please download the newest version of Hijack This:
http://www.trendsecure.com/portal/en...HJTInstall.exe
and one of the security experts will come by and take a looksee!
Could you please check my HJT log to see if there is anything that I have missed. Thank you!!
Logfile of HijackThis v1.99.1
Scan saved at 8:52:57 AM, on 1/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\AlienGUIse\wbload.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
D:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
D:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
D:\Program Files\Microsoft Hardware\Mouse\point32.exe
D:\Program Files\AlienAutopsy\Test_BS.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
D:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
D:\Program Files\Google\Google Updater\GoogleUpdater.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\CTsvcCDA.exe
D:\Program Files\Executive Software\DiskeeperLite\DKService.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
D:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\System32\PnkBstrA.exe
D:\Program Files\AlienAutopsy\TEKS_Service.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\Program Files\HijackThis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NexusBar - {4E7BD74F-2B8D-469E-C0FF-FD7FA18DBF33} - D:\PROGRA~1\NexusBar\nexusbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: NexusBar - {4E7BD74F-2B8D-469E-C0FF-FD7FA18DBF33} - D:\PROGRA~1\NexusBar\nexusbar.dll
O4 - HKLM\..\Run: [CTSysVol] D:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] D:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] D:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [AlienAutopsy] "D:\Program Files\AlienAutopsy\Test_BS.exe" -h
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [XboxStat] "D:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "D:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKCU\..\Run: [RemoteCenter] D:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - Global Startup: Google Updater.lnk = D:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = D:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1200240530765
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://D:\Documents and Settings\Administrator\Local Settings\Temp\EI40_\msxml4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O20 - Winlogon Notify: WB - D:\Program Files\AlienGUIse\fastload.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - D:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - D:\Program Files\AlienAutopsy\TEKS_Service.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
No Matter Where You Go......
There You Are!
My Computer:
DELL XPS 400
250 GB HD & 80 GB HD and 500 GB HD
ATI Radeon x1950 256 MB PCIe (upgrading soon)
OS: Win XP Media Center Edition
Intel Pentium D 2.79Ghz with 3.0 GB RAM + 15GB pagefile
DVD-ROM ; CD-RW; floppy
17" Monitor and 20" Widescreen dual
Looking to upgrade my PSU to a 650 Watt
Internet Help Desk
My City Visit daily!
we are not unreasonable... i mean, we wont eat your eyes
Actually, I don't mind the old version... However, the only thing showing here that is even suspicious is this:
O3 - Toolbar: NexusBar - {4E7BD74F-2B8D-469E-C0FF-FD7FA18DBF33} - D:\PROGRA~1\NexusBar\nexusbar.dll
The reports on it are unclear and it could be a threat...
Also, Java is out of date, so an update would be good...
Updating Java:
- Go to Start > Control Panel double-click on the Software icon > Add or Remove Programs.
- Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
They should have this icon next to any that are there:
Select any found and click Remove.
- Then download and install the newest version from here:
Budfred ..... Caveat Emptor....
Helpful links SpywareBlaster... HijackThis... ATF Cleaner...
Post a complaint about malware here!!
So how did I get infected in the first place??
MS MVP 2006 and ASAP member since 2004...
If you PM me for help, expect an irritated response... Post in the forum...
Looking at the program list, it seems like you have Adaware and Zone Alarm running at the same time; I think I see another one too. I use the paid version of Zone Alarm, and if you have the subscriptions, you might want to stick with that for the time being. That may also present a problem, or so I understand.
It's advisable to only run one virus program at a time; a lot of the time, more than one virus scanner will fight each other, catch less stuff, and present other problems.
I was under the impression that the new HJT was primarily for Vista and that the old HJT could still be used for XP. Should I use the new version?
I found Nexus in the add/remove programs and uninstalled that. I will be updating my java.
With regards to AdAware and Zone Alarm, I am confused. The only AV program I am running is Nod32, my ZA is my firewall and my AdAware is one of the spyware programs alongside Spybot S&D that I run.
Speaking of which, I know Budfred that you are steering away from ZA because of their toolbar insertions. I was looking at the Kerio site and did not see a personal firewall. Do I want the one through Sunbelt? I also will be getting SpywareBlaster and removing AdAware.
Budfred, I did not see anything showing add/remove in the Java Control Panel, I see General, Update, Java, Security and Advance. Am I looking in the wrong area?
We had the checker.exe popping up and I went through everything to make sure it was gone but wanted to make sure it was gone.
awaj,
I have asked you not to comment in malware threads since your advice can actually confuse the situation... There is NO problem running a firewall and an anti-spyware program on the same computer at the same time, it is actually a good idea... There is even no problem running 2 anti-spyware programs at the same time as long as they do something very different, like SpywareBlaster and TeaTimer...
gracious,
The latest version of HJT works on Vista, but it is also for earlier versions of Windows, so it is fine to use it and may provide some improvements over the previous version...
The Control Panel for Windows is where you will find the Add or Remove Programs to remove old Java versions...
The latest version of Kerio is at Sunbelt and seems to be available only for a free trial, but it will continue working after the trial and will just give the occasional nudge to upgrade to the pay version... If you don't want that, you could also go with Outpost or Comodo...
If you want to be more sure that the computer is clean, you could do a ComboFix log...
Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/comb...o-use-combofix
Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
I misread your line here, I thought the "software icon" meant the Java icon lol, I see that it points to Add/Remove...duh...sorry
Go to Start > Control Panel double-click on the Software icon > Add or Remove Programs.
If the Kerio only costs $10 I probably will just get that.
And on the other items, will do Budfred!!! YOU ARE AWESOME!!
Last edited by gracious; 01-18-2008 at 07:19 PM.
Ok, ZA is uninstalled, Kerio is installed. AdAware is uninstalled, SpywareBlaster is installed and Java has been updated to the new version.
Here are the logs, HJT first:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:39:36 AM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\AlienGUIse\wbload.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
D:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
D:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Microsoft Hardware\Mouse\point32.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
D:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
D:\WINDOWS\System32\CTsvcCDA.exe
D:\Program Files\Executive Software\DiskeeperLite\DKService.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\System32\PnkBstrA.exe
D:\Program Files\AlienAutopsy\TEKS_Service.exe
D:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
D:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
D:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
D:\WINDOWS\System32\msiexec.exe
D:\Program Files\AlienAutopsy\Test_BS.exe
D:\Program Files\HiJackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CTSysVol] D:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] D:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] D:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [AlienAutopsy] "D:\Program Files\AlienAutopsy\Test_BS.exe" -h
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [XboxStat] "D:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "D:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [RemoteCenter] D:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = D:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1200240530765
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://D:\Documents and Settings\Administrator\Local Settings\Temp\EI40_\msxml4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - D:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - D:\Program Files\AlienAutopsy\TEKS_Service.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - D:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
--
End of file - 6645 bytes
Last edited by gracious; 01-19-2008 at 12:10 PM.
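A worked example, added here and not part of the thread: a short Python script that parses the "Onn -" lines of the two HijackThis logs posted above, reports what changed between the 1/17 and 1/19 logs (the NexusBar BHO and toolbar, the ZoneAlarm run key and the vsmon service gone; the Java 6u3 BHO, the jusched run key and the Sunbelt SPF4 service new), and applies a few triage rules of the kind a log reader uses by hand: services with "Unknown owner", Winlogon Notify / SSODL / SharedTaskScheduler entries, and anything registered from a Temp directory. The log excerpts are copied from the logs in this thread; the rule set, the section list in LOGON_SECTIONS and the flag wording are my own choices, not HijackThis features.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Excerpts copied from the two HijackThis logs posted above: the 1/17 log
# (v1.99.1, before NexusBar and ZoneAlarm were removed) and the 1/19 log (v2.0.2).
LOG_BEFORE = r"""
O2 - BHO: NexusBar - {4E7BD74F-2B8D-469E-C0FF-FD7FA18DBF33} - D:\PROGRA~1\NexusBar\nexusbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: NexusBar - {4E7BD74F-2B8D-469E-C0FF-FD7FA18DBF33} - D:\PROGRA~1\NexusBar\nexusbar.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://D:\Documents and Settings\Administrator\Local Settings\Temp\EI40_\msxml4.cab
O20 - Winlogon Notify: WB - D:\Program Files\AlienGUIse\fastload.dll
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

LOG_AFTER = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://D:\Documents and Settings\Administrator\Local Settings\Temp\EI40_\msxml4.cab
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - D:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# First drive-letter path on the line that ends in a loadable/installable extension.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]*?\.(?:exe|dll|ocx|cpl|sys|cab))', re.IGNORECASE)
# HJT sections whose entries run inside winlogon/explorer at logon (my own list,
# not an HJT setting): O20 Winlogon Notify / AppInit_DLLs, O21 SSODL, O22 SharedTaskScheduler.
LOGON_SECTIONS = {"O20", "O21", "O22"}


@dataclass(frozen=True)
class Entry:
    section: str          # e.g. "O23"
    text: str             # the full log line
    path: Optional[str]   # first file path found on the line, PROGRA~1 expanded


def parse_hjt(log: str) -> List[Entry]:
    """Keep only the 'Onn - ...' lines; the process list and headers are skipped."""
    entries = []
    for raw in log.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        pm = PATH_RE.search(m.group(2))
        path = None
        if pm:
            path = re.sub(r"PROGRA~1", "Program Files", pm.group(1), flags=re.IGNORECASE)
        entries.append(Entry(m.group(1), line, path))
    return entries


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Return (entries only in the first log, entries only in the second log)."""
    b = {e.text for e in parse_hjt(before)}
    a = {e.text for e in parse_hjt(after)}
    return sorted(b - a), sorted(a - b)


def review_flags(log: str) -> List[Tuple[str, str]]:
    """Cheap triage rules; a hit means 'look at it', not 'this is malware'."""
    flags = []
    for e in parse_hjt(log):
        if e.section == "O23" and " - Unknown owner - " in e.text:
            flags.append(("service with no vendor name", e.text))
        if e.section in LOGON_SECTIONS:
            flags.append(("DLL loaded at logon, verify the file", e.text))
        if e.path and re.search(r"\\(Temp|Temporary Internet Files)\\", e.path, re.IGNORECASE):
            flags.append(("component registered from a temp directory", e.path))
    return flags


if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("Gone since the first log:")
    for t in removed:
        print("  -", t)
    print("New in the second log:")
    for t in added:
        print("  +", t)
    print("Still worth a look in the second log:")
    for reason, what in review_flags(LOG_AFTER):
        print(f"  [{reason}] {what}")
```

One caveat the thread itself illustrates: the 1/19 HijackThis log lists no O20 line, yet the ComboFix "Reg Loading Points" section from the same day still shows the WB Winlogon Notify package (fastload.dll) and AppInit_DLLs=wbsys.dll. A diff of two HJT logs therefore only tells you what HJT chose to list; cross-check load points against the ComboFix output before calling a machine clean.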
Combo log page 1
ComboFix 08-01-18.5 - Administrator 2008-01-19 10:51:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1649 [GMT -8:00]
Running from: D:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\RECYCLER\desktopA.sys
D:\RECYCLER\desktopA.sys
.
((((((((((((((((((((((((( Files Created from 2007-12-19 to 2008-01-19 )))))))))))))))))))))))))))))))
.
2008-01-19 10:49 . 2000-08-31 08:00 51,200 --a------ D:\WINDOWS\NirCmd.exe
2008-01-19 10:35 . 2008-01-19 10:37 <DIR> d-------- D:\Program Files\SpywareBlaster
2008-01-19 10:35 . 2005-08-25 18:19 1,066,176 --a------ D:\WINDOWS\system32\MSCOMCTL.OCX
2008-01-19 10:35 . 2005-08-25 18:19 115,920 --a------ D:\WINDOWS\system32\MSINET.OCX
2008-01-19 10:31 . 2008-01-19 10:31 <DIR> d-------- D:\Program Files\Java
2008-01-19 10:31 . 2007-09-24 23:31 69,632 --a------ D:\WINDOWS\system32\javacpl.cpl
2008-01-19 10:30 . 2008-01-19 10:30 <DIR> d-------- D:\Program Files\Common Files\Java
2008-01-19 10:27 . 2008-01-19 10:27 401,720 --a------ D:\Program Files\HiJackThis.exe
2008-01-19 10:17 . 2008-01-19 10:28 276 --a------ D:\WINDOWS\system32\drivers\fwdrv.err
2008-01-19 10:15 . 2008-01-19 10:15 <DIR> d-------- D:\Program Files\Sunbelt Software
2008-01-15 22:59 . 2008-01-15 22:59 5,760,054 --a------ D:\WINDOWS\ALX_1600x1200.bmp
2008-01-15 22:57 . 2008-01-15 22:57 3,932,214 --a------ D:\WINDOWS\AW_XenoMorph1280.bmp
2008-01-14 23:52 . 2008-01-14 23:52 <DIR> d-------- D:\Program Files\Stardock
2008-01-14 23:52 . 2008-01-16 07:54 163,712 --a------ D:\WINDOWS\system32\drivers\vidstub.sys
2008-01-14 23:46 . 2008-01-14 23:46 <DIR> d-------- D:\WINDOWS\system32\Uninstall
2008-01-14 22:54 . 2008-01-14 23:44 45,056 --a------ D:\WINDOWS\system32\sstunst3.exe
2008-01-14 22:54 . 2008-01-14 22:55 69 --a------ D:\WINDOWS\NeroDigital.ini
2008-01-14 22:53 . 2008-01-14 23:44 1,061,188 --a------ D:\WINDOWS\system32\ah.mx1
2008-01-14 22:53 . 2008-01-14 23:44 564,736 --a------ D:\WINDOWS\system32\ah.scr
2008-01-14 22:53 . 2008-01-14 23:44 20,610 --a------ D:\WINDOWS\system32\ah.ibx
2008-01-14 20:44 . 2005-02-01 14:20 5,760,056 --a------ D:\WINDOWS\Darkstar.bmp
2008-01-14 19:37 . 2008-01-15 23:04 3,932,214 --a------ D:\WINDOWS\InvaderDark1280.bmp
2008-01-14 19:33 . 2008-01-14 23:52 <DIR> d-------- D:\Program Files\Common Files\Stardock
2008-01-14 19:33 . 2008-01-15 22:59 <DIR> d-------- D:\Program Files\AlienGUIse
2008-01-14 19:33 . 2003-02-26 22:27 36,864 --a------ D:\WINDOWS\system32\wbsys.dll
2008-01-14 19:33 . 2008-01-14 19:33 56 --a------ D:\WINDOWS\wb.ini
2008-01-14 17:26 . 2008-01-14 17:26 <DIR> d----c--- D:\WINDOWS\system32\DRVSTORE
2008-01-14 17:26 . 2007-02-26 17:15 61,984 --a------ D:\WINDOWS\system32\drivers\xusb21.sys
2008-01-14 17:26 . 2008-01-14 17:26 0 --ah----- D:\WINDOWS\system32\drivers\Msft_Kernel_xusb21_01001.Wdf
2008-01-14 17:16 . 2008-01-14 17:16 0 --ah----- D:\WINDOWS\system32\drivers\MsftWdf_Kernel_01001_Coinstaller_Critical.Wdf
2008-01-14 17:16 . 2008-01-14 17:16 0 --ah----- D:\WINDOWS\system32\drivers\Msft_Kernel_xusb20_01001.Wdf
2008-01-14 17:14 . 2008-01-14 17:25 <DIR> d-------- D:\Program Files\Microsoft Xbox 360 Accessories
2008-01-14 07:58 . 2008-01-14 07:58 <DIR> d-------- D:\WINDOWS\Sun
2008-01-13 17:36 . 2008-01-13 17:57 <DIR> d-------- D:\Program Files\Game Elements
2008-01-13 17:36 . 2006-02-08 13:41 176,128 --a------ D:\WINDOWS\system32\GGE910cp.dll
2008-01-13 17:36 . 2005-12-27 13:50 40,960 --a------ D:\WINDOWS\system32\xpadfrc.dll
2008-01-13 17:36 . 2004-08-03 21:58 14,848 --a------ D:\WINDOWS\system32\drivers\kbdhid.sys
2008-01-13 17:36 . 2004-08-03 21:58 14,848 --a--c--- D:\WINDOWS\system32\dllcache\kbdhid.sys
2008-01-13 11:21 . 2007-06-29 00:43 123,602 --a------ D:\WINDOWS\system32\nvapps.nvb
2008-01-13 11:20 . 2007-06-29 01:54 356,352 --a------ D:\WINDOWS\system32\NVUNINST.EXE
2008-01-13 10:56 . 2008-01-13 10:56 463 --a------ D:\WINDOWS\system32\CTHELPER.RPT
2008-01-13 10:53 . 2008-01-13 10:53 <DIR> d-------- D:\Program Files\MSXML 4.0
2008-01-13 10:49 . 2006-08-21 01:14 128,896 -----c--- D:\WINDOWS\system32\dllcache\fltmgr.sys
2008-01-13 10:49 . 2006-08-21 01:14 23,040 -----c--- D:\WINDOWS\system32\dllcache\fltmc.exe
2008-01-13 10:49 . 2006-08-21 04:21 16,896 -----c--- D:\WINDOWS\system32\dllcache\fltlib.dll
2008-01-13 10:45 . 2007-07-09 05:09 584,192 -----c--- D:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-13 09:24 . 2004-08-03 23:56 221,184 --a------ D:\WINDOWS\system32\wmpns.dll
2008-01-13 09:23 . 2008-01-13 09:23 <DIR> d-------- D:\WINDOWS\provisioning
2008-01-13 09:23 . 2008-01-13 09:23 <DIR> d-------- D:\WINDOWS\peernet
2008-01-13 09:21 . 2008-01-13 09:21 <DIR> d-------- D:\WINDOWS\ServicePackFiles
2008-01-13 09:15 . 2008-01-13 09:15 <DIR> d-------- D:\WINDOWS\EHome
2008-01-13 09:12 . 2002-04-15 21:11 67,866 --------- D:\WINDOWS\system32\drivers\netwlan5.img
2008-01-13 09:12 . 2004-08-04 00:56 11,776 --------- D:\WINDOWS\system32\spnpinst.exe
2008-01-13 09:12 . 2004-08-02 14:20 7,208 --------- D:\WINDOWS\system32\secupd.sig
2008-01-13 09:12 . 2004-08-02 14:20 4,569 --------- D:\WINDOWS\system32\secupd.dat
2008-01-13 08:41 . 2004-08-03 23:56 614,912 --a------ D:\WINDOWS\system32\h323msp.dll
Combo log page 2:
--a------ D:\WINDOWS\system32\ipnathlp.dll
2008-01-13 08:41 . 2004-08-03 23:56 265,728 --a------ D:\WINDOWS\system32\h323.tsp
2008-01-13 08:41 . 2007-03-08 07:36 40,960 --a------ D:\WINDOWS\system32\mf3216.dll
2008-01-13 08:41 . 2004-01-09 21:11 26,112 --a------ D:\WINDOWS\system32\xpsp1hfm.exe
2008-01-13 08:35 . 2005-10-20 14:20 1,082,368 --a------ D:\WINDOWS\system32\esent.dll
2008-01-13 08:12 . 2008-01-13 10:59 <DIR> d--h----- D:\WINDOWS\$hf_mig$
2008-01-13 08:12 . 2006-02-20 11:12 22,752 --a------ D:\WINDOWS\system32\spupdsvc.exe
2008-01-13 08:11 . 2008-01-13 08:11 <DIR> d-------- D:\WINDOWS\system32\bits
2008-01-13 08:10 . 2004-08-03 23:56 351,232 --a------ D:\WINDOWS\system32\winhttp.dll
2008-01-13 08:10 . 2004-08-03 23:56 18,944 --a------ D:\WINDOWS\system32\qmgrprxy.dll
2008-01-13 08:10 . 2004-08-03 23:56 8,192 --------- D:\WINDOWS\system32\bitsprx2.dll
2008-01-13 08:10 . 2004-08-03 23:56 7,168 --------- D:\WINDOWS\system32\bitsprx3.dll
2008-01-13 08:09 . 2007-07-30 19:19 549,720 --a------ D:\WINDOWS\system32\wuapi.dll
2008-01-13 08:09 . 2007-07-30 19:19 325,976 --a------ D:\WINDOWS\system32\wucltui.dll
2008-01-13 08:09 . 2007-07-30 19:19 216,408 --a------ D:\WINDOWS\system32\wuaucpl.cpl
2008-01-13 08:09 . 2007-07-30 19:19 43,352 --a------ D:\WINDOWS\system32\wups2.dll
2008-01-13 08:09 . 2007-07-30 19:18 34,136 --a------ D:\WINDOWS\system32\wucltui.dll.mui
2008-01-13 08:09 . 2007-07-30 19:18 33,624 --a------ D:\WINDOWS\system32\wups.dll
2008-01-13 08:09 . 2007-07-30 19:19 25,944 --a------ D:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-13 08:09 . 2007-07-30 19:19 25,944 --a------ D:\WINDOWS\system32\wuapi.dll.mui
2008-01-13 08:09 . 2007-07-30 19:18 20,312 --a------ D:\WINDOWS\system32\wuaueng.dll.mui
2008-01-12 21:19 . 2008-01-12 21:19 <DIR> d---s---- D:\Documents and Settings\Administrator\UserData
2008-01-12 21:06 . 2008-01-12 21:08 2,723 --a------ D:\WINDOWS\DevMgr.ini
2008-01-12 21:05 . 2008-01-12 21:05 <DIR> d-------- D:\WINDOWS\system32\NtmsData
2008-01-12 21:05 . 2008-01-12 21:05 <DIR> d-------- D:\Program Files\Hewlett-Packard
2008-01-12 21:05 . 2004-08-03 21:58 207,360 --a------ D:\WINDOWS\system32\drivers\dot4.sys
2008-01-12 21:05 . 2001-08-17 13:47 23,808 --a------ D:\WINDOWS\system32\drivers\Dot4usb.sys
2008-01-12 21:05 . 2001-08-17 13:47 23,808 --a--c--- D:\WINDOWS\system32\dllcache\dot4usb.sys
2008-01-12 21:05 . 2001-08-17 13:47 12,928 --a------ D:\WINDOWS\system32\drivers\Dot4Prt.sys
2008-01-12 21:05 . 2001-08-17 13:47 12,928 --a--c--- D:\WINDOWS\system32\dllcache\dot4prt.sys
2008-01-12 21:05 . 2001-08-17 13:47 8,704 --a------ D:\WINDOWS\system32\drivers\Dot4Scan.sys
2008-01-12 21:05 . 2001-08-17 13:47 8,704 --a--c--- D:\WINDOWS\system32\dllcache\dot4scan.sys
2008-01-12 21:05 . 2008-01-12 21:05 20 --a------ D:\WINDOWS\Hposcv07.INI
2008-01-12 21:04 . 2008-01-12 21:05 <DIR> d-------- D:\WINDOWS\AiOTemp
2008-01-12 21:04 . 2005-12-01 03:57 350,208 --a------ D:\WINDOWS\system32\hpojwiad.dll
2008-01-12 21:04 . 2005-12-01 03:57 90,112 --a------ D:\WINDOWS\system32\hpocon09.exe
2008-01-12 21:04 . 2005-12-01 03:57 22,139 --a------ D:\WINDOWS\system32\hpocoi08.dll
2008-01-12 21:04 . 2005-12-01 03:57 22,048 --a------ D:\WINDOWS\system32\cocpyinf.dll
2008-01-12 20:49 . 2008-01-14 19:47 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-12 20:46 . 2008-01-12 20:48 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-12 20:26 . 2004-08-03 23:56 192,000 --a------ D:\WINDOWS\system32\iuengine.dll
2008-01-12 20:01 . 2008-01-19 10:09 <DIR> d-------- D:\Program Files\Google
2008-01-12 19:57 . 2008-01-12 19:57 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\ESET
2008-01-12 19:47 . 2008-01-12 19:47 <DIR> d-------- D:\Program Files\FireTrust
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-19 18:39 6,646 ----a-w D:\Program Files\hijackthis.log
2008-01-06 06:33 669,184 ----a-w D:\WINDOWS\system32\pbsvc.exe
2008-01-06 06:33 66,872 ----a-w D:\WINDOWS\system32\PnkBstrA.exe
2007-11-20 22:36 --------- d-----w D:\Program Files\microsoft frontpage
2007-11-07 09:26 721,920 ----a-w D:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w D:\WINDOWS\system32\quartz.dll
2007-10-28 01:39 230,912 ----a-w D:\WINDOWS\system32\wmasf.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"="D:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-06-12 09:47 135168]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="D:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-07-02 10:03 57344]
"CTDVDDET"="D:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 01:00 45056]
"CTHelper"="CTHELPER.EXE" [2003-06-19 19:55 24576 D:\WINDOWS\system32\CTHELPER.EXE]
"AsioReg"="REGSVR32.exe" [2004-08-03 23:56 11776 D:\WINDOWS\system32\regsvr32.exe]
"SBDrvDet"="D:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 18:06 45056]
"UpdReg"="D:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"IMONTRAY"="C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe" [2003-01-10 12:08 32768]
"NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43 8466432]
"nwiz"="nwiz.exe" [2007-06-29 00:43 1626112 D:\WINDOWS\system32\nwiz.exe]
"POINTER"="point32.exe" []
"AlienAutopsy"="D:\Program Files\AlienAutopsy\Test_BS.exe" [2002-02-26 16:38 98304]
"NeroFilterCheck"="D:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 16:40 155648]
"egui"="D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 08:21 1443072]
"NvMediaCenter"="D:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 00:43 81920]
"XboxStat"="D:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 18:05 734264]
"BootSkin Startup Jobs"="D:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-26 16:21 270336]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HPAiODevice(hp officejet 7100 series) - 1.lnk - D:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe [2003-06-24 23:23:40]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
D:\Program Files\AlienGUIse\fastload.dll 2001-12-20 23:34 24576 D:\Program Files\AlienGUIse\fastload.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll
R1 epfwtdir;epfwtdir;D:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-12-21 08:21]
R1 fwdrv;Firewall Driver;D:\WINDOWS\system32\drivers\fwdrv.sys [2007-04-26 10:21]
R1 khips;Kerio HIPS Driver;D:\WINDOWS\system32\drivers\khips.sys [2007-04-26 10:21]
R1 TeksKernel;TeksKernel;D:\WINDOWS\system32\Drivers\TeksKernel.sys [2002-02-26 16:30]
R2 ProductivITService;ProductivIT Service;D:\Program Files\AlienAutopsy\TEKS_Service.exe [2002-02-26 16:39]
S2 SPF4;Sunbelt Personal Firewall 4;"D:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe" [2007-04-26 10:21]
S3 XPAD910;XPADFilter Service 910;D:\WINDOWS\system32\DRIVERS\xpad910.sys []
S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;D:\WINDOWS\system32\DRIVERS\xusb20.sys [2006-10-13 14:48]
*Newly Created Service* - FWDRV
*Newly Created Service* - KHIPS
*Newly Created Service* - PROCEXP90
*Newly Created Service* - SPF4
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-19 10:55:17
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-19 10:56:40
ComboFix-quarantined-files.txt 2008-01-19 18:56:34
No Matter Where You Go......
There You Are!
I don't see any problems... Try this one and if it is clean, it is likely that you are clear...
Please use the Internet Explorer browser (or Firefox with IETab), and do an online scan with Kaspersky Online Scanner
Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component
Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files. When the scan is done, in the Scan is completed window (below), any infection is displayed.
- Once the files are downloaded click on Next
- Click on Scan Settings and configure as follows:
- Scan using the following Anti-Virus database:
- Extended
- Scan Options:
- Scan Archives
- Scan Mail Bases
- Click OK and, under select a target to scan, select My Computer
There is no option to clean/disinfect; however, we need to analyze the information in the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.
Budfred ..... Caveat Emptor....
Helpful links SpywareBlaster... HijackThis... ATF Cleaner...
Post a complaint about malware here!!
So how did I get infected in the first place??
MS MVP 2006 and ASAP member since 2004...
If you PM me for help, expect an irritated response... Post in the forum...
will do scan next.
I have a question about Kerio firewall. I am so used to ZA and being able to configure which programs I allow to run.....
We use mailwasher pro to check our email. When I click "process mail" it opens up our Outlook express. Now I am receiving Intrusion Alerts and it says
Sunbelt Personal Firewall has detected and blocked an intrusion attempt of the type Code Injection. The technical details about the attack are provided in the window below.
Then it shows
Intruder: D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
and then I click "close" and my outlook express loads. The emails do say that they are checked by NOD32.
Why is it doing this and how do I enable this to run with Kerio?
Please advise
The scan came out clean. Here is the log. Thank you for all of your assistance Budfred, it is most appreciated. On the Kerio thing, I went into the HIPS and pasted the intrusion D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe as an exclusion and it doesn't pop up anymore. Was this correct to do? I see that SpywareBlaster is a behind-the-scenes spyware checker; for manual scanning, is Spybot S&D all that I need? Thank you again Budfred HUGS HUGS HUGS!!!!!!!!!!!!!!!!!!!!!!
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, January 19, 2008 2:55:00 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/01/2008
Kaspersky Anti-Virus database records: 523903
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
H:\
I:\
J:\
K:\
L:\
Scan Statistics:
Total number of scanned objects: 136855
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 01:59:35
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Brother\BrLog\BrCollectDir\BR_cat.bat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Brother\BrLog\BrCollectDir\BR_Compress_20070628_203357_1_1 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Brother\BrLog\BrCollectDir\BR_PC_CHK.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Brother\BrLog\BrCollectDir\Progress_log_Compress.txt Object is locked skipped
C:\Program Files\Audible\Bin\ADMTemp.html Object is locked skipped
C:\Program Files\Audible\Bin\AudibleDM_iTunesSetup.exe Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008011920080120\index.dat Object is locked skipped
D:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Charon\CACHE.NDB Object is locked skipped
D:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\virlog.dat Object is locked skipped
D:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\warnlog.dat Object is locked skipped
D:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
D:\Program Files\Sunbelt Software\Personal Firewall\logs\debug.log Object is locked skipped
D:\Program Files\Sunbelt Software\Personal Firewall\logs\debug.log.idx Object is locked skipped
D:\Program Files\Sunbelt Software\Personal Firewall\logs\error.log Object is locked skipped
D:\Program Files\Sunbelt Software\Personal Firewall\logs\error.log.idx Object is locked skipped
D:\Program Files\Sunbelt Software\Personal Firewall\logs\hips.log Object is locked skipped
D:\Program Files\Sunbelt Software\Personal Firewall\logs\hips.log.idx Object is locked skipped
D:\Program Files\Sunbelt Software\Personal Firewall\logs\ids.log Object is locked skipped
D:\Program Files\Sunbelt Software\Personal Firewall\logs\ids.log.idx Object is locked skipped
D:\Program Files\Sunbelt Software\Personal Firewall\logs\network.log Object is locked skipped
D:\Program Files\Sunbelt Software\Personal Firewall\logs\network.log.idx Object is locked skipped
D:\Program Files\Sunbelt Software\Personal Firewall\logs\system.log Object is locked skipped
D:\Program Files\Sunbelt Software\Personal Firewall\logs\system.log.idx Object is locked skipped
D:\Program Files\Sunbelt Software\Personal Firewall\logs\warning.log Object is locked skipped
D:\Program Files\Sunbelt Software\Personal Firewall\logs\warning.log.idx Object is locked skipped
D:\Program Files\Sunbelt Software\Personal Firewall\logs\web.log Object is locked skipped
D:\Program Files\Sunbelt Software\Personal Firewall\logs\web.log.idx Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{243BD688-1C7A-4BC1-B863-360EBE87A9F2}\RP180\change.log Object is locked skipped
D:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
D:\WINDOWS\SchedLgU.Txt Object is locked skipped
D:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
D:\WINDOWS\Sti_Trace.log Object is locked skipped
D:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
D:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
D:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\default Object is locked skipped
D:\WINDOWS\system32\config\default.LOG Object is locked skipped
D:\WINDOWS\system32\config\SAM Object is locked skipped
D:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
D:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\SECURITY Object is locked skipped
D:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
D:\WINDOWS\system32\config\software Object is locked skipped
D:\WINDOWS\system32\config\software.LOG Object is locked skipped
D:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\system Object is locked skipped
D:\WINDOWS\system32\config\system.LOG Object is locked skipped
D:\WINDOWS\system32\h323log.txt Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
D:\WINDOWS\wiadebug.log Object is locked skipped
D:\WINDOWS\wiaservc.log Object is locked skipped
D:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\WINDOWS\{00000003-00000000-00000002-00001102-00000004-20021102}.CDF Object is locked skipped
Scan process completed.
Last edited by gracious; 01-19-2008 at 04:39 PM.
It is possible that one of those locked objects is infected, but it doesn't seem likely...
The way you dealt with the NOD32/Kerio issue is probably what I would have done, but I use Thunderbird and I don't think the issue came up... I have set a few things as exclusions in Kerio and NOD32 so they won't cause problems, but I don't remember exactly which ones I have done... Keep in mind that Kerio has a Simple mode that won't bug you if you want to use it...
Your Java is still one version out of date, so you may want to go for the latest update again...
You can use SpywareBlaster to block nasty ActiveX controls and Spybot for scanning, but I would also activate TeaTimer to provide active protection...
I think you have seen my prevention speech before, but I changed it recently, so here it is:
Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.
Please navigate to http://windowsupdate.microsoft.com and download all the "Critical Updates" for Windows. These will patch many of the security holes through which attackers can gain access to your computer.
Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.
As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.
Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:
Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features if you don't have the resident part of another anti-spyware program running.
SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.
SpywareGuard
A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.
If you use Internet Explorer, it is a good idea to use IE-Spyad which provides protections against malicious websites.
Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad, can be run with any of them.
Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm
Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.
If you are interested, Firefox may be downloaded from here
Opera is available here: http://www.opera.com/download/
For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place
Hopefully these steps will help to keep you error-free. If you run into more difficulty, we will certainly do what we can to help.
Budfred, thank you again for all of the help and info. I do have Kerio set to simple mode. It is not so much a problem for me but for my hubbie, who has no patience to figure these things out LOL. Right now we are dealing with Mailwasher Pro not being able to report spam; it times out and then Mailwasher locks up. I am thinking it might be the Kerio, will have to do research on it. At least I know the machine is clean and that I do thank you for!!!!! Like I said before, you are AWESOME!
I am not sure what you mean about MailWasher not being able to report SPAM... I use NOD32, Kerio and MailWasher myself and haven't had any problem with that combination... Of course, I also use Firefox and Thunderbird...
If you are talking about bouncing the SPAM, please don't do that... It is ineffective and just adds to the problem... If you are talking about forwarding SPAM to SpamCop, I don't use that, so I don't know how Kerio would interfere with that... It probably would require setting an exclusion in Kerio to allow the forwarding...
I never bounce emails; that would be crazy. I don't want those spammers knowing they have found an email addy to bombard their junk with, plus I have read horror stories of spammers who would take revenge by putting your email addy on their spam so that you end up with a bunch of bounced emails in your inbox. Doesn't sound like fun to me!
I guess what I meant was the First Alert, which I guess has had problems with overloads on their servers. We see Mailwasher sending the report, which takes forever, and then it says something to the effect that First Alert servers can't be contacted. When we try to process mail, Mailwasher locks up. I think I am going to try to uninstall Kerio and then reinstall with the advanced mode; this way hubbie can allow or deny and save when he goes online....that is what he was used to with ZA. He said he has noticed that his surfing time is slow and pages sometimes don't load or are very very slow to load. I did uncheck "enable Web filtering" to see if that helps.
I was referring to the "Bounce" feature in MailWasher which is supposed to bounce it in a way that suggests to the SPAMmer that your address doesn't exist... Unfortunately, SPAMmers don't care anymore -- they send out to random addresses just so they hit an occasional mailbox... Also, the SPAM is usually sent from some of their victims' PCs or from spoofed addresses, so the bounced email bounces around and generates even more useless email traffic which slows down the web... It was a nice idea and may have worked briefly, but it is obsolete now...
I don't use First Alert, so I don't have experience with it... You could just turn it off and see if that makes a difference... Also, you don't need to reinstall Kerio, just opt for the Advanced mode in the Kerio control panel...
The only thing I left ticked was the Spamhaus. I will see if that helps. Anyway, appreciate the help. It is so nice to have a place to post my puter woes and know that I am getting the best advice there is on the planet!
Thank you Budfred.
Well Budfred, it seems maybe I still do have issues. This morning I started up hubbie's puter to check email and went online and a ZA message popped up asking me if I wanted to allow or deny checker.exe to proceed. I marked deny, and to remember this setting. Does that mean it is still lingering around or do I have some software that is using this?
Did you ever figure out where checker is or what it may be related to...such a nice generic name?
If not, try using Process Explorer to see if you can trace what is triggering it...
AV, Anti-Trojan List;Browser and Email client List;Popup Killer List;Portable Apps
“When men yield up the privilege of thinking, the last shadow of liberty quits the horizon.” - Thomas Paine
Remember: Amateurs built the ark; professionals built the Titanic.
Take nice care of yourselves - Paul - ♪ -
Help to start using BiNG. Some stuff about Boot CDs & Data Recovery Basics & Back-up using Knoppix.
Do a Silent Runners log so we may be able to get a better idea of what might be causing this... The presence of this file and the firewall issues suggest it could be malware...
Please download SilentRunners from here:
http://www.silentrunners.org/Silent%20Runners.zip
Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, it will create a logfile on the desktop. Please post the entire contents of this logfile for me to see.
Wow that looks like a really neat tool, I will try to see where it is generating from.
Paul, thank you for the link. I also went to the links from that thread and I guess this checker.exe could also be from a legit program or a virus, so that is kind of scary not knowing.
Budfred, hubbie is using the puter right now, at Ebay. As soon as he is done I will kick him off and run the Silent Runners program and also the Process Explorer.
I downloaded the Process Explorer and didn't see checker.exe, so then I used "run" to search for the file and I now know that it is a safe program. It has to do with the Xbox 360 game pad controller!
I downloaded to the desktop the silent runners but for the life of me could not find where the log is. It says it is in 'startup programs owner 2008, 01/23 .txt.
Where is that?
Also, we ran SpywareDoctor and this was found and eliminated:
Trojan.generic
Trojan-PWS.tanspy