600"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
Updating Java:
- Download the latest version of Java Runtime Environment (JRE) 6 .
- Click the "Download" button to the right.
- Check the box that says: "Accept License Agreement."
- The page will refresh.
- Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
- Close any programs you may have running - especially your web browser.
- Go to Start > Control Panel double-click on Add/Remove programs and remove the following...
- J2SE Runtime Environment 5.0 Update 10
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Post new HijackThis log.Scan saved at 5:20:19 PM, on 3/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Randall Simpson\Desktop\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Auto EPSON Stylus CX4600 Series on DESKTOP] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P42 "Auto EPSON Stylus CX4600 Series on DESKTOP" /O17 "[URL="file://\\DESKTOP\Printer"]\\DESKTOP\Printer[/URL]" /M "Stylus CX4600"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe