#21 (permalink)
Human Individual
Join Date: May 2006
Location: Manhattan
Posts: 2,837
OS: WXP Home, WXP Pro
ok WAIT,
jUST RAN THE ZIP FILE CONTENTS AGAIN...AND WUTEVAH IT IS GOT ADDED THIS TIME. I am NOT making THIS UP, ok? I just want 2 know....WHERE NUMBER SEVEN WENT ALL BY ITSELF, Ok? i AM GETTING, someone in The Pentagon is doing this... yes, via a Rootkit. Just because I am paranoid now...does not mean this is not accurate. I listen 2 Air America radio, OK? Now I will run yet another HJT scan.
***************************************
Here it is:

Logfile of HijackThis v1.99.1
Scan saved at 6:40:49 PM, on 2/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [RealTray] ; C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

______________________________________________
OMG
__________________
The real voyage of discovery consists not in seeking new landscapes, but in having new eyes. Marcel Proust It ain't where you go, it's where you're coming from. Jill
Last edited by Ariesjill : 02-10-2007 at 04:42 PM.
#22 (permalink)
Mentor, Analyst - Security Team
Join Date: May 2006
Location: Oregon
Posts: 2,503
OS: MacOS X, Debian, OpenBSD, Windows
Were you able to double-click Ariesjill.reg and get a dialog box that told you that the information was successfully entered into the registry? Or does it still tell you that Regedit is disabled? I'm betting ComboFix took care of the O7 for us, which is why it doesn't appear in your HJT log anymore.
Also, don't edit your posts -- I don't get notified when you do that. I almost missed the ComboFix log. Thanks! I'm not seeing any signs of a rootkit. We've run a couple of rootkit scanners now and none of them has shown me anything that makes me think you've got a rootkit. However, let's try another online scanner. Please perform an online scan using Internet Explorer with Kaspersky WebScanner. Click on Launch Kaspersky Anti-Virus Web Scanner. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
Post your Kaspersky log and a new HijackThis log after it finishes. I'm betting Kaspersky will turn up nothing, too.
__________________
The chance to begin again in a golden land of opportunity and adventure. Need HijackThis help? Please read MicroBell's Five Step Process before posting.
Please donate and help keep this site free to all. UNITE/ASAP: Proud member since 2006
#23 (permalink)
Human Individual
Join Date: May 2006
Location: Manhattan
Posts: 2,837
OS: WXP Home, WXP Pro
hi, OK yes, I got "successfully added" notification. OK, bless U for explanation of disappearance of #7.....maybe not Pentagon. Made me instantly crazy/new trembling.
So sorry re editing....I was trying to save space. We R all a little irrational, OK? (Well, I am) So sorry this messed things up...now I know. Will follow up. J. OK
#24 (permalink)
Mentor, Analyst - Security Team
Join Date: May 2006
Location: Oregon
Posts: 2,503
OS: MacOS X, Debian, OpenBSD, Windows
No worries -- I'm not upset or anything. I just want to make sure I don't miss anything.
#25 (permalink)
Human Individual
Join Date: May 2006
Location: Manhattan
Posts: 2,837
OS: WXP Home, WXP Pro
Hi,
Thank U for being nice....started Kasp scan but then had to run out, now I must begin work....will start it again....meanwhile viruses R coming in knowing no active AVG....kidding. I think U need to know about Sinus Buster. Will back ASAP. J.
#26 (permalink)
Mentor, Analyst - Security Team
Join Date: May 2006
Location: Oregon
Posts: 2,503
OS: MacOS X, Debian, OpenBSD, Windows
No rush -- do it when you can. I think you're fine, because I'm just not seeing anything obvious. At this point we're just trolling your system hoping something will bite.
My headache has largely gone away, although I can still feel tiny twinges of it. I think it was one-half migraine, one-half dehydration, and one-half hunger.
#27 (permalink)
Human Individual
Join Date: May 2006
Location: Manhattan
Posts: 2,837
OS: WXP Home, WXP Pro
Hi, am doing this between clients...well, trying. Re dehydration & forgetting 2 or being 2 busy 2 eat....pls stop imitating me, OK?
Now will paste the Kaspersky thingies. Incl 2 screenies, as I do not get why things R locked and were skipped. Not at all. And yes, I did choose the extended database....why these people include floppy drives & opticals...I also do not get, OK? How could those be infected??? I have no clue. Trolling V good description.....so desktop with 2 HDDs is ocean....and we R deep sea fishing for Rootkits....holding line still and waiting for one to C the worm and take the hook. IF IT IS THERE. I totally get this, OK? Also now get that rootkits have both eyes on one side....like flounder. Soon I will get my Certification....cause I am QUICK STUDY, Ok? Ok here we go...

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, February 10, 2007 8:39:13 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 11/02/2007
Kaspersky Anti-Virus database records: 266772
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 68110
Number of viruses found: 0
Number of infected objects: 0 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:03:49

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Application Data\AOL\Ca_America Online 9.0\IDB\Apps.Lst Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\AOL\Ca_America Online 9.0\IDB\art.idx Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\AOL\Ca_America Online 9.0\IDB\sap.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\AOL\Ca_America Online 9.0\IDB\spool.lst Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\AOL\Ca_America Online 9.0\IDB\sysnews.lst Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012007021020070211\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_a00.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\UserData\index.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\Ca_America Online 9.0\idb\jillmorrisone\MyDB.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\Ca_America Online 9.0\idb\jillmorrisone\toolbar.lst Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\Ca_America Online 9.0\idb\SNMaster.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\Ca_America Online 9.0\organize\CACHE\jillmorriso02 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\Ca_America Online 9.0\organize\jillmorrisone Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\Ca_America Online 9.0\organize\jillmorrisone.abi Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\Ca_America Online 9.0\organize\jillmorrisone.aby Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\Ca_America Online 9.0\ShopAssist\DataStore\global\clientcache.adb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\Ca_America Online 9.0\ShopAssist\DataStore\users\Jillmorrisone.adb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstderr.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstdout.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aoltsmon.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\cache.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\server.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Microsoft Office\Templates\Normal.dot Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{169C6368-2D9E-4009-9C50-D89CA29026AF}\RP3\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\VALUED-71BAE275.ldb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{A335E709-9F8B-4B4F-8F84-4DD2AECAA804}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\SnopFree.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\ZLT054be.TMP Object is locked skipped
C:\WINDOWS\TEMP\ZLT054c2.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{169C6368-2D9E-4009-9C50-D89CA29026AF}\RP3\change.log Object is locked skipped

Scan process completed.

(above was ovah hour ago....gotta be quick) I will now attach screenies I do not understand speaking about locked things. Bless U yet again, Deckard....and the fine brain leading U to the MAC. J.
Last edited by Ariesjill : 02-10-2007 at 07:48 PM.
#28 (permalink)
Mentor, Analyst - Security Team
Join Date: May 2006
Location: Oregon
Posts: 2,503
OS: MacOS X, Debian, OpenBSD, Windows
LOL. I've been drinking lots of water this evening and ate a big dinner, so I am doing much better now.
Kaspersky's online scanner is one of those love/hate relationships for us. It does a good job at finding things, but it also has all these 'object is locked' lines, which do nothing but confuse. What the scanner is telling us is that it couldn't scan that file because it was being used by your computer. The good news is that Kaspersky turned up nothing. Your computer is clean -- as I expected. I know you run a tight ship. At this point, I don't think there is anything else to check, so let's wrap you up and get you on your way.

Microsoft Updates
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by malware. Using Internet Explorer, please go to Microsoft's Windows Update and download all of the critical updates to help prevent possible re-infection. Please ensure that you have already patched your system against these recent critical exploits:

Enable Windows Auto Update:

Tool Deletions
Feel free to remove these tools and their folders:
That's it! Please respond to this thread one more time so we can mark this thread as resolved.
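As an added illustration of the point made in the post above (this is not code from the thread, from the forum, or from Kaspersky), here is a small Python classifier for the online scanner's report layout: it separates the "Object is locked skipped" noise, which only means the file was in use and never got scanned, from actual Infected/Suspicious verdict lines, and cross-checks those against the scanner's own infected-object count. Both report samples are constructed, the "Infected:"/"Suspicious:" line layout is an assumption, and the detection names are placeholders.

```python
import re

# Constructed sample modelled on the Kaspersky Online Scanner 5.x report
# layout quoted in the thread: a statistics block, then one line per object.
CLEAN_REPORT = r"""
Scan Statistics:
Total number of scanned objects: 68110
Number of viruses found: 0
Number of infected objects: 0 / 0
Number of suspicious objects: 0
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
Scan process completed.
"""

# Second constructed sample. The "Infected:"/"Suspicious:" line layout is an
# assumption, and the detection names are placeholders, not real malware.
DIRTY_REPORT = r"""
Scan Statistics:
Total number of scanned objects: 120
Number of viruses found: 1
Number of infected objects: 1 / 0
Number of suspicious objects: 1
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Temp\EXAMPLE-bad.exe Infected: EXAMPLE.Placeholder.Name skipped
C:\Temp\EXAMPLE-odd.dll Suspicious: EXAMPLE.Heuristic skipped
Scan process completed.
"""

# Object lines start with a drive path. Paths may contain spaces, so the
# verdict keyword, not whitespace, marks where the path ends.
LOCKED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?) Object is locked skipped$")
VERDICT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) (?P<kind>Infected|Suspicious): "
    r"(?P<name>\S+) (?P<action>\S+)$")
STAT_RE = re.compile(r"^Number of infected objects: (?P<found>\d+) / (?P<cured>\d+)$")


def parse_report(text):
    """Split a report into locked (never scanned) objects, real verdict
    lines, and the scanner's own infected-object count."""
    result = {"locked": [], "verdicts": [], "stated_infected": None}
    for line in text.splitlines():
        line = line.strip()
        if m := LOCKED_RE.match(line):
            result["locked"].append(m["path"])
        elif m := VERDICT_RE.match(line):
            result["verdicts"].append((m["path"], m["kind"], m["name"], m["action"]))
        elif m := STAT_RE.match(line):
            result["stated_infected"] = int(m["found"])
    return result


def is_clean(parsed):
    """Clean means no Infected/Suspicious lines AND a zero count in the
    statistics block. Locked objects are unscanned, not findings."""
    return not parsed["verdicts"] and parsed["stated_infected"] == 0


def pending(parsed):
    """Verdict lines whose last action was 'skipped' were reported but not
    remediated, so they are the ones a helper still has to deal with."""
    return [v for v in parsed["verdicts"] if v[3] == "skipped"]
```

Locked entries are returned separately so a reader can confirm they are the expected in-use files (registry hives, index.dat, logs) rather than treating them as detections.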
#29 (permalink)
Human Individual
Join Date: May 2006
Location: Manhattan
Posts: 2,837
OS: WXP Home, WXP Pro
Yessss!!!!!
Deckard:
Wow!! Locked. Nowww....I get it! Made my head spin. But now I get it. Thanks so much for clearing this up! I am sooooooo relieved. My heart rate will soon return to normal...thanks only to Deckard and TSF. Who needs to do cardio? Just download a couple of rootkit utilities & run them! Also should report....a SWAT team appeared just now in my apartment; the main guy went: "OK, step AWAYYY FROM THE Rootkit DETECTION downloads!!.....slowly now...just Step AWAYYYY." THEN, he said, "Which would U choose: having a maybe rootkit, or ending up in BELLEVUE IN A PADDED ROOM IN A WHITE COAT U can NOT UNBUTTON????" I told him #1 to get rid of them, they were way scary.....but I LIED, OK?? Pathetic. Bless U, I am soooo glad you hydrated and ate food!!!!!!!!!!! We NEED YOUUUUU, so do those a lot, OK? Sooo....if I run such a "tight ship," Deckard..... how come, on the side of my tower, instead of Dell....it says TITANIC??? I am deeply, deeply grateful. DEEPLY. Jilly
#30 (permalink)
Human Individual
Join Date: May 2006
Location: Manhattan
Posts: 2,837
OS: WXP Home, WXP Pro
PS...Just got the two patches U had links 2....even though I am on autoupdate. Oddly, the first one installed! The second said my IE version did not match it....I think that one might B for IE6....I have 7....and my 7 is fully patched to date.
But re the first one....I feel safer! So it's all good! J.