Dave VW - Members - Posts: 12 - Reputation: 0 Neutral
Possible successful XP antivirus 2008 removal
Dave VW replied to Dave VW's topic in Resolved Malware Removal Logs
OK, got a fresh restore point after clearing out the old, and updated Acrobat and a couple of other out-of-date items. My system is actually running better than it was before, and I've learned a lot about XP and the system files. I'll definitely be following your advice to avoid further infections - a good investment! Thanks a LOT!! Cheers, Dave
Possible successful XP antivirus 2008 removal
Dave VW replied to Dave VW's topic in Resolved Malware Removal Logs
OK, here are the two new scans with the new MBAM version. Right now the system is running nicely, so I'll see if it acts up again and watch the appropriate CPU usage column. Thanks for getting me squared away with Task Manager! If nothing happens in a day or so, I'll post that info, too. Yup, I did the SP3 through Windows Update - so I'll get an original CD from my IT guys at work. Thanks again for everything, Dave

Malwarebytes' Anti-Malware 1.28
Database version: 1137
Windows 5.1.2600 Service Pack 3

9/10/2008 5:18:22 PM
mbam-log-2008-09-10 (17-18-22).txt

Scan type: Quick Scan
Objects scanned: 48399
Time elapsed: 4 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:21:28 PM, on 9/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5127 bytes
Possible successful XP antivirus 2008 removal
Dave VW replied to Dave VW's topic in Resolved Malware Removal Logs
Task Manager just shows the usual Windows processes, explorer.exe and svchost.exe and my Kaspersky, but they're only taking up <30-40MB each while the CPU usage continues to climb (sometimes). If it happens while running Firefox, then Firefox may be taking up 40-50MB or so. There are 31 processes normally. The system has 2GB. A couple years ago, there was an early XP bug that sometimes led to system memory not being freed up, resulting in climbing CPU usage like I have been seeing. For a while, people were using an application called FreeRAM to fix it. But MS supposedly fixed the problem a long time ago (even before SP2 I think), and I have SP3. But the behavior is like what others reported in old forums. Here are the ComboFix and HiJack logs. I look forward to your analysis - thanks! Dave

ComboFix 08-09-05.14 - Dave 2008-09-10 13:20:47.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1672 [GMT -4:00]
Running from: C:\Documents and Settings\Dave\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2008-08-10 to 2008-09-10 )))))))))))))))))))))))))))))))
.

2008-09-09 17:04 . 2008-09-09 17:24 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-09-09 11:32 . 2008-09-09 11:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-09-08 14:59 . 2008-09-08 14:59 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-09-08 14:59 . 2008-09-08 14:59 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-08 14:59 . 2008-09-08 14:59 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\SUPERAntiSpyware.com
2008-09-08 14:59 . 2008-09-08 14:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-08 13:57 . 2008-09-08 14:59 <DIR> d-------- C:\Program Files\a-squared Free
2008-09-07 06:09 . 2008-09-07 06:09 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-09-07 06:09 . 2005-11-21 18:22 27,006 --------- C:\WINDOWS\system32\pavas.ico
2008-09-07 06:09 . 2005-07-29 13:43 2,550 --------- C:\WINDOWS\system32\Uninstall.ico
2008-09-07 06:09 . 2005-07-29 13:43 1,406 --------- C:\WINDOWS\system32\Help.ico
2008-09-06 08:55 . 2008-09-06 08:56 <DIR> d-------- C:\Program Files\QuickTime
2008-09-06 08:26 . 2008-06-10 02:32 73,728 --------- C:\WINDOWS\system32\javacpl.cpl
2008-08-31 14:44 . 2008-08-31 14:44 <DIR> d-------- C:\Program Files\Process Explorer
2008-08-31 10:35 . 2008-08-31 10:35 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-08-31 10:35 . 2008-08-31 10:35 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\SystemRequirementsLab
2008-08-30 10:45 . 2008-06-23 12:57 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-08-30 10:45 . 2007-04-17 05:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-08-30 10:45 . 2007-03-08 01:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-08-30 10:45 . 2008-06-23 12:57 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-08-30 10:45 . 2008-06-23 12:57 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-08-30 10:45 . 2008-06-23 12:57 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-08-30 10:45 . 2008-06-23 12:57 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-08-30 10:45 . 2008-06-23 12:57 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-08-30 10:45 . 2008-06-23 05:20 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-08-30 10:14 . 2008-08-30 10:14 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-30 10:14 . 2008-08-30 10:14 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-30 10:14 . 2008-08-30 10:14 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-30 10:14 . 2008-08-30 10:14 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-30 10:11 . 2008-08-30 10:15 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-30 06:22 . 2008-08-30 06:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-08-30 05:02 . 2008-08-30 05:19 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-30 02:35 . 2008-08-30 02:35 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\deskPDF
2008-08-28 12:20 . 2008-08-28 12:20 <DIR> d-------- C:\Documents and Settings\Jodi\Application Data\Malwarebytes
2008-08-28 11:50 . 2008-08-28 11:50 <DIR> d-------- C:\Program Files\CCleaner
2008-08-27 13:17 . 2008-08-27 13:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-27 11:40 . 2008-06-19 17:24 28,544 --------- C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-27 11:39 . 2008-08-27 11:39 <DIR> d-------- C:\Program Files\Panda Security
2008-08-26 14:28 . 2008-08-26 14:35 96,976 --------- C:\WINDOWS\system32\drivers\klin.dat
2008-08-26 14:28 . 2008-08-26 14:28 87,855 --------- C:\WINDOWS\system32\drivers\klick.dat
2008-08-26 14:27 . 2008-08-26 14:27 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-08-26 14:27 . 2008-09-10 13:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-26 14:27 . 2008-09-10 13:18 3,318,816 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-26 14:27 . 2008-09-10 13:18 696,352 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-08-26 14:27 . 2008-09-10 13:18 28,056 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-26 14:27 . 2008-09-10 13:18 3,460 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-08-26 14:25 . 2008-08-26 14:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-08-25 17:27 . 2008-09-08 05:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-25 17:27 . 2008-08-25 17:27 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Malwarebytes
2008-08-25 17:27 . 2008-08-25 17:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-25 17:27 . 2008-09-08 00:11 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-25 17:27 . 2008-09-08 00:11 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-25 17:26 . 2008-08-25 17:26 82 --------- C:\WINDOWS\wininit.ini
2008-08-25 14:11 . 2008-04-11 15:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-25 14:11 . 2008-06-13 07:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-08-25 14:11 . 2008-05-08 10:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-08-25 14:07 . 2008-04-13 14:51 101,120 --a------ C:\WINDOWS\system32\drivers\bthpan.sys
2008-08-25 14:06 . 2008-04-13 20:12 151,552 --a------ C:\WINDOWS\system32\irftp.exe
2008-08-25 14:06 . 2008-04-13 14:46 59,136 --a------ C:\WINDOWS\system32\drivers\rfcomm.sys
2008-08-25 14:06 . 2008-04-13 20:11 28,160 --a------ C:\WINDOWS\system32\irmon.dll
2008-08-25 14:06 . 2008-04-13 14:46 18,944 --a------ C:\WINDOWS\system32\drivers\bthusb.sys
2008-08-25 14:06 . 2008-04-13 14:46 17,024 --a------ C:\WINDOWS\system32\drivers\bthenum.sys
2008-08-25 14:06 . 2008-04-13 20:12 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
2008-08-25 13:16 . 2004-08-04 08:00 28,288 -----c--- C:\WINDOWS\system32\dllcache\xjis.nls
2008-08-25 13:14 . 2008-04-13 20:09 13,463,552 -----c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-08-25 13:13 . 2004-08-04 08:00 1,677,824 -----c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-08-25 13:10 . 2004-08-04 08:00 16,384 -----c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-08-25 13:10 . 2008-08-25 13:10 749 -r-h----- C:\WINDOWS\WindowsShell.Manifest
2008-08-25 13:10 . 2008-08-25 13:10 749 -r-h----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-08-25 13:10 . 2008-08-25 13:10 749 -r-h----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-08-25 13:10 . 2008-08-25 13:10 749 -r-h----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-08-25 13:10 . 2008-08-25 13:10 749 -r-h----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-08-25 13:10 . 2008-08-25 13:10 488 -r-h----- C:\WINDOWS\system32\logonui.exe.manifest
2008-08-25 12:56 . 2008-08-25 12:56 <DIR> d---s---- C:\WINDOWS\system32\config\systemprofile\History
2008-08-25 08:45 . 2008-08-25 08:45 <DIR> d-------- C:\WINDOWS\dell

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-08 12:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-06 19:23 --------- d-----w C:\Program Files\Java
2008-09-06 13:07 --------- d-----w C:\Program Files\Microsoft Works
2008-08-31 18:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-31 18:42 --------- d-----w C:\Program Files\Creative
2008-08-31 18:40 --------- d-----w C:\Program Files\Audible
2008-08-26 18:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-08-26 18:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-08-13 20:20 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2008-08-13 20:20 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT
2008-07-30 00:21 218,376 ------w C:\WINDOWS\system32\klogon.dll
2008-07-30 00:20 24,774 ------w C:\WINDOWS\system32\drivers\klopp.dat
2008-07-27 15:38 --------- d-----w C:\Program Files\iTunes
2008-07-27 15:07 --------- d-----w C:\Program Files\Wave Systems Corp
2008-07-27 15:07 --------- d-----w C:\Program Files\Broadcom
2008-07-27 14:57 --------- d-----w C:\Program Files\DivX
2008-07-27 14:55 --------- d-----w C:\Documents and Settings\Dave\Application Data\Wave Systems Corp
2008-07-21 22:34 121,872 ------w C:\WINDOWS\system32\drivers\kl1.sys
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 22:12 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 1347584]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 176128]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-05-01 7561216]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [2005-11-16 344064]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 413696]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"nwiz"="nwiz.exe" [2007-11-17 C:\WINDOWS\system32\nwiz.exe]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 C:\WINDOWS\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 44544]
"RunNarrator"="Narrator.exe" [2008-04-13 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-05-19 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 ezgmntr;EZ GIG II Backup Archive Explorer;C:\WINDOWS\system32\DRIVERS\ezgmntr.sys [2007-12-17 213760]
R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 32784]
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 28544]
R2 ezgfsfilt;EZ GIG II FS Filter;C:\WINDOWS\system32\DRIVERS\ezgfsfilt.sys [2007-12-17 28800]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;C:\WINDOWS\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-04-30 24592]
S3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2005-11-18 10192896]
S3 VisorUsb;Handspring USB;C:\WINDOWS\system32\DRIVERS\VisorUsb.sys [2001-08-30 19968]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\nt1st1tz.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://my.yahoo.com/
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-10 13:23:30
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-09-10 13:25:03
ComboFix-quarantined-files.txt 2008-09-10 17:25:00
ComboFix2.txt 2008-09-10 17:06:49
Pre-Run: 74,577,608,704 bytes free
Post-Run: 74,561,019,904 bytes free
182 --- E O F --- 2008-08-30 11:27:53

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:26:53 PM, on 9/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Panda ActiveScan - {653D93AF-C741-4e5e-8C1B-59BA43F93E16} - http://www.pandasoftware.com/activescan (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5105 bytes
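The HijackThis logs in this thread are read by hand, but the first pass a helper makes over them can be scripted. The Python below is an added example, not HijackThis code and not anything posted in the thread: it parses the v2.0.2 log layout into running processes and numbered entries, then pulls out what a helper looks at first (every O4 autostart, O23 services with no recognised publisher, entries whose target is reported as "(file missing)", and the separate DLL paths inside an O20 AppInit_DLLs value, which HijackThis prints run together), and finally diffs two scans of the same machine to show what appeared and disappeared between them. The two log excerpts are constructed from a handful of lines of the 9/8 and 9/10 logs above, not the full logs, and the function names are the example's own.

```python
import re
from collections import defaultdict

# Two constructed excerpts in HijackThis v2.0.2 format. They borrow a few
# lines from the 9/8 and 9/10 logs posted in this thread but are NOT the full
# logs; everything below is example code, not HijackThis itself.
LOG_SEP8 = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:46:40 PM, on 9/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
O9 - Extra button: Panda ActiveScan - {653D93AF-C741-4e5e-8C1B-59BA43F93E16} - http://www.pandasoftware.com/activescan (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dllC:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5105 bytes
"""

LOG_SEP10 = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:21:28 PM, on 9/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5127 bytes
"""

# Every HijackThis entry line starts with a section code (R0, O4, O23, ...).
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")


def parse_hjt_log(text):
    """Split a HijackThis log into (header_lines, running_processes, entries).
    entries is a list of (code, body) tuples such as ('O23', 'Service: ...')."""
    header, processes, entries = [], [], []
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "--" or line.startswith("End of file"):
            continue
        if line == "Running processes:":
            section = "processes"
            continue
        m = ENTRY_RE.match(line)
        if m:
            section = "entries"
            entries.append((m.group("code"), m.group("body")))
        elif section == "processes":
            processes.append(line)
        elif section == "header":
            header.append(line)
    return header, processes, entries


def triage(entries):
    """Group the entries a helper reads first: every autostart (O4), services
    with no recognised publisher, entries pointing at a file that is gone, and
    the individual DLLs listed under AppInit_DLLs (O20)."""
    findings = defaultdict(list)
    for code, body in entries:
        if code == "O4":
            findings["autostart"].append(body)
        if "(file missing)" in body:
            findings["file_missing"].append(body)
        if code == "O23" and "Unknown owner" in body:
            findings["unknown_owner_service"].append(body)
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            value = body[len("AppInit_DLLs:"):].strip()
            # HijackThis prints the registry value as one string; split it
            # wherever ".dll" runs straight into the next drive letter.
            findings["appinit_dlls"].extend(
                re.split(r"(?<=\.dll)(?=[A-Za-z]:\\)", value, flags=re.IGNORECASE))
    return dict(findings)


def diff_logs(earlier, later):
    """Return (added, removed): entries that appeared and disappeared between
    two scans of the same machine. Changes are what a helper compares across
    the successive logs in a thread like this one."""
    old = set(parse_hjt_log(earlier)[2])
    new = set(parse_hjt_log(later)[2])
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    _, procs, entries = parse_hjt_log(LOG_SEP10)
    print(f"{len(procs)} running processes, {len(entries)} entries")
    for kind, items in triage(entries).items():
        print(kind)
        for item in items:
            print("   ", item)
    added, removed = diff_logs(LOG_SEP8, LOG_SEP10)
    print("added since 9/8:", *added, sep="\n    ")
    print("gone since 9/8:", *removed, sep="\n    ")
```

On the two excerpts the diff reports the AppInit_DLLs line and the missing Panda ActiveScan button as gone, and the AVP autostart, the SUPERAntiSpyware Winlogon notify and the a-squared service as new, which is the same change a reader sees by comparing the two logs above by eye.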
Possible successful XP antivirus 2008 removal
Dave VW replied to Dave VW's topic in Resolved Malware Removal Logs
Here are the other scans. Sorry, something is still going on within my web browsers and this website - something is still blocking me from this site, so I couldn't post the rest of my logs. Also, I could only update MBAM from the It-Mates UK mirror. Again, just now I was able to update from .org - so I'm trying a new full scan. I just today saw for the first time a "google-analitic" flash in the status bar of Firefox. At the very start of my problems, I was seeing the "analitic-checks" that others have reported. The trojan that Kaspersky detected a couple days ago was called Trojan.Win32.Pakes and Trojan.Win32.Agent with .kek and .kej and .acjd extensions. Interestingly, I see now that Kaspersky said "Detected" but "Untreated - Postponed" for some reason. It's not showing up now. I also tried a-squared Free and SuperAntiSpyware, with nothing detected. Also I tried MBAM and Kaspersky full scans in Safe Mode, just in case that might help. Nothing. Concerning the CPU usage, yes - I'm watching it in Task Manager, then looking to see what process(es) cause the problem, but there is often nothing significant (unusually large) there. And none of the processes' memory usages increase in proportion to the CPU usage. It's bizarre. Killing an open application, such as Firefox or an Office app, sometimes does nothing and sometimes it has a temporary effect of lowering the usage before it starts creeping up again later. Sometimes it's OK for an hour or two. Until I just now saw the goofy redirect in Firefox, I was starting to think my problem was not a virus - but now I feel like I'm back to square one with a trojan. Thanks again, Dave

;*******************************************************************************
ANALYSIS: 2008-09-08 09:29:09
PROTECTIONS: 1
MALWARE: 4
SUSPECTS: 0
;*******************************************************************************
PROTECTIONS
Description                  Version    Active  Updated
;===============================================================================
Kaspersky Internet Security  8.0.0.454  Yes     Yes
;===============================================================================
MALWARE
Id        Description          Type            Active  Severity  Disinfectable  Disinfected  Location
;===============================================================================
00139064  Cookie/Atlas DMT     TrackingCookie  No      0         Yes            No           C:\Documents and Settings\Dave\Cookies\dave@atdmt[2].txt
00139064  Cookie/Atlas DMT     TrackingCookie  No      0         Yes            No           C:\Documents and Settings\Jodi\Cookies\jodi@atdmt[1].txt
00167704  Cookie/Xiti          TrackingCookie  No      0         Yes            No           C:\Documents and Settings\Dave\Cookies\dave@xiti[1].txt
00169190  Cookie/Advertising   TrackingCookie  No      0         Yes            No           C:\Documents and Settings\Dave\Cookies\dave@advertising[2].txt
00325830  Cookie/Bridgetrack   TrackingCookie  No      0         Yes            No           C:\Documents and Settings\Dave\Cookies\dave@citi.bridgetrack[1].txt
;===============================================================================
SUSPECTS
Sent  Location
;===============================================================================
;===============================================================================
VULNERABILITIES
Id  Severity  Description
;===============================================================================
;===============================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:46:40 PM, on 9/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Panda ActiveScan - {653D93AF-C741-4e5e-8C1B-59BA43F93E16} - http://www.pandasoftware.com/activescan (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dllC:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dllC:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dllC:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) -
Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE -- End of file - 5544 bytes -
Possible successful XP antivirus 2008 removal
Dave VW replied to Dave VW's topic in Resolved Malware Removal Logs
Things were looking much better, but now I'm having problems again. I cleaned up the registry quite a bit, so booting is much faster. I updated every piece of software and every plug-in that I could, including all security programs, XP and Office SP3, QuickTime, Java, etc. Got rid of any unnecessary programs. Did lots of Microsoft security updates. The problem now is that my CPU usage keeps gradually increasing to 100% with no associated increase in processes, RAM or page file usage. svchost and explorer are usually the highest memory users, but they are not relatively high - and they don't increase when the CPU usage shoots up. It's really strange. Process Explorer can't ID the source of the CPU usage. I even thought I might be over-heating without knowing it. Firefox will be cruising along at less than 15% usage, and then 10 or 15 minutes later, low-content sites like Yahoo! News will start to slow down. This will happen with pretty much any application. Panda ActiveScan pegs it out almost every time. Right now, I can't access the Malwarebytes website from that computer, either. I tried Avira with nothing new. I did a full Kaspersky scan, and it did locate a few items, but the problems persist. I seem to be continually getting reinfected. Right now I'm using Kaspersky as my main protection. Here come my log files - thanks for any help you can provide!!!

Dave

Malwarebytes' Anti-Malware 1.27
Database version: 1128
Windows 5.1.2600 Service Pack 3

9/8/2008 8:59:10 AM
mbam-log-2008-09-08 (08-59-10).txt

Scan type: Quick Scan
Objects scanned: 47354
Time elapsed: 2 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
When I add Anti-Malware to my cart, the price shows up first in Euros, then when I select US$, it's $29.69 instead of $24.99?? I suspect this has something to do with me being in Europe at the moment and some sneaky spyware? Just kidding. Should I just wait until I return to the US to buy?
Possible successful XP antivirus 2008 removal
Dave VW replied to Dave VW's topic in Resolved Malware Removal Logs
OK, removed Bit Torrent and the HJT scan item. Here are the new MBAM and HJT posts - nothing found by MBAM...thanks, Dave

Malwarebytes' Anti-Malware 1.25
Database version: 1092
Windows 5.1.2600 Service Pack 2

11:51:01 AM 8/29/2008
mbam-log-08-29-2008 (11-51-01).txt

Scan type: Quick Scan
Objects scanned: 52429
Time elapsed: 8 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:52:09 AM, on 8/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mshearts.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O4 - HKLM\..\Run: [showLOMControl]
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5723 bytes
Possible successful XP antivirus 2008 removal
Dave VW replied to Dave VW's topic in Resolved Malware Removal Logs
OK, here are the two follow-up scans. Yes, CCleaner cleared up 5GB! Surprisingly, MBAM found another trojan, so maybe it's good I let CCleaner delete everything. Everything is running just fine - internet has been quite fast since the first round of cleaning. Thanks! Dave

Malwarebytes' Anti-Malware 1.25
Database version: 1092
Windows 5.1.2600 Service Pack 2

12:32:54 PM 8/28/2008
mbam-log-08-28-2008 (12-32-54).txt

Scan type: Quick Scan
Objects scanned: 52582
Time elapsed: 5 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CPV (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:33:37 PM, on 8/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [showLOMControl]
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [bitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Ovulation Calculator] "C:\Program Files\Ovulation Calculator\ovulcalc.exe" 1
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5957 bytes
Here are all three scan logs. Right now, neither Kaspersky nor MBAM are finding anything (follow-up scans) - so it's surprising to me that ActiveScan found some things. I run Windows XP Pro, and right now I'm not having any problems, except Firefox couldn't connect for a minute or two after logging on - kind of strange. No "analitics-checks" or anything like that showing in the search bar, though (not anymore, that is!). Thanks! Dave

Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 2

1:58:31 AM 8/26/2008
mbam-log-08-26-2008 (01-58-31).txt

Scan type: Quick Scan
Objects scanned: 55028
Time elapsed: 7 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\VrBblP05.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\x31V2wxd.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.

;*******************************************************************************
ANALYSIS: 2008-08-27 13:16:39
PROTECTIONS: 1 MALWARE: 14 SUSPECTS: 1
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
Kaspersky Internet Security 8.0.0.454 Yes Yes
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Dave\Cookies\dave@atdmt[2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Jodi\Cookies\jodi@com[1].txt
00167677 Cookie/WebPower TrackingCookie No 0 Yes No C:\Documents and Settings\Jodi\Cookies\jodi@webpower[1].txt
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Dave\Cookies\dave@xiti[1].txt
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Jodi\Cookies\jodi@xiti[1].txt
00167709 Cookie/fe.lea.lycos TrackingCookie No 0 Yes No C:\Documents and Settings\Jodi\Cookies\jodi@fe.lea.lycos[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Jodi\Cookies\jodi@serving-sys[2].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Jodi\Cookies\jodi@bs.serving-sys[1].txt
00168106 Cookie/Weborama TrackingCookie No 0 Yes No C:\Documents and Settings\Jodi\Cookies\jodi@weborama[1].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Jodi\Cookies\jodi@server.iad.liveperson[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Jodi\Cookies\jodi@advertising[2].txt
00180246 Cookie/XXXCounter TrackingCookie No 0 Yes No C:\Documents and Settings\Jodi\Cookies\jodi@xxxcounter[1].txt
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Jodi\Cookies\jodi@adultfriendfinder[1].txt
00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\Documents and Settings\Dave\Cookies\dave@citi.bridgetrack[1].txt
03511048 Application/RogueAntimalware2008 HackTools No 0 Yes No C:\Documents and Settings\Jodi\Local Settings\Temp\nsj41.tmp\euladlg.dll
;===============================================================================
SUSPECTS
Sent Location
;===============================================================================
No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP0\A0000006.dll
;===============================================================================
VULNERABILITIES
Id Severity Description
;===============================================================================
184380 MEDIUM MS08-002
184379 MEDIUM MS08-001
182048 HIGH MS07-069
182046 HIGH MS07-067
182043 HIGH MS07-064
179553 HIGH MS07-061
176382 HIGH MS07-057
176383 HIGH MS07-058
170911 HIGH MS07-050
170907 HIGH MS07-046
170906 HIGH MS07-045
170904 HIGH MS07-043
164915 HIGH MS07-035
164913 HIGH MS07-033
164911 HIGH MS07-031
160623 HIGH MS07-027
157262 HIGH MS07-022
157261 HIGH MS07-021
157260 HIGH MS07-020
157259 HIGH MS07-019
156477 HIGH MS07-017
150253 HIGH MS07-016
150249 HIGH MS07-013
150248 HIGH MS07-012
150247 HIGH MS07-011
150243 HIGH MS07-008
150242 HIGH MS07-007
150241 MEDIUM MS07-006
141034 HIGH MS06-076
141033 MEDIUM MS06-075
141030 HIGH MS06-072
137571 HIGH MS06-070
137568 HIGH MS06-067
133387 MEDIUM MS06-065
133386 MEDIUM MS06-064
133385 MEDIUM MS06-063
133379 HIGH MS06-057
131654 HIGH MS06-055
129977 MEDIUM MS06-053
129976 MEDIUM MS06-052
126093 HIGH MS06-051
126092 MEDIUM MS06-050
126087 HIGH MS06-046
126086 MEDIUM MS06-045
126083 HIGH MS06-042
126082 HIGH MS06-041
126081 HIGH MS06-040
123421 HIGH MS06-036
123420 HIGH MS06-035
120825 MEDIUM MS06-032
120823 MEDIUM MS06-030
120818 HIGH MS06-025
120815 HIGH MS06-022
120814 HIGH MS06-021
117384 MEDIUM MS06-018
114666 HIGH MS06-015
114664 HIGH MS06-013
108744 MEDIUM MS06-008
108743 MEDIUM MS06-007
108742 MEDIUM MS06-006
104567 HIGH MS06-002
104237 HIGH MS06-001
96574 HIGH MS05-053
93395 HIGH MS05-051
93394 HIGH MS05-050
93454 MEDIUM MS05-049
;===============================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:17:30 PM, on 8/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [showLOMControl]
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKUS\S-1-5-21-2540917122-3733762060-481627426-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Jodi')
O4 - HKUS\S-1-5-21-2540917122-3733762060-481627426-1005\..\Run: [bitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized (User 'Jodi')
O4 - HKUS\S-1-5-21-2540917122-3733762060-481627426-1005\..\Run: [Ovulation Calculator] "C:\Program Files\Ovulation Calculator\ovulcalc.exe" 1 (User 'Jodi')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6112 bytes
Yeah, I had the same problem. You have to get the Anti-Malware update to get rid of this part of the virus. See my previous post: http://www.malwarebytes.org/forums/index.php?showtopic=5969 But you also need to run SpyBot first using the instructions provided in this forum: http://www.malwarebytes.org/forums/index.php?showtopic=5940 You can update SpyBot manually, if necessary. Dave
-
After McAfee failed to protect or identify the AntivirusXP2000 bug, and after reading many on-line discussions and reviews - I ditched McAfee for Kaspersky, but was surprised to see during the trial version installation that Kaspersky is incompatible with SpyBot, which had to be removed to complete the installation. Interestingly, there was no conflict with MBAM. Has anyone else had this problem? What happens if I try to reinstall SpyBot now? (AntivirusXP2000 is now gone, I'm just thinking about the future) Cheers, Dave
-
As others have instructed, I managed to (finally) remove Antivirus XP 2008 (correction, not 2000) from my machine using the combination of SpyBot Search & Destroy and Malwarebytes Anti-Malware. Thanks to everyone in this forum! But I wanted to note that it was not fully removed until I ran MBAM after updating the database, also as directed. However, I could not update the MBAM database either through the program or manually using the download from any of the possible sites. Downloading the update on a 2nd computer, then installing it on the infected computer resulted in MBAM not functioning and telling me I was using an incompatible database. In order to fully remove this virus's files, I had to first run MBAM without the update. After that, the virus was still present, but I was able to auto-update MBAM with the new database through the program. With the new database, it was then able to completely remove the infected files after a clean boot. This begs the question - why isn't the update incorporated into the main MBAM download? It's not a brand new update. Regardless, thanks again to Malwarebytes and everyone on this forum. I'm buying the full version and also backing up more often! Dave
