
· Registered
Joined
·
35 Posts
Discussion Starter · #1 ·
I had these problems (command.exe and targetsaver popups) a few months ago, which prompted me to join this forum.

I followed some do it yourself guides (which I can't locate this time) and all seemed well.

I got home from work today and my computer had crashed, which is not unusual. I rebooted and the problems started just like last time.

So this time I'll do things by the book and follow your advice and hopefully learn and be able to help in the future.

I have McAfee Virus Scan, Ad-Aware, and SpyBot. All identify issues. All take care of some of the issues, but not all. I even ran all 3 after updating them from safe mode. I end up with something that states xxxxx is running and can not be removed.

So that's where I am at. I want to get rid of this stuff the correct way.

Any help that you can provide will be appreciated. Oh, and I'm not real good with computers, so please keep that in mind.

Mike
 

· TSF Security Manager, Emeritus
Joined
·
42,952 Posts
Hello Mike,

We need to begin with a HijackThis log:

Please download HijackThis - this program will help us determine the extent of any spyware/malware on your computer as well as aid us in removing it.

Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\PROGRAM FILES\HIJACKTHIS\

Double click on HijackThis.exe to run the program.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here.

**Do not fix anything in HijackThis as many entries are harmless and necessary for the proper operation of your system.
 

· Registered
Joined
·
35 Posts
Discussion Starter · #3 ·
Downloaded the hijackthis file. It was not a zip file. Created directory and placed it there.

Log follows:

Logfile of HijackThis v1.99.1
Scan saved at 5:24:29 PM, on 12/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/service_components/control/activex/TmHcmsX.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159165319051
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\lvrm0991e.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
 

· TSF Security Manager, Emeritus
Joined
·
42,952 Posts
Hello Mike,

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

***************************************************

Download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"


  • Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly.

---------------------------

Download and install CleanUp! but do not run it yet. (Not Recommended for XP64).

(Alternate Link if main link doesn't work - http://www.greyknight17.com/spy/CleanUp.exe )

---------------------------

Download Combofix and save it to your desktop. Do not run it yet.

**Note: It is important that it is saved directly to your desktop**

------------------------------------------------

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

-----------------------------------

Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
F2 - REG:system.ini: UserInit=userinit.exe
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\lvrm0991e.dll (file missing)



Click 'Fix Checked' and close HijackThis.

------------------------------------------------

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! or move them to a permanent location.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
  • Click on the "Temporary Files" and uncheck the box for "Scan drives for file matching" if it's checked.
Click OK
Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted.

------------------------------------------------

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, **Please ensure it is set to Quarantine then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware.
**AVG Anti-Spyware is compatible with most AV and anti-spyware products, and the free version will continue to be useful as a second anti-malware scanner.

-----------------------------------

Reboot into Normal Mode.

-----------------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on
    located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on
    then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


-------------------------------------

Close any open browsers.

-------------------------------------


Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Post the ComboFix.txt in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


-----------------------------------

Run a new scan with HijackThis and save the log.

-----------------------------------

Please include the following in your next reply:

AVG Anti-Spyware results
Panda results
ComboFix.txt
New HijackThis log
 

· Registered
Joined
·
35 Posts
Discussion Starter · #5 ·
Small problem. I missed the download of Cleanup! I can download it with alternate computer and transfer it via usb. Can I install it while in safe mode?

Or should I reboot in normal, install Cleanup! and go back into safe mode? If I do that, which of the previous steps do I need to repeat?

I'm sorry.
 

· Registered
Joined
·
35 Posts
Discussion Starter · #7 ·
Okay. Just finished the AVG scan. One step is missing from your directions: Before you can click the "reports" tab on top, you have to click "save report" on the bottom.

It's 1 am here. I'll pick up with the directions after work tomorrow.

(FYI - cleanup deleted some 35000 files totaling 800MB and AVG found 20 items on 2 drives).

Thanks for all the help thus far. I'll pick up again in about 16 hours.

Mike
 

· Registered
Joined
·
35 Posts
Discussion Starter · #8 ·
Just to keep you updated, I started the pandascan when I got home. It was still running when I left to do errands. I came back and it had scanned 500k files, and had a popup. I cleared the popup and the scan continued for a few minutes then closed. I've just started it again. Hopefully this time it will complete and not close.
 

· TSF Security Manager, Emeritus
Joined
·
42,952 Posts
Hi Mike,

If you cannot get Panda to complete, skip that for now and please post the other logs requested.
 

· Registered
Joined
·
35 Posts
Discussion Starter · #10 ·
AVG Anti-Spyware results
--------------
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:53:35 AM 12/15/2006

+ Scan result:



E:\WINDOWS\cpbrkpie.ocx -> Adware.Coupons : Cleaned with backup (quarantined).
C:\Documents and Settings\Mike\Desktop\l2mfix\dlls\dkserial.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Mike\Desktop\l2mfix\dlls\en02l1do1.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Mike\Desktop\l2mfix\dlls\guard.tmp -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Mike\Desktop\l2mfix\dlls\ktp6l77s1.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Mike\Desktop\l2mfix\dlls\lvrm0991e.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Mike\Desktop\l2mfix\dlls\oxengl32.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Mike\Desktop\l2mfix\dlls\wxnsta.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup (quarantined).
E:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup (quarantined).
C:\WINDOWS\system32\WinNB58.dll -> Adware.Mirar : Cleaned with backup (quarantined).
E:\Program Files\AntWar_Setup-dm.exe -> Adware.Trymedia : Cleaned with backup (quarantined).
E:\Documents and Settings\Mike\Cookies\[email protected][2].txt -> TrackingCookie.Adjuggler : Cleaned.
E:\Documents and Settings\Mike\Cookies\[email protected][1].txt -> TrackingCookie.Admarketplace : Cleaned.
E:\Documents and Settings\Mike\Cookies\[email protected][1].txt -> TrackingCookie.Euroclick : Cleaned.
E:\Documents and Settings\Mike\Cookies\[email protected][2].txt -> TrackingCookie.Starware : Cleaned.
E:\Documents and Settings\Mike\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : Cleaned.
E:\Documents and Settings\Mike\Cookies\[email protected][2].txt -> TrackingCookie.Tracking101 : Cleaned.
E:\Documents and Settings\Mike\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned.
E:\Documents and Settings\Mike\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end


Panda results
-------------
Unable to complete scan. Hit about 510k files and both windows close of their own free will.

ComboFix.txt
-------------------------------
"Mike" - 06-12-15 23:55:23.35 Service Pack 2
ComboFix 06-12-14W-BetaE2 - Running from: "C:\Documents and Settings\Mike\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\keyboard1.dat
C:\WINDOWS\system32\s.exe


((((((((((((((((((((((((((((((( Files Created from 2006-11-15 to 2006-12-15 ))))))))))))))))))))))))))))))))))


2006-12-15 17:15 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-12-15 17:15 <DIR> d-------- C:\WINDOWS\LastGood
2006-12-14 22:36 339,099 --a------ C:\Program Files\CleanUp.exe
2006-12-14 22:33 6,469,352 --a------ C:\Program Files\avgas-setup-7.5.0.50.exe
2006-12-14 22:33 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-14 22:33 <DIR> d-------- C:\Program Files\Grisoft
2006-12-14 17:23 <DIR> d-------- C:\Program Files\HijackThis
2006-11-28 18:05 <DIR> d-------- C:\DOCUME~1\Mike\APPLIC~1\U3


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-14 22:51 -------- d-------- C:\DOCUME~1\Mike\Application Data\u3
2006-12-14 21:22 -------- d-------- C:\DOCUME~1\Mike\Application Data\azureus
2006-12-13 20:02 -------- d-------- C:\Program Files\Common Files\ufwo
2006-12-13 19:35 42496 --a------ C:\WINDOWS\system32\ftp.exe
2006-12-13 19:35 16896 --a------ C:\WINDOWS\system32\tftp.exe
2006-12-07 00:29 2374472 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-11-13 20:24 -------- d-------- C:\Program Files\winavi
2006-11-13 20:13 -------- d-------- C:\Program Files\Common Files\avsmedia
2006-11-13 20:05 36954208 --a------ C:\Program Files\avsvideotools.exe
2006-11-11 11:51 -------- d-------- C:\Program Files\azureus
2006-11-08 00:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-10-28 12:24 -------- d---s---- C:\DOCUME~1\Mike\Application Data\microsoft
2006-10-21 17:36 -------- d-------- C:\DOCUME~1\Mike\Application Data\vlc
2006-10-21 17:32 8282187 --a------ C:\Program Files\vlc-0.8.5-win32.exe
2006-10-21 17:32 -------- d-------- C:\Program Files\videolan
2006-10-19 08:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-13 07:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 07:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 07:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-09-19 18:19 17 --a------ C:\Program Files\stng260.opt
2006-09-19 17:57 1144839 --a------ C:\Program Files\stng260.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NVMixerTray"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"SoundMan"="SOUNDMAN.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"TPP Auto Loader"="C:\\WINDOWS\\TPPALDR.EXE"
"EPSON Stylus Photo R200 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2H1.EXE /P30 \"EPSON Stylus Photo R200 Series\" /O6 \"USB001\" /M \"Stylus Photo R200\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,de,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

Completion time: 06-12-15 23:57:02.47



New HijackThis log
--------------------------
Logfile of HijackThis v1.99.1
Scan saved at 11:59:10 PM, on 12/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/service_components/control/activex/TmHcmsX.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159165319051
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

And that's the ones I could do.

Thanks for your help, Ried! I do honestly appreciate it.

ps - when I opened this window to post these, it said IE was not my default browser (I'm not aware that I have another) and it went to a MSN website and not my default about:blank. Is that a result of all that we've done / changed / modified / deleted?
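
The before/after check that the two HijackThis logs in this thread make possible, written as an added example (it is not part of any post or of HijackThis itself): it parses entry lines by their section code, diffs the 12/14 and 12/15 logs, and confirms that the three entries the helper asked to have fixed are gone. The function names are hypothetical and the sample logs are short excerpts constructed from the logs posted above.

```python
import re

# A HijackThis entry line starts with a section code (R0, F2, O4, O20, O23 ...)
# followed by " - " and the entry text. Header and process lines do not match.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")

# Constructed sample: lines excerpted from the 12/14/2006 log in this thread.
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\lvrm0991e.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
"""

# Constructed sample: lines excerpted from the 12/15/2006 log in this thread.
AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
"""

# The three entries the helper's instructions said to check and fix.
REQUESTED_FIXES = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
F2 - REG:system.ini: UserInit=userinit.exe
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\lvrm0991e.dll (file missing)
"""


def parse_entries(log_text):
    """Return the set of (section_code, entry_text) pairs found in a log."""
    entries = set()
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.add((match.group("code"), match.group("body").strip()))
    return entries


def diff_logs(before_text, after_text):
    """Entries that disappeared from, or appeared in, the later log."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    return {"removed": sorted(before - after), "added": sorted(after - before)}


def unfixed(requested_text, after_text):
    """Requested fixes that are still present in the later log."""
    return sorted(parse_entries(requested_text) & parse_entries(after_text))


def missing_file_entries(log_text):
    """Entries HijackThis marked as pointing at a file that no longer exists."""
    return sorted(e for e in parse_entries(log_text)
                  if e[1].endswith("(file missing)"))


if __name__ == "__main__":
    changes = diff_logs(BEFORE_LOG, AFTER_LOG)
    for kind in ("removed", "added"):
        for code, body in changes[kind]:
            print(f"{kind:8} {code:4} {body}")
    # The RunOnce value shows up as removed without having been "fixed":
    # Windows deletes RunOnce values itself once they have run.
    print("still present after fix:", unfixed(REQUESTED_FIXES, AFTER_LOG))
    print("file missing:", missing_file_entries(AFTER_LOG))
```
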
 

· TSF Security Manager, Emeritus
Joined
·
42,952 Posts
Hello Mike,

As a safeguard, ComboFix resets the homepage to default as well as prompting you about Internet Explorer as so many types of malware 'mess' with these settings. You can go ahead and set the homepage to your personal preference.

Based on an entry I saw in the ComboFix.txt, I'd like you to run another tool to ensure all traces of it have been removed:

Download AlcanShorty from here.
  • Click the download button below and agree to download the fix.
  • Download Alcanshorty to your desktop.
  • DoubleClick alcanshorty_en.exe and click install
  • This will create a new folder on your desktop called alcanshorty_en
  • Open that folder and doubleclick Run.bat
  • Once the fix starts, your icons and desktop will disappear, this is normal.

Make sure you have a working internet connection. In case your firewall gives an alert, don't block it,
because alcanshorty needs to download some additional files to let the tool run properly.


  • Wait for the complete script execution box to popup and press OK.
  • Press exit to terminate the BFU program.


Try again to get an online scan to complete. I'd like to suggest disabling McAfee while attempting to download the Active X needed as well as during the scan. You'll be safe as long as the Panda or Kaspersky site is the only browser you have open.
 

· Registered
Joined
·
35 Posts
Discussion Starter · #12 ·
BFU ran without a problem (quick too, I might add).

I disabled McAfee prior to running Kaspersky, but it is now enabled, and I'm not sure why or how.

Here are the results of Kaspersky:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, December 17, 2006 12:11:28 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 17/12/2006
Kaspersky Anti-Virus database records: 251356
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 86074
Number of viruses found: 4
Number of infected objects: 8 / 0
Number of suspicious objects: 2
Duration of the scan process: 01:10:05

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_ROGUE.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_ROGUE.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mike\Application Data\Spybot - Search & Destroy\Recovery\CASClient.zip/cas2stub.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\Mike\Application Data\Spybot - Search & Destroy\Recovery\CASClient.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Mike\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mike\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Mike\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\vnc-4_1_1-x86_win32.exe/data0001 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
C:\Program Files\vnc-4_1_1-x86_win32.exe Inno: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
E:\Documents and Settings\Mike\Local Settings\Application Data\Identities\{CA8E6154-3F2D-4BD1-A6B8-EE3C0CF4B24E}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Wed, 04 May 2005 10:55:58 +0000 (GMT)]/mail_info.zip Infected: Email-Worm.Win32.Sober.p skipped
E:\Documents and Settings\Mike\Local Settings\Application Data\Identities\{CA8E6154-3F2D-4BD1-A6B8-EE3C0CF4B24E}\Microsoft\Outlook Express\Deleted Items.dbx Mail MS Outlook 5: infected - 1 skipped
E:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
E:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
E:\WINDOWS\$NtUninstallKB826939$\accwiz.exe Object is locked skipped
E:\WINDOWS\$NtUninstallKB826939$\crypt32.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB826939$\hh.exe Object is locked skipped
E:\WINDOWS\$NtUninstallKB826939$\hhctrl.ocx Object is locked skipped
E:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB826939$\html32.cnv Object is locked skipped
E:\WINDOWS\$NtUninstallKB826939$\itss.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB826939$\locator.exe Object is locked skipped
E:\WINDOWS\$NtUninstallKB826939$\magnify.exe Object is locked skipped
E:\WINDOWS\$NtUninstallKB826939$\migwiz.exe Object is locked skipped
E:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys Object is locked skipped
E:\WINDOWS\$NtUninstallKB826939$\msconv97.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB826939$\narrator.exe Object is locked skipped
E:\WINDOWS\$NtUninstallKB826939$\newdev.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB826939$\ntdll.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB826939$\ntkrnlpa.exe Object is locked skipped
E:\WINDOWS\$NtUninstallKB826939$\ntoskrnl.exe Object is locked skipped
E:\WINDOWS\$NtUninstallKB826939$\ole32.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB826939$\osk.exe Object is locked skipped
E:\WINDOWS\$NtUninstallKB826939$\pchshell.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB826939$\raspptp.sys Object is locked skipped
E:\WINDOWS\$NtUninstallKB826939$\rpcrt4.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB826939$\rpcss.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB826939$\shell32.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB826939$\shmedia.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB826939$\srrstr.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB826939$\srv.sys Object is locked skipped
E:\WINDOWS\$NtUninstallKB826939$\sysmain.sdb Object is locked skipped
E:\WINDOWS\$NtUninstallKB826939$\user32.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB826939$\win32k.sys Object is locked skipped
E:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB826939$\zipfldr.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
E:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped
E:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
E:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
E:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
E:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
E:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
E:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
 

· TSF Security Manager, Emeritus
Joined
·
42,952 Posts
Hi Mike,

Kaspersky is only reporting the presence of VNC. As long as you installed that yourself, there's no problem with it. If you did not install it, uninstall the program via the Add/Remove programs in the Control Panel.

How is your system behaving now?
 

· Registered
Joined
·
35 Posts
Discussion Starter · #14 ·
I did install VNC myself. I don't use it any longer. I should uninstall it.

I actually haven't been using the computer, as I was still scared by the results of Kaspersky:

Number of viruses found: 4
Number of infected objects: 8 / 0
Number of suspicious objects: 2

Does the fact that it found those things also mean that it cleaned/deleted them?
 

· TSF Security Manager, Emeritus
Joined
·
42,952 Posts
No, it does not clean them, and you are fine to use this computer.

Here are the entries Kaspersky is 'flagging':

C:\Program Files\RealVNC\VNC4\winvnc4.exe
C:\Program Files\RealVNC\VNC4\wm_hooks.dll
C:\Program Files\vnc-4_1_1-x86_win32.exe
E:\Program Files\RealVNC\VNC4\winvnc4.exe
E:\Program Files\RealVNC\VNC4\wm_hooks.dll
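
The Kaspersky report earlier in the thread mixes several kinds of line: files skipped because they were locked, `Infected:` and `Suspicious:` verdicts, `not-a-virus:` riskware verdicts such as the VNC entries, and roll-up lines for archives and installers. The following added example (not part of the original thread) sorts report lines into those groups and records the last action for each; the regular expression and category names are assumptions based on the lines shown in the report.

```python
import re
from collections import defaultdict

# Sample lines. The first four are copied from the report above; the last is
# constructed (shortened path) to stand in for the report's mailbox entry.
REPORT = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
C:\Program Files\vnc-4_1_1-x86_win32.exe Inno: infected - 1 skipped
C:\Documents and Settings\Mike\Application Data\Spybot - Search & Destroy\Recovery\CASClient.zip/cas2stub.exe Suspicious: Password-protected-EXE skipped
E:\Mail\Deleted Items.dbx/mail_info.zip Infected: Email-Worm.Win32.Sober.p skipped
""".strip().splitlines()

# <path> <verdict> <last action>; paths contain spaces, so anchor on the verdict.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:"
    r"(?P<locked>Object is locked)"
    r"|Infected: (?P<infected>\S+)"
    r"|Suspicious: (?P<suspicious>\S+)"
    r"|(?P<container>[A-Za-z][\w ]*): (?:infected|suspicious) - (?P<count>\d+)"
    r") (?P<action>\w+)$"
)

def classify(line):
    """Return (category, path, verdict, action), or None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    if m["locked"]:
        cat, verdict = "locked", None  # file was in use and could not be read
    elif m["infected"]:
        verdict = m["infected"]
        # "not-a-virus:" marks legitimate tools that could be misused (here: VNC)
        cat = "riskware" if verdict.startswith("not-a-virus:") else "malware"
    elif m["suspicious"]:
        cat, verdict = "suspicious", m["suspicious"]
    else:
        cat, verdict = "container", m["container"]  # roll-up of inner detections
    return cat, m["path"], verdict, m["action"]

def triage(lines):
    buckets = defaultdict(list)
    for entry in filter(None, map(classify, lines)):
        buckets[entry[0]].append(entry[1:])
    return buckets

if __name__ == "__main__":
    for cat, entries in triage(REPORT).items():
        print(cat, entries)
```

A last action of `skipped` on every entry means the scan reported the object without cleaning or deleting it.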
 

· TSF Security Manager, Emeritus
Joined
·
42,952 Posts
What you want to do is delete the entire folder--any files within it would therefore also be deleted:

C:\Program Files\RealVNC
E:\Program Files\RealVNC


You may want to keep this in case you decide you'd like this program once again. If you're sure you won't need it in the future, you may delete this file as well:

C:\Program Files\vnc-4_1_1-x86_win32.exe
 