Hi,
Thank you... I had a slight problem running SDFix in safe mode... something completely disabled the mouse (I kept going using the keyboard) & there were approximately 50-75 (!!) identical pop-ups during that scan that read "SDFix SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers. Virtual Device Driver format in the registry is invalid. Choose 'Close' to terminate the application." I opted for 'close' thinking I would reboot and try again, but it kept running the scan.
And... I am seeing some improvement. :) Our system is becoming much more stable... the affected accounts still have blue desktops but the actual yellow banner warning of infection is gone. The display settings on the accounts are still missing some tabs (desktop & screen saver). The computer printer no longer works though it is directly attached, but it is accessible over the network oddly. When I search for "spyware" in a browser, it no longer shuts all open programs down. On certain websites I am getting a nagging pop-up to install Adobe Flash Player Installer, from Adobe? This is new, so am guessing one of the probs was through flash somewhere? And QuickLaunch through windows settings no longer disappears from the taskbar at every login.
I still am not sure where this originated... I'm fairly certain it came from my teen who also says 2 of her friends have the exact same problem (bugs/blue screen), and they think it came from either myspace or flickr.com? I've noticed it all over this forum lately, though.
Here are the logs:
SDFix: Version 1.192
Run by CHRISTOPHER on Sat 06/14/2008 at 09:20 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
No Trojan Files Found
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 21:38:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:3c1a819c
"s2"=dword:8638b1e3
"h0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:9b,76,e5,12,87,80,cc,96,69,dd,90,c5,0c,34,9f,53,cf,bb,95,fc,97,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:d3,b1,4f,ee,d2,9a,3e,2b,70,f3,99,e8,47,e1,cb,2e,15,c8,22,0c,4c,..
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:9b,76,e5,12,87,80,cc,96,69,dd,90,c5,0c,34,9f,53,cf,bb,95,fc,97,..
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\WINDOWS\\system32\\MediaServerDump\\LiveUpdate\\OLUpdate.exe"="C:\\WINDOWS\\system32\\MediaServerDump\\LiveUpdate\\OLUpdate.exe:*:Enabled:Media Server LiveUpdate"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\\Program Files\\D-Link Media Server\\MediaGUI.exe"="C:\\Program Files\\D-Link Media Server\\MediaGUI.exe:*:Enabled:D-Link_MediaServerGUI"
"C:\\Program Files\\D-Link Media Server\\MediaServer.exe"="C:\\Program Files\\D-Link Media Server\\MediaServer.exe:*:Enabled:D-Link_MediaServer"
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"="C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe:*:Disabled:CyberLink PowerDVD"
"C:\\WINDOWS\\system32\\dlcqcoms.exe"="C:\\WINDOWS\\system32\\dlcqcoms.exe:*:Enabled:Lexmark Communications System"
"C:\\Program Files\\Pidgin\\pidgin.exe"="C:\\Program Files\\Pidgin\\pidgin.exe:*:Enabled:Pidgin"
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe"="C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe:*:Enabled:Kaspersky Internet Security 7.0 Setup"
"C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files :
Files with Hidden Attributes :
Finished!
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, June 15, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, June 15, 2008 01:21:30
Records in database: 864606
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
Scan statistics:
Files scanned: 130004
Threat name: 3
Infected objects: 259
Suspicious objects: 12
Duration of the scan: 02:33:54
File name / Threat name / Threats count
C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\auctions259 Infected: Trojan-Spy.HTML.Bayfraud.ib 30
C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\Inbox28 Infected: Trojan-Spy.HTML.Bayfraud.ib 11
C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\Inbox28 Infected: Trojan-Spy.HTML.Paylap.by 1
C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\Inbox28 Suspicious: Trojan-Spy.HTML.Fraud.gen 3
C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\Inbox428 Infected: Trojan-Spy.HTML.Bayfraud.ib 11
C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\Inbox428 Infected: Trojan-Spy.HTML.Paylap.by 1
C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\Inbox428 Suspicious: Trojan-Spy.HTML.Fraud.gen 3
C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\Inbox62 Infected: Trojan-Spy.HTML.Bayfraud.ib 4
C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\mine391 Infected: Trojan-Spy.HTML.Bayfraud.ib 3
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr-1.com\Inbox Infected: Trojan-Spy.HTML.Bayfraud.ib 4
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr-1.com\Inbox.sbd\mine Infected: Trojan-Spy.HTML.Bayfraud.ib 3
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr.com\Inbox Infected: Trojan-Spy.HTML.Bayfraud.ib 11
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr.com\Inbox Infected: Trojan-Spy.HTML.Paylap.by 1
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr.com\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 3
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr.com\Inbox.sbd\auctions Infected: Trojan-Spy.HTML.Bayfraud.ib 30
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr.com\Inbox.sbd\auctions.sbd\infanttoddlerclothing Infected: Trojan-Spy.HTML.Bayfraud.ib 1
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr.com\Inbox.sbd\auctions.sbd\mine Infected: Trojan-Spy.HTML.Bayfraud.ib 8
C:\Documents and Settings\GENEVIEVE\My Documents\misc\Thunderbird 1.5 en-US - 2006-01-13.pcv Infected: Trojan-Spy.HTML.Bayfraud.ib 57
C:\Documents and Settings\GENEVIEVE\My Documents\misc\Thunderbird 1.5 en-US - 2006-01-13.pcv Infected: Trojan-Spy.HTML.Paylap.by 1
C:\Documents and Settings\GENEVIEVE\My Documents\misc\Thunderbird 1.5 en-US - 2006-01-13.pcv Suspicious: Trojan-Spy.HTML.Fraud.gen 3
C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\Mail\pop-server.san.rr-1.com\Inbox.sbd\mine Infected: Trojan-Spy.HTML.Bayfraud.ib 3
C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\Mail\pop-server.san.rr.com\Inbox.sbd\auctions Infected: Trojan-Spy.HTML.Bayfraud.ib 30
C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\Mail\pop-server.san.rr.com\Inbox.sbd\auctions.sbd\infanttoddlerclothing Infected: Trojan-Spy.HTML.Bayfraud.ib 1
C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\Mail\pop-server.san.rr.com\Inbox.sbd\auctions.sbd\mine Infected: Trojan-Spy.HTML.Bayfraud.ib 7
C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\pop-server.san.rr-1.com\Inbox.sbd\mine Infected: Trojan-Spy.HTML.Bayfraud.ib 3
C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\pop-server.san.rr.com\Inbox.sbd\auctions Infected: Trojan-Spy.HTML.Bayfraud.ib 30
C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\pop-server.san.rr.com\Inbox.sbd\auctions.sbd\infanttoddlerclothing Infected: Trojan-Spy.HTML.Bayfraud.ib 1
C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\pop-server.san.rr.com\Inbox.sbd\auctions.sbd\mine Infected: Trojan-Spy.HTML.Bayfraud.ib 7
The selected area was scanned.
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:48:54 AM, on 6/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://drudgereport.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [dlcqmon.exe] "C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe"
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
--
End of file - 4652 bytes