calirz

i have been trying to get Deckard's to run so i can post my log for a suspected keylogger. I cant get it to get past backing up registy hives and then i get the error pop-up. any suggestions so i can get this to work?

Ried

Hello calirz and welcome,

Run dss.exe again, but use these instructions:

Click Start>Select 'Run' - then copy/paste the following text into the run box & click OK

"%userprofile%\desktop\dss.exe" /config

In the dialog box that appears:

Look to the lower right under the Options heading, and uncheck Backup Registry Hives.

Click Scan!

Post the main.txt and extra.txt it produces.

__________________

Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

calirz

i did that and now it goes into the error pop-up the minute it starts to clean. what am i doing wrong that i cant get it to run?

Ried

You're not doing anything wrong. For some reason, it's having difficulty on your system.


Run it the same way as before:

Click Start>Select 'Run' - then copy/paste the following text into the run box & click OK

"%userprofile%\desktop\dss.exe" /config

This time, uncheck 'Temp Cleanup' then click 'Scan'

Be sure to disable any real-time protection you have on your system first.

__________________

Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

calirz

attached is my logs. i have a good suspicion there is a keyloger in my system. i run mcafee and have run the panda scan and nothing came up. i ran the kaspersky from your forum and it showed one virus. while doing Step 1 i deleted a program called Otto (no other explanation in it) and honestly i did it so fast i was just panicking and hit remove so i dont know if that was part of it or not. please advise.

Deckard's System Scanner v20071014.68
Run by own on 2008-06-02 09:31:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
79: 2008-06-02 13:31:49 UTC - RP417 - Deckard's System Scanner Restore Point
78: 2008-06-02 11:27:33 UTC - RP416 - Software Distribution Service 3.0
77: 2008-06-02 0411 UTC - RP415 - Deckard's System Scanner Restore Point
76: 2008-06-02 02:21:06 UTC - RP414 - Software Distribution Service 3.0
75: 2008-06-01 23:05:09 UTC - RP413 - Deckard's System Scanner Restore Point


-- First Restore Point --
1: 2008-01-13 16:20:40 UTC - RP339 - System Checkpoint




-- HijackThis (run as own.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:32:27 AM, on 6/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mcafee\MWL\MwlSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\own\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\own.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [MWLExe] C:\Program Files\Mcafee\MWL\MWLGuiSt.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [DelayShred] "C:\Program Files\McAfee\MSHR\ShrCL.EXE" /P7 /q C:\DOCUME~1\own\LOCALS~1\Temp\TEMPOR~1\Content.IE5\W5INWD6Z.SH! C:\DOCUME~1\own\LOCALS~1\Temp\TEMPOR~1\Content.IE5\TBDIS8NY.SH! C:\DOCUME~1\own\LOCALS~1\Temp\TEMPOR~1\Content.IE5\S5MB4D6F.SH! C:\DOCUME~1\own\LOCALS~1\Temp\TEMPOR~1\Content.IE5\OP2JGXY3.SH! C:\DOCUME~1\own\LOCALS~1\Temp\TEMPOR~1\Content.IE5\O1AN8XUB.SH! C:\DOCUME~1\own\LOCALS~1\Temp\TEMPOR~1\Content.IE5\LORZNXSO.SH! C:\DOCUME~1\own\LOCALS~1\Temp\TEMPOR~1\Content.IE5\KXABC5YN.SH! C:\DOCUME~1\own\LOCALS~1\Temp\TEMPOR~1\Content.IE5\IP8FMT0L.SH! C:\DOCUME~1\own\LOCALS~1\Temp\TEMPOR~1\Content.IE5\GXAR4TIV.SH! C:\DOCUME~1\own\LOCALS~1\Temp\TEMPOR~1\Content.IE5\ERWYASLU.SH! C:\DOCUME~1\own\LOCALS~1\Temp\TEMPOR~1\Content.IE5\8LUZ8PA7.SH! C:\DOCUME~1\own\LOCALS~1\Temp\TEMPOR~1\Content.IE5\6X4XCVCN.SH! C:\DOCUME~1\own\LOCALS~1\Temp\TEMPOR~1\Content.IE5\UK49Y05J.SH! C:\DOCUME~1\own\LOCALS~1\Temp\TEMPOR~1\Content.IE5\S9INWPEF.SH! C:\DOCUME~1\own\LOCALS~1\Temp\TEMPOR~1\Content.IE
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O23 - Service: McAfee Application Installer Cleanup (0156021212406404) (0156021212406404mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\015602~1.EXE
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - McAfee, Inc. - C:\Program Files\Mcafee\MWL\MwlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8921 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 cdrbsdrv - c:\windows\system32\drivers\cdrbsdrv.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD7>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>

S3 ATWPKT2 - c:\program files\america online 8.0\atwpkt2.sys <Not Verified; America Online; ATW Protocol Driver>
S3 SYMIDSCO - c:\progra~1\common~1\symant~1\symcdata\idsdefs\20050901.036\symidsco.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-01 20:33:20 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-08-07 20:12:38 346 --a------ C:\WINDOWS\Tasks\McDefragTask.job
2007-08-07 20:12:37 348 --a------ C:\WINDOWS\Tasks\McQcTask.job


-- Files created between 2008-05-02 and 2008-06-02 -----------------------------

2008-06-02 09:32:14 0 d-------- C:\Program Files\Trend Micro
2008-06-01 23:59:38 0 d-------- C:\WINDOWS\LastGood
2008-06-01 17:48:50 0 d-------- C:\Program Files\Panda Security


-- Find3M Report ---------------------------------------------------------------

2008-06-02 07:38:57 0 d-------- C:\Documents and Settings\own\Application Data\SiteAdvisor
2008-06-02 07:33:26 0 d-------- C:\Program Files\America Online 8.0
2008-06-02 07:33:21 0 d-------- C:\Program Files\McAfee
2008-06-01 17:55:50 0 d-------- C:\Program Files\SiteAdvisor
2008-05-28 06:56:25 0 d-------- C:\Documents and Settings\own\Application Data\U3
2008-05-13 20:11:49 0 d-------- C:\Documents and Settings\own\Application Data\AdobeUM
2008-05-02 06:56:31 0 d-------- C:\Program Files\QuickTime
2008-05-01 20:46:28 0 d-------- C:\Program Files\Coupons
2008-05-01 20:40:27 0 d-------- C:\Program Files\iTunes
2008-05-01 20:40:14 0 d-------- C:\Program Files\iPod
2008-05-01 20:35:17 0 d-------- C:\Program Files\Common Files
2008-05-01 20:35:17 0 d-------- C:\Program Files\Common Files\Apple
2008-05-01 20:33:18 0 d-------- C:\Program Files\Apple Software Update


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}]
11/26/2007 10:46 AM 324936 --a------ c:\PROGRA~1\mcafee\msk\mcapbho.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [06/19/2005 04:50 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [11/10/2005 04:03 PM]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [02/08/2007 10:39 PM]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [10/11/2005 01:23 PM]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [12/16/2006 05:05 PM]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [12/12/2005 02:39 PM]
"MWLExe"="C:\Program Files\Mcafee\MWL\MWLGuiSt.exe" [07/28/2007 10:32 AM]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [11/30/2007 05:42 AM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [08/03/2007 11:33 PM]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [01/16/2007 01:59 PM]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [01/08/2007 11:22 AM]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [12/13/2005 05:45 PM]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [02/17/2005 12:11 AM]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/06/2005 12:56 AM]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [12/22/2005 11:57 AM]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [08/01/2005 05:26 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [11/11/2005 12:05 AM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DelayShred"="C:\Program Files\McAfee\MSHR\ShrCL.exe" [12/04/2007 01:32 PM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 04:45 PM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [11/13/2006 01:39 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
America Online 8.0 Tray Icon.lnk - C:\Program Files\America Online 8.0\aoltray.exe [12/16/2006 5:05:16 PM]
AOL Companion.lnk - C:\Program Files\AOL Companion\companion.exe [12/16/2006 524 PM]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [9/24/2005 4:39:30 AM]
hp psc 1000 series.lnk - C:\Program Files\HP\Digital Imaging\bin\hpohmr08.exe [4/6/2003 1:17:18 AM]
hpoddt01.exe.lnk - C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe [4/6/2003 158 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-06-02 09:32:54 ------------

Attached Files

extra.txt (19.5 KB, 2 views)

tetonbob

Hello calirz -

I believe these logs belong in this thread. I've merged them so Ried can find them. Please bookmark this thread so you can more easily find it, and make all replies in this topic.

Thanks.

Back to you, Ried!

__________________

** PC Safety and Security--What Do I Need? **

Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Ried

Thanks tetonbob

Hello calirz,

I'm not seeing any malware here. Did you save the Kaspersky report?

If so, please post those results here.

If not, please run a new scan:

Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  
  
  
  
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

**Note**

To optimize scanning time and produce a more sensible report for review:

• Close any open programs!
  
• Turn off the real time scanner of any existing antivirus program while performing the online scan

__________________

Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

calirz

thanks guy - here is the kaspersky report that i ran also. please advise if i should buy this software to remove the things it picked up. thanks for all your help.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, June 01, 2008 9:44:48 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/06/2008
Kaspersky Anti-Virus database records: 821471
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 89284
Number of viruses found: 1
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 02:05:31

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\EasyNet\MHNData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{6633D35E-0A10-4A95-B295-F32AA05F2F66}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\settingsdb.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MWL\SYSTEM-apconfig_2008-06-01.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MWL\SYSTEM-netlib_2008-06-01.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MWL\SYSTEM-PrestoSvc_2008-06-01.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFRA.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\0102\0314\values Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\own\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\own\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\own\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\own\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\own\Local Settings\History\History.IE5\MSHist012008060120080602\index.dat Object is locked skipped
C:\Documents and Settings\own\Local Settings\Temp\sqlite_qEq6ALiL7QSqIPP Object is locked skipped
C:\Documents and Settings\own\Local Settings\Temp\~DFA9DA.tmp Object is locked skipped
C:\Documents and Settings\own\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\own\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\own\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP393\A0023829.exe/data0004 Infected: not-a-virus:AdWare.Win32.Agent.aeh skipped
C:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP393\A0023829.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP413\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_AC97 Soft Data Fax Modem with SmartCP.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{72B3A4A6-CD1A-489A-A307-403F9828FF4B}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{4E0B9362-494C-4FD0-BDDD-AAFA4F367114}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcmsc_1tWT4GS8P7sneDa Object is locked skipped
C:\WINDOWS\Temp\mcmsc_RPrY2lmdxp9ctAN Object is locked skipped
C:\WINDOWS\Temp\mcmsc_XHzBYiVK4gQCEmE Object is locked skipped
C:\WINDOWS\Temp\sqlite_4NJV4HsACBfh8lm Object is locked skipped
C:\WINDOWS\Temp\sqlite_s86xTeDLt4cPz8b Object is locked skipped
C:\WINDOWS\Temp\sqlite_tyMZDqojhczpQ1F Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Ried

Hi calirz,

No, there is no need to purchase this program. Kaspersky is only reporting items located in C:\System Volume Information\, which is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be reset/clear the cache.

Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK
This will flush out previous restore points (which contain the infections) and create a new restore point.


Your logs are clean.

__________________

Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

calirz

Thanks so much for all your help!! i will do this now.