Tech Support Forum: Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
#1 - 06-03-2007, 07:21 PM - Justy (Registered User; Join Date: Jun 2007; Posts: 7; OS: Windows XP)

First Time HijackThis Log

Hello! First time posting a log. A friend has been coming over and she has been going to any website giving free samples. I figured those sites are probably laden with spyware and adware. So I thought I'd give this a try, since AVG Anti-Spyware is having errors removing adware.roguesuspect and nothing else I have (AVG Anti-Virus Free, Webroot Spy Sweeper, Ad-Aware SE Personal, Trend Micro HouseCall) even picks it up. Also, while doing the Panda online scan, it picked up some things that nothing else did. So here we go.

Deckard's System Scanner v20070602.46
Run by FTan on 2007-06-03 at 17:50:06
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2007-06-04 01:50:12 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2007-06-04 01:43:54 UTC - RP1 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as FTan.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 5:54:18 PM, on 6/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\FTan\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\FTan.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1129054286890
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} - http://secure2.comned.com/signuptemp...veSecurity.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab32846.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4041E9EC-31D9-4778-BA51-00B2EF32575D}: NameServer = 192.168.0.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 snapman (Acronis Snapshots Manager) - c:\windows\system32\drivers\snapman.sys <Not Verified; Acronis; Acronis Snapshot API>
R0 timounter (Acronis TrueImage Backup Archive Explorer) - c:\windows\system32\drivers\timntr.sys <Not Verified; Acronis; Acronis True Image>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 CDRPDACC (Arrowkey Device Access) - c:\program files\321studios\shared\cdrpdacc.sys <Not Verified; Arrowkey; CD Device Access>
R2 tifsfilter (Acronis TrueImage FS Filter) - c:\windows\system32\drivers\tifsfilt.sys <Not Verified; Acronis; TrueImage>
R3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

S2 cis1284 - c:\windows\system32\drivers\cis1284.sys (file missing)
S3 aeaudio - c:\windows\system32\drivers\aeaudio.sys (file missing)
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)
S3 XDva007 - c:\windows\system32\xdva007.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S4 AcrSch2Svc (Acronis Scheduler2 Service) - "c:\program files\common files\acronis\schedule2\schedul2.exe" <Not Verified; Acronis; Acronis Scheduler 2>
S4 MPService -


-- Files created between 2007-05-03 and 2007-06-03 -----------------------------

2007-06-03 17:47:10 0 dr-h----- C:\Documents and Settings\FTan\Recent
2007-06-03 17:31:59 0 d-------- C:\ie-spyad
2007-06-03 17:23:32 0 d-------- C:\Program Files\SpywareBlaster
2007-06-03 16:15:58 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-06-03 16:00:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-06-03 15:57:32 0 d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2007-06-03 15:57:32 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-06-03 15:57:31 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-06-03 15:57:31 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-06-03 15:57:31 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-06-03 15:57:31 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-06-03 15:57:31 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-06-03 15:57:31 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-06-03 15:57:31 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-06-03 15:57:31 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-06-03 15:57:31 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-06-03 15:57:31 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-06-03 15:57:31 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-06-03 15:57:31 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-06-03 15:57:31 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-06-03 15:57:31 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2007-06-03 15:57:31 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-06-03 15:57:31 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2007-06-03 15:57:31 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-06-03 15:57:30 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-05-24 16:23:39 0 d-------- C:\Documents and Settings\FTan\Application Data\dvdcss
2007-05-20 21:45:44 0 d-------- C:\Program Files\Oberon Media
2007-05-20 00:55:09 0 d-------- C:\Program Files\Joost
2007-05-20 00:43:17 0 d-------- C:\Documents and Settings\FTan\Application Data\Joost
2007-05-18 01:33:55 152833 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc.sys
2007-05-18 01:33:50 4682 --a------ C:\WINDOWS\system32\npptNT2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
2007-05-18 01:25:31 0 d--h----- C:\WINDOWS\HUL
2007-05-14 20:56:11 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-05-14 20:56:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-05-14 20:55:27 164 --a------ C:\install.dat
2007-05-12 02:04:21 0 d-------- C:\Documents and Settings\FTan\Application Data\FrostWire
2007-05-12 02:04:11 0 d-------- C:\Program Files\FrostWire
2007-05-05 21:05:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Age of Empires 3


-- Find3M Report ---------------------------------------------------------------

2007-06-03 16:40:39 0 d-------- C:\Program Files\GetRight
2007-06-03 11:14:50 0 d-------- C:\Documents and Settings\FTan\Application Data\AVG7
2007-06-03 11:13:08 0 d-------- C:\Program Files\Trillian
2007-06-02 20:59:59 0 d-------- C:\Program Files\Steam
2007-06-02 20:12:27 0 d-------- C:\Program Files\Diablo II
2007-06-02 20:11:47 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-05-30 13:42:50 0 d-------- C:\Documents and Settings\FTan\Application Data\Microsoft Games
2007-05-30 13:35:24 0 d-------- C:\Program Files\Microsoft Games
2007-05-29 15:17:24 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-05-29 10:41:05 0 d-------- C:\Documents and Settings\FTan\Application Data\uTorrent
2007-05-22 21:36:26 0 d-------- C:\Documents and Settings\FTan\Application Data\AdobeUM
2007-05-20 21:47:16 30 --a------ C:\WINDOWS\popcinfo.dat
2007-05-14 11:19:18 0 d-------- C:\Program Files\Canon
2007-05-14 11:17:40 0 d-------- C:\Program Files\EA GAMES
2007-05-12 20:41:55 0 d-------- C:\Program Files\Atari
2007-04-28 20:42:03 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-04-27 03:52:12 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >
2007-04-27 03:41:42 0 d-------- C:\Program Files\Sierra
2007-04-13 13:50:04 35800 --a------ C:\WINDOWS\DIIUnin.dat
2007-04-13 13:49:16 21840 --a-----t C:\WINDOWS\system32\SIntfNT.dll
2007-04-13 13:49:16 17212 --a-----t C:\WINDOWS\system32\SIntf32.dll
2007-04-13 13:49:16 12067 --a-----t C:\WINDOWS\system32\SIntf16.dll
2007-04-06 00:21:08 0 d-------- C:\Documents and Settings\FTan\Application Data\vlc
2007-04-06 00:09:15 0 d-------- C:\Program Files\VideoLAN
2007-04-05 23:45:12 0 d-------- C:\Program Files\Java
2007-04-04 13:28:50 0 d-------- C:\Program Files\support.com
2007-03-26 21:41:21 2829 --a------ C:\WINDOWS\DIIUnin.pif
2007-03-26 21:41:21 94208 --a------ C:\WINDOWS\DIIUnin.exe <Not Verified; Blizzard Entertainment; Diablo II Uninstaller>


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"Acronis Scheduler2 Service"="\"C:\\Program Files\\Common Files\\Acronis\\Schedule2\\schedhlp.exe\""
"SoundMAXPnP"="\"C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe\""
"KernelFaultCheck"="C:\\WINDOWS\\system32\\dumprep 0 -k"
"AVG7_CC"="\"C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe\" /STARTUP"
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="\"nwiz.exe\" /install"
"NvMediaCenter"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /0"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=dword:00000001
"NoRecentDocsMenu"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BCMSMMSG"
"hkey"="HKLM"
"command"="BCMSMMSG.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Clock]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sptsupd"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\sptsupd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\hkcmd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="igfxtray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\igfxtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mmtask"
"hkey"="HKLM"
"command"="c:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mnyexpr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Microsoft Money\\System\\mnyexpr.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PCMService"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SKYVSWI.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SKYVSWI"
"hkey"="HKLM"
"command"="C:\\documents and settings\\ftan\\local settings\\temp\\SKYVSWI.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sgtray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tray Temperature]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MiniBug"
"hkey"="HKLM"
"command"="C:\\DOCUME~1\\FTan\\LOCALS~1\\Temp\\MiniBug.exe 1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcmdmgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wcmdmgrl"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\wt\\updater\\wcmdmgrl.exe -launch"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- Hosts -----------------------------------------------------------------------

127.0.0.1 pubs.mgn.net #french


-- End of Deckard's System Scanner: finished at 2007-06-03 at 17:54:52 ---------


Incident Status Location

Adware:adware/memorywatcher Not disinfected Windows Registry
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt[.xiti.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt[.club.cdfreaks.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt[.cdfreaks.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt[.club.cdfreaks.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt[.atwola.com/]
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt[.i.screensavers.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt[.go.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt[.ad.sensismediasmart.com.au/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt[.gamearena.com.au/]
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt[fe.lea.lycos.es/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt[.adultfriendfinder.com/]
Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Documents and Settings\FTan\Application Data\Webroot\Spy Sweeper\Backup\Startup\PowerReg Scheduler V3.exe.bak
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\FTan\Cookies\ftan@atdmt[1].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\FTan\Cookies\ftan@target[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\FTan\Local Settings\Temp\Cookies\ftan@atwola[1].txt
Dialer:Dialer.HOI Not disinfected C:\WINDOWS\Downloaded Program Files\ActiveSecurity.INF
Attached file: extra.txt (19.2 KB)
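The HijackThis section of the log above is the part the helpers on this thread read by hand. As an added example (not part of the original thread, and not HijackThis's or Deckard's own code), here is a small Python triage script that applies the first checks an analyst makes on such a log: an orphaned BHO registration, an autorun that launches from a Temp directory, an ActiveX (O16 DPF) control with no friendly name or served from a host outside an allow-list, a Winlogon Notify DLL, a service with no publisher, and a configured proxy. The sample lines are copied from the log above, except the "[Example]" O4 entry, which is constructed from the MiniBug.exe Temp path that appears in the msconfig section of the Deckard output; the allow-list of download hosts is an assumption for the demo, not a vetted list. A flag means "look at this", not "malware": the Comcast proxy and the Adobe service it flags here are legitimate, and the thread concludes the log is clean apart from the ActiveSecurity.INF control.

```python
"""Triage a HijackThis (v1.99-style) log: flag entries worth a second look."""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample. All lines are copied from the log above except the
# "[Example]" O4 line, which is hypothetical: an autorun built from the
# MiniBug.exe Temp path that appears in the msconfig section of the DSS output.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\\..\\Run: [AVG7_CC] "C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe" /STARTUP
O4 - HKLM\\..\\Run: [Example] C:\\DOCUME~1\\FTan\\LOCALS~1\\Temp\\MiniBug.exe 1
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} - http://secure2.comned.com/signuptemp...veSecurity.cab
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\\Program Files\\Common Files\\Adobe Systems Shared\\Service\\Adobelmsvc.exe
"""

# Assumed allow-list of hosts that legitimately serve ActiveX scanner/updater
# controls in this log. A real deployment would maintain this deliberately.
KNOWN_DPF_HOSTS = {
    "housecall60.trendmicro.com",
    "go.microsoft.com",
    "update.microsoft.com",
    "acs.pandasoftware.com",
}

# Only R* and O* sections are parsed; F* and N* entries are ignored here.
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# "HKLM\..\Run: [name] command"
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# "DPF: {CLSID} (Friendly Name) - http://host/file.cab"; the name is optional
O16_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def check_entry(section: str, body: str) -> List[str]:
    """Return the reasons (possibly none) an entry deserves review."""
    reasons: List[str] = []
    if section == "R1" and "ProxyServer = " in body:
        reasons.append("proxy server configured; confirm it belongs to the ISP or the user")
    elif section == "O2" and body.endswith("(no file)"):
        reasons.append("orphaned BHO registration (target DLL missing)")
    elif section == "O4":
        m = O4_RE.match(body)
        if m and TEMP_DIR_RE.search(m.group("cmd")):
            reasons.append("autorun launches from a Temp directory")
    elif section == "O16":
        m = O16_RE.match(body)
        if m:
            host = urlparse(m.group("url")).hostname or ""
            if not m.group("name"):
                reasons.append("ActiveX control registered without a friendly name")
            if host not in KNOWN_DPF_HOSTS:
                reasons.append(f"ActiveX control downloaded from unlisted host {host}")
    elif section == "O20":
        reasons.append("Winlogon Notify DLL loads at every logon; verify its publisher")
    elif section == "O23" and " - Unknown owner - " in body:
        reasons.append("service binary carries no publisher information")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Parse every R*/O* line and attach its review reasons."""
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, process list, blank lines
        section, body = m.group("section"), m.group("body")
        findings.append({"section": section, "body": body,
                         "reasons": check_entry(section, body)})
    return findings


def flagged(log_text: str) -> List[Dict[str, object]]:
    """Only the entries that picked up at least one reason."""
    return [f for f in triage(log_text) if f["reasons"]]


if __name__ == "__main__":
    for f in flagged(SAMPLE_LOG):
        print(f"{f['section']}: {f['body']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

On the sample, six of the nine entries are flagged, and the O16 control from secure2.comned.com picks up two reasons (no friendly name, unlisted host); that is the same {75D1F3B2-...} control whose ActiveSecurity.INF Panda later reports as Dialer.HOI. The two checks that fire on benign entries (the proxy and the Adobe service) illustrate why the script only ranks entries for a human and never auto-fixes anything.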

#2 - 06-07-2007, 08:50 AM - tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team; Join Date: Jan 2005; Location: Transylvania County, North Carolina, USA; Posts: 35,602; OS: 2000 Pro; XP Pro; XP Home)


Re: First Time HijackThis Log

Adware.RogueSuspect can possibly be a false positive by AVG AS.

What is the exact file/registry item it's finding? Can you show us a Scan Report from AVG AS?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009

Last edited by tetonbob; 06-07-2007 at 08:52 AM.
#3 - 06-07-2007, 12:47 PM - Justy (Registered User; Join Date: Jun 2007; Posts: 7; OS: Windows XP)

Re: First Time HijackThis Log

Thank you for replying. Here's the AVG Anti-Spyware log as requested.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:41:23 AM 6/7/2007

+ Scan result:



HKLM\SYSTEM\CurrentControlSet\Enum\USB\Vid_05e3&Pid_0701\5&2f058105&0&2\\Class -> Adware.RogueSuspect : Ignored.
C:\Documents and Settings\FTan\Cookies\ftan@atdmt[1].txt -> TrackingCookie.Atdmt : Ignored.
:mozilla.187:C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt -> TrackingCookie.Com : Ignored.
:mozilla.188:C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt -> TrackingCookie.Com : Ignored.
:mozilla.38:C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt -> TrackingCookie.Com : Ignored.
:mozilla.40:C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt -> TrackingCookie.Com : Ignored.
:mozilla.43:C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt -> TrackingCookie.Com : Ignored.
:mozilla.44:C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt -> TrackingCookie.Com : Ignored.
:mozilla.45:C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt -> TrackingCookie.Com : Ignored.
:mozilla.91:C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt -> TrackingCookie.Intelli-direct : Ignored.
:mozilla.438:C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt -> TrackingCookie.Paypal : Ignored.
:mozilla.114:C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt -> TrackingCookie.Statcounter : Ignored.
:mozilla.115:C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt -> TrackingCookie.Statcounter : Ignored.
:mozilla.116:C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt -> TrackingCookie.Statcounter : Ignored.
:mozilla.63:C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt -> TrackingCookie.Webtrends : Ignored.


::Report end
#4 - 06-08-2007, 07:06 AM - tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team)


Re: First Time HijackThis Log

Hello, Justy -

That is a false positive, confirmed by the ewido team. It will be fixed in the next definitions update.

http://www.wilderssecurity.com/showt...45#post1021145

I need a bit more time to review the rest of your logs, but I wanted to pass that information on to you.
#5 - 06-08-2007, 11:28 AM - tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team)


Re: First Time HijackThis Log

Hi Justy -

This file can be deleted:

C:\WINDOWS\Downloaded Program Files\ActiveSecurity.INF

Other than that, your logs appear clean. Are you having other issues which might make you think you're infected?
#6 - 06-08-2007, 11:30 AM - Justy (Registered User)

Re: First Time HijackThis Log

Thank you tetonbob. I almost wanted to delete that one line from the registry myself. It's a good heads up. And thanks again for your continuing support.
Old 06-11-2007, 01:50 PM   #7 (permalink)
Registered User
 
Join Date: Jun 2007
Posts: 7
OS: Windows Xp


Re: First Time HijackThis Log

Sorry for the late reply; I don't know how I missed that last post when I already posted over it.

The only thing I'm curious about is that when I did the Panda scan the first time it picked up dialer.HOI and a hacking tool/rootkit?

Are they both related to C:\WINDOWS\Downloaded Program Files\ActiveSecurity.INF ?

Other than that it looks good.
Old 06-11-2007, 02:31 PM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,602
OS: 2000 Pro; XP Pro; XP Home


Re: First Time HijackThis Log

dialer/HOI is Panda's name for the file:

C:\WINDOWS\Downloaded Program Files\ActiveSecurity.INF

Your Panda log you've shown here has no hacktool/rootkit entry.

As far as "related" goes... I don't know.
Old 06-11-2007, 03:15 PM   #9 (permalink)
Registered User
 
Join Date: Jun 2007
Posts: 7
OS: Windows Xp


Re: First Time HijackThis Log

Thanks for the quick reply, tetonbob. I tried to locate the file by copying and pasting the path that Panda and yourself have given me. I also tried manually going into the folder to look for it, but it is not appearing there. I do have hidden system files set to show and still nothing. I did a second scan from Panda to double-check and it shows the same location. It did pick up a hacking tool and rootkit, as it did in the first scan, but I can't tell it apart from the cookies and dialer.HOI. Here is the second scan:


Incident Status Location

Adware:adware/memorywatcher Not disinfected Windows Registry
Spyware:Cookie/Atwola Not disinfected C:\Deckard\System Scanner\20070603175000\backup\DOCUME~1\FTan\LOCALS~1\Temp\Cookies\ftan@atwola[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt[.com.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt[.statcounter.com/]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt[stat.onestat.com/]
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt[.www.myaffiliateprogram.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt[.xiti.com/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt[.yadro.ru/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt[.go.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt[.bravenet.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt[.club.cdfreaks.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt[.cdfreaks.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt[.club.cdfreaks.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt[.atwola.com/]
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\FTan\Application Data\Mozilla\Firefox\Profiles\default.5ws\cookies.txt[.i.screensavers.com/]
Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Documents and Settings\FTan\Application Data\Webroot\Spy Sweeper\Backup\Startup\PowerReg Scheduler V3.exe.bak
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\FTan\Cookies\ftan@atdmt[1].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\FTan\Cookies\ftan@target[2].txt
Dialer:Dialer.HOI Not disinfected C:\WINDOWS\Downloaded Program Files\ActiveSecurity.INF
Old 06-11-2007, 05:59 PM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,602
OS: 2000 Pro; XP Pro; XP Home


Re: First Time HijackThis Log

Sometimes files in the DPF folder are hidden, even with Hidden Files showing.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types.
* Click Yes to confirm and then click OK.


Go to Start>Run then copy and paste, or type the following, then press Enter:

regsvr32 /u occache.dll

Click OK on the message which pops up.

Delete these files/folders if present:


C:\WINDOWS\Downloaded Program Files\ActiveSecurity.INF

Go to Start>Run then copy and paste, or type the following, then press Enter:

regsvr32 occache.dll

Click OK on the message which pops up.

---------------------------------------------------------------------------------------------

The other items are cookies. I'm still not seeing any reference to hacking tool/rootkit. Please note that the scanners can use broad terms with regards to a file's potential. It's quite possible Panda is referring to this find in SpySweeper's quarantine:

Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Documents and Settings\FTan\Application Data\Webroot\Spy Sweeper\Backup\Startup\PowerReg Scheduler V3.exe.bak


From what I see, your logs are fine. We can use a different online scanner for a second opinion.

You can use this tool to clear your cookies, but you will always get some.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

---------------------------------------------------------------------------------------------

Cookies are nothing to be worried about. They get installed on your computer every time you visit any webpage. Now some of those are good cookies that get installed for ease of use the next time you visit the same page, but some cookies are spyware used for tracking users' surfing habits.

Most of those cookies are third party cookies that can be blocked:

In Firefox go to Tools > Options > Privacy > Cookies

Click the small triangle next to cookies to expand that tab and put a check next to "for the originating website only". This will prevent third party cookies from being installed on your computer.

In IE go to Tools > Internet Options > Privacy and click on Advanced in the Privacy tab

Now put a check next to "Override automatic cookie handling"

Set first party cookies to Accept and third party cookies to Block

Also put a check to "Always allow session cookies" OK your way out.

This won't prevent all bad cookies from being installed, but will reduce the amount.

Also there is another program you can use.

SpywareBlaster prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software. It blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox, and restricts the actions of potentially unwanted sites in Internet Explorer.

You can read more about cookies at the Cookie Concept

---------------------------------------------------------------------------------------------

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.

---------------------------------------------------------------------------------------------

Last edited by tetonbob; 06-11-2007 at 06:01 PM.
Old 06-12-2007, 12:22 AM   #11 (permalink)
Registered User
 
Join Date: Jun 2007
Posts: 7
OS: Windows Xp


Re: First Time HijackThis Log

Followed your instructions regarding ActiveSecurity.INF and was able to delete it!

Here is the Kaspersky log. It says it picked up 2 viruses and 4 infected objects.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, June 11, 2007 11:14:37 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 12/06/2007
Kaspersky Anti-Virus database records: 342568
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
G:\
J:\

Scan Statistics:
Total number of scanned objects: 107118
Number of viruses found: 2
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 01:20:32

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\FTan\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\FTan\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx/[From Dionne Sadler][Date 19 May 2004 08:51:24 -0700]/UNNAMED/html Infected: Exploit.HTML.ObjData skipped
C:\Documents and Settings\FTan\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx/[From Dionne Sadler][Date 19 May 2004 08:51:24 -0700]/UNNAMED Infected: Exploit.HTML.ObjData skipped
C:\Documents and Settings\FTan\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx Mail MS Outlook 5: infected - 2 skipped
C:\Documents and Settings\FTan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\FTan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\FTan\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\FTan\Local Settings\Temp\Perflib_Perfdata_624.dat Object is locked skipped
C:\Documents and Settings\FTan\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\FTan\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\FTan\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\FTan\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP9\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\sptd.sys Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
Old 06-12-2007, 11:25 AM   #12 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,602
OS: 2000 Pro; XP Pro; XP Home


Re: First Time HijackThis Log

Hi Justy -

Good job.

All Kaspersky found was a suspicious item in your Outlook Express deleted items dbx, and a mIRC file. If you use mIRC, that's fine. Kaspersky IDs it based on potential.

Please empty your Outlook Express Deleted Items folder. To do so:
  • Open Outlook Express
  • Right click on Deleted Items
  • Select 'Empty Deleted Items folder'.
  • Click 'Yes' at the next popup box to successfully empty the Deleted Items folder.

You may want to consider using these settings for your Outlook Express, which will automatically empty the deleted items folder upon exit:

Go to Tools > Options
Under the Maintenance Tab, checkmark the following boxes:

* Empty messages from 'Deleted item' folder on exit
* Purge deleted messages when leaving IMAP folders

Other than that, your logs appear clean.

You should be good to go.


Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.


Enable Windows Auto Update
  • Go to Start>Run - type wuaucpl.cpl
  • Tick the checkbox "Automatically download the updates, and install them on the schedule that I specify".
  • Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs if you don't have them already:
  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • SpywareGuard to catch and block spyware before it can execute.
  • SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
  • AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here

  • IE-SPYAD - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • Download IE-SpyAD - Extract the contents to a new folder
      From within the folder, double-click install.bat
      Select Option #2 - Install the new IE-SPYAD list.
      Then return to the main menu.
      Select option #4 - Add the old porn sites domain


  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.


  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    Here are a few very good free Antivirus products which are available: Select one of these, or another of your choice. Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.
    See this link for a listing of some online antivirus scanners:

    Anti-Spyware Tutorial
  • FIREWALL
    If you do not have a firewall, here are a couple of great free ones available for personal use. Using a third-party firewall will allow you to give/deny access for applications that want to go online. Select one of these, or another of your choice:

    Do not install more than one firewall program because they will conflict with each other.


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles.
If you want to fight back against the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
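The reading tetonbob gives of that Kaspersky report, as an added Python example that is not from the thread or from any of the tools it mentions: it parses the item section of a Kaspersky Online Scanner v5 report (a constructed sample in the same line format is embedded), separates real detections from "not-a-virus:" riskware such as the mIRC client and from locked objects that were never scanned, and cross-checks the scanner's own summary counts. The line shapes come from the log posted above; the regexes, bucket names and note wording are my own assumptions.

```python
"""Triage a Kaspersky Online Scanner v5 text report (added example, not from
the thread): split the itemised section into real detections, 'not-a-virus:'
riskware and locked objects the scanner never opened, then cross-check counts."""
import re

# Constructed sample in the scanner's report format; long paths shortened.
SAMPLE_REPORT = r"""Number of viruses found: 2
Number of infected objects: 4
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\FTan\Cookies\INDEX.DAT Object is locked skipped
C:\Docs\FTan\OE\Hotmail - Deleted Items.dbx/[From X]/UNNAMED/html Infected: Exploit.HTML.ObjData skipped
C:\Docs\FTan\OE\Hotmail - Deleted Items.dbx/[From X]/UNNAMED Infected: Exploit.HTML.ObjData skipped
C:\Docs\FTan\OE\Hotmail - Deleted Items.dbx Mail MS Outlook 5: infected - 2 skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
Scan process completed.
"""

# One regex per line shape that appears in the report's item section.
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) (?P<action>\S+)$")
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<kind>Mail [^:]+): infected - (?P<n>\d+) (?P<action>\S+)$")
STAT_RE = re.compile(r"^Number of (viruses found|infected objects): (\d+)$")


def parse_report(text):
    """Bucket each itemised line: infected, riskware, containers, locked, unparsed."""
    f = {"infected": [], "riskware": [], "containers": [], "locked": [], "unparsed": []}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Infected Object Name"):
            in_section = True
            continue
        if not in_section or not line or line.startswith("Scan process completed"):
            continue
        m = LOCKED_RE.match(line)
        if m:  # locked means never scanned: noise, not a finding
            f["locked"].append(m.group("path"))
            continue
        m = INFECTED_RE.match(line)
        if m:
            verdict = m.group("verdict")
            bucket = "riskware" if verdict.startswith("not-a-virus:") else "infected"
            f[bucket].append((m.group("path"), verdict, m.group("action")))
            continue
        m = CONTAINER_RE.match(line)
        if m:  # a mail store counted as one object holding n infected messages
            f["containers"].append((m.group("path"), m.group("kind"), int(m.group("n"))))
            continue
        f["unparsed"].append(line)
    return f


def scan_stats(text):
    """Summary counts the scanner prints above the item list."""
    hits = (STAT_RE.match(l.strip()) for l in text.splitlines())
    return {m.group(1): int(m.group(2)) for m in hits if m}


def distinct_verdicts(findings):
    return {v for _, v, _ in findings["infected"] + findings["riskware"]}


def stats_consistent(text):
    """True when the itemised section accounts for the scanner's own summary counts."""
    f, s = parse_report(text), scan_stats(text)
    objects = len(f["infected"]) + len(f["riskware"]) + len(f["containers"])
    return (s.get("viruses found") == len(distinct_verdicts(f))
            and s.get("infected objects") == objects)


def triage(findings):
    """Defender-oriented notes: what to clean, what to review, what to ignore."""
    notes = [f"ACTION  {v} in {p}" for p, v, _ in findings["infected"]]
    notes += [f"REVIEW  {v} in {p} (riskware: fine if you installed it knowingly)"
              for p, v, _ in findings["riskware"]]
    notes += [f"ACTION  {k} store {p} holds {n} infected message(s); empty it"
              for p, k, n in findings["containers"]]
    notes.append(f"IGNORE  {len(findings['locked'])} locked object(s) were never scanned")
    return notes
```

Running `triage(parse_report(SAMPLE_REPORT))` yields two ACTION lines for the mail exploit, one for the Deleted Items store, one REVIEW line for mIRC and one IGNORE line for the locked objects, matching the advice in the reply above.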
Old 06-12-2007, 11:54 AM   #13 (permalink)
Registered User
 
Join Date: Jun 2007
Posts: 7
OS: Windows Xp


Re: First Time HijackThis Log

Thanks tetonbob. Everything is ready, steady, go. You Rock!
Copyright 2001 - 2009, Tech Support Forum