Options
Please, im just a regular girl. I need help
I have windows XP and my computer has had numerous problems for sometime. I used to download music files and I am guessing this is how it all started. Ive done a little research. I have Micro-trend anti virus and I also have Norton. I have run spyware doctor and vundofix. all of which detect Vurtumonde,trojan downloader, and other various spyware. Spyware doctor says they are all removed.. vundofix deletes all but one; yaywtsr.dll. Eachtime I rerun these programs there are more infected files. My computer is so slow and I continue to get pop ups for malware ads. i have tried downloading hijack this but each time I try the webpage shuts off. I am just an average girl and Im not that great with computers! Can anyone rescue me??? :o Thank you in advance!!
0
Comments
Someone here will help you soon
Might be quicker to reinstall windows at this point, anything on your computer you can't afford to lose?
Let's take a look at what all is loaded there, and see about some repairs.
Please download HijackThis from Here. Then click on the downloaded file to install HijackThis. After it is installed open HijackThis and select Do a system scan and save logfile. Use copy/paste and post that log back here for review.
Also Go Here and download Silent Runners to your desktop. Run it, and post back here the log it creates. If your protective software queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify when the scan is complete. Copy the log from the Startup Programs file back here. Here are guidelines for using Silent Runners. You can use separate posts here when replying and posting the log files if needed.
Once you reach that point things get very time consuming.
My personal favorite for removing this stuff is Spybot Search and Destroy. It's never failed me. If you can get that installed and running you should be half way to getting your computer back.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:32:23 PM, on 2/27/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\SBC LightSpeed Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus7.hpwis.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://yahoo.sbc.com/dsl"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\219cedsq.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\219cedsq.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [BCNT] C:\PROGRA~1\AWS\WEATHE~1\BCNT.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - S-1-5-18 Startup: HotSync Manager.LNK = C:\Program Files\Palm\HOTSYNC.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: HotSync Manager.LNK = C:\Program Files\Palm\HOTSYNC.EXE (User 'Default user')
O4 - .DEFAULT User Startup: HotSync Manager.LNK = C:\Program Files\Palm\HOTSYNC.EXE (User 'Default user')
O4 - Startup: HotSync Manager.LNK = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC LightSpeed Self Support Tool\bin\matcli.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
--
End of file - 5874 bytes
"Silent Runners.vbs", revision 55, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NVIEW" = "rundll32.exe nview.dll,nViewLoadHook" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"BlockTracker" = "c:\hp\bin\BlockTracker.exe" [file not found]
"hpsysdrv" = "c:\windows\system\hpsysdrv.exe" ["Hewlett-Packard Company"]
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
"KBD" = "C:\HP\KBD\KBD.EXE" ["Hewlett-Packard Company"]
"StorageGuard" = ""C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r" ["VERITAS Software, Inc."]
"TkBellExe" = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot" ["RealNetworks, Inc."]
"MoneyStartUp10.0" = ""c:\Program Files\Microsoft Money\System\Activation.exe"" [MS]
"WCOLOREAL" = ""C:\Program Files\COMPAQ\Coloreal\coloreal.exe"" [null data]
"Recguard" = "C:\WINDOWS\SMINST\RECGUARD.EXE" [empty string]
"NvCplDaemon" = "RUNDLL32.EXE NvQTwk,NvCplDaemon initialize" [MS]
"nwiz" = "nwiz.exe /installquiet /keeploaded" ["NVIDIA Corporation"]
"BCNT" = "C:\PROGRA~1\AWS\WEATHE~1\BCNT.EXE" [empty string]
"PS2" = "C:\WINDOWS\system32\ps2.exe" ["Hewlett-Packard Company"]
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{13F537F0-AF09-11d6-9029-0002B31F9E59}\(Default) = "Yahoo! Companion BHO"
-> {HKLM...CLSID} = "Yahoo! Companion BHO"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll" ["Yahoo! Inc."]
{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "c:\Program Files\Microsoft Money\System\mnyviewer.dll" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealOne Player\rpshellext.dll" ["RealNetworks"]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView"
-> {HKLM...CLSID} = "SampleView"
\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\WINDOWS\Downloaded Program Files\ymmapi.dll" ["Yahoo! Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{955B7B84-5308-419c-8ED8-0B9CA3C56985}" = "America Online"
-> {HKLM...CLSID} = "America Online"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\aolshare\shell\us\shellext.dll" ["America Online, Inc."]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\WINDOWS\Downloaded Program Files\ymmapi.dll" ["Yahoo! Inc."]
Group Policies {policy setting}:
Note: detected settings may not have any effect.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Enabled Screen Saver:
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]
Startup items in "Owner" & "All Users" startup folders:
C:\Documents and Settings\Owner\Start Menu\Programs\Startup
"HotSync Manager" -> shortcut to: "C:\Program Files\Palm\HOTSYNC.EXE" ["Palm, Inc."]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Dataviz Messenger" -> shortcut to: "C:\WINDOWS\DvzCommon\DvzMsgr.exe" [null data]
"Google Updater" -> shortcut to: "C:\Program Files\Google\Google Updater\GoogleUpdater.exe -systray -startup" ["Google"]
"HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Development Company, L.P."]
"Quicken Scheduled Updates" -> shortcut to: "C:\Program Files\Quicken\bagent.exe" ["Intuit Inc."]
"SBC Self Support Tool" -> shortcut to: "C:\Program Files\SBC LightSpeed Self Support Tool\bin\matcli.exe -boot" ["Motive Communications, Inc."]
Enabled Scheduled Tasks:
"Norton Security Online - Run Full System Scan - Owner" -> launches: "C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exe /TASK:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" [file not found]
"Norton Security Scan" -> launches: "C:\Program Files\Norton Security Scan\Nss.exe /scan-full /scheduled" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" [file not found]
Winsock2 Service Provider DLLs:
Namespace Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Companion"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll" ["Yahoo! Inc."]
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Companion"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll" ["Yahoo! Inc."]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Companion"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll" ["Yahoo! Inc."]
Explorer Bars
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Messenger"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Messenger"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."]
HKLM\SOFTWARE\Classes\CLSID\{9404901D-06DA-4B23-A0EE-3EA4F64EC9B3}\(Default) = "MoneySide"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "c:\Program Files\Microsoft Money\System\mnyviewer.dll" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{2499216C-4BA5-11D5-BD9C-000103C116D5}\
"ButtonText" = "Yahoo! Login"
"MenuText" = "Yahoo! Login"
"CLSIDExtension" = "{2499216C-4BA5-11D5-BD9C-000103C116D5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ylogin.dll" ["Yahoo! Inc."]
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
"ButtonText" = "Messenger"
"MenuText" = "Yahoo! Messenger"
"CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."]
{E023F504-0C5A-4750-A1E7-A9046DEA8A21}\
"ButtonText" = "MoneySide"
"CLSIDExtension" = "{301DA1EE-F65C-4188-A417-9E915CC8FBFA}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "c:\Program Files\Microsoft Money\System\mnyviewer.dll" [MS]
Miscellaneous IE Hijack Points
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Missing lines (compared with English-language version):
[Strings]: 1 line
The Silent Runners log wasn't allowed to be completed (you may not have waited until it notified you it was done), but so far no infection is showing here. However, which method of recovery you did would impact that. What occurs when you try to access the net right now? Do you get net access itself, but no internet access with your browsers?
Here i reran silent runners here is the log.
"Silent Runners.vbs", revision 55, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NVIEW" = "rundll32.exe nview.dll,nViewLoadHook" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"BlockTracker" = "c:\hp\bin\BlockTracker.exe" [file not found]
"hpsysdrv" = "c:\windows\system\hpsysdrv.exe" ["Hewlett-Packard Company"]
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
"KBD" = "C:\HP\KBD\KBD.EXE" ["Hewlett-Packard Company"]
"StorageGuard" = ""C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r" ["VERITAS Software, Inc."]
"TkBellExe" = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot" ["RealNetworks, Inc."]
"MoneyStartUp10.0" = ""c:\Program Files\Microsoft Money\System\Activation.exe"" [MS]
"WCOLOREAL" = ""C:\Program Files\COMPAQ\Coloreal\coloreal.exe"" [null data]
"Recguard" = "C:\WINDOWS\SMINST\RECGUARD.EXE" [empty string]
"NvCplDaemon" = "RUNDLL32.EXE NvQTwk,NvCplDaemon initialize" [MS]
"nwiz" = "nwiz.exe /installquiet /keeploaded" ["NVIDIA Corporation"]
"PS2" = "C:\WINDOWS\system32\ps2.exe" ["Hewlett-Packard Company"]
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{13F537F0-AF09-11d6-9029-0002B31F9E59}\(Default) = "Yahoo! Companion BHO"
-> {HKLM...CLSID} = "Yahoo! Companion BHO"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll" ["Yahoo! Inc."]
{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "c:\Program Files\Microsoft Money\System\mnyviewer.dll" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealOne Player\rpshellext.dll" ["RealNetworks"]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView"
-> {HKLM...CLSID} = "SampleView"
\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\WINDOWS\Downloaded Program Files\ymmapi.dll" ["Yahoo! Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\WINDOWS\Downloaded Program Files\ymmapi.dll" ["Yahoo! Inc."]
Group Policies {policy setting}:
Note: detected settings may not have any effect.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Enabled Screen Saver:
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]
DESKTOP.INI DLL launch in local fixed drive directories:
D:\cmdcons\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]
D:\MiniNT\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]
D:\PRELOAD\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]
D:\i386\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]
D:\hp\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]
Startup items in "Owner" & "All Users" startup folders:
C:\Documents and Settings\Owner\Start Menu\Programs\Startup
"HotSync Manager" -> shortcut to: "C:\Program Files\Palm\HOTSYNC.EXE" ["Palm, Inc."]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Dataviz Messenger" -> shortcut to: "C:\WINDOWS\DvzCommon\DvzMsgr.exe" [null data]
"Google Updater" -> shortcut to: "C:\Program Files\Google\Google Updater\GoogleUpdater.exe -systray -startup" ["Google"]
"HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Development Company, L.P."]
"Quicken Scheduled Updates" -> shortcut to: "C:\Program Files\Quicken\bagent.exe" ["Intuit Inc."]
"SBC Self Support Tool" -> shortcut to: "C:\Program Files\SBC LightSpeed Self Support Tool\bin\matcli.exe -boot" ["Motive Communications, Inc."]
Enabled Scheduled Tasks:
"Norton Security Online - Run Full System Scan - Owner" -> launches: "C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exe /TASK:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" [file not found]
"Norton Security Scan" -> launches: "C:\Program Files\Norton Security Scan\Nss.exe /scan-full /scheduled" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" [file not found]
Winsock2 Service Provider DLLs:
Namespace Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Companion"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll" ["Yahoo! Inc."]
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Companion"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll" ["Yahoo! Inc."]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Companion"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll" ["Yahoo! Inc."]
Explorer Bars
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Messenger"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Messenger"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."]
HKLM\SOFTWARE\Classes\CLSID\{9404901D-06DA-4B23-A0EE-3EA4F64EC9B3}\(Default) = "MoneySide"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "c:\Program Files\Microsoft Money\System\mnyviewer.dll" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{2499216C-4BA5-11D5-BD9C-000103C116D5}\
"ButtonText" = "Yahoo! Login"
"MenuText" = "Yahoo! Login"
"CLSIDExtension" = "{2499216C-4BA5-11D5-BD9C-000103C116D5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ylogin.dll" ["Yahoo! Inc."]
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
"ButtonText" = "Messenger"
"MenuText" = "Yahoo! Messenger"
"CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."]
{E023F504-0C5A-4750-A1E7-A9046DEA8A21}\
"ButtonText" = "MoneySide"
"CLSIDExtension" = "{301DA1EE-F65C-4188-A417-9E915CC8FBFA}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "c:\Program Files\Microsoft Money\System\mnyviewer.dll" [MS]
Miscellaneous IE Hijack Points
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Missing lines (compared with English-language version):
[Strings]: 1 line
Print Monitors:
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
(launch time: 2008-02-27 20:45:15)
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 82 seconds.
(total run time: 207 seconds)
"Silent Runners.vbs", revision 55, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NVIEW" = "rundll32.exe nview.dll,nViewLoadHook" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"BlockTracker" = "c:\hp\bin\BlockTracker.exe" [file not found]
"hpsysdrv" = "c:\windows\system\hpsysdrv.exe" ["Hewlett-Packard Company"]
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
"KBD" = "C:\HP\KBD\KBD.EXE" ["Hewlett-Packard Company"]
"StorageGuard" = ""C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r" ["VERITAS Software, Inc."]
"TkBellExe" = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot" ["RealNetworks, Inc."]
"MoneyStartUp10.0" = ""c:\Program Files\Microsoft Money\System\Activation.exe"" [MS]
"WCOLOREAL" = ""C:\Program Files\COMPAQ\Coloreal\coloreal.exe"" [null data]
"Recguard" = "C:\WINDOWS\SMINST\RECGUARD.EXE" [empty string]
"NvCplDaemon" = "RUNDLL32.EXE NvQTwk,NvCplDaemon initialize" [MS]
"nwiz" = "nwiz.exe /installquiet /keeploaded" ["NVIDIA Corporation"]
"PS2" = "C:\WINDOWS\system32\ps2.exe" ["Hewlett-Packard Company"]
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{13F537F0-AF09-11d6-9029-0002B31F9E59}\(Default) = "Yahoo! Companion BHO"
-> {HKLM...CLSID} = "Yahoo! Companion BHO"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll" ["Yahoo! Inc."]
{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "c:\Program Files\Microsoft Money\System\mnyviewer.dll" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealOne Player\rpshellext.dll" ["RealNetworks"]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView"
-> {HKLM...CLSID} = "SampleView"
\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\WINDOWS\Downloaded Program Files\ymmapi.dll" ["Yahoo! Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\WINDOWS\Downloaded Program Files\ymmapi.dll" ["Yahoo! Inc."]
Group Policies {policy setting}:
Note: detected settings may not have any effect.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Enabled Screen Saver:
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]
DESKTOP.INI DLL launch in local fixed drive directories:
D:\cmdcons\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]
D:\MiniNT\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]
D:\PRELOAD\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]
D:\i386\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]
D:\hp\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]
Startup items in "Owner" & "All Users" startup folders:
C:\Documents and Settings\Owner\Start Menu\Programs\Startup
"HotSync Manager" -> shortcut to: "C:\Program Files\Palm\HOTSYNC.EXE" ["Palm, Inc."]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Dataviz Messenger" -> shortcut to: "C:\WINDOWS\DvzCommon\DvzMsgr.exe" [null data]
"Google Updater" -> shortcut to: "C:\Program Files\Google\Google Updater\GoogleUpdater.exe -systray -startup" ["Google"]
"HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Development Company, L.P."]
"Quicken Scheduled Updates" -> shortcut to: "C:\Program Files\Quicken\bagent.exe" ["Intuit Inc."]
"SBC Self Support Tool" -> shortcut to: "C:\Program Files\SBC LightSpeed Self Support Tool\bin\matcli.exe -boot" ["Motive Communications, Inc."]
Enabled Scheduled Tasks:
"Norton Security Online - Run Full System Scan - Owner" -> launches: "C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exe /TASK:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" [file not found]
"Norton Security Scan" -> launches: "C:\Program Files\Norton Security Scan\Nss.exe /scan-full /scheduled" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" [file not found]
Winsock2 Service Provider DLLs:
Namespace Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Companion"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll" ["Yahoo! Inc."]
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Companion"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll" ["Yahoo! Inc."]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Companion"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll" ["Yahoo! Inc."]
Explorer Bars
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Messenger"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Messenger"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."]
HKLM\SOFTWARE\Classes\CLSID\{9404901D-06DA-4B23-A0EE-3EA4F64EC9B3}\(Default) = "MoneySide"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "c:\Program Files\Microsoft Money\System\mnyviewer.dll" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{2499216C-4BA5-11D5-BD9C-000103C116D5}\
"ButtonText" = "Yahoo! Login"
"MenuText" = "Yahoo! Login"
"CLSIDExtension" = "{2499216C-4BA5-11D5-BD9C-000103C116D5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ylogin.dll" ["Yahoo! Inc."]
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
"ButtonText" = "Messenger"
"MenuText" = "Yahoo! Messenger"
"CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."]
{E023F504-0C5A-4750-A1E7-A9046DEA8A21}\
"ButtonText" = "MoneySide"
"CLSIDExtension" = "{301DA1EE-F65C-4188-A417-9E915CC8FBFA}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "c:\Program Files\Microsoft Money\System\mnyviewer.dll" [MS]
Miscellaneous IE Hijack Points
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Missing lines (compared with English-language version):
[Strings]: 1 line
Print Monitors:
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
(launch time: 2008-02-27 20:45:15)
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 82 seconds.
(total run time: 207 seconds)
all files are c:\windows\system32
awvts(2).dll
geeda(2).dll
geedb(2).dll
jkkji.dll
jkkjj.dll
nxmumavr.ini
ptrqaxnp.dll
rvamumxn.dll
tyyarhoj.dll
ueklyjto.dll
yaywtsr.dll
To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware softwares while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.
Download ComboFix.exe from here to your desktop.
Then disconnect from net access. Once you have done that click the downloaded ComboFix.exe file to run the repair.
When starting ComboFix will cause your computer's internal speakers to produce two beeps, and during the start process display two warnings. These are intended to discourage people who are not getting help in the forum from just experimenting with tools they do not understand. Just to inform you so you will understand that the procedures are expected, and okay.
ComboFix will also change the drive autoplay settings there as it's own added security measure. When we have completed all repairs here we will return the default Windows settings.
A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop, however given the infection there ComboFix will likely cause a reboot in order to complete it's repairs.
(ComboFix will also disable any screensaver settings made, so know that at some point when we complete repairs you will need to reset your screensaver)
Reconnect to net access and post back the C:\ComboFix.txt log as well as a new HijackThis log please.
ComboFix 08-02-25.3 - Owner 2008-02-28 12:30:42.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.240 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\92SKESHC\www.broadcaster.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\92SKESHC\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\92SKESHC\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\a1
C:\WINDOWS\system32\cfdcfbbbdfddebe.dll
C:\WINDOWS\system32\g2
C:\WINDOWS\system32\grpcxiqg.ini
C:\WINDOWS\system32\h1
C:\WINDOWS\system32\lrddtsno.ini
C:\WINDOWS\system32\micwatps.ini
C:\WINDOWS\system32\msdtexch.dll
C:\WINDOWS\system32\msftedswc.dll
C:\WINDOWS\system32\pkgsfkot.ini
C:\WINDOWS\system32\r2
C:\WINDOWS\system32\ttvwa.ini2
C:\WINDOWS\system32\wjvihlvk.ini
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-01-28 to 2008-02-28 )))))))))))))))))))))))))))))))
.
2008-02-28 08:29 . 2004-08-20 15:50 159,744 --a
C:\WINDOWS\system32\igfxres.dll
2008-02-28 07:27 . 2008-02-28 07:32 <DIR> d
C:\Program Files\Symantec
2008-02-28 03:13 . 2005-10-20 16:33 991,232 --a
C:\WINDOWS\system32\esent.dll
2008-02-28 03:08 . 2005-06-15 11:50 285,184 --a
C:\WINDOWS\system32\kerberos.dll
2008-02-28 03:08 . 2005-07-08 10:09 238,592 --a
C:\WINDOWS\system32\tapisrv.dll
2008-02-28 03:08 . 2004-10-28 12:06 201,216 --a--c--- C:\WINDOWS\system32\dllcache\wordpad.exe
2008-02-28 03:08 . 2005-08-22 21:51 111,104 --a
C:\WINDOWS\system32\umpnpmgr.dll
2008-02-28 03:08 . 2006-03-01 13:44 83,456 --a
C:\WINDOWS\system32\mtxoci.dll
2008-02-28 03:08 . 2004-12-07 13:34 79,872 --a--c--- C:\WINDOWS\system32\dllcache\srvsvc.dll
2008-02-28 03:08 . 2006-03-01 13:44 64,512 --a
C:\WINDOWS\system32\mtxclu.dll
2008-02-28 03:08 . 2005-06-10 17:55 53,248 --a
C:\WINDOWS\system32\spoolsv.exe
2008-02-28 03:01 . 2008-02-28 03:01 <DIR> d
C:\WINDOWS\system32\bits
2008-02-28 03:00 . 2008-02-28 07:32 <DIR> d--h
C:\WINDOWS\$hf_mig$
2008-02-28 03:00 . 2005-06-28 10:21 22,752 --a
C:\WINDOWS\system32\spupdsvc.exe
2008-02-27 22:15 . 2008-02-27 22:10 691,545 --a
C:\WINDOWS\unins000.exe
2008-02-27 22:15 . 2008-02-27 22:15 2,550 --a
C:\WINDOWS\unins000.dat
2008-02-27 22:06 . 2008-02-27 22:06 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-27 21:14 . 2007-07-30 19:19 271,224 --a
C:\WINDOWS\system32\mucltui.dll
2008-02-27 21:14 . 2007-07-30 19:19 30,072 --a
C:\WINDOWS\system32\mucltui.dll.mui
2008-02-27 18:19 . 2003-08-25 18:06 182,880 --a
C:\WINDOWS\system32\iuenginenew.dll
2008-02-27 18:17 . 2002-08-29 06:00 35,741 --a--c--- C:\WINDOWS\system32\config\systemprofile\08770877.dat
2008-02-27 18:15 . 2004-01-28 20:33 <DIR> d---s---- C:\WINDOWS\system32\config\systemprofile\UserData
2008-02-27 18:15 . 2007-11-07 12:32 <DIR> d
C:\WINDOWS\system32\config\systemprofile\Shared
2008-02-27 18:15 . 2007-11-07 12:41 <DIR> d
C:\WINDOWS\system32\config\systemprofile\Incomplete
2008-02-27 18:15 . 2007-11-07 07:57 <DIR> d
C:\WINDOWS\system32\config\systemprofile\Application Data\Yahoo!
2008-02-27 18:15 . 2006-01-26 11:40 <DIR> d
C:\WINDOWS\system32\config\systemprofile\Application Data\Walgreens
2008-02-27 18:15 . 2007-11-25 12:01 <DIR> d
C:\WINDOWS\system32\config\systemprofile\Application Data\Viewpoint
2008-02-27 18:15 . 2004-02-05 09:08 <DIR> d
C:\WINDOWS\system32\config\systemprofile\Application Data\Template
2008-02-27 18:15 . 2004-01-28 19:10 <DIR> d
C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec
2008-02-27 18:15 . 2007-06-04 12:05 <DIR> d
C:\WINDOWS\system32\config\systemprofile\Application Data\Snapfish
2008-02-27 18:15 . 2008-01-08 21:06 <DIR> d
C:\WINDOWS\system32\config\systemprofile\Application Data\PC Tools
2008-02-27 18:15 . 2008-02-27 16:10 <DIR> d
C:\WINDOWS\system32\config\systemprofile\Application Data\MSN6
2008-02-27 18:15 . 2008-01-17 11:30 <DIR> d
C:\WINDOWS\system32\config\systemprofile\Application Data\Move Networks
2008-02-27 18:15 . 2007-02-06 22:33 <DIR> d
C:\WINDOWS\system32\config\systemprofile\Application Data\Motive
2008-02-27 18:15 . 2008-02-16 13:11 <DIR> d
C:\WINDOWS\system32\config\systemprofile\Application Data\LimeWire
2008-02-27 18:15 . 2004-05-23 19:46 <DIR> d
C:\WINDOWS\system32\config\systemprofile\Application Data\Leadertech
2008-02-27 18:15 . 2008-01-31 12:28 <DIR> d
C:\WINDOWS\system32\config\systemprofile\Application Data\InterVideo
2008-02-27 18:15 . 2007-12-11 10:35 <DIR> d
C:\WINDOWS\system32\config\systemprofile\Application Data\Image Zone Express
2008-02-27 18:15 . 2007-12-04 13:30 <DIR> d
C:\WINDOWS\system32\config\systemprofile\Application Data\HP
2008-02-27 18:15 . 2004-03-18 08:17 <DIR> d--h
C:\WINDOWS\system32\config\systemprofile\Application Data\GTek
2008-02-27 18:15 . 2007-11-15 07:05 <DIR> d
C:\WINDOWS\system32\config\systemprofile\Application Data\GARMIN
2008-02-27 18:15 . 2004-04-10 07:14 <DIR> d
C:\WINDOWS\system32\config\systemprofile\Application Data\AOL
2008-02-27 18:15 . 2005-08-22 19:40 <DIR> d
C:\WINDOWS\system32\config\systemprofile\Application Data\AdobeUM
2008-02-27 18:15 . 2007-12-03 14:03 <DIR> d
C:\WINDOWS\system32\config\systemprofile\.jpi_cache
2008-02-27 18:15 . 2007-12-03 14:03 <DIR> d
C:\WINDOWS\system32\config\systemprofile\.java
2008-02-27 18:15 . 2002-08-29 02:06 51,072 --a
C:\WINDOWS\system32\drivers\i8042prt.sys
2008-02-27 18:15 . 2002-08-29 01:27 23,424 --a
C:\WINDOWS\system32\drivers\kbdclass.sys
2008-02-27 18:14 . 2001-09-04 07:09 40,960 --a
C:\WINDOWS\AolCInUn.exe
2008-02-27 18:12 . 2002-08-29 06:00 35,741 --a--c--- C:\Documents and Settings\Default User\08770877.dat
2008-02-27 18:10 . 2004-01-28 20:33 <DIR> d---s---- C:\Documents and Settings\Default User\UserData
2008-02-27 18:10 . 2007-11-07 12:32 <DIR> d
C:\Documents and Settings\Default User\Shared
2008-02-27 18:10 . 2007-11-07 12:41 <DIR> d
C:\Documents and Settings\Default User\Incomplete
2008-02-27 18:10 . 2007-12-03 14:03 <DIR> d
C:\Documents and Settings\Default User\.jpi_cache
2008-02-27 18:10 . 2007-12-03 14:03 <DIR> d
C:\Documents and Settings\Default User\.java
2008-02-27 15:19 . 2008-02-27 15:19 <DIR> d
C:\Program Files\Trymedia
2008-02-27 15:19 . 2008-02-27 15:19 <DIR> d
C:\Program Files\The Weather Channel FW
2008-02-27 15:19 . 2008-02-27 22:23 <DIR> d
C:\Program Files\Spybot - Search & Destroy
2008-02-27 15:19 . 2008-02-27 15:19 <DIR> d
C:\Program Files\Disney
2008-02-27 15:19 . 2008-02-27 15:19 <DIR> d
C:\Program Files\America Online 7.0a
2008-02-27 15:19 . 2008-02-27 15:19 <DIR> d
C:\Program Files\America Online 7.0
2008-02-27 15:18 . 2008-02-27 15:18 <DIR> d
C:\Documents and Settings\All Users\Application Data\Google Updater
2008-02-25 19:07 . 2008-02-27 15:18 <DIR> d
C:\Program Files\McAfee
2008-02-17 18:38 . 2008-02-16 19:46 85,504 --a
C:\WINDOWS\system32\VACFix.exe
2008-02-16 14:20 . 2008-02-27 08:19 78 --a
C:\WINDOWS\BMe77132ba.xml
2008-02-16 14:20 . 2008-02-19 17:13 22 --a
C:\WINDOWS\pskt.ini
2008-02-15 12:01 . 2008-02-16 13:11 <DIR> d
C:\Documents and Settings\Owner\Application Data\LimeWire
2008-02-15 12:00 . 2008-02-16 13:13 <DIR> d
C:\Program Files\LimeWire
2008-02-02 13:07 . 2008-02-02 13:07 <DIR> d
C:\Program Files\Common Files\DirectX
2008-02-02 13:07 . 2008-02-02 13:07 <DIR> d
C:\Documents and Settings\All Users\Application Data\Trymedia
2008-01-31 12:28 . 2008-01-31 12:28 <DIR> d
C:\Documents and Settings\Owner\Application Data\InterVideo
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-28 13:33
d
w C:\Program Files\Common Files\Symantec Shared
2008-02-28 13:33
d
w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-28 04:23
d
w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-28 04:12
d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-28 01:42
d
w C:\Program Files\Common Files\AOL
2008-02-28 01:39
d
w C:\Program Files\WildTangent
2008-02-28 01:39
d
w C:\Program Files\AWS
2008-02-28 00:23
d
w C:\Program Files\Trend Micro
2008-02-28 00:18 4,282 --sha-r C:\WINDOWS\system32\drivers\HP_DA238A-ABA 6450NX NA910_YC_Pres_QMX3050_E31NAheRED4_4_IMS-6577_SMICRO-STAR INTERNATIONAL CO., LTD_V020_B3.10_T030109_WXH1_L409_M504_J120_7Intel_8Pentium 4_92.53_1103300F2_N10EC8139_P_Z11C1044E_K_A808624C5_U808624C2.MRK
2008-02-28 00:15
d--h--w C:\Program Files\InstallShield Installation Information
2008-02-27 22:37
d
w C:\Program Files\2Wire
2008-02-27 22:10
d
w C:\Documents and Settings\Owner\Application Data\MSN6
2008-02-27 21:34
d
w C:\Program Files\Norton Security Scan
2008-02-27 21:19
d
w C:\Program Files\Google
2008-01-17 17:30
d
w C:\Documents and Settings\Owner\Application Data\Move Networks
2007-12-21 05:11 81,920 ----a-w C:\WINDOWS\system32\IEDFix.exe
2007-11-07 18:34 8,096 ----a-w C:\Documents and Settings\All Users\Application Data\ypinfo.bin
2006-06-09 16:21 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2002-08-29 12:00 35,741 -c--a-w C:\Documents and Settings\Owner\08770877.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2002-10-01 01:39 548933 C:\WINDOWS\system32\nview.dll]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BlockTracker"="c:\hp\bin\BlockTracker.exe" [ ]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-08-20 15:51 118784]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-06 23:56 61440]
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 10:01 155648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2002-10-29 15:41 151597]
"MoneyStartUp10.0"="c:\Program Files\Microsoft Money\System\Activation.exe" [2001-07-25 19:00 241714]
"WCOLOREAL"="C:\Program Files\COMPAQ\Coloreal\coloreal.exe" [2002-02-20 21:40 143360]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 23:42 212992]
"NvCplDaemon"="NvQTwk" []
"nwiz"="nwiz.exe" [2002-10-01 01:39 372736 C:\WINDOWS\system32\nwiz.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-07-31 22:28 81920]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-08-20 15:55 155648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 23:59 115816]
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\
HotSync Manager.LNK - C:\Program Files\Palm\HOTSYNC.EXE [2003-10-14 14:04:06 299008]
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
HotSync Manager.LNK - C:\Program Files\Palm\HOTSYNC.EXE [2003-10-14 14:04:06 299008]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Dataviz Messenger.lnk - C:\WINDOWS\DvzCommon\DvzMsgr.exe [2003-07-01 20:16:46 24576]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-01-08 21:05:09 124400]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2002-09-20 21:20:02 53248]
SBC Self Support Tool.lnk - C:\Program Files\SBC LightSpeed Self Support Tool\bin\matcli.exe [2006-11-15 10:17:52 217088]
S3 msCMTSrvc;Content Monitoring Tool;C:\WINDOWS\system32\msCMTSrvc.exe [2002-03-27 05:42]
.
Contents of the 'Scheduled Tasks' folder
"2008-02-26 02:00:00 C:\WINDOWS\Tasks\Norton Security Online - Run Full System Scan - Owner.job"
- C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exeh/TASK:
"2008-02-16 01:08:06 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
"2008-02-28 18:33:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-28 12:32:37
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-28 12:33:22
ComboFix-quarantined-files.txt 2008-02-28 18:33:14
.
2008-02-28 13:33:01 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:36:39 PM, on 2/28/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\SBC LightSpeed Self Support Tool\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus7.hpwis.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://yahoo.sbc.com/dsl"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\219cedsq.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\219cedsq.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - S-1-5-18 Startup: HotSync Manager.LNK = C:\Program Files\Palm\HOTSYNC.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: HotSync Manager.LNK = C:\Program Files\Palm\HOTSYNC.EXE (User 'Default user')
O4 - .DEFAULT User Startup: HotSync Manager.LNK = C:\Program Files\Palm\HOTSYNC.EXE (User 'Default user')
O4 - Startup: HotSync Manager.LNK = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC LightSpeed Self Support Tool\bin\matcli.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204168256359
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204168229921
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
--
End of file - 6946 bytes
Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types"
Do a search ( Start - Search/Find - Files or Folders) for the following hilighted files/folders (shown in Bold). Right click each and rename them by adding .old to the name (example - file.ini becomes file.ini.old).
C:\WINDOWS\BMe77132ba.xml
C:\WINDOWS\pskt.ini
That will keep them our of activity while we check them. Once you have done that zip copies of them (use your preferred zipping tool or right click each file - Send To - Compressed (zipped) Folder), then just send it to [noparse]jintan@cfl.rr.com[/noparse] as an attachment. Please place "Submitted Files - LaRusin" as the email Subject.
Then follow the steps here to disable SpyBot's TeaTimer.
For now let's just run a scan to check on things.
Go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).
To use the scan, accept the agreement and make sure you allow the ActiveX object to download and install (check the "yellow bar" at the top of IE if needed to allow this). Once the download has completed click Next, then Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click "My Computer" to begin the scan. Save the Report as a text file and post that back here.
To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".
Please post that log here for review. If it is large break it into parts and use separate posts.
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 01, 2008 5:43:59 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/03/2008
Kaspersky Anti-Virus database records: 592387
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
Scan Statistics:
Total number of scanned objects: 93540
Number of viruses found: 9
Number of infected objects: 44
Number of suspicious objects: 2
Duration of the scan process: 01:37:02
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ea563f5ed0b8ea72081a19b9b561dd25_14ffb3d2-05ef-4d8b-919f-a0b98e3c410d Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip/v1.8.5/wbuninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Default User\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Default User\Desktop\SmitfraudFix\SmitfraudFix\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Default User\Desktop\SmitfraudFix\SmitfraudFix\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\hp\region\EN_US-ie.reg Infected: Trojan.WinREG.StartPage skipped
C:\Program Files\SBC LightSpeed Self Support Tool\log\mpbtn.log Object is locked skipped
C:\Program Files\Spyware Doctor\NetworkLayer\InterfaceDLL.txt Object is locked skipped
C:\Program Files\Trend Micro\Antivirus\QUARANTINE\16.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Antivirus\QUARANTINE\18.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Trend Micro\Antivirus\QUARANTINE\2E.tmp Infected: Trojan-Spy.Win32.BZub.bun skipped
C:\Program Files\Trend Micro\Antivirus\QUARANTINE\30.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cfdcfbbbdfddebe.dll.vir Infected: Trojan-Downloader.Win32.Agent.gyy skipped
C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1\A0000642.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ixd skipped
C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1\A0000643.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ixd skipped
C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1\A0000644.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1\A0000645.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1\A0000646.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ixd skipped
C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1\A0000648.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1\A0000649.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1\A0000650.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1\A0000651.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1\A0000652.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP1\A0000653.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP66\A0002066.dll Infected: Trojan-Downloader.Win32.Agent.gyy skipped
C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP67\change.log Object is locked skipped
C:\VundoFix Backups\awvts(2).dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ixd skipped
C:\VundoFix Backups\geeda(2).dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ixd skipped
C:\VundoFix Backups\geedb(2).dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\jkkji(2).dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\jkkjj(2).dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ixd skipped
C:\VundoFix Backups\pmkjg.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\ptrqaxnp.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\rvamumxn.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\tyyarhoj.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\ueklyjto.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\uhfkcckk.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\vfovdbva.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\yaywtsr.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{80118C2F-0418-4B2B-99A7-47A8CA628B5D}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\WINDOWS\system32\config\systemprofile\Desktop\SmitfraudFix\SmitfraudFix\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\WINDOWS\system32\config\systemprofile\Desktop\SmitfraudFix\SmitfraudFix\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\msCMTsrvc.exe Infected: Trojan-Downloader.Win32.Presario skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP67\change.log Object is locked skipped
F:\Apps\sst\VNC\MotVNC.exe/WISE0008.BIN Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
F:\Apps\sst\VNC\MotVNC.exe/WISE0009.BIN Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
F:\Apps\sst\VNC\MotVNC.exe WiseSFX: infected - 2 skipped
Scan process completed.
Quite a few checks and balances in our open forums like this to keep from anyone with bad intent from leading folks astray. But in areas like IRC chat rooms that might be a different matter entirely, so in those type scenarios caution is a good idea.
The Kaspersky scan looks good - mostly normally locked system functions, some infection already removed in various steps done, some tools we use misidentified as bad, and for the same reason a notice that that MotVNC software there has some VNC capabilities.
I have not yet received those files. Are you able to locate them?