Spambot?
Latinlover1
05-25-2006, 12:13 PM
Hi,
For the last few weeks my PC has been acting rather strangely. I have run every conceivable spyware and/or anti-virus available and it keeps coming up clean. However, very recently, I have been forced to reboot at least once every 24 hours because something keeps disabling my anti-virus program and a few other protection programs that I run continuously. Also, I have the strangest feeling that it has been infected and is being used as a spambot. The reason I suspect this is because I have received approx. 97 e-mails very recently concerning non-deliverable email which I supposedly sent (and I know for a fact that I never sent them!). In fact, I have absolutely no idea who the supposed recipients are.
Here is my HJT logfile created just a few minutes ago...
Logfile of HijackThis v1.99.1
Scan saved at 10:46:05 AM, on 5/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\EARTHL~2\PROTEC~1\ADSSER~1.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\system32\TCAUDIAG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\EarthLink TotalAccess\FastLane2\IPMon32.exe
C:\Program Files\EarthLink TotalAccess\FastLane2\IPClient.exe
C:\Program Files\EarthLink\Protection Control Center\elnk_pcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\AuthFw.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Hijack This!\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ElnkScamBHO Class - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: ElnkPubBHO Class - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ElnkProtectionBHO Class - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: ElnkLegacyUninstBHO Class - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\EarthLink TotalAccess\FastLane2\IPMon32.exe"
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\EarthLink TotalAccess\FastLane2\IPClient.exe" -l
O4 - HKLM\..\Run: [Earthlink Protection Control Center] C:\Program Files\EarthLink\Protection Control Center\elnk_pcc.exe /minimize
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://home3.ca.com/PestPatrol/uniblue/pestscan/pestscan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138131495659
O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://aerial.leepa.org/ecwplugins/ncs.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ADSService - Copyright© Aluria Software, LLC - C:\PROGRA~1\EARTHL~2\PROTEC~1\ADSSER~1.EXE
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: EarthLink Firewall Process Path Service (ElnkFWPPService) - Aluria Software, LLC. - C:\PROGRA~1\EARTHL~2\PROTEC~1\EFWPPS~1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
I consider my PC knowledge to be advanced (I have been building/configuring my own PCs for a number of years) but this situation has completely thrown me for a loop and any help/advice would be totally appreciated.
Thanxxx in advance,
LL1
AVG...SpySweeper...Earthlink's stuff...SpywareGuard...Spybot, with TeaTimer...
All good, but if there is something that has gotten by all of that it isn't showing. Have you tried a dedicated Trojan scanner?
Use the link in my sig to find the list...
Latinlover1
05-26-2006, 11:26 AM
[QUOTE]AVG...SpySweeper...Earthlink's stuff...SpywareGuard...Spybot, with TeaTimer...
All good, but if there is something that has gotten by all of that it isn't showing. Have you tried a dedicated Trojan scanner?
Use the link in my sig to find the list...[/QUOTE]
GM MJC,
Thanks for your quick reply and the links to your incredibly wonderful lists!
I tried both E-Wido Anti-malware and SwatIt! yesterday and came up clean (E-Wido found 3 very minor issues). After that I prayed and hoped but, lo and behold, the issues still exist. I will start to write down these issues and post them with the hope that suggestions keep rolling in. I'm just about at the end of my rope and will try just about anything (short of a rebuild!). In the past I would drop everything and just throw a fresh build on my HD. However, after the last two/three times, I've come to realize that rebuilding is not necessarily the way to go because before you even get to throw adware/anti-virus onto the fresh build...you're already infected!
Anyway, thanks again (your help is very much appreciated!) and if you, or anyone else, thinks of anything that might help please let me know.
Thanks,
LL1
About the only thing I can think of is that the protection programs are stumbling over each other...try disabling everything except your AV, then over the next couple of days add them back in one at a time.
That is the one thing I noticed from your log, you've got a fair number of the protection programs running all the time.
Latinlover1
05-26-2006, 01:15 PM
[QUOTE]About the only thing I can think of is that the protection programs are stumbling over each other...try disabling everything except your AV, then over the next couple of days add them back in one at a time.
That is the one thing I noticed from your log, you've got a fair number of the protection programs running all the time.[/QUOTE]
Good idea!...:) I thought of that before but since I've been running the very same protections for a few years now without any problems, I quickly dismissed it...you know how it is, sometimes the hardest thing to see is the most obvious...hehehe.
I'll give it a shot!...and again, thanks for the quick response.
LL1
And sometimes an update to something will screw up how well it behaves with other programs...several times I had that happen.
Budfred
05-26-2006, 08:16 PM
I definitely agree with shutting down the similar resident protection programs... They can conflict with each other, like TeaTimer and Windows Defender...
Also try one or both of these:
Please download RootkitRevealer.exe and unzip it into a folder. Run a scan and produce a log...
http://www.sysinternals.com/Files/RootkitRevealer.zip
When it is done, go to File and select Save...
Include the log in your next reply.
Do not worry if there are a large number of items, this is normal.
It is a deep scan which will take a considerable amount of time, I suggest you disconnect from the internet and leave the PC alone until it's finished.
To reduce the size of the log posted here, please edit out items that appear in these folders if there are some:
C:\RECYCLER\NPROTECT
C:\System Volume Information
before you post the log....
http://www.f-secure.com/blacklight/
Also, I have heard good things about this one, so try it too:
* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
* Doubleclick the drweb-cureit.exe file and Allow to run the express scan
* This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
* Once the short scan has finished, mark the drives that you want to scan.
* Select all drives. A red dot shows which drives have been chosen.
* Click the green arrow at the right, and the scan will start.
* Click 'Yes to all' if it asks if you want to cure/move the file.
* When the scan has finished, in the menu, click file and choose save report list
* Save the report to your desktop. The report will be called DrWeb.csv
* Close Dr.Web Cureit.
* Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
Latinlover1
05-26-2006, 09:24 PM
[QUOTE=Budfred]I definitely agree with shutting down the similar resident protection programs... They can conflict with each other, like TeaTimer and Windows Defender...
Also try one or both of these:[/QUOTE]
I'm definitely going to give these a shot over the weekend...=)
Now, check this out...
Today, when I had finished reading E-mail for the 900th time, I closed Earthlink TotalAccess Mailbox as usual. When attempting to close I received a message saying that my mailbox was fragmented and if I wanted to proceed to defrag it...to which I responded 'yes'. When the program attempted to defrag the mailbox, I received an error message concerning an ODBC Access Driver so I proceeded to call Earthlink tech support. They told me to un-install and re-install TotalAccess Mailbox which I did. As soon as I un-installed, re-installed and rebooted (which I always do after installing new software) I get a message from Webroots Spysweeper saying that it had detected Hotbar in memory and if I wanted to do a sweep (which I did). The sweep took awhile and upon rebooting I didn't receive any of the boot-up error messages that I've been getting for the last couple of months. For the last couple of hours the PC's been running amazingly.
Apparently, the ODBC issue was allowing the Hotbar spyware to hide in memory somehow and it was masked so well that nothing that I ran was able to find it. The problem seems solved!...for the time-being, anyway...=)
Like I said above, I'm going to give these last few ideas a run anyway but I'm totally sure that all of your advice influenced this discovery, in some way. Maybe the anti-trojans caused the ODBC error which in turn opened everything else up!
I'm absolutely grateful for all of the incredibly wonderful help/ideas/links that you all posted and will do my best to stay as active as humanly possible on this board and to recommend it to everyone that I know (hopefully, you won't get bombarded with too many noob questions).
You guys are awesome, thanks! I'll be seeing you on the board!
LL1
Budfred
05-26-2006, 10:28 PM
If your computer is being used to send SPAM, it wasn't Hotbar that did it... I would still go with the rootkit scans and make sure you don't run 2 programs that offer the same resident protections...
Latinlover1
05-27-2006, 12:39 PM
Budfred,
Here are the resulting logfiles (posted separately)...
Rootkit Revealer:
HKLM\SOFTWARE\Microsoft\DirectPlayNATHelp\DPNHUPnP\ActiveNATMappings\svchost (192.168.0.2:1035) 41412 UDP 5/27/2006 10:47 AM 32 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\Visual Networks\EarthLink\EarthLink_Dedicated.ipi 5/27/2006 10:47 AM 844 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010004.ci 5/27/2006 10:56 AM 80.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010004.dir 5/27/2006 10:56 AM 721 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffc.000 5/27/2006 2:21 AM 240 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\CiFLfffc.001 5/27/2006 2:21 AM 64.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\CiFLfffc.002 5/27/2006 2:21 AM 64.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\CiFLfffd.000 5/27/2006 10:56 AM 240 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffd.001 5/27/2006 10:56 AM 64.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffd.002 5/27/2006 10:56 AM 64.00 KB Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 5/27/2006 10:48 AM 64.00 KB Visible in Windows API, but not in MFT or directory index.
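Added example, not part of the thread: the log trimming Budfred asked for (dropping entries under C:\RECYCLER\NPROTECT and C:\System Volume Information), applied to RootkitRevealer lines in the format pasted above, with the remaining entries tallied by discrepancy type. The field layout in `LINE_RE` is an assumption inferred from the pasted lines, and the sample entries marked as constructed are not from the poster's machine.

```python
import re
from collections import Counter

# Folders the helper asked to have edited out before posting the log.
EXCLUDED_FOLDERS = (
    r"C:\RECYCLER\NPROTECT",
    r"C:\System Volume Information",
)

# Assumed layout of one pasted RootkitRevealer line (inferred from the thread):
#   <path> <M/D/YYYY H:MM AM|PM> <size> <unit> <description>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<timestamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<size>\d+(?:\.\d+)? (?:bytes|KB|MB|GB))\s+"
    r"(?P<description>.+)$"
)


def parse_line(line):
    """Split one log line into its fields; return None if it does not match."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def is_excluded(path):
    """True if path is one of the excluded folders or lies beneath one.

    The comparison is case-insensitive (Windows paths) and respects the
    path boundary, so a sibling such as 'C:\\System Volume Information2'
    is NOT treated as excluded.
    """
    lowered = path.lower()
    for folder in EXCLUDED_FOLDERS:
        prefix = folder.lower()
        if lowered == prefix or lowered.startswith(prefix + "\\"):
            return True
    return False


def trim_log(lines):
    """Return (kept, dropped, unparsed) for an iterable of log lines.

    Lines that do not parse are returned separately rather than silently
    discarded, so a reviewer still sees them.
    """
    kept, dropped, unparsed = [], [], []
    for line in lines:
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            unparsed.append(line)
        elif is_excluded(entry["path"]):
            dropped.append(entry)
        else:
            kept.append(entry)
    return kept, dropped, unparsed


def discrepancy_counts(entries):
    """Count entries per discrepancy description."""
    return Counter(entry["description"] for entry in entries)


# Sample input: the first five lines follow the log pasted in the thread;
# the last two are constructed for this example.
SAMPLE_LOG = [
    r"HKLM\SOFTWARE\Microsoft\DirectPlayNATHelp\DPNHUPnP\ActiveNATMappings\svchost (192.168.0.2:1035) 41412 UDP 5/27/2006 10:47 AM 32 bytes Hidden from Windows API.",
    r"C:\Documents and Settings\All Users\Application Data\Visual Networks\EarthLink\EarthLink_Dedicated.ipi 5/27/2006 10:47 AM 844 bytes Visible in Windows API, but not in MFT or directory index.",
    r"C:\System Volume Information\catalog.wci\00010004.ci 5/27/2006 10:56 AM 80.00 KB Hidden from Windows API.",
    r"C:\System Volume Information\catalog.wci\CiFLfffc.000 5/27/2006 2:21 AM 240 bytes Visible in Windows API, but not in MFT or directory index.",
    r"C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 5/27/2006 10:48 AM 64.00 KB Visible in Windows API, but not in MFT or directory index.",
    # Constructed: an entry under the second excluded folder.
    r"C:\RECYCLER\NPROTECT\00000001.tmp 5/27/2006 9:00 AM 1.00 KB Hidden from Windows API.",
    # Constructed: a look-alike sibling folder that must be kept.
    r"C:\System Volume Information2\odd.dat 5/27/2006 9:05 AM 12 bytes Hidden from Windows API.",
]

if __name__ == "__main__":
    kept, dropped, unparsed = trim_log(SAMPLE_LOG)
    print(f"kept {len(kept)}, dropped {len(dropped)}, unparsed {len(unparsed)}")
    for description, count in discrepancy_counts(kept).items():
        print(f"{count:3d}  {description}")
    for entry in kept:
        print(entry["path"])
```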
Latinlover1
05-27-2006, 12:49 PM
Dr.Web CureIt!:
Dr.Web(R) Scanner for Windows v4.33.2 (4.33.2.03283)
Copyright (c) Igor Daniloff, 1992-2006
Log generated on: 2006-05-26, 23:52:04 [DADANTEC][Ernesto R. Velez]
Command-line: "C:\DOCUME~1\ERNEST~1.VEL\LOCALS~1\Temp\RarSFX1\cureit.exe" /lng /ini:cureit_XP.ini
Engine version: 4.33 (4.33.2.02271)
Engine API version: 2.01
Total virus records: 123130
Key file: C:\DOCUME~1\ERNEST~1.VEL\LOCALS~1\Temp\RarSFX1\cureit.key
License key number: 0000000010
Registered to: Dr.Web CureIt Project
License key activates: 2005-03-05
License key expires: 2007-03-05
Scan statistics
Objects scanned: 0
Infected objects found: 0
Objects with modifications found: 0
Suspicious objects found: 0
Adware programs found: 0
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 0
Objects cured: 0
Objects deleted: 0
Objects renamed: 0
Objects moved: 0
Objects ignored: 0
Scan speed: 0 Kb/s
Scan time: 00:00:00
Continued in next post...sorry
Latinlover1
05-27-2006, 12:52 PM
Continuation of Dr.Web CureIt! log...
[Scan path] C:\WINDOWS\system32\DRIVERS\redbook.sys
[Scan path] C:\WINDOWS\system32\locator.exe
[Scan path] C:\WINDOWS\system32\rsvp.exe
[Scan path] C:\WINDOWS\System32\SCardSvr.exe
[Scan path] C:\WINDOWS\system32\DRIVERS\secdrv.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\serenum.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\serial.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\SI3112r.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys
[Scan path] C:\WINDOWS\System32\snmptrap.exe
[Scan path] C:\WINDOWS\system32\drivers\splitter.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\sr.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\srv.sys
[Scan path] C:\WINDOWS\system32\Drivers\SSI.SYS
[Scan path] C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
[Scan path] C:\WINDOWS\system32\DRIVERS\swenum.sys
[Scan path] C:\WINDOWS\system32\drivers\swmidi.sys
[Scan path] C:\WINDOWS\system32\drivers\sysaudio.sys
[Scan path] C:\WINDOWS\system32\smlogsvc.exe
[Scan path] C:\WINDOWS\system32\tcaicchg.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\TCAITDI.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\tcpip.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\tcpip6.sys
To Be Continued again...:(
Latinlover1
05-27-2006, 12:53 PM
Final continuation of Dr.Web CureIt! log...
Scan statistics
Objects scanned: 270
Infected objects found: 0
Objects with modifications found: 0
Suspicious objects found: 0
Adware programs found: 0
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 0
Objects cured: 0
Objects deleted: 0
Objects renamed: 0
Objects moved: 0
Objects ignored: 0
Scan speed: 3767 Kb/s
Scan time: 00:00:18
[Scan path] C:\
C:\System Volume Information\_restore{0B4B0968-B202-4D9D-B621-F0562B3B5EA9}\RP143\A0049663.dll is adware program Adware.Minibug
Scan statistics
Objects scanned: 87354
Infected objects found: 0
Objects with modifications found: 0
Suspicious objects found: 0
Adware programs found: 1
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 0
Objects cured: 0
Objects deleted: 0
Objects renamed: 0
Objects moved: 0
Objects ignored: 0
Scan speed: 221 Kb/s
Scan time: 00:51:18
C:\System Volume Information\_restore{0B4B0968-B202-4D9D-B621-F0562B3B5EA9}\RP143\A0049663.dll - deleted
Total session statistics
Objects scanned: 87624
Infected objects found: 0
Objects with modifications found: 0
Suspicious objects found: 0
Adware programs found: 1
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 0
Objects cured: 0
Objects deleted: 1
Objects renamed: 0
Objects moved: 0
Objects ignored: 0
Scan speed: 242 Kb/s
Scan time: 00:51:36
The strange thing is that I ran RR on 3 separate occasions (each time after a reboot) and got 3 different results. The 1st time it reported "Scan Complete. No Discrepancies Found". The 2nd time it reported 10 discrepancies but I wasn't able to save the logfile for some strange reason. And, finally, the 3rd log reported 11 discrepancies and is posted above.
PS...
While some issues have been resolved, per my posting of last night, some issues still remain. I will log them the very next time (usually happens every 24 hours) and post them.
Thanks,
LL1
Budfred
05-27-2006, 01:57 PM
It doesn't look like you have a rootkit and it looks like Dr.Web CureIt! only found and removed one adware program... We will need to decide what to do next based on what issues you are still having...
Of course if the SPAM hasn't been repeated, then I'd say it was just a case of spoofing your email address, which is actually a fairly common practice.
Spammer gets hold of your address and instead of putting it on the list of people to send it to, he drops it in the 'From' field and *poof* suddenly you are inundated with all the bounces/complaints from that batch.
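The spoofing explanation above can be checked against the bounces themselves. The following is an added example, not part of the original posts: it reads the headers of the failed message that a bounce carries and compares the IP that handed it to the bouncing server with your own address range. The sample bounce, the function names and the networks are constructed for illustration.

```python
import email
import ipaddress
import re
from email import policy

# Constructed bounce (DSN); every name and address is a documentation value.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Final-Recipient: rfc822; nobody@example.net
Status: 5.1.1

--b1
Content-Type: text/rfc822-headers

Received: from unknown (HELO pc) (203.0.113.77)
    by mx.example.net; Thu, 25 May 2006 09:00:00 -0400
From: me@example.org

--b1--
"""

def original_headers(bounce_text):
    """Headers of the bounced message as embedded in the DSN, or None."""
    msg = email.message_from_string(bounce_text, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/rfc822-headers":
            return email.message_from_string(part.get_payload(), policy=policy.default)
        if part.get_content_type() == "message/rfc822":
            return part.get_payload()[0]
    return None

def handoff_ip(headers):
    """Client IP in the topmost Received line, written by the bouncing site."""
    # Received lines below the top one can be forged by the sender, so skip them.
    received = headers.get_all("Received") or [""]
    m = re.search(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]", str(received[0]))
    try:
        return ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:
        return None

def classify_bounce(bounce_text, my_networks):
    """my_networks: CIDRs you send mail from (assumption: your public IP)."""
    headers = original_headers(bounce_text)
    ip = handoff_ip(headers) if headers is not None else None
    if ip is None:
        return "unknown"
    nets = [ipaddress.ip_network(n) for n in my_networks]
    return "sent-from-here" if any(ip in n for n in nets) else "spoofed"
```

If your mail normally leaves through an ISP relay, the handoff IP will be the relay's address, so a match on that range is only a lead and not proof that your own PC sent the message.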
Latinlover1
05-30-2006, 02:26 PM
Hey MJC,
You're absolutely right...it could actually just be a case of spoofing...and hopefully, that's the case...:)
Here's the list of errors that I've been getting on a daily basis...hopefully, someone has an idea of what, if anything, might be causing this...
1) Winpatrol popup declares "Winpatrol New Program Alert" (Startup program) with absolutely none of the usual information that I normally receive when I actually install a program...no publisher, etc.
2) The very next popup declares "The Connection to the Spy Sweeper engine has been lost or terminated".
3) Next one is AVG Control Center - "Shell Extension: The Shell Extension DLL Library is Not Installed"
4) System Error - 5 Access is Denied
5) SpywareGuard - "Run-time error '48': error in loading DLL"
These all have a tendency to happen one right after the other forcing me to reboot the PC. I haven't tried just re-installing the above list of software to see if it's just file degradation but I will sometime today (if I get the chance). I realize that I'm basically grasping at straws here and I must be driving you all nuts but I'm just hoping that someone/anyone has previously encountered some/all of these errors in the past and knows a simple solution to solve this...before I resort to wiping/rebuilding the HD...(which, BTW, has taken me as long as a week in the past...hehehe).
Thanks and I hope you all had a fabulous Memorial Day weekend.
LL1
You are using NTFS as your file system, right?
That is either a conflict or an infection of some kind.
At this point we have gone through most of the ways of detecting malware so if it is really masking itself then...
At this point, I think we need to pull out a bigger gun...
http://www.sysinternals.com/Utilities/Streams.html
or
http://www.heysoft.de/Frames/f_sw_la_en.htm
Concentrate on the Windows directory and all its subs...
Also
http://www.spywareinfo.com/~merijn/downloads.html ADSspy (this may be the easier one to run)
The reason that I'm suggesting a dedicated scanner is that there is a chance that since your anti-crapware programs are crashing/being disabled then something could be hiding from them.
Latinlover1
05-30-2006, 06:35 PM
Also
http://www.spywareinfo.com/~merijn/downloads.html ADSspy (this may be the easier one to run)
The reason that I'm suggesting a dedicated scanner is that there is a chance that since your anti-crapware programs are crashing/being disabled then something could be hiding from them.
That's precisely my thinking...I tried every tool I could think of...and then I found The PC Guide and am so totally thankful for all the help that you've all provided!
I'll give these a shot and see what they come up with...:)
LL1
Latinlover1
06-05-2006, 09:47 AM
Hey all!
It's been a few days since I last had time to get back here but, I have good news to report...
I tried every suggestion that you mentioned (and then some!) and the computer turned up squeaky clean (thankfully!). However, you guys definitely put me on the right track and after much work and discovery over the last couple of weeks I finally hit upon the culprit...Earthlink's Protection Control Center software was driving the PC nuts! I've been using it for quite some time now and had never had any problems with it in the past but, somewhere along the line, I must have installed or done something that didn't quite agree with it...and then the issues began. I must admit, I truly believed that I had contracted a virus or some seriously sophisticated spyware! Anyway, I uninstalled the culprit and the PC has been totally stable for over 48 hours now so...:)
Again, I thank you all from the bottom of my heart for all your help! Without your help I would have most definitely resorted to a complete rebuild (what I usually resort to when a PC issue drives me nuts) that would have taken me quite a few days and you all saved me from that headache.
Thanks!... and I'll definitely check back as often as I can...maybe I can be of help to someone else someday...:)
LL1
Glad to hear you've got it working...
Latinlover1
06-06-2006, 10:25 AM
Glad to hear you've got it working...
Amen! to that, MJC! Still stable after 72 hours...:). My PC hasn't been this stable for at least the last 3 months. I'm really glad that I took out some time to research and ended up discovering The PC Guide.
You guys ROCK!
LL1