
Hijacked from Paypal; Viewpoint keeps reinstalling

This is a discussion on Hijacked from Paypal; Viewpoint keeps reinstalling within the Inactive Malware Help Topics forums, part of the Tech Support Forum category.


Old 02-23-2007, 08:40 PM   #21
Registered Member
 
Join Date: Feb 2007
Posts: 58
OS: XP


Blech!!!! Look what I just found in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
C:\WINDOWS\system32\windir32.exe the data shows it as enabled

This is a new entry, isn't it?

I am suspicious still of the HP stuff, which is in the same folder. I have some file, HP Cue Status that asked to access the internet on feb 19th 2007 and I haven't had the HP installed since last October or November!

marlaj
Old 02-24-2007, 04:51 AM   #22
TSF Team, Emeritus
 
Join Date: Nov 2006
Posts: 207
OS: WinXP Pro


STEP 1.
======
SDFix

Also download SDFix.zip
and save it to the Desktop.

Right click the SDFix.zip folder
Select: Extract All to extract it to its own folder on the Desktop.

====
Start the computer in Safe Mode :
-When the machine first starts again, tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
-Select the option for Safe Mode using the arrow keys.
-Press Enter to boot into Safe Mode.

====
Open the SDFix folder on the Desktop, and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
The process removes any Trojan Services or Registry Entries found, and then prompts you to press any key to Reboot.

Press any key to restart the PC.
When the PC restarts, SDFix will run again and complete the removal process.
It then displays Finished.
Press any key to end the script and load the Desktop icons.

Once the Desktop icons load, the SDFix report opens on screen and saves itself in the SDFix folder as Report.txt.

STEP 2.
======
Please do another Kaspersky scan; the Anti-Virus database should be Extended this time.

Please perform an online scan with Internet Explorer at
http://www.kaspersky.com/service?chapter=161739400

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      Extended
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

**Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

STEP 3.
======
Create a new folder on the desktop.
Copy the contents of this next code box to Notepad.
Name the file inspect.bat
Save as Type: All files
Save in that new folder on the desktop.

Double click on inspect.bat and let it run.
When finished it will open a file in Notepad.
That file will be named lsa.txt
Please save lsa.txt to post the content in your next reply

Code:
@echo off
rem Export each registry key of interest to its own REGEDIT4 text file,
rem then join the exports into lsa.txt and open it in Notepad.
if not exist files mkdir files

regedit /a /e files\2.txt HKEY_CURRENT_USER\Software\Microsoft\OLE
regedit /a /e files\3.txt HKEY_CURRENT_USER\System\CurrentControlSet\Control\Lsa
regedit /a /e files\4.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
regedit /a /e files\5.txt HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
regedit /a /e files\6.txt HKEY_USERS\DEFAULT\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA
regedit /a /e files\7.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
regedit /a /e files\8.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center"
regedit /a /e files\9.txt HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
regedit /a /e files\10.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
regedit /a /e files\11.txt HKEY_LOCAL_MACHINE\SOFTWARE\Policies\WindowsFirewall
regedit /a /e files\12.txt HKEY_CURRENT_USER\SOFTWARE\Policies\WindowsFirewall
regedit /a /e files\13.txt HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters
regedit /a /e files\14.txt HKEY_LOCAL_MACHINE\SYSTEM\Services\SharedAccess

rem copy with a wildcard source and a single destination file concatenates the exports
copy files\*.txt lsa.txt
rmdir /s /q files
start notepad lsa.txt

STEP 4.
======
Please reply with the results from:
  • The Report.txt in SDFix folder
  • The log from Kaspersky
  • the contents of lsa.txt

__________________
Proud member of ASAP since 2005

If you feel we've helped you, Please donate to the forum
Susan528
Old 02-24-2007, 02:20 PM   #23
Registered Member
 
Join Date: Feb 2007
Posts: 58
OS: XP



I messed up and didn't do the extended Kaspersky scan. I will post the results I have so far but will go back and do the last two steps again. Sorry.

SDFix report:
SDFix: Version 1.68

Run by Administrator - Sat 02/24/2007 @ 14:25:32.93

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:

Path:


Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found...




ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Disabled:AOL Instant Messenger"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\system32\\windir32.exe"="C:\\WINDOWS\\system32\\windir32.exe:*:Enabled:windir32"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1127327071\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1127327071\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


Remaining Files:
---------------



Checking For Files with Hidden Attributes :

C:\Documents and Settings\Marla\NetHood\Stem_Cell_Research on camr.ctsg.com\Desktop.ini
C:\Program Files\America Online 9.0\aolphx.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\America Online 9.0\RBM.exe
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp
C:\Documents and Settings\Marla\My Documents\~WRL0245.tmp
C:\Documents and Settings\Marla\My Documents\~WRL1904.tmp
C:\Documents and Settings\Marla\My Documents\~WRL3899.tmp
C:\Documents and Settings\Marla\My Documents\AATemple\AATemple Talk\Feb 2006\~WRL0002.tmp
C:\Documents and Settings\Marla\My Documents\AATemple\AATemple Talk\September2006\~WRL4076.tmp
C:\Documents and Settings\Marla\My Documents\AATemple\Bake sale\~WRL2554.tmp
C:\Documents and Settings\Marla\My Documents\AATemple\Calendar\~WRL3444.tmp
C:\Documents and Settings\Marla\My Documents\AATemple\Directory\~WRL2081.tmp
C:\Documents and Settings\Marla\My Documents\AATemple\Directory\~WRL3932.tmp
C:\Documents and Settings\Marla\My Documents\AATemple\Isaac\~WRL3716.tmp
C:\Documents and Settings\Marla\My Documents\AATemple\Sunday School\~WRL3296.tmp
C:\Documents and Settings\Marla\My Documents\AATemple\Sunday School\~WRL3578.tmp
C:\Documents and Settings\Marla\My Documents\AATemple\Yahrzeit\~WRL0399.tmp
C:\Documents and Settings\Marla\My Documents\AATemple\Yahrzeit\~WRL0640.tmp
C:\Documents and Settings\Marla\My Documents\Beats\~WRL0141.tmp
C:\Documents and Settings\Marla\My Documents\Beats\~WRL0534.tmp
C:\Documents and Settings\Marla\My Documents\Beats\~WRL2889.tmp
C:\Documents and Settings\Marla\My Documents\Coal plant\Lit\~WRL0001.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\0838e3ca46c974d22be0ec664b800381\BIT7.tmp

Add/Remove Programs List:

Ad-Aware SE Personal
Adobe Shockwave Player
Adobe Download Manager 2.0 (Remove Only)
AOL Toolbar 2.0
AOL Uninstaller (Choose which Products to Remove)
AOL You've Got Pictures Screensaver
AOL Coach Version 1.0(Build:20040229.1 en)
AVG Anti-Spyware 7.5
CCleaner (remove only)
Conexant HSF V92 56K RTAD Speakerphone PCI Modem
EPSON Photo Print
FileSpecs plug-in for Ad-Aware SE
HexDump plug-in for Ad-Aware SE
HijackThis 1.99.1
HP Solution Center & Imaging Support Tools 5.3
OCR Software by I.R.I.S 7.0
Microsoft Internationalized Domain Names Mitigation APIs
Windows Internet Explorer 7
iPod for Windows 2005-03-23
iTunes
QuickTime
Kaspersky Online Scanner
LSP Explorer plug-in for Ad-Aware SE
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Nero OEM
Nero Suite
Nero Digital
Microsoft National Language Support Downlevel APIs
Nero Media Player
NVIDIA Windows 2000/XP Display Drivers
OE/W Messengerctrl plug-in for Ad-Aware SE
Panda ActiveScan
PhoneTree2100
Pure Networks Port Magic
RealPlayer Basic
Shockwave
Adobe Flash Player 9 ActiveX
EPSON SMART PANEL for Scanner
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Learn2 Player (Uninstall Only)
TextBridge Pro 8.0
Tweak-SE plug-in for Ad-Aware SE
Viewpoint Media Player
McAfee VirusScan
VX2 Cleaner plug-in for Ad-Aware SE
Windows Genuine Advantage Validation Tool
Windows XP Service Pack 2
ZoneAlarm
ZSoft Uninstaller 2.3.4
Macromedia Flash Player
CP_Package_Variety1
Dell Printer Software
Microsoft Picture It! Publishing 2001
HP Software Update
CP_Package_Variety3
Google Toolbar for Internet Explorer
J2SE Runtime Environment 5.0 Update 3
Intellisyncr for AOL
Google Earth
iPod for Windows 2005-03-23
iTunes
Sony USB Driver
Windows Genuine Advantage v1.3.0254.0
WebReg
eSupportQFolder
DocProcQFolder
Microsoft Office XP Professional
Microsoft Publisher 2002
QuickTime
EPSON TWAIN 5
Windows Defender Signatures
Adobe Reader 7.0.8
ScanSoft PDF Create! 3.0
Windows Defender
Spy Sweeper
CP_Package_Variety2
First Step Guide
Microsoft .NET Framework 1.1
SUPERAntiSpyware Free Edition
Dell ResourceCD
HPProductAssistant
SolutionCenter
ImageMixer VCD2
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HP Image Zone Express

Finished

The regular Kaspersky scan... I will go back after posting and run it again.

KASPERSKY ONLINE SCANNER REPORT
Saturday, February 24, 2007 4:01:28 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 24/02/2007
Kaspersky Anti-Virus database records: 257825
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 60994
Number of viruses found: 0
Number of infected objects: 0 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:51:35

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Marla\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Marla\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Marla\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Marla\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Marla\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Marla\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Marla\Local Settings\History\History.IE5\MSHist012007022420070225\index.dat Object is locked skipped
C:\Documents and Settings\Marla\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Marla\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Marla\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Marla\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Marla\UserData\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.mst Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{AB69C2F3-D531-40A9-BF94-92DC5E475A10}\RP1611\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\ETHEL.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT0386e.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT03871.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


And now the lsa.txt from inspect.bat:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments]
"ScanWithAntiVirus"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{17492023-C23A-453E-A040-C7C580BBF700}"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,69,70,6e,61,74,68,6c,70,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
"DoNotAllowExceptions"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Disabled:AOL Instant Messenger"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\system32\\windir32.exe"="C:\\WINDOWS\\system32\\windir32.exe:*:Enabled:windir32"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1127327071\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1127327071\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,\
14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,\
00,00,05,12,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,00,\
00,05,04,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\
5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\
5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
"EnableDCOM"="Y"
"MachineLaunchRestriction"=hex:01,00,04,80,48,00,00,00,58,00,00,00,00,00,00,00,\
14,00,00,00,02,00,34,00,02,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
00,01,00,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,\
00,00,00,00,05,20,00,00,00,20,02,00,00
"MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\
14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\
00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\
00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST]
"System.EnterpriseServices.Thunk.dll"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,65,72,62,65,72,6f,73,00,6d,73,76,31,5f,30,00,73,\
63,68,61,6e,6e,65,6c,00,77,64,69,67,65,73,74,00,00
"LsaPid"=dword:00000248
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
"ImpersonatePrivilegeUpgradeToolHasRun"=dword:00000001

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,69,6e,64,6f,77,73,20,4e,54,20,41,63,63,65,73,73,20,\
50,72,6f,76,69,64,65,72,00,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,6e,74,6d,61,72,74,61,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Audit]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:ca,22,0f,a2,99,93,1f,dc,85,98,c9,08,0a,4c,44,af,35,34,64,64,34,\
33,32,63,00,68,07,00,01,00,00,00,dc,00,00,00,e0,00,00,00,48,fa,06,00,97,55,\
5a,74,04,00,00,00,a0,fd,06,00,b8,fd,06,00,7a,03,5d,4c

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:f6,cd,87,dc,53,93,3f,1b,53

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:b6,f3,ab,0a,60,a3

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\msv1_0]
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:21,d8,63,7a,c3,5f,2e,1f,b5,8b,c0,38,80,8d,52,bf

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:34,9b,4a,5d,79,6b,c5,01

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,d9,4a,94,f8,79,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,d9,4a,94,f8,79,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:80,6f,e3,94,f8,79,c4,01
"Type"=dword:00000031

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center]
"FirstRun"=dword:00000001

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableRegistryTools"=dword:00000000



Hope this reveals something...or not? I wish I understood it all more. Is there anything in here that is providing some insight?

Many thanks again,
Marla

PS Windir32.exe is still there. Think I should be unplugging the internet and disabling restore when I fix this stuff or are we still fact finding?
Thanks for your patience.
__________________
marlaj is offline  
Old 02-24-2007, 03:28 PM   #24
Registered Member
 
Join Date: Feb 2007
Posts: 58
OS: XP



It detected Smitfraudfix as infected and suspicious. What's up with all the locked files? And, by the way, I haven't done the Smitfraudfix yet but have it ready and have done a few scans.

Many thanks again. Here's the log:

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 61127
Number of viruses found: 1
Number of infected objects: 7 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:51:14

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Marla\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Marla\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Marla\Desktop\SmitfraudFix\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Marla\Desktop\SmitfraudFix\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Marla\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Marla\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Marla\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Marla\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Marla\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Marla\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Marla\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Marla\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Marla\Local Settings\History\History.IE5\MSHist012007022420070225\index.dat Object is locked skipped
C:\Documents and Settings\Marla\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Marla\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Marla\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Marla\UserData\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.mst Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{AB69C2F3-D531-40A9-BF94-92DC5E475A10}\RP1603\A0093373.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{AB69C2F3-D531-40A9-BF94-92DC5E475A10}\RP1611\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\ETHEL.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT0386e.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT03871.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
__________________
marlaj is offline  
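Marla's question about the locked files is not answered later in the thread, so here is an added example (my own, not part of the original posts and not anything from Kaspersky) that sorts a report in this format into what actually matters. "Object is locked skipped" means the scanner could not open the file because Windows had it in use: the registry hives under system32\config and the per-user NTUSER.DAT / UsrClass.dat, the .Evt event logs, and Internet Explorer's index.dat files show up this way on every live XP system, and none of them is a detection. The not-a-virus:RiskTool hits are SmitfraudFix's own Reboot.exe (inside the zip, inside the self-extracting exe, and the System Restore copy under _restore{...}), flagged as a risk tool because it reboots the machine, not because it is malware. The sample log below is constructed from lines in the report above plus one made-up detection line to exercise the "real detection" branch; the path and name on that line do not come from the thread.

```python
"""Triage of a Kaspersky online-scanner report in the format pasted above.
Added example, not part of the original thread and not Kaspersky's tooling."""
import re

# Constructed sample: a handful of lines in the shape of the report above.
# The constructed-sample.exe line is made up solely to exercise the
# "real detection" branch; nothing in the thread reports that file or name.
SAMPLE_LOG = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\Documents and Settings\Marla\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Marla\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Marla\Desktop\SmitfraudFix\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Marla\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{AB69C2F3-D531-40A9-BF94-92DC5E475A10}\RP1603\A0093373.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\WINDOWS\system32\constructed-sample.exe Infected: Constructed.Sample.Detection skipped
Scan process completed.
"""

LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
DETECT_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\w+)$")
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<kind>\w+): infected - (?P<count>\d+) (?P<action>\w+)$")

# Paths where a not-a-virus:RiskTool hit is expected: the cleanup tool's own
# reboot helper and System Restore's copies of it. Assumption for this example.
EXPECTED_RISKWARE = ("\\smitfraudfix", "\\system volume information\\_restore")


def locked_kind(path):
    """Rough bucket for a locked path: which kind of always-in-use file is it?"""
    low = path.lower()
    if low.endswith(".evt"):
        return "event log"
    if "\\system32\\config\\" in low or low.endswith(
            ("ntuser.dat", "ntuser.dat.log", "usrclass.dat", "usrclass.dat.log")):
        return "registry hive"
    if low.endswith("index.dat"):
        return "IE index"
    return "other in-use file"


def triage(log_text):
    """Split report lines into locked noise, archive summaries, expected riskware,
    unexplained riskware, real detections and anything the regexes did not match."""
    result = {"locked": [], "containers": [], "expected_riskware": [],
              "riskware": [], "malware": [], "unparsed": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Infected Object Name", "Scan ")):
            continue
        m = LOCKED_RE.match(line)
        if m:
            result["locked"].append((m.group("path"), locked_kind(m.group("path"))))
            continue
        m = DETECT_RE.match(line)
        if m:
            path, name = m.group("path"), m.group("name")
            if name.startswith("not-a-virus:"):
                low = path.lower()
                bucket = "expected_riskware" if any(f in low for f in EXPECTED_RISKWARE) else "riskware"
            else:
                bucket = "malware"
            result[bucket].append((path, name))
            continue
        m = CONTAINER_RE.match(line)
        if m:
            # Archive summary lines only restate hits already listed for their members.
            result["containers"].append((m.group("path"), m.group("kind"), int(m.group("count"))))
            continue
        result["unparsed"].append(line)
    return result


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(bucket, len(items))
```

Only the "malware" and "riskware" buckets need a human to look at them; on the log above both come out empty, which is what Susan's later reading of the thread also concludes.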
Old 02-24-2007, 04:14 PM   #25
TSF Team, Emeritus
 
Join Date: Nov 2006
Posts: 207
OS: WinXP Pro


Yes, I see that the windir32.exe is still there. The name is present in registry entries. It shows that you were infected but scans do not find the actual file in existence. I am trying to determine if you really have anything malicious and still active lingering on your system or just remnants of the past infection.
__________________



Proud member of ASAP since 2005

If you feel we've helped you, Please donate to the forum
Susan528 is offline  
Old 02-24-2007, 05:51 PM   #26
TSF Team, Emeritus
 
Join Date: Nov 2006
Posts: 207
OS: WinXP Pro


======
Regscan

Please download RegScan.
Within RegScan.zip you will find the file regscan.vbs
You may have to allow this script to run or disable anti-spyware again in order for it to run.
A window will open titled RegFinder.vbs and you will see a place to input search terms.
Please enter the search terms:
windir32
After the search has completed a window titled Results.txt will open.
Please copy the results and post(reply) back.

==============
What is this? I tried to find information about it.
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp
__________________
Susan528 is offline  
Old 02-24-2007, 05:59 PM   #27
Registered Member
 
Join Date: Feb 2007
Posts: 58
OS: XP



Thanks for helping. I have tried to remove LimeWire on numerous occasions and it keeps coming back. Also, the Windir keeps changing locations which doesn't seem to bode well. Should I try a removal program? They are, evidently, two different but closely related worms. Also, I guess there are some other clues, maybe, about disabling my antivirus? regedit from the lsa scan?

I would also like to begin uninstalling the HP stuff. Would that be alright? Should I use something special?

Thanks,
Marla, who needs to get on with her work but wants to be safe. : )

Oh I just saw your new reply. Thanks for giving me something to do about this! : )
__________________
marlaj is offline  
Old 02-24-2007, 06:15 PM   #28
Registered Member
 
Join Date: Feb 2007
Posts: 58
OS: XP



Wow, I wonder what this is also. It appears to be a communication system with lots of channels in it and the ability to override the firewall. Where should I submit it? I have no idea what it came in with. I will search a file change for that date.

Life is interesting.

Marla
__________________
marlaj is offline  
Old 02-24-2007, 06:31 PM   #29
TSF Team, Emeritus
 
Join Date: Nov 2006
Posts: 207
OS: WinXP Pro


Let's see if we can find out more about that file lock.tmp

Please do the following:

http://www.thespykiller.co.uk/forum/index.php?board=1.0

Please go to the link above and scroll down so that you see the board with the headings -subjects, started by, replies, etc. You will see a tab “New Topic” at the right. Please click the “New Topic” tab.

Then scroll down. Please enter your name and email address.
Copy and paste “Analysis of lock.tmp file” into the Subject line.

Copy and paste the following link into the box.
http://www.techsupportforum.com/secu...tml#post803506

You will see the “Attach” below and click the “Browse” button and navigate to the following file on your computer:
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp

Then please Click “Post”.

Please let me know if you were able to do this.
__________________
Susan528 is offline  
Old 02-24-2007, 07:43 PM   #30
Registered Member
 
Join Date: Feb 2007
Posts: 58
OS: XP



I think GTec is associated with AOL's coach program, which I can't seem to find. I use AOL for work.

Here are the RegScans that I did. I took the liberty of also doing SearchAssistant and LimeWire searches:

Windows Registry Editor Version 5.00

; Regscan.vbs Version: 1.2 by rand1038

; 2/24/2007 9:24:34 PM
; Search Term(s) Used: "windir32"
; 4 matches were found.
; The search took 41 seconds.


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\windir32.exe"="C:\\WINDOWS\\system32\\windir32.exe:*:Enabled:windir32"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\windir32.exe"="C:\\WINDOWS\\system32\\windir32.exe:*:Enabled:windir32"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\windir32.exe"="C:\\WINDOWS\\system32\\windir32.exe:*:Enabled:windir32"

[HKEY_USERS\S-1-5-21-1220945662-1500820517-725345543-1004\Software\Microsoft\Search Assistant\ACMru\5603]
"014"="windir32"

Windows Registry Editor Version 5.00

; Regscan.vbs Version: 1.2 by rand1038

; 2/24/2007 9:30:10 PM
; Search Term(s) Used: "Search Assistant"
; 27 matches were found.
; The search took 34 seconds.


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47C6C527-6204-4F91-849D-66E234DEE015}]
@="Search Assistant Control"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9461b922-3c5a-11d2-bf8b-00c04fb93661}]
@="Search Assistant OC"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B791A095-A4AC-4312-8894-5B7E8FF5B3CD}]
@="Search Assistant Tip Service"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SrchUI.SearchAssistant]
@="Search Assistant Control"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SrchUI.SearchAssistant.1]
@="Search Assistant Control"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{ECA4E801-17AE-4863-9F5C-AF4047AABEE0}\1.0]
@="Search Assistant 1.0 Type Library"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Search Assistant]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Search Assistant]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Search Assistant]

[HKEY_USERS\S-1-5-21-1220945662-1500820517-725345543-1004\Software\Microsoft\Search Assistant]

[HKEY_USERS\S-1-5-21-1220945662-1500820517-725345543-1004\Software\Microsoft\Search Assistant\ACMru]

[HKEY_USERS\S-1-5-21-1220945662-1500820517-725345543-1004\Software\Microsoft\Search Assistant\ACMru\5603]

[HKEY_USERS\S-1-5-21-1220945662-1500820517-725345543-1004\Software\Microsoft\Search Assistant\ACMru\5604]

[HKEY_USERS\S-1-5-21-1220945662-1500820517-725345543-1004\Software\Microsoft\Search Assistant\Tips]

[HKEY_USERS\S-1-5-21-1220945662-1500820517-725345543-1004\Software\Microsoft\Search Assistant\Tips\SrchAssCtl]

[HKEY_USERS\S-1-5-21-1220945662-1500820517-725345543-1004\Software\Microsoft\Search Assistant\Tips\SrchAssCtl\fa0]

[HKEY_USERS\S-1-5-21-1220945662-1500820517-725345543-1004\Software\Microsoft\Search Assistant\Tips\SrchAssCtl\fa1]

[HKEY_USERS\S-1-5-21-1220945662-1500820517-725345543-1004\Software\Microsoft\Search Assistant\Tips\SrchAssCtl\fa2]

[HKEY_USERS\S-1-5-21-1220945662-1500820517-725345543-1004\Software\Microsoft\Search Assistant\Tips\SrchAssCtl\fa4]

[HKEY_USERS\S-1-5-21-1220945662-1500820517-725345543-1004\Software\Microsoft\Search Assistant\Tips\SrchAssCtl\fa5]

[HKEY_USERS\S-1-5-21-1220945662-1500820517-725345543-1004\Software\Microsoft\Search Assistant\Tips\SrchAssCtl\fa6]

[HKEY_USERS\S-1-5-21-1220945662-1500820517-725345543-1004\Software\Microsoft\Search Assistant\Tips\SrchAssCtl\fa8]

[HKEY_USERS\S-1-5-21-1220945662-1500820517-725345543-1004\Software\Microsoft\Search Assistant\Tips\SrchAssCtl\fa9]

[HKEY_USERS\S-1-5-21-1220945662-1500820517-725345543-1004\Software\Microsoft\Search Assistant\Tips\SrchAssCtl\faa]

[HKEY_USERS\S-1-5-21-1220945662-1500820517-725345543-1004\Software\VB and VBA Program Settings\CCleaner\Options]
"(App)Search Assistant Autocomplete"="True"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Search Assistant]

Windows Registry Editor Version 5.00

; Regscan.vbs Version: 1.2 by rand1038

; 2/24/2007 9:32:35 PM
; Search Term(s) Used: "LimeWire"
; 5 matches were found.
; The search took 40 seconds.


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\LimeWire\\LimeWire.exe"="LimeWire"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\LimeWire\\LimeWire.exe"="LimeWire"


I didn't know what else to look for but these are problems including that there is no program file for LimeWire.

I will also do the above.

Marla
__________________
marlaj is offline  
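The Regscan results above (windir32, LimeWire) and the Security Center fragment posted earlier are all .reg export text, so they can be triaged offline without touching the box again. The following is an added example of my own, not regscan.vbs and not part of the thread: it parses .reg text, picks out the firewall exceptions under SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (on XP SP2 each value is "path:scope:Enabled|Disabled:display name", and an Enabled entry for a file that no longer exists is exactly the leftover Susan describes), flags Security Center values that have been set to 1 (the *DisableNotify and *Override values are what malware flips to silence the shield; DisableMonitoring under Monitoring\<Vendor> is normally written by that vendor's own product, here Zone Labs), and answers the same substring query regscan.vbs does. The sample export is constructed from entries quoted in the thread; the exists argument is injectable so the file-present check can run against an export taken from another machine.

```python
"""Triage of a Windows .reg export (regedit / Regscan.vbs output) for the
indicators discussed in this thread. Added example, not the thread's own
tooling and not regscan.vbs."""
import os
import re

# Constructed excerpt in .reg export format, assembled from entries quoted in
# the thread (firewall exceptions, Security Center flags, a search-MRU hit).
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\windir32.exe"="C:\\WINDOWS\\system32\\windir32.exe:*:Enabled:windir32"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_USERS\S-1-5-21-1220945662-1500820517-725345543-1004\Software\Microsoft\Search Assistant\ACMru\5603]
"014"="windir32"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')
FW_LIST_SUFFIX = "\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\authorizedapplications\\list"


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash.
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg(text):
    """Yield (key, value_name, data) triples. dword data becomes an int,
    quoted strings are unescaped, hex blobs are left as their raw text."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            continue  # hex continuation lines and anything unrecognised
        name = m.group("name")
        name = "(Default)" if name == "@" else _unescape(name[1:-1])
        data = m.group("data")
        if data.startswith("dword:"):
            data = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        yield key, name, data


def firewall_exceptions(entries, exists=os.path.exists):
    """XP SP2 stores each exception as 'path:scope:Enabled|Disabled:name'.
    rsplit keeps the drive-letter colon inside the path. 'exists' is injectable
    so the check can be run against an export from another machine."""
    found = []
    for key, name, data in entries:
        if not key.lower().endswith(FW_LIST_SUFFIX) or not isinstance(data, str):
            continue
        parts = data.rsplit(":", 3)
        if len(parts) != 4:
            continue
        path, scope, mode, label = parts
        found.append({"key": key, "path": path, "scope": scope, "label": label,
                      "enabled": mode.lower() == "enabled",
                      "file_present": exists(path)})
    return found


def security_center_flags(entries):
    """Security Center values set to 1. *DisableNotify / *Override are the ones
    malware flips ('high'); Monitoring\\<Vendor>\\DisableMonitoring is normally
    set by that vendor's own product ('info')."""
    flags = []
    for key, name, data in entries:
        if "\\microsoft\\security center" not in key.lower() or data != 1:
            continue
        if name.endswith("DisableNotify") or name.endswith("Override"):
            flags.append((key, name, "high"))
        elif name == "DisableMonitoring":
            flags.append((key, name, "info"))
    return flags


def search(entries, term):
    """Case-insensitive substring search over key path, value name and string
    data: the same kind of query Regscan.vbs answers."""
    t = term.lower()
    return [(k, n, d) for k, n, d in entries
            if t in k.lower() or t in n.lower() or (isinstance(d, str) and t in d.lower())]


if __name__ == "__main__":
    found = list(parse_reg(SAMPLE_REG))
    for e in firewall_exceptions(found):
        print("firewall exception", e["path"], "enabled" if e["enabled"] else "disabled",
              "present" if e["file_present"] else "MISSING")
    print(security_center_flags(found))
    print(search(found, "windir32"))
```

An Enabled exception whose file is missing is harmless on its own, but it is the kind of trace that tells you the program once ran with the firewall opened for it; deleting the value under every ControlSetNNN as well as CurrentControlSet is what stops it "moving" when the machine boots from a different control set.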
Old 02-24-2007, 08:05 PM   #31
Registered Member
 
Join Date: Feb 2007
Posts: 58
OS: XP



I submitted it to spykiller. I also submitted it and several other files from that group to Virustotal and got a clean report.

I found a couple with packers; I asked you what that meant. Is it significant? Should I search for other files?

I have CWshredder, etc.

Marla
__________________
marlaj is offline  
Old 02-24-2007, 08:45 PM   #32
Registered Member
 
Join Date: Feb 2007
Posts: 58
OS: XP


Here's the other searchassistant:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchAssistantOC.SearchAssistantOC\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchAssistantOC.SearchAssistantOC\CurVer]
@="SearchAssistantOC.SearchAssistantOC.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchAssistantOC.SearchAssistantOC.1]
@="SearchAssistantOC"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchAssistantOC.SearchAssistantOC.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SrchUI.SearchAssistant]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SrchUI.SearchAssistant\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SrchUI.SearchAssistant.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SrchUI.SearchAssistant.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SrchUI.SearchAssistant.1\CurVer]
@="SrchUI.SearchAssistant.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://www.google.com/ie"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\180searchassistant.com]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\180searchassistant.com\www]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\180searchassistant.com]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\180searchassistant.com\www]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\180searchassistant.com]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\180searchassistant.com\www]

[HKEY_USERS\S-1-5-21-1220945662-1500820517-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\180searchassistant.com]

[HKEY_USERS\S-1-5-21-1220945662-1500820517-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\180searchassistant.com\www]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\180searchassistant.com]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\180searchassistant.com\www]

And for worm:
Windows Registry Editor Version 5.00

; Regscan.vbs Version: 1.2 by rand1038

; 2/24/2007 10:47:23 PM
; Search Term(s) Used: "worm"
; 25 matches were found.
; The search took 34 seconds.


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0E6AE021-0C83-11D2-8CD4-00104BC75D9A}]
@="IDXTMetaWormHole"
"Log#013"="2/24/2007 7:18:14 PM - Components: [mcvsshld.exe-8,0,0,15][mcvsrte.exe-8,0,0,12][mcvsctl.dll-8,0,0,20][mcmnhdlr.exe-8,0,0,12][edisk.dll-8,0,0,12][vsoupd.dll-8,0,0,12][ashldres.dll-8,0,0,12][vsoui.dll-8,0,0,40][mcvsmap.exe-8,0,0,12][vsowow.dll-8,0,0,26][mcvsskt.dll-8,0,0,30][mcvsescn.exe-8,0,0,30][emscnres.dll-8,0,0,30][mcvsworm.dll-8,0,0,12][wormres.dll-8,0,0,20][mcvsscrp.dll-8,0,0,25][scrpres.dll-8,0,0,26][mcvsshl.dll-8,0,0,15][shlres.dll-8,0,0,12][mcavtsub.dll-8,0,0,12][outscan.dll-8,0,0,14][outscres.dll-8,0,0,14][mcvsftsn.exe-8,0,0,20][ftscnres.dll-8,0,0,22][vscfgui.dll-8,0,0,41][vsagntui.dll-8,0,0,13][splash.dll-8,0,0,20][vsoremui.dll-8,0,0,23][vso.adf-2834][EngineVer-5.1.00][DatVer-4.0.4968][extra.dat--1][804mbd1.img--1][NaiFiltr.sys-6,0,0,100][mcshield.exe-6,0,0,100][ntclient.dll-6,0,0,100][naiann.dll-6,0,0,100][naievent.dll-6,0,0,100][ScanServ.dll-6,0,0,100][mccomctl.dll-8,0,0,14][vsobuild-8045]"
"Log#014"="2/24/2007 7:18:14 PM - GET-url: '/apps/vso/en-us/vso8/chkupd.asp?affid=103' GET-PostData: 'appid=vso&app_code=vso&perpetual=0&trial=0&accnt_id=mjmarantz&settings=20070821&sysdate=20070224&OS=6&IE=7,0,5730,11&Version=4.2&ManualMode=0&mcvsshld.exe=8,0,0,15&mcvsrte.exe=8,0,0,12&mcvsctl.dll=8,0,0,20&mcmnhdlr.exe=8,0,0,12&edisk.dll=8,0,0,12&vsoupd.dll=8,0,0,12&ashldres.dll=8,0,0,12&vsoui.dll=8,0,0,40&mcvsmap.exe=8,0,0,12&vsowow.dll=8,0,0,26&mcvsskt.dll=8,0,0,30&mcvsescn.exe=8,0,0,30&emscnres.dll=8,0,0,30&mcvsworm.dll=8,0,0,12&wormres.dll=8,0,0,20&mcvsscrp.dll=8,0,0,25&scrpres.dll=8,0,0,26&mcvsshl.dll=8,0,0,15&shlres.dll=8,0,0,12&mcavtsub.dll=8,0,0,12&outscan.dll=8,0,0,14&outscres.dll=8,0,0,14&mcvsftsn.exe=8,0,0,20&ftscnres.dll=8,0,0,22&vscfgui.dll=8,0,0,41&vsagntui.dll=8,0,0,13&splash.dll=8,0,0,20&vsoremui.dll=8,0,0,23&vso.adf=2834&EngineVer=5.1.00&DatVer=4.0.4968&extra.dat=-1&804mbd1.img=-1&NaiFiltr.sys=6,0,0,100&mcshield.exe=6,0,0,100&ntclient.dll=6,0,0,100&naiann.dll=6,0,0,100&naievent.dll=6,0,0,100&ScanServ.dl"
"Log#053"="2/24/2007 2:55:12 PM - Components: [mcvsshld.exe-8,0,0,15][mcvsrte.exe-8,0,0,12][mcvsctl.dll-8,0,0,20][mcmnhdlr.exe-8,0,0,12][edisk.dll-8,0,0,12][vsoupd.dll-8,0,0,12][ashldres.dll-8,0,0,12][vsoui.dll-8,0,0,40][mcvsmap.exe-8,0,0,12][vsowow.dll-8,0,0,26][mcvsskt.dll-8,0,0,30][mcvsescn.exe-8,0,0,30][emscnres.dll-8,0,0,30][mcvsworm.dll-8,0,0,12][wormres.dll-8,0,0,20][mcvsscrp.dll-8,0,0,25][scrpres.dll-8,0,0,26][mcvsshl.dll-8,0,0,15][shlres.dll-8,0,0,12][mcavtsub.dll-8,0,0,12][outscan.dll-8,0,0,14][outscres.dll-8,0,0,14][mcvsftsn.exe-8,0,0,20][ftscnres.dll-8,0,0,22][vscfgui.dll-8,0,0,41][vsagntui.dll-8,0,0,13][splash.dll-8,0,0,20][vsoremui.dll-8,0,0,23][vso.adf-2834][EngineVer-5.1.00][DatVer-4.0.4968][extra.dat--1][804mbd1.img--1][NaiFiltr.sys-6,0,0,100][mcshield.exe-6,0,0,100][ntclient.dll-6,0,0,100][naiann.dll-6,0,0,100][naievent.dll-6,0,0,100][ScanServ.dll-6,0,0,100][mccomctl.dll-8,0,0,14][vsobuild-8045]"
"Log#054"="2/24/2007 2:55:12 PM - GET-url: '/apps/vso/en-us/vso8/chkupd.asp?affid=103' GET-PostData: 'appid=vso&app_code=vso&perpetual=0&trial=0&accnt_id=mjmarantz&settings=20070821&sysdate=20070224&OS=6&IE=7,0,5730,11&Version=4.2&ManualMode=0&mcvsshld.exe=8,0,0,15&mcvsrte.exe=8,0,0,12&mcvsctl.dll=8,0,0,20&mcmnhdlr.exe=8,0,0,12&edisk.dll=8,0,0,12&vsoupd.dll=8,0,0,12&ashldres.dll=8,0,0,12&vsoui.dll=8,0,0,40&mcvsmap.exe=8,0,0,12&vsowow.dll=8,0,0,26&mcvsskt.dll=8,0,0,30&mcvsescn.exe=8,0,0,30&emscnres.dll=8,0,0,30&mcvsworm.dll=8,0,0,12&wormres.dll=8,0,0,20&mcvsscrp.dll=8,0,0,25&scrpres.dll=8,0,0,26&mcvsshl.dll=8,0,0,15&shlres.dll=8,0,0,12&mcavtsub.dll=8,0,0,12&outscan.dll=8,0,0,14&outscres.dll=8,0,0,14&mcvsftsn.exe=8,0,0,20&ftscnres.dll=8,0,0,22&vscfgui.dll=8,0,0,41&vsagntui.dll=8,0,0,13&splash.dll=8,0,0,20&vsoremui.dll=8,0,0,23&vso.adf=2834&EngineVer=5.1.00&DatVer=4.0.4968&extra.dat=-1&804mbd1.img=-1&NaiFiltr.sys=6,0,0,100&mcshield.exe=6,0,0,100&ntclient.dll=6,0,0,100&naiann.dll=6,0,0,100&naievent.dll=6,0,0,100&ScanServ.dl"

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee.com\VirusScan Online\Customize\Alerts\WormStopper]

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee.com\VirusScan Online\Customize\Options\AdvWormStopper]

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee.com\VirusScan Online\Installer]
"VSOLog122"="UpdateRegConfig: RegObfuscate$$HKLM\\SOFTWARE\\McAfee.com\\VirusScan Online\\Customize\\Options\\AdvWormStopper$$dword:0"
"VSOLog123"="UpdateRegConfig: RegObfuscate$$HKLM\\SOFTWARE\\McAfee.com\\VirusScan Online\\Customize\\Options\\AdvWormStopper$$dword:1"
"VSOLog124"="UpdateRegConfig: RegObfuscate$$HKLM\\SOFTWARE\\McAfee.com\\VirusScan Online\\Customize\\Options\\AdvWormStopper$$dword:1"
"VSOLog125"="UpdateRegConfig: RegObfuscate$$HKLM\\SOFTWARE\\McAfee.com\\VirusScan Online\\Customize\\Options\\AdvWormStopper$$dword:1"
"VSOLog126"="UpdateRegConfig: RegObfuscate$$HKLM\\SOFTWARE\\McAfee.com\\VirusScan Online\\Customize\\Options\\AdvWormStopper$$dword:65576"
"VSOLog127"="UpdateRegConfig: RegObfuscate$$HKLM\\SOFTWARE\\McAfee.com\\VirusScan Online\\Customize\\Options\\AdvWormStopper$$dword:73221"
"VSOLog138"="UpdateRegConfig: RegObfuscate$$HKLM\\SOFTWARE\\McAfee.com\\VirusScan Online\\Customize\\Options\\AdvWormStopper$$dword:1"
"VSOLog143"="UpdateRegConfig: RegObfuscate$$HKLM\\SOFTWARE\\McAfee.com\\VirusScan Online\\Customize\\Alerts\\WormStopper$$dword:0"
"VSOLog152"="DoDefaultSettings: Getting the WormStopperEnable(1) property : 0"
"VSOLog153"="DoDefaultSettings: Getting the WormStopperPatternMatch(1) property : 0"
"VSOLog154"="DoDefaultSettings: Getting the WormStopperRCMon(65556) property : 0"
"VSOLog155"="DoDefaultSettings: Getting the WormStopperSTMon(73221) property : 0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ScsiPort\SpecialTargetList\WormYAMAHA__CDR100__________]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ScsiPort\SpecialTargetList\WormYAMAHA__CDR102__________]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\ScsiPort\SpecialTargetList\WormYAMAHA__CDR100__________]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\ScsiPort\SpecialTargetList\WormYAMAHA__CDR102__________]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ScsiPort\SpecialTargetList\WormYAMAHA__CDR100__________]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ScsiPort\SpecialTargetList\WormYAMAHA__CDR102__________]
__________________
marlaj is offline  
Old 02-25-2007, 11:42 AM   #33
TSF Team, Emeritus
 
Join Date: Nov 2006
Posts: 207
OS: WinXP Pro


Hi marlaj

Tony Klein posted that the lock.exe file is most likely not malware related. So far we have found registry entries with the names of applications and files that no longer exist but are evidence that your computer was infected.

You do not have the Limewire program and the windir32.exe file present on your computer.

I am working on a way to clean up those registry entries.

You asked about Packers. Submitting files to Jotti does return information if files contained packers. I understand that there are applications called "packers" that are used to compress/condense data so that it takes up less space. It can also make data more difficult to determine if it is malware infected or not. Just because packers were used does not mean the file is bad.

The search for "worm" gave me similar results on my system.
__________________
Susan528 is offline  
Old 02-25-2007, 11:59 AM   #34
Registered Member
 
Join Date: Feb 2007
Posts: 58
OS: XP


Thanks so much, Susan. What about the searchassistant stuff? That is not as worrisome, I take it? I think the wormyamaha thing is something about how the CD drive works more than anything else. I do find limewire listed in the registry under programs. I work on another computer and Norton is there and despite our best efforts to delete it, including using special tools, it is re-establishing itself. I was worried that is the case with windir32.exe, especially since when I delete one registry listing it changes locations. What's up with that?

So you think I am fairly safe? Can I start trying to delete these entries? What about smitfraud thing? Should I let it try to repair the winnint file that it says is infected or might be infected?

Many thanks for all your kind attention.

Marla
__________________
marlaj is offline  
Old 02-25-2007, 05:51 PM   #35
Registered Member
 
Join Date: Feb 2007
Posts: 58
OS: XP



I decided to go through and look at the files that were most active in the last day, for example, especially considering the movement of windir32.exe to different locations in the directory, the return of that registry cleaner program and such. I looked for those files not part of the programs we have been using. I looked for files that were responding to what we were doing. I also noticed some eventhandler items in the registry with Curve files? I am not sure if they have anything to do with it, but I became interested in events.

The wbem files seem to be the most active. I submitted both dll and log files and it was the log file that turned out to be the most revealing.

http://fileinfo.prevx.com/fileinfo.a...915--NTEVT.log. It's a polymorphic trojan, not located where I thought it would be. I am going to keep submitting them to virus total. Should I download prevx and clean it?

Marla
__________________
marlaj is offline  
Old 02-25-2007, 07:45 PM   #36
TSF Team, Emeritus
 
Join Date: Nov 2006
Posts: 207
OS: WinXP Pro


I am waiting for someone to review the registry fix.

Let's try another scan, not that I expect to find anything after the Kaspersky scan, but more clean scans provide better statistics that the malware is gone.

======
Bitdefender Scan

Go here
and do the BitDefender online virus scan.
  • Click "I Agree" to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Leave the scanning options at default and press "Click here to scan" to begin the scan.
  • Please refrain from using the computer until the scan is finished.
  • When the scan is finished, click on "Click here to export the scan results".
  • Save the report to your desktop, then come back here and post the results in your next reply.

=============
Quote:
I submitted both dll and log files and it was the log file that turned out to be the most revealing
So did you submit a file to Jotti and get results back that it was malware? What was the file?

Also you can test your firewall here. Let me know the results please.
http://www.hackerwatch.org/probe

Let me know about the BitDefender scan, information about the files you are referring to, and the result of the firewall test.
__________________



Proud member of ASAP since 2005

If you feel we've helped you, Please donate to the forum
Susan528 is offline  
Old 02-25-2007, 09:41 PM   #37
Registered Member
 
Join Date: Feb 2007
Posts: 58
OS: XP



From my previous post:


http://fileinfo.prevx.com/fileinfo.a...915 NTEVT.log. It's a polymorhpic trojan, not located where I thought it would be. I am going to keep submitting them to virus total. Should I download prevx and clean it?

Yes, Virus Total found it, a polymorphic trojan.

Marla
__________________
marlaj is offline  
Old 02-25-2007, 11:11 PM   #38
Registered Member
 
Join Date: Feb 2007
Posts: 58
OS: XP



The firewall tested out completely secure.

Bit Defender, just like last time, almost got done and then the little timer appeared and it and IE shut down. It didn't detect anything.


I did notice, however, that Kaspersky wasn't able to scan some of the files I individually submitted to Virus Total. They were packed and perhaps some engines are better at analyzing the packed files than others. Bit Defender did say there were, I think, something like 1600 or more packed files.

Marla
__________________
marlaj is offline  
Old 02-26-2007, 03:34 AM   #39
TSF Team, Emeritus
 
Join Date: Nov 2006
Posts: 207
OS: WinXP Pro


Backup the registry:

STEP 1.
======
Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Then, go to start-->run

and type this in:
notepad

Paste this into the box:
Here is the registry fix to delete the references to Limewire and windir32.exe, and the HP things that you stated you do not use anymore.

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"=-
"C:\\WINDOWS\\system32\\windir32.exe"=-
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=-
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=-
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=-
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=-
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=-
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=-
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=-
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=-
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=-
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=-
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=-
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=-
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=-
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=-

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\windir32.exe"=-
"C:\\Program Files\\LimeWire\\LimeWire.exe"=-

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\windir32.exe"=-
"C:\\Program Files\\LimeWire\\LimeWire.exe"=-

[HKEY_USERS\S-1-5-21-1220945662-1500820517-725345543-1004\Software\Microsoft\Search Assistant\ACMru\5603]
"014"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\LimeWire\\LimeWire.exe"=-

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\LimeWire\\LimeWire.exe"=-

Then click on the FILE menu and select Save As.
Save the file as regfix.reg. Save the file to the desktop.
IMPORTANT: make sure to save the file as "all types" and NOT as a text file.

Now double click on regfix.reg and insert it into the registry.

After this see if you can find Limewire and windir32.exe.
================
What is this about the NTEVT.log? Are you saying that yours is infected? Also, what about the packed files?

Quote:
there were, I think, something like 1600 or more packed files.
I am sure it has been a harrowing experience having Paypal hacked, did you ever consider reformatting and installing Windows and your applications again?

Here are a couple of links which may provide you with additional valuable information:
When should I re-format? How should I reinstall?
http://www.dslreports.com/faq/10063

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

======================
Also are you still seeing the following?
Quote:
Now, as my home page is loading, several other pages, two with ads and one with about blank, load first, then after it is loaded it resets again. Maybe I am being paranoid and this makes no difference. But this is definitely different.
__________________



Proud member of ASAP since 2005

If you feel we've helped you, Please donate to the forum
Susan528 is offline  
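Before merging a .reg fix like the one in the post above, it helps to list exactly what it will change, and to check that a value removed from one control set is removed from the others too (on XP, CurrentControlSet is an alias for one ControlSetNNN, and the other ControlSetNNN is the Last Known Good configuration the machine can boot back into). The script below is an added example written for this thread; it is not a tool from the forum or from Susan528's instructions. It parses REGEDIT4 text, lists every operation it would perform, and reports any firewall-list value deleted under some control sets but not others. The sample .reg text, the app1.exe/app2.exe paths and the function names are constructed for illustration.

```python
"""Dry-run reviewer for a REGEDIT4-style .reg fix (added example, not forum code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class RegOp:
    action: str                   # "delete_key", "delete_value" or "set_value"
    key: str                      # full registry key path
    name: Optional[str] = None    # value name ("" for the default value); None for key ops
    data: Optional[str] = None    # raw data text for set_value

# [KEY] opens a key; [-KEY] deletes it.
_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
# "name"=data or @=data; data of "-" deletes the value.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
# Control-set prefix of an HKLM\SYSTEM key.
_CS_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\(.+)$",
    re.IGNORECASE,
)

def unescape(s: str) -> str:
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return s.replace("\\\\", "\\").replace('\\"', '"')

def parse_reg(text: str) -> List[RegOp]:
    """Return the operations a .reg file would perform, in file order."""
    ops: List[RegOp] = []
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and the format header.
        if (not line or line.startswith(";")
                or line.upper().startswith("REGEDIT4")
                or line.startswith("Windows Registry Editor")):
            continue
        m = _KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            current = key
            if minus:
                ops.append(RegOp("delete_key", key))
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            quoted, default, data = m.groups()
            name = "" if default else unescape(quoted)
            if data == "-":
                ops.append(RegOp("delete_value", current, name))
            else:
                ops.append(RegOp("set_value", current, name, data))
    return ops

def control_set_coverage(ops: List[RegOp]) -> Dict[Tuple[str, str], Set[str]]:
    """For each value deleted under HKLM\\SYSTEM\\<control set>\\..., return the
    control sets mentioned in the file that do NOT delete it. Only inconsistent
    entries are returned, so an empty dict means the fix is uniform."""
    seen: Set[str] = set()
    deleted: Dict[Tuple[str, str], Set[str]] = {}
    for op in ops:
        m = _CS_RE.match(op.key)
        if not m or op.action != "delete_value":
            continue
        cs, subkey = m.group(1), m.group(2).lower()
        seen.add(cs)
        deleted.setdefault((subkey, (op.name or "").lower()), set()).add(cs)
    return {k: seen - v for k, v in deleted.items() if seen - v}

# Constructed sample mirroring the structure of the fix above (not the real one).
SAMPLE_FIX = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Example\\app1.exe"=-
"C:\\Example\\app2.exe"=-

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Example\\app1.exe"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Example\\app1.exe"=-
"""

if __name__ == "__main__":
    operations = parse_reg(SAMPLE_FIX)
    for op in operations:
        print(f"{op.action:13} {op.key}  ->  {op.name!r}")
    for (subkey, name), missing in control_set_coverage(operations).items():
        print(f"WARNING: {name} under ...\\{subkey} is not removed in {sorted(missing)}")
```

Run it against the real regfix.reg text (read from disk instead of SAMPLE_FIX) to see the list of deletions before double-clicking the file; a WARNING line means one control set still keeps a firewall exception the others drop.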
Old 02-26-2007, 08:51 AM   #40
Registered Member
 
Join Date: Feb 2007
Posts: 58
OS: XP


Virus scan found it: http://fileinfo.prevx.com/fileinfo.a...915 NTEVT.log. It's a polymorphic trojan. What about the searchassist180 entries in the registry? Should we be deleting those also? I think they must be related to that other piece of adware that was found by an earlier scan. Why does Bit Defender keep shutting down and IE closing because of an error?

Marla

__________________
marlaj is offline  
Copyright 2001 - 2014, Tech Support Forum