Thread: Computer sending email
View Single Post
Old 10-03-2006, 08:31 PM   #7 (permalink)
exploreman
Registered User
 
Join Date: Sep 2006
Posts: 8
OS: xp


Nearly Clean?
Thanks POADB for your help. If my children want to continue using the IPOD should I keep them off of Limewire? Kazaa? What do you recommend for a virus scan since we were already using McAfee.

Here are the logs.

Kaspersky Scan
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, October 03, 2006 1049 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 4/10/2006
Kaspersky Anti-Virus database records: 228607
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 102276
Number of viruses found: 1
Number of infected objects: 1 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:08:03

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\SpamKiller\Logs\Filtering.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd002.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\VSO\OASLogs\OAS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall\data\hwcache.xdb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\27201e3c91d1c28374264a784f83cb10_1d22649d-6752-4c82-b006-229dc42bac19 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\52ba6f937b9b266d3c2b7de3e72f3847_1d22649d-6752-4c82-b006-229dc42bac19 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\HP_Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Musicmatch\Jukebox\mmjbaltlog.txt Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Musicmatch\Jukebox\mmjblog.txt Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Musicmatch\Jukebox\Portables.log Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Musicmatch\MIM\Database\Default.ldb Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Musicmatch\MIM\Database\Default.mdb Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\History\History.IE5\MSHist012006100320061004\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\CMLS--2006-10-03--19-42-35.log Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\JETA13C.tmp Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Perflib_Perfdata_1e0.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\_hphtra07.log Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\HP_Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Kay Bee\Local Settings\Temp\hsperfdata_Kay Bee\6968 Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\hp\bin\KillWind.exe Infected: not-a-virus:RiskTool.Win32.PsKill.p skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{C53C9A72-7D1F-4C0F-8858-5C976595E97B}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{B4B5A763-FD1A-4364-9B82-A28150DDBB04}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\sqlite_qXRL80iQPpbT9V8 Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Combofix

HP_Administrator - 06-10-03 22:08:33.70 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\HJT\combofix"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\All Users\Documents\Settings


((((((((((((((((((((((((((((((( Files Created from 2006-09-03 to 2006-10-03 ))))))))))))))))))))))))))))))))))


2006-09-26 19:42 <DIR> d-------- C:\WINDOWS\McAfee.com


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-02 15:11 -------- d-------- C:\Program Files\QuickTime
2006-10-02 15:08 -------- d-------- C:\Program Files\Messenger
2006-10-02 15:07 -------- d-------- C:\Program Files\iTunes
2006-10-02 15:07 -------- d-------- C:\Program Files\Internet Explorer
2006-10-02 15:04 -------- d-------- C:\Program Files\Google
2006-10-02 15:03 -------- d-------- C:\Program Files\Common Files\System
2006-10-02 15:02 -------- d-a------ C:\Program Files\Common Files\LightScribe
2006-10-02 11:31 -------- d-------- C:\Program Files\Common Files
2006-10-02 11:24 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-09-29 08:57 -------- d-------- C:\Program Files\Java
2006-09-27 12:41 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-26 15:55 4812 --a------ C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2006-09-26 09:12 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-25 21:53 68247 --a------ C:\Documents and Settings\HP_Administrator\Application Data\PatchUpdate_HP_CounterReport_Update_HPSU.log
2006-09-13 16:10 -------- d-------- C:\Program Files\McAfee.com
2006-08-31 14:03 -------- d-------- C:\Program Files\Outlook Express
2006-08-31 14:01 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-08-31 12:44 -------- d-------- C:\Program Files\Hewlett-Packard
2006-08-30 13:11 -------- d-------- C:\Program Files\Lavasoft
2006-08-23 22:32 -------- d-------- C:\Program Files\Microsoft Games
2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 05:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-12 13:57 -------- d-------- C:\Documents and Settings\HP_Administrator\Application Data\McAfee.com Personal Firewall
2006-08-12 13:53 -------- d-------- C:\Program Files\McAfee
2006-08-11 13:01 -------- d-------- C:\Program Files\Adobe
2006-08-11 13:01 -------- d-------- C:\Documents and Settings\HP_Administrator\Application Data\InterTrust
2006-08-05 15:55 -------- d---s---- C:\Documents and Settings\HP_Administrator\Application Data\Microsoft
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Aim6"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"High Definition Audio Property Page Shortcut"="HDAShCut.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"Persistence"="C:\\WINDOWS\\system32\\igfxpers.exe"
"HPHUPD08"="c:\\Program Files\\HP\\Digital Imaging\\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\\hphupd08.exe"
"HPBootOp"="\"C:\\Program Files\\Hewlett-Packard\\HP Boot Optimizer\\HPBootOp.exe\" /run"
"SMSERIAL"="sm56hlpr.exe"
"HP Software Update"=hex(2):43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,\
48,50,5c,48,50,20,53,6f,66,74,77,61,72,65,20,55,70,64,61,74,65,5c,48,50,77,\
75,53,63,68,64,32,2e,65,78,65,00
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~1\\mimboot.exe"
"MMTray"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe\""
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1136851029\\ee\\AOLSoftware.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"MSKAGENTEXE"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskAgent.exe"
"MSKDetectorExe"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MSKDetct.exe /startup"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"!ewido"="\"C:\\HJT\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://www.runehq.com/images/monsterdb/jailguard5ix.gif"
"SubscribedURL"="http://www.runehq.com/images/monsterdb/jailguard5ix.gif"
"FriendlyName"=""
"Flags"=dword:00002001
"Position"=hex:2c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,e8,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:14,6d,b0,02,41,c0,b4,74,08,40,80,01,68,de,b0,02,20,6d,\
b0,02,73,61,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,ae,02,00,00,ea,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,9e,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,9e,03,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061002-113045-817
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
backup-20060929-093751-929
O21 - SSODL: udBVxhcj - {9421B6D8-3E8B-1C72-81A5-AD3093A6DE3E} - C:\WINDOWS\system32\vxr.dll (file missing)
backup-20060929-093751-412
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
backup-20060929-093751-715
O4 - HKCU\..\Run: [cfd3fda6.exe] C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\cfd3fda6.exe
backup-20060929-093751-632
O4 - Startup: Backyard Skateboarding Registration.lnk = C:\Documents and Settings\HP_Administrator\Local Settings\Temp\{8F722C94-13EA-43E6-A920-5110A1A32B21}\{37003C6E-DC86-4233-B5CE-665D82DFA7EB}\ATR1.EXE

Completion time: Tue 10/03/2006 22:09:09.04
ComboFix.txt
exploreman is offline