my mistake earns me trojan.download.small.cml
Greetings all!
I made the mistake of trying to get some stuff on astalavista. I knew better but I did it anyway and ended up with a sick computer.
I'm running Vista and I realized I had an issue when IE opened on its own (I usually use Firefox) and it tried to visit a web page that only contained a couple lines of text. IE now opens and tries to access different similar pages of that same site every couple minutes. I could post the link but I'm guessing you wouldn't like me much after that.
Here is a summary of what I've done thus far. When you guys get a chance, could you take a look at it?
Thanks.
Precast
Summary of what I've done thus far:
1) I have run ATF Cleaner.
2) I have run Ad Aware SE (1 critical object in registry scan - Log below).
3) I ran Spybot Search & Destroy (which found "no immediate threats")
4) I ran Spyware Doctor (which found Trojan.Downloader.Small.CML - 9 infections - log below)
5) I HAVE NOT run Online scans - Apparently IE 7.0.6 doesn't like online scans. I fooled with all the IE security settings and still couldn't get any of them past the Terms of Usage.
6) (Hijack log in next post.)
//////////////////////////////////
AD AWARE SE LOG FILE
Ad-Aware SE Build 1.06r1
Logfile Created on:Tuesday, May 08, 2007 9:32:30 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R169 07.05.2007
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Windows(TAC index:3):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ad-Aware SE Settings
===========================
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file
Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects
5-8-2007 9:32:30 PM - Scan started. (Full System Scan)
Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 464
ThreadCreationTime : 5-9-2007 12:46:05 AM
BasePriority : Normal
#:2 [csrss.exe]
FilePath : C:\Windows\system32\
ProcessID : 540
ThreadCreationTime : 5-9-2007 12:46:07 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Client Server Runtime Process
InternalName : CSRSS.Exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CSRSS.Exe.MUI
#:3 [wininit.exe]
FilePath : C:\Windows\system32\
ProcessID : 584
ThreadCreationTime : 5-9-2007 12:46:09 AM
BasePriority : High
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Start-Up Application
InternalName : WinInit
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WinInit.exe.mui
#:4 [csrss.exe]
FilePath : C:\Windows\system32\
ProcessID : 596
ThreadCreationTime : 5-9-2007 12:46:09 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Client Server Runtime Process
InternalName : CSRSS.Exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CSRSS.Exe.MUI
#:5 [services.exe]
FilePath : C:\Windows\system32\
ProcessID : 628
ThreadCreationTime : 5-9-2007 12:46:09 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe.mui
#:6 [lsass.exe]
FilePath : C:\Windows\system32\
ProcessID : 644
ThreadCreationTime : 5-9-2007 12:46:09 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Local Security Authority Process
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe.mui
#:7 [lsm.exe]
FilePath : C:\Windows\system32\
ProcessID : 652
ThreadCreationTime : 5-9-2007 12:46:09 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Local Session Manager Service
InternalName : lsm.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsm.exe.mui
#:8 [winlogon.exe]
FilePath : C:\Windows\system32\
ProcessID : 732
ThreadCreationTime : 5-9-2007 12:46:09 AM
BasePriority : High
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Logon Application
InternalName : winlogon
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WINLOGON.EXE.MUI
#:9 [svchost.exe]
FilePath : C:\Windows\system32\
ProcessID : 836
ThreadCreationTime : 5-9-2007 12:46:10 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Host Process for Windows Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe.mui
#:10 [svchost.exe]
FilePath : C:\Windows\system32\
ProcessID : 924
ThreadCreationTime : 5-9-2007 12:46:10 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Host Process for Windows Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe.mui
#:11 [svchost.exe]
FilePath : C:\Windows\System32\
ProcessID : 980
ThreadCreationTime : 5-9-2007 12:46:10 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Host Process for Windows Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe.mui
#:12 [svchost.exe]
FilePath : C:\Windows\System32\
ProcessID : 1064
ThreadCreationTime : 5-9-2007 12:46:11 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Host Process for Windows Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe.mui
#:13 [svchost.exe]
FilePath : C:\Windows\System32\
ProcessID : 1156
ThreadCreationTime : 5-9-2007 12:46:12 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Host Process for Windows Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe.mui
#:14 [svchost.exe]
FilePath : C:\Windows\system32\
ProcessID : 1184
ThreadCreationTime : 5-9-2007 12:46:12 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Host Process for Windows Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe.mui
#:15 [slsvc.exe]
FilePath : C:\Windows\system32\
ProcessID : 1288
ThreadCreationTime : 5-9-2007 12:46:14 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Microsoft Software Licensing Service
InternalName : SLService
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : SLService
#:16 [svchost.exe]
FilePath : C:\Windows\system32\
ProcessID : 1328
ThreadCreationTime : 5-9-2007 12:46:15 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Host Process for Windows Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe.mui
#:17 [svchost.exe]
FilePath : C:\Windows\system32\
ProcessID : 1496
ThreadCreationTime : 5-9-2007 12:46:16 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Host Process for Windows Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe.mui
#:18 [dwm.exe]
FilePath : C:\Windows\system32\
ProcessID : 1700
ThreadCreationTime : 5-9-2007 12:46:18 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Desktop Window Manager
InternalName : dwm.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : dwm.exe.mui
#:19 [explorer.exe]
FilePath : C:\Windows\
ProcessID : 1728
ThreadCreationTime : 5-9-2007 12:46:18 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE.MUI
#:20 [spoolsv.exe]
FilePath : C:\Windows\System32\
ProcessID : 1784
ThreadCreationTime : 5-9-2007 12:46:18 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe.mui
#:21 [svchost.exe]
FilePath : C:\Windows\system32\
ProcessID : 1808
ThreadCreationTime : 5-9-2007 12:46:18 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Host Process for Windows Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe.mui
#:22 [taskeng.exe]
FilePath : C:\Windows\system32\
ProcessID : 1848
ThreadCreationTime : 5-9-2007 12:46:19 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskEng
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : taskeng.exe.mui
#:23 [realsched.exe]
FilePath : C:\Program Files\Common Files\Real\Update_OB\
ProcessID : 1996
ThreadCreationTime : 5-9-2007 12:46:21 AM
BasePriority : Normal
FileVersion : 0.1.0.3760
ProductVersion : 0.1.0.3760
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2004
LegalTrademarks : RealAudio(tm) is a trademark of RealNetworks, Inc.
OriginalFilename : realsched.exe
#:24 [ituneshelper.exe]
FilePath : C:\Program Files\iTunes\
ProcessID : 2016
ThreadCreationTime : 5-9-2007 12:46:21 AM
BasePriority : Normal
FileVersion : 7.1.1.5
ProductVersion : 7.1.1.5
ProductName : iTunes
CompanyName : Apple Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
LegalCopyright : © 2003-2007 Apple Inc. All Rights Reserved.
OriginalFilename : iTunesHelper.exe
#:25 [smanager.7.exe]
FilePath : C:\Windows\
ProcessID : 2028
ThreadCreationTime : 5-9-2007 12:46:21 AM
BasePriority : Normal
#:26 [sdtrayapp.exe]
FilePath : C:\Program Files\Spyware Doctor\
ProcessID : 316
ThreadCreationTime : 5-9-2007 12:46:21 AM
BasePriority : Normal
FileVersion : 5.0.0.37
ProductVersion : 5.0
CompanyName : PC Tools
FileDescription : Spyware Doctor Tray
LegalCopyright : Copyright © 2007 PC Tools. All rights reserved.
#:27 [sidebar.exe]
FilePath : C:\Program Files\Windows Sidebar\
ProcessID : 384
ThreadCreationTime : 5-9-2007 12:46:22 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 1.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Sidebar
InternalName : Windows Sidebar
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : sidebar.EXE.MUI
#:28 [ehtray.exe]
FilePath : C:\Windows\ehome\
ProcessID : 472
ThreadCreationTime : 5-9-2007 12:46:22 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Media Center Tray Applet
InternalName : ehtray.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ehtray.exe
#:29 [pnagent.exe]
FilePath : C:\Program Files\Citrix\ICA Client\
ProcessID : 844
ThreadCreationTime : 5-9-2007 12:46:22 AM
BasePriority : Normal
FileVersion : 10.00.52110
ProductVersion : 10.00
ProductName : Citrix ICA Client
CompanyName : Citrix Systems, Inc.
FileDescription : Citrix ICA Client PNAgent (Win32)
InternalName : PNAGENT
LegalCopyright : Copyright (c) 1990-2006 Citrix Systems, Inc.
OriginalFilename : PNAGENT.EXE
#:30 [ehmsas.exe]
FilePath : C:\Windows\ehome\
ProcessID : 920
ThreadCreationTime : 5-9-2007 12:46:24 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Media Center Media Status Aggregator Service
InternalName : eHMSAS.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ehMSAS.exe.mui
#:31 [sidebar.exe]
FilePath : C:\Program Files\Windows Sidebar\
ProcessID : 1384
ThreadCreationTime : 5-9-2007 12:46:27 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 1.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Sidebar
InternalName : Windows Sidebar
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : sidebar.EXE.MUI
#:32 [guard.exe]
FilePath : C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\
ProcessID : 2732
ThreadCreationTime : 5-9-2007 12:47:02 AM
BasePriority : Normal
FileVersion : 7, 5, 0, 47
ProductVersion : 7, 5, 0, 47
ProductName : AVG Anti-Spyware
CompanyName : Anti-Malware Development a.s.
FileDescription : AVG Anti-Spyware guard
InternalName : AVG Anti-Spyware guard
LegalCopyright : Copyright © 2006 Anti-Malware Development a.s.
OriginalFilename : guard.exe
#:33 [svchost.exe]
FilePath : C:\Windows\system32\
ProcessID : 2748
ThreadCreationTime : 5-9-2007 12:47:05 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Host Process for Windows Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe.mui
#:34 [clcapsvc.exe]
FilePath : C:\Program Files\HP\QuickPlay\Kernel\TV\
ProcessID : 2764
ThreadCreationTime : 5-9-2007 12:47:06 AM
BasePriority : Normal
FileVersion : 5.00.3517
ProductVersion : 5.00.3517
ProductName : CLCapSvc Module
FileDescription : CLCapSvc Module
InternalName : CLCapSvc
LegalCopyright : Copyright 2004
OriginalFilename : CLCapSvc.EXE
#:35 [hphc_service.exe]
FilePath : C:\Program Files\Hewlett-Packard\HP Health Check\
ProcessID : 2800
ThreadCreationTime : 5-9-2007 12:47:06 AM
BasePriority : Normal
#:36 [lssrvc.exe]
FilePath : C:\Program Files\Common Files\LightScribe\
ProcessID : 2992
ThreadCreationTime : 5-9-2007 12:47:07 AM
BasePriority : Normal
FileVersion : 1.4.124.1
ProductName : LightScribe
CompanyName : Hewlett-Packard Company
LegalCopyright : © Copyright 2003-2006 Hewlett-Packard Development Company, LP
OriginalFilename : LSSrvc.exe
#:37 [svchost.exe]
FilePath : C:\Windows\system32\
ProcessID : 3024
ThreadCreationTime : 5-9-2007 12:47:07 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Host Process for Windows Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe.mui
#:38 [svcntaux.exe]
FilePath : C:\Program Files\Spyware Doctor\
ProcessID : 3096
ThreadCreationTime : 5-9-2007 12:47:07 AM
BasePriority : Normal
FileVersion : 5.0.0.21
ProductVersion : 5.0
CompanyName : PC Tools
LegalCopyright : Copyright © 2006 PC Tools. All rights reserved.
#:39 [swdsvc.exe]
FilePath : C:\Program Files\Spyware Doctor\
ProcessID : 3168
ThreadCreationTime : 5-9-2007 12:47:08 AM
BasePriority : Normal
FileVersion : 5.0.0.57
ProductVersion : 5.0
CompanyName : PC Tools
FileDescription : Spyware Doctor Service
LegalCopyright : Copyright © 2006 PC Tools. All rights reserved.
#:40 [svchost.exe]
FilePath : C:\Windows\system32\
ProcessID : 3224
ThreadCreationTime : 5-9-2007 12:47:10 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Host Process for Windows Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe.mui
#:41 [tavsvc.exe]
FilePath : C:\Program Files\Trend Micro\AntiVirus 2007\
ProcessID : 3240
ThreadCreationTime : 5-9-2007 12:47:10 AM
BasePriority : Normal
FileVersion : 15.1.0.1206
ProductVersion : 15.1.0
ProductName : Trend Micro AntiVirus 2007
CompanyName : Trend Micro Inc.
FileDescription : Trend Micro AntiVirus Service Manager
InternalName : tavsvc
LegalCopyright : Copyright (C) 1995-2007 Trend Micro Incorporated. All rights reserved.
LegalTrademarks : Copyright (C) 1995-2007 Trend Micro Incorporated.
OriginalFilename : tavsvc.exe
#:42 [tmproxy.exe]
FilePath : C:\Program Files\Trend Micro\AntiVirus 2007\Components\
ProcessID : 3276
ThreadCreationTime : 5-9-2007 12:47:11 AM
BasePriority : Normal
FileVersion : 3.1.0.1013
ProductVersion : 3.1.0
ProductName : Trend Micro Network Security Components 3.1
CompanyName : Trend Micro Inc.
FileDescription : Trend Micro Proxy Service Controller
InternalName : TmProxy.exe
LegalCopyright : Copyright (C) 2001-2006 Trend Micro Inc. All rights reserved.
LegalTrademarks : Copyright (C) Trend Micro Inc.
OriginalFilename : TmProxy.exe
#:43 [spysweeper.exe]
FilePath : C:\Program Files\Webroot\Spy Sweeper\
ProcessID : 3308
ThreadCreationTime : 5-9-2007 12:47:11 AM
BasePriority : Normal
FileVersion : 3,3,1,2592
ProductVersion : 3, 3
ProductName : Spy Sweeper SDK
CompanyName : Webroot Software, Inc.
FileDescription : Spy Sweeper Engine
LegalCopyright : Copyright (C) 2002 - 2007, All Rights Reserved.
LegalTrademarks : Spy Sweeper is a trademark of Webroot Software, Inc.
OriginalFilename : SpySweeper.exe
#:44 [svchost.exe]
FilePath : C:\Windows\System32\
ProcessID : 3492
ThreadCreationTime : 5-9-2007 12:47:13 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Host Process for Windows Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe.mui
#:45 [searchindexer.exe]
FilePath : C:\Windows\system32\
ProcessID : 3516
ThreadCreationTime : 5-9-2007 12:47:13 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Microsoft Windows Search Indexer
InternalName : SearchIndexer.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : SearchIndexer.exe.mui
#:46 [xaudio.exe]
FilePath : C:\Windows\system32\DRIVERS\
ProcessID : 3556
ThreadCreationTime : 5-9-2007 12:47:13 AM
BasePriority : Normal
#:47 [clsched.exe]
FilePath : C:\Program Files\HP\QuickPlay\Kernel\TV\
ProcessID : 3568
ThreadCreationTime : 5-9-2007 12:47:13 AM
BasePriority : Normal
FileVersion : 5.00.3517
ProductVersion : 5.00.3517
ProductName : CLSched Module
FileDescription : CLSched Module
InternalName : CLSched
LegalCopyright : Copyright 2004
OriginalFilename : CLSched.EXE
#:48 [hpqwmiex.exe]
FilePath : C:\Program Files\Hewlett-Packard\Shared\
ProcessID : 3588
ThreadCreationTime : 5-9-2007 12:47:13 AM
BasePriority : Normal
FileVersion : 2, 0, 1, 9
ProductVersion : 2, 0, 1, 9
ProductName : hpqwmiex Module
CompanyName : Hewlett-Packard Development Company, L.P.
FileDescription : hpqwmiex Module
InternalName : hpqwmiex
LegalCopyright : © Copyright 2003-2006 Hewlett-Packard Development Company, L.P.
OriginalFilename : hpqwmiex.EXE
#:49 [taskeng.exe]
FilePath : C:\Windows\system32\
ProcessID : 2532
ThreadCreationTime : 5-9-2007 12:47:55 AM
BasePriority : Below Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskEng
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : taskeng.exe.mui
#:50 [ipodservice.exe]
FilePath : C:\Program Files\iPod\bin\
ProcessID : 2608
ThreadCreationTime : 5-9-2007 12:47:58 AM
BasePriority : Normal
FileVersion : 7.1.1.5
ProductVersion : 7.1.1.5
ProductName : iTunes
CompanyName : Apple Inc.
FileDescription : iPodService Module
InternalName : iPodService
LegalCopyright : © 2003-2007 Apple Inc. All Rights Reserved.
OriginalFilename : iPodService.exe
#:51 [notepad.exe]
FilePath : C:\Windows\system32\
ProcessID : 1912
ThreadCreationTime : 5-9-2007 12:49:18 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Notepad
InternalName : Notepad
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : NOTEPAD.EXE.MUI
#:52 [unsecapp.exe]
FilePath : C:\Windows\system32\wbem\
ProcessID : 3544
ThreadCreationTime : 5-9-2007 12:50:09 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Sink to receive asynchronous callbacks for WMI client application
InternalName : unsecapp.dll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : unsecapp.dll
#:53 [wmiprvse.exe]
FilePath : C:\Windows\system32\wbem\
ProcessID : 1924
ThreadCreationTime : 5-9-2007 12:50:10 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI Provider Host
InternalName : Wmiprvse.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : Wmiprvse.exe
#:54 [swdoctor.exe]
FilePath : C:\Program Files\Spyware Doctor\
ProcessID : 2956
ThreadCreationTime : 5-9-2007 12:52:18 AM
BasePriority : Normal
FileVersion : 5.0.0.184
ProductVersion : 5.0
CompanyName : PC Tools
FileDescription : Spyware Doctor
LegalCopyright : Copyright © 2006 PC Tools. All rights reserved.
#:55 [spybotsd.exe]
FilePath : C:\Program Files\Spybot - Search & Destroy\
ProcessID : 5988
ThreadCreationTime : 5-9-2007 1:06:38 AM
BasePriority : Normal
FileVersion : 1.4.0.3
ProductVersion : 1, 4, 0, 3
ProductName : SpyBot-S&D
CompanyName : Safer Networking Limited
FileDescription : Spybot - Search & Destroy
InternalName : SpybotSD
LegalCopyright : © 2000-2005 Patrick M. Kolla / Safer Networking Limited. Alle Rechte vorbehalten.
LegalTrademarks : "Spybot" und "Spybot - Search & Destroy" sind registrierte Warenzeichen.
OriginalFilename : SpyBotSD.exe
Comments : Software zum Entfernen von Spyware und ähnlichen Bedrohungen.
#:56 [firefox.exe]
FilePath : C:\Program Files\Mozilla Firefox\
ProcessID : 4332
ThreadCreationTime : 5-9-2007 1:12:35 AM
BasePriority : Normal
#:57 [ad-aware.exe]
FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\
ProcessID : 4136
ThreadCreationTime : 5-9-2007 1:27:29 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved
#:58 [ieuser.exe]
FilePath : C:\Program Files\Internet Explorer\
ProcessID : 5128
ThreadCreationTime : 5-9-2007 1:30:46 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : ieuser.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ieuser.exe.mui
#:59 [searchprotocolhost.exe]
FilePath : C:\Windows\system32\
ProcessID : 5308
ThreadCreationTime : 5-9-2007 1:31:57 AM
BasePriority : Idle
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Microsoft Windows Search Protocol Host
InternalName : SearchProtocolHost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : SearchProtocolHost.exe
#:60 [searchfilterhost.exe]
FilePath : C:\Windows\system32\
ProcessID : 5344
ThreadCreationTime : 5-9-2007 1:31:58 AM
BasePriority : Idle
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Microsoft Windows Search Filter Host
InternalName : SearchFilterHost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : SearchFilterHost.exe
Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0
Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Windows Object Recognized!
Type : RegData
Data :
TAC Rating : 3
Category : Vulnerability
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-110746431-3671446382-3770039454-1000\software\policies\microsoft\internet explorer\control panel
Value : Homepage
Data :
Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 1
Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1
Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1
Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1
Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1
Scanning Hosts file......
Hosts file location:"C:\Windows\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
2 entries scanned.
New critical objects:0
Objects found so far: 1
Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1
10:24:03 PM Scan Complete
Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:51:33.166
Objects scanned:481254
Objects identified:1
Objects ignored:0
New critical objects:1
/////////////////////////////////////////////////
////////////////////////////////////////////////
PC TOOLS SPYWARE DOCTOR - LOG FILE (from a .htm)
PC Tools Spyware Doctor
DATE STATUS
5/9/2007 7:57:40 PM:24 Service Started
Spyware Doctor Service Application started
5/9/2007 7:57:40 PM:217 OnGuards status
All OnGuards were Enabled
5/9/2007 7:57:43 PM:156 Immunizer Results
ActiveX section has been immunized, Processed 4 items.
5/9/2007 8:10:41 PM:922 Scan Started
Scan Type - Full Scan
5/9/2007 8:37:52 PM:986 Infection was detected on this computer
Threat Name - Trojan.Downloader.Small.CML
Type - File
Risk Level - High
Infection - C:\Windows\System32\wincis32.dll
5/9/2007 8:42:51 PM:486 Infection was detected on this computer
Threat Name - Trojan.Downloader.Small.CML
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wincis32, Asynchronous
5/9/2007 8:42:51 PM:496 Infection was detected on this computer
Threat Name - Trojan.Downloader.Small.CML
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wincis32, DllName
5/9/2007 8:42:51 PM:506 Infection was detected on this computer
Threat Name - Trojan.Downloader.Small.CML
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wincis32, Impersonate
5/9/2007 8:42:51 PM:516 Infection was detected on this computer
Threat Name - Trojan.Downloader.Small.CML
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wincis32, Startup
5/9/2007 8:42:51 PM:525 Infection was detected on this computer
Threat Name - Trojan.Downloader.Small.CML
Type - Registry Value
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wincis32, Shutdown
5/9/2007 8:42:51 PM:526 Infection was detected on this computer
Threat Name - Trojan.Downloader.Small.CML
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wincis32
5/9/2007 8:43:37 PM:223 Infection was detected on this computer
Threat Name - Trojan.Downloader.Small.CML
Type - File
Risk Level - High
Infection - wincis32.dll
5/9/2007 8:43:37 PM:262 Infection was detected on this computer
Threat Name - Trojan.Downloader.Small.CML
Type - Startup
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\wincis32 wincis32.dll
5/9/2007 8:44:29 PM:524 Scan Finished
Scan Type - Full Scan
Items Processed - 200300
Threats Detected - 1
Infections Detected - 9
Infections Ignored - 0
Infection - wincis32.dll
5/9/2007 8:43:37 PM:262 Infection was detected on this computer
Threat Name - Trojan.Downloader.Small.CML
Type - Startup
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\wincis32 wincis32.dll
5/9/2007 8:44:29 PM:524 Scan Finished
Scan Type - Full Scan
Items Processed - 200300
Threats Detected - 1
Infections Detected - 9
Infections Ignored - 0
Logfile of HijackThis v1.99.1
Scan saved at 9:33:58 PM, on 5/9/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\smanager.7.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Windows\system32\svchost.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] "C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" -1 --delay 15
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Program Neighborhood Agent.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.kaspersky.com
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://workbench.bovislendlease.com/Citrix/ICAWEB/en/ica32/wficat.cab
O16 - DPF: {2FE68711-8830-417D-95E0-EAB307DB0447} (mpsPwLc7.PMWebSiteLogin) - https://projects.bovislendlease.com/pw/mpsPwLc7.CAB
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://projects.bovislendlease.com/viewer6/activeXViewer/activexviewer.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: vtuuttr - C:\Windows\SYSTEM32\vtuuttr.dll
O20 - Winlogon Notify: wincis32 - C:\Windows\SYSTEM32\wincis32.dll
O20 - Winlogon Notify: WRNotifier - C:\Windows\SYSTEM32\WRLogonNTF.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
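The HijackThis log above can be triaged mechanically for the three things that turned out to matter in this thread: Winlogon Notify packages (O20), Run entries given as a bare filename with no path (the smanager.7.exe entry), and entries HijackThis marks "(file missing)". The script below is an added example, not code from this thread or from HijackThis; its log excerpt is constructed from entries quoted above, and the allowlist of Winlogon packages treated as benign is an assumption.

```python
"""Triage a HijackThis-style log for the autostart points discussed in this thread.

Added example, not code from the thread or from HijackThis. The log excerpt is
constructed from entries quoted in the thread; the allowlist is an assumption.
"""
import re
from dataclasses import dataclass

# Constructed excerpt: a few of the lines quoted in the thread, in HijackThis format.
SAMPLE_LOG = r"""
Running processes:
C:\Windows\system32\winlogon.exe
C:\Windows\smanager.7.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: wincis32 - C:\Windows\SYSTEM32\wincis32.dll
O20 - Winlogon Notify: vtuuttr - vtuuttr.dll (file missing)
"""

# Winlogon notification packages treated as legitimate here (assumption, not a vendor
# list): the Intel graphics package (igfxcui) and Webroot Spy Sweeper (WRNotifier).
KNOWN_NOTIFY = frozenset({"igfxcui", "wrnotifier"})

O4_RE = re.compile(r"^O4 - .*Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+)$")
ENTRY_RE = re.compile(r"^[RO]\d+ - ")


@dataclass(frozen=True)
class Finding:
    kind: str    # "orphan", "bare_path" or "winlogon_notify"
    entry: str   # the name HijackThis shows for the entry
    detail: str


def parse_log(text):
    """Split a log into (running process paths, R/O entry lines)."""
    processes, entries = [], []
    in_processes = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if ENTRY_RE.match(line):
            in_processes = False
        (processes if in_processes else entries).append(line)
    return processes, entries


def command_target(cmd):
    """Return the executable from an O4 command: the quoted path, or the first token."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd.strip())
    return m.group(1) or m.group(2)


def triage(text, known_notify=KNOWN_NOTIFY):
    processes, entries = parse_log(text)
    # Map basename -> full path of what is actually running, so a bare-name Run
    # entry can be resolved to the directory it was really loaded from.
    running = {p.rsplit("\\", 1)[-1].lower(): p for p in processes}
    findings = []
    for line in entries:
        if line.endswith("(file missing)"):
            # Dangling autostart: HijackThis could not find the file. Typically left
            # behind when a removal tool deleted the DLL but not the registry entry.
            label = line.split(" - ")[1]
            findings.append(Finding("orphan", label, "entry points at a file that no longer exists"))
            continue
        m = O4_RE.match(line)
        if m:
            target = command_target(m.group("cmd"))
            if "\\" not in target:
                # No directory given: Windows resolves the name through its search
                # path, which is how smanager.7.exe ran from C:\Windows unnoticed.
                where = running.get(target.lower())
                detail = f"no path given; currently running as {where}" if where else "no path given; not running"
                findings.append(Finding("bare_path", m.group("name"), detail))
            continue
        m = O20_RE.match(line)
        if m and m.group("name").lower() not in known_notify:
            # Winlogon notification DLLs load into winlogon.exe at logon; anything
            # not on the allowlist deserves a look, as wincis32 and vtuuttr did here.
            findings.append(Finding("winlogon_notify", m.group("name"), f"unrecognised package {m.group('dll')}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:16} {f.entry:28} {f.detail}")
```

Running it against a full log pasted into SAMPLE_LOG prints one line per finding; an "orphan" is a cleanup item, a "bare_path" or "winlogon_notify" is something to look up before deciding.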
My name is Rahina Rescue and I will be handling your log to help you get cleaned up.
Please give me some time to look it over and I will get back to you as soon as possible.
I do not recommend that you have more than one anti virus product installed and running on your computer at a time.
The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms".
It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either Trend Micro AntiVirus or Symantec/Norton Antivirus.
Let me know when you have done this.
So it took me a couple minutes to find Add/Remove in Vista (now called "Programs and Features") and I didn't see Norton/Symantec anywhere. This machine is about 2 months old and I have to admit I haven't explored the new OS as much as I should have.
When I bought the machine I put Trend on it but not Norton. I'm not sure where that came from (symlcsvc.exe). Could it be something that MS stuffed in as part of a promo or maybe related to the problem? I checked out the folder where it is located and it contains 3 .dll files and a file named ez_log.html. All files in the folder were last modified before I purchased the machine.
I am running about 4 spyware programs on the machine but I'm not running them with real time protection and I run the scans separately.
Here's another symptom that just popped up: when I reboot my computer, the clock on the computer jumps forward an hour.
Step #1
Please download VundoFix.exe to your desktop
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files, click YES
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer, click OK.
- Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
Step #2
Download the latest version of Java Runtime Environment (JRE) 6
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.
Step #3
Please download Combofix to your desktop.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Step #4
In your next reply please post:
C:\Vundofix.txt
C:\Combofix.txt
Also Post a Fresh Hijackthis logfile.
Sorry it took so long to get back to you. I went to visit mom for the weekend as a mother's day present.
1) So VundoFix didn't finish removing the vtuuttr.dll file. When it tried to restart the computer, my machine locked up and wouldn't finish shutting down. I had to force the shutdown with the power button after waiting about 5 minutes. I ran VundoFix again and it found the vtuuttr.dll again and tried to remove it again. The log below is obviously incomplete...
VundoFix V6.3.21
Checking Java version...
Scan started at 8:02:28 PM 5/13/2007
Listing files found while scanning....
C:\Windows\System32\vtuuttr.dll
Beginning removal...
VundoFix V6.3.21
Checking Java version...
Scan started at 8:31:25 PM 5/13/2007
Listing files found while scanning....
C:\Windows\System32\vtuuttr.dll
Beginning removal...
//////////////////////// And this is where it hung up again.///////
I got a bit impatient/frustrated so I took Killbox and got rid of it. Then ran VundoFix again. Here's the new log.
VundoFix V6.3.21
Checking Java version...
Scan started at 7:27:29 PM 5/15/2007
Listing files found while scanning....
No infected files were found.
2) I removed and reinstalled Java
3) I downloaded ComboFix but it doesn't seem to like me. I clicked the file, the screen blinked and nothing else happened. I opened task manager and watched the processes while I did that. ComboFix.exe ran for a second then a cmd.exe opened but didn't show the command line window.
////////////////////
And the result...is interesting. When I start up the machine, IE opens and tries to go to the same site, but after I close it it doesn't open anymore. I don't know if this is due to the realtime PC Tools Spyware Doctor that I have running now or if we have done some damage to the Spyware/virus/annoyance.
Anyway here's the Hijack log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:45:30 PM, on 5/15/2007
Platform: Windows Vista (WinNT 6.00.1904)
Boot mode: Normal
Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\svchost.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\owner\Desktop\Install Files\HiJackThis_v2.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] "C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" -1 --delay 15
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Program Neighborhood Agent.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O13 - Gopher Prefix:
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://workbench.bovislendlease.com/Citrix/ICAWEB/en/ica32/wficat.cab
O16 - DPF: {2FE68711-8830-417D-95E0-EAB307DB0447} (mpsPwLc7.PMWebSiteLogin) - https://projects.bovislendlease.com/pw/mpsPwLc7.CAB
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://projects.bovislendlease.com/viewer6/activeXViewer/activexviewer.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: vtuuttr - vtuuttr.dll (file missing)
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 9647 bytes
Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.
Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
Scan with DrWeb-CureIt as follows:
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
I haven't performed the actions requested in your most recent reply yet but I thought you might be interested in the following.
At startup the PC TOOLS SPYWARE DOCTOR has been removing smanager.7.exe (trojan.downloader.alphabet.GEN) and each time I reboot it has been coming up again.
I deleted it manually and now when I startup the DOCTOR doesn't detect it and IE is no longer popping up with the unwanted site. HAPPINESS!
I am still going to perform the items to make sure it is gone, but I'll have to do it tomorrow as I'm falling asleep at the moment. Thanks for the continued help. I'll post a reply tomorrow with the Dr.Web log and a new Hijack.
Precast
I ran Dr Web and found some more stuff. Here's the log.
vtuuttr.dll;C:\!KillBox;Trojan.Virtumod; Deleted.;
vtuuttr.dll( 1);C:\!KillBox;Trojan.Virtumod; Deleted.;
vtuuttr.dll( 2);C:\!KillBox;Trojan.Virtumod; Deleted.;
vtuuttr.dll;C:\Documents and Settings\owner\Documents\spyware****;Trojan.Virtumod; Deleted.;
defrag.js;C:\Program Files\Hewlett-Packard\HP Health Check\ActiveCheck\objects;Modification of VBS.Generic.217;Moved.;
And just for fun, how about another Hijack log...
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:26:37 PM, on 5/16/2007
Platform: Windows Vista (WinNT 6.00.1904)
Boot mode: Normal
Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\svchost.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\taskeng.exe
C:\Users\owner\Desktop\Install Files\HiJackThis_v2.exe
C:\Windows\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] "C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" -1 --delay 15
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Program Neighborhood Agent.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O13 - Gopher Prefix:
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://workbench.bovislendlease.com/Citrix/ICAWEB/en/ica32/wficat.cab
O16 - DPF: {2FE68711-8830-417D-95E0-EAB307DB0447} (mpsPwLc7.PMWebSiteLogin) - https://projects.bovislendlease.com/pw/mpsPwLc7.CAB
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://projects.bovislendlease.com/viewer6/activeXViewer/activexviewer.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: vtuuttr - vtuuttr.dll (file missing)
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 9648 bytes
Thanks so much, Rahina.
Precast
Please run a scan using HijackThis 1.99.1 and post a fresh logfile in your next reply.
Logfile of HijackThis v1.99.1
Scan saved at 9:28:18 PM, on 5/17/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\svchost.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\conime.exe
C:\PROGRA~1\HPCONN~1\6811507\Program\HPCONN~1.EXE
C:\Windows\system32\taskeng.exe
C:\Users\owner\Desktop\Install Files\spy****\hijackthis_sfx.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] "C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" -1 --delay 15
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Program Neighborhood Agent.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://workbench.bovislendlease.com/Citrix/ICAWEB/en/ica32/wficat.cab
O16 - DPF: {2FE68711-8830-417D-95E0-EAB307DB0447} (mpsPwLc7.PMWebSiteLogin) - https://projects.bovislendlease.com/pw/mpsPwLc7.CAB
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://projects.bovislendlease.com/viewer6/activeXViewer/activexviewer.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: vtuuttr - vtuuttr.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\Windows\SYSTEM32\WRLogonNTF.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
Step #1
Please open HijackThis and scan. Check the boxes next to all the entries listed below:
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O20 - Winlogon Notify: vtuuttr - vtuuttr.dll (file missing)
Now close all windows other than HijackThis, then click Fix Checked. Close HijackThis.
Please go Here to see how to show hidden files in Windows.
Now, using Windows Explorer (to get there, right-click your Start button and go to "Explore"), please delete this file (if present):
C:\Windows\Smanager.7.exe
Step #2
Please do an online scan with Kaspersky WebScanner
Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky; click Yes.
- Extended (if available, otherwise Standard)
- Scan Archives
- Scan Mail Bases
- Click OK.
- Now, under "Select a target to scan", select My Computer. The program will start and scan your system.
- The scan will take a while, so be patient and let it run.
- Once the scan is complete it will display whether your system has been infected.
- Now click on the Save as Text button and save the file to your desktop.
- Copy and paste that information in your next post.
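The triage the helper does by eye in Step #1 (spot the Run entry that launches a bare filename and the Winlogon Notify package whose DLL is gone), written out as an added example; this is not code from the thread or from HijackThis. It parses a handful of HijackThis-style lines constructed to mirror the log above (a hand-picked subset, not the full log) and returns the entries worth fixing with a reason for each. The regexes, the `executable_of`/`is_bare_name`/`triage` helpers and the temp-directory heuristic are my own assumptions about what a reviewer checks first.

```python
import re

# Constructed sample: HijackThis-style lines modelled on the log above.
# This is a small hand-picked subset, not the full log from the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] "C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" -1 --delay 15
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: vtuuttr - vtuuttr.dll (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
"""

# O4: autostart values under a Run key.  O20: Winlogon Notify packages.
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")
# Program path at the start of a command line: either a quoted string, or an
# unquoted run of text up to the first executable-looking extension.
EXE_RE = re.compile(
    r'^"(?P<quoted>[^"]+)"'
    r'|^(?P<unquoted>.*?\.(?:exe|dll|com|scr|pif|bat|cmd|vbs|js))(?:\s|$)',
    re.IGNORECASE,
)
TEMP_MARKERS = ("\\temp\\", "\\appdata\\local\\temp\\")


def executable_of(cmd: str) -> str:
    """Return the program path from a Run-key command line, arguments stripped."""
    m = EXE_RE.match(cmd)
    if m:
        return m.group("quoted") or m.group("unquoted")
    parts = cmd.split()
    return parts[0] if parts else cmd


def is_bare_name(path: str) -> bool:
    """True when the entry names a file with no drive, directory or %VAR%.

    Such a name is resolved through the loader's search path at boot instead of
    pointing at a known location; installers for real products rarely do this,
    downloaders dropped into C:\\Windows routinely do.
    """
    return not any(ch in path for ch in "\\/:%")


def triage(log_text: str) -> list:
    """Return the O4 and O20 entries a reviewer should fix, each with a reason."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            exe = executable_of(m.group("cmd"))
            if is_bare_name(exe):
                reason = f"Run entry launches a bare filename ({exe}) instead of a full path"
            elif any(marker in exe.lower() for marker in TEMP_MARKERS):
                reason = f"Run entry launches from a temp directory ({exe})"
            else:
                continue
            hits.append({"name": m.group("name"), "line": line, "reason": reason})
        elif m := NOTIFY_RE.match(line):
            target = m.group("target")
            if target.endswith("(file missing)"):
                reason = "Winlogon Notify package whose DLL is gone: orphaned autostart"
            elif is_bare_name(target):
                reason = f"Winlogon Notify package registered by bare name ({target})"
            else:
                continue
            hits.append({"name": m.group("name"), "line": line, "reason": reason})
        # O23 service lines are deliberately left alone: "(file missing)" on a
        # %windir%-style path in the 1.99.1 log above is the tool not expanding
        # the variable (svchost.exe is plainly running), not an orphan.
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"[{hit['name']}] {hit['reason']}\n    {hit['line']}")
```

Run against the sample, `triage` returns exactly the two entries the helper asked to fix, SManager and vtuuttr, and nothing from the Trend Micro, Sidebar or igfxcui lines. The O23 `(file missing)` entries in the 1.99.1 log are skipped on purpose: svchost.exe appears in the running-process list of the same log, so the flag there is an artefact of the unexpanded `%windir%` path rather than a missing file, and treating it as a hit would only add noise.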
I had some issues with the online version, so I downloaded the 30-day trial of the Kaspersky Antivirus software. Here's the log it produced:
Protection
Total scanned: 308138
Detected: 3
Untreated: 0
Start time: 5/19/2007 8:06:34 PM
Duration: 01:55:39
Detected
Status Object
deleted: Trojan program Trojan-Downloader.Win32.Alphabet.gen File: C:\Users\owner\AppData\Local\Temp\winF339.tmp.exe//PE_Patch.PECompact//PecBundle//PECompact
deleted: adware not-a-virus:AdWare.Win32.EZula.l File: C:\Users\owner\Documents\Kennedy\personal\annasaver.exe//WISE0019.BIN
deleted: adware not-a-virus:AdWare.Win32.180Solutions File: C:\Users\owner\Documents\Kennedy\personal\annasaver.exe//WISE0020.BIN
Events
Time Event
----
5/19/2007 7:40:08 PM Kaspersky Anti-Virus is not activated.
5/19/2007 7:40:08 PM A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
5/19/2007 7:40:21 PM Protection of your computer started.
5/19/2007 7:42:16 PM Please restart your computer to complete the installation of new or updated protection components.
5/19/2007 7:42:22 PM Update completed successfully
5/19/2007 8:03:56 PM Protection of your computer is not running. You are advised to resume protection.
5/19/2007 8:06:24 PM Kaspersky Anti-Virus is not activated.
5/19/2007 8:06:24 PM A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
5/19/2007 8:06:34 PM Protection of your computer started.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/Ad-Aware SE Default.skn: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/arrow1.bmp: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/arrow2.bmp: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bck1.bmp: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt11.bmp: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt12.bmp: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt13.bmp: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt21.bmp: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt22.bmp: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt23.bmp: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt31.bmp: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt32.bmp: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt33.bmp: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt41.bmp: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt42.bmp: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt43.bmp: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt51.bmp: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt52.bmp: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt53.bmp: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt61.bmp: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt62.bmp: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/checkbox1.bmp: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/checkbox2.bmp: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/checkbox3.bmp: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/checkbox4.bmp: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/defbtn1.bmp: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/defbtn2.bmp: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/defbtn3.bmp: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/glyph1.bmp: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/glyph2.bmp: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/glyph3.bmp: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/glyph4.bmp: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/glyph5.bmp: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/glyph6.bmp: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/glyph7.bmp: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/main.bmp: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/preview.bmp: is password protected.
5/19/2007 9:02:32 PM File C:\Program Files\Lavasoft(0)\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/sprite1.bmp: is password protected.
5/19/2007 9:13:15 PM File C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCToolbar.zip/sbRecovery.reg: is password protected.
5/19/2007 9:13:15 PM File C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCToolbar.zip/sbRecovery.ini: is password protected.
5/19/2007 9:27:49 PM File C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCToolbar.zip/sbRecovery.reg: is password protected.
5/19/2007 9:27:49 PM File C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCToolbar.zip/sbRecovery.ini: is password protected.
5/19/2007 9:31:06 PM File C:\Users\owner\AppData\Local\Temp\winF339.tmp.exe//PE_Patch.PECompact//PecBundle//PECompact: detected Trojan program 'Trojan-Downloader.Win32.Alphabet.gen'.
5/19/2007 9:31:06 PM Security threats have been detected. You are advised to neutralize them immediately.
5/19/2007 9:31:06 PM File C:\Users\owner\AppData\Local\Temp\winF339.tmp.exe//PE_Patch.PECompact//PecBundle//PECompact: is still infected, postponed.
5/19/2007 9:31:10 PM File C:\Users\owner\AppData\Local\Temp\winF339.tmp.exe//PE_Patch.PECompact//PecBundle//PECompact: detected Trojan program 'Trojan-Downloader.Win32.Alphabet.gen'. User: WORKGROUP\OWNER-PC$, computer: localhost.
5/19/2007 9:33:04 PM File C:\Users\owner\AppData\Local\Temp\winF339.tmp.exe//PE_Patch.PECompact//PecBundle//PECompact: is still infected, cannot be disinfected.
5/19/2007 9:33:34 PM File C:\Users\owner\AppData\Local\Temp\winF339.tmp.exe: deleted.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/Ad-Aware SE Default.skn: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/arrow1.bmp: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/arrow2.bmp: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/bck1.bmp: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/bt11.bmp: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/bt12.bmp: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/bt13.bmp: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/bt21.bmp: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/bt22.bmp: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/bt23.bmp: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/bt31.bmp: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/bt32.bmp: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/bt33.bmp: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/bt41.bmp: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/bt42.bmp: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/bt43.bmp: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/bt51.bmp: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/bt52.bmp: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/bt53.bmp: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/bt61.bmp: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/bt62.bmp: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/checkbox1.bmp: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/checkbox2.bmp: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/checkbox3.bmp: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/checkbox4.bmp: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/defbtn1.bmp: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/defbtn2.bmp: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/defbtn3.bmp: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/glyph1.bmp: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/glyph2.bmp: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/glyph3.bmp: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/glyph4.bmp: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/glyph5.bmp: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/glyph6.bmp: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/glyph7.bmp: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/main.bmp: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/preview.bmp: is password protected.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\aawsepersonal.exe//WISE0020.BIN/sprite1.bmp: is password protected.
5/19/2007 9:37:00 PM File C:\Users\owner\Documents\Kennedy\personal\annasaver.exe//WISE0019.BIN: detected adware 'not-a-virus:AdWare.Win32.EZula.l'.
5/19/2007 9:37:00 PM Security threats have been detected. You are advised to neutralize them immediately.
5/19/2007 9:37:00 PM File C:\Users\owner\Documents\Kennedy\personal\annasaver.exe//WISE0019.BIN: is still infected, postponed.
5/19/2007 9:37:00 PM File C:\Users\owner\Documents\Kennedy\personal\annasaver.exe//WISE0020.BIN: detected adware 'not-a-virus:AdWare.Win32.180Solutions'.
5/19/2007 9:42:44 PM File c:\users\owner\documents\kennedy\personal\annasaver.exe//WISE0019.BIN: detected adware 'not-a-virus:AdWare.Win32.EZula.l'.
5/19/2007 9:42:48 PM File c:\users\owner\documents\kennedy\personal\annasaver.exe//WISE0020.BIN: detected adware 'not-a-virus:AdWare.Win32.180Solutions'.
5/19/2007 9:42:48 PM File c:\users\owner\documents\kennedy\personal\annasaver.exe: deleted.
Reports
Component Status Start Finish Size
----
Proactive Defense running 5/19/2007 8:06:34 PM 0 bytes
File Anti-Virus running 5/19/2007 8:06:34 PM 5 MB
Mail Anti-Virus running 5/19/2007 8:06:34 PM 0 bytes
Web Anti-Virus running 5/19/2007 8:06:35 PM 108 KB
Scan My Computer completed 5/19/2007 8:23:48 PM 5/19/2007 9:59:20 PM 55.3 MB
Quarantine
Status Object Size Added
----
Backup
Status Object Size
----
Infected: adware not-a-virus:AdWare.Win32.EZula.l c:\users\owner\documents\kennedy\personal\annasaver.exe 1.8 MB
Infected: Trojan program Trojan-Downloader.Win32.Alphabet.gen C:\Users\owner\AppData\Local\Temp\winF339.tmp.exe 11 KB
Cheers,
Precast
Remember that you should only have 1 Antivirus and 1 Firewall at a time active on your system.
The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms".
It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection.
Please run Panda's ActiveScan. You will need to use Internet Explorer to run it.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
o If it wants to install an ActiveX component allow it
o It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
o When download is complete, click on My Computer to start the scan
o When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the ActiveScan report
Let's try something different. Panda's ActiveScan doesn't have a version out for Vista quite yet. What else should we do?
Precast
Note: This Scanner is for Internet Explorer Only!
Zero for two. F-Secure doesn't support Vista either. I tried to run the scanner anyway and it just gave me an error. Wanna try another?
Precast
KASPERSKY ONLINE SCANNER REPORT Sunday, June 17, 2007 9:27:59 PM
Operating System: Microsoft Windows Vista Home Edition, (Build 6000)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 18/06/2007
Kaspersky Anti-Virus database records: 347847
Scan Settings
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target: Critical Areas
C:\Windows
C:\Users\owner\AppData\Local\Temp\
Scan Statistics
Total number of scanned objects: 40601
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:19:56
Infected Object Name Virus Name Last Action
C:\Windows\bthservsdp.dat Object is locked skipped
C:\Windows\Debug\PASSWD.LOG Object is locked skipped
C:\Windows\Debug\sam.log Object is locked skipped
C:\Windows\Debug\WIA\wiatrace.log Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WindowsUpdate.log Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\SoftwareDistribution\EventCache\{00EBDA65-6F7F-4180-834B-645D8CC97BB0}.bin Object is locked skipped
C:\Windows\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\catroot2\edb.log Object is locked skipped
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\config\COMPONENTS Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped
C:\Windows\System32\config\DEFAULT Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped
C:\Windows\System32\config\RegBack\COMPONENTS Object is locked skipped
C:\Windows\System32\config\RegBack\DEFAULT Object is locked skipped
C:\Windows\System32\config\RegBack\SAM Object is locked skipped
C:\Windows\System32\config\RegBack\SECURITY Object is locked skipped
C:\Windows\System32\config\RegBack\SOFTWARE Object is locked skipped
C:\Windows\System32\config\RegBack\SYSTEM Object is locked skipped
C:\Windows\System32\config\SAM Object is locked skipped
C:\Windows\System32\config\SAM.LOG1 Object is locked skipped
C:\Windows\System32\config\SAM.LOG2 Object is locked skipped
C:\Windows\System32\config\SECURITY Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped
C:\Windows\System32\config\SOFTWARE Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped
C:\Windows\System32\config\SYSTEM Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
C:\Windows\System32\config\systemprofile\AppData\Roaming\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{4a38025b-feb0-11db-9dbb-001636e2812d}.TxR.0.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{4a38025b-feb0-11db-9dbb-001636e2812d}.TxR.1.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{4a38025b-feb0-11db-9dbb-001636e2812d}.TxR.2.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{4a38025b-feb0-11db-9dbb-001636e2812d}.TxR.blf Object is locked skipped
C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped
C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTm.blf Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000001 Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000002 Object is locked skipped
C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped
C:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped
C:\Windows\System32\wbem\repository\INDEX.BTR Object is locked skipped
C:\Windows\System32\wbem\repository\MAPPING1.MAP Object is locked skipped
C:\Windows\System32\wbem\repository\MAPPING2.MAP Object is locked skipped
C:\Windows\System32\wbem\repository\OBJECTS.DATA Object is locked skipped
C:\Windows\System32\WDI\LogFiles\WdiContextLog.etl.002 Object is locked skipped
C:\Windows\System32\wfp\wfpdiag.etl Object is locked skipped
C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Media Center.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\ODiag.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\OSession.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped
C:\Windows\Tasks\SCHEDLGU.TXT Object is locked skipped
C:\Windows\WindowsUpdate.log Object is locked skipped
C:\Users\owner\AppData\Local\Temp\ehmsas.txt Object is locked skipped
Scan process completed.
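Reading a report like the two above by hand is tedious: the Anti-Virus event log mixes detections, postponed objects and deletions for the same file (with the path in different case each time), and the online scanner's list of "Object is locked skipped" entries is almost entirely registry hives, event logs and trace files that a running Vista system always holds open. The following triage helper is an added example, not code from this thread or from Kaspersky. It assumes the two line shapes seen above ("<date> <time> File <path>: <verdict>." and "<path> Object is locked skipped"); the "expected locked" categories are my own assumption about which files are normally locked, and the sample lines are constructed to resemble the logs, not copied from them.

```python
"""Triage helper for the two Kaspersky log layouts quoted in this thread.

Added example: not code from the thread, its helpers or Kaspersky. The
regexes assume the line shapes seen in the thread; the EXPECTED_LOCKED
categories are an assumption about what a live Vista system keeps open.
"""
import re
from collections import Counter

# Constructed sample lines modelled on the thread's logs (not copied verbatim).
SAMPLE_LOG = r"""
5/19/2007 9:37:00 PM File C:\Users\owner\Documents\personal\saver.exe//WISE0019.BIN: detected adware 'not-a-virus:AdWare.Win32.EZula.l'.
5/19/2007 9:37:00 PM Security threats have been detected. You are advised to neutralize them immediately.
5/19/2007 9:37:00 PM File C:\Users\owner\Documents\personal\saver.exe//WISE0019.BIN: is still infected, postponed.
5/19/2007 9:42:48 PM File c:\users\owner\documents\personal\saver.exe: deleted.
5/19/2007 9:33:34 PM File C:\Users\owner\Desktop\Install Files\setup.exe//WISE0020.BIN/main.bmp: is password protected.
5/19/2007 9:50:10 PM File C:\Users\owner\AppData\Local\Temp\dropper.tmp.exe: detected Trojan program 'Trojan-Downloader.Win32.Alphabet.gen'.
C:\Windows\System32\config\SAM Object is locked skipped
C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT Object is locked skipped
C:\Users\owner\AppData\Local\Temp\ehmsas.txt Object is locked skipped
C:\Users\owner\AppData\Local\Temp\update.tmp.exe Object is locked skipped
"""

# "<date> <time> File <path>: <verdict>."  (Anti-Virus event log)
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) File (?P<path>.+?): (?P<verdict>.+?)\.?$"
)
# "<path> Object is locked skipped"  (online scanner)
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
# verdict text of a detection: "detected adware 'name'" / "detected Trojan program 'name'"
DETECT_RE = re.compile(r"^detected (?P<kind>[\w ]+?) '(?P<name>[^']+)'$")

# Assumed categories of objects a running system normally holds open (checked in order).
EXPECTED_LOCKED = (
    ("registry transaction log", re.compile(r"\.(regtrans-ms|blf)$", re.I)),
    ("registry hive", re.compile(r"\\system32\\config\\|\\ntuser\.dat", re.I)),
    ("event log", re.compile(r"\\winevt\\logs\\[^\\]+\.evtx$", re.I)),
    ("trace or log file", re.compile(r"\.(log|etl|evm)$", re.I)),
)


def classify_locked(path):
    """Label a skipped object; anything outside the known categories is 'unexpected'."""
    for label, pattern in EXPECTED_LOCKED:
        if pattern.search(path):
            return label
    return "unexpected"


def container_path(path):
    """Drop the archive member ('//WISE0019.BIN') and case so hits and deletions line up."""
    return path.split("//", 1)[0].lower()


def triage(log_text):
    detections = {}        # container path -> set of verdict names
    deleted = set()        # container paths for which a 'deleted' action was logged
    other_actions = Counter()
    locked = []            # (path, category) for skipped objects
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOCKED_RE.match(line)
        if m:
            locked.append((m.group("path"), classify_locked(m.group("path"))))
            continue
        m = EVENT_RE.match(line)
        if not m:
            continue       # status chatter such as "Security threats have been detected."
        base, verdict = container_path(m.group("path")), m.group("verdict")
        d = DETECT_RE.match(verdict)
        if d:
            detections.setdefault(base, set()).add(d.group("name"))
        elif verdict == "deleted":
            deleted.add(base)
        else:
            other_actions[verdict] += 1
    return {
        "detections": detections,
        "unremediated": sorted(p for p in detections if p not in deleted),
        "other_actions": dict(other_actions),
        "locked_expected": [p for p, c in locked if c != "unexpected"],
        "locked_unexpected": [p for p, c in locked if c == "unexpected"],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The useful output is the two short lists: "unremediated" (files that were detected but never logged as deleted, so still need attention) and "locked_unexpected" (skipped objects that are not hives, event logs or traces, which is where a locked temp executable would show up). On the real report above, everything under System32\config, winevt\Logs and the service profiles falls into the expected categories and can be ignored.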