
Issues with checker.exe, please check HJT log

1. Could you please check my HJT log to see if there is anything that I have missed. Thank you!!

Logfile of HijackThis v1.99.1
Scan saved at 8:52:57 AM, on 1/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
D:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
D:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
D:\Program Files\Microsoft Hardware\Mouse\point32.exe
D:\Program Files\AlienAutopsy\Test_BS.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
D:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\CTsvcCDA.exe
D:\Program Files\Executive Software\DiskeeperLite\DKService.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\System32\PnkBstrA.exe
D:\Program Files\AlienAutopsy\TEKS_Service.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: NexusBar - {4E7BD74F-2B8D-469E-C0FF-FD7FA18DBF33} - D:\PROGRA~1\NexusBar\nexusbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: NexusBar - {4E7BD74F-2B8D-469E-C0FF-FD7FA18DBF33} - D:\PROGRA~1\NexusBar\nexusbar.dll
O4 - HKLM\..\Run: [CTSysVol] D:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] D:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] D:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [AlienAutopsy] "D:\Program Files\AlienAutopsy\Test_BS.exe" -h
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [XboxStat] "D:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "D:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKCU\..\Run: [RemoteCenter] D:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = D:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1200240530765
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://D:\Documents and Settings\Administrator\Local Settings\Temp\EI40_\msxml4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O20 - Winlogon Notify: WB - D:\Program Files\AlienGUIse\fastload.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - D:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - D:\Program Files\AlienAutopsy\TEKS_Service.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

http://www.trendsecure.com/portal/en...HJTInstall.exe

and one of the security experts will come by and take a looksee!

3. Actually, I don't mind the old version... However, the only thing showing here that is even suspicious is this:

O3 - Toolbar: NexusBar - {4E7BD74F-2B8D-469E-C0FF-FD7FA18DBF33} - D:\PROGRA~1\NexusBar\nexusbar.dll

The reports on it are unclear and it could be a threat...

Also, Java is out of date, so an update would be good...

Updating Java:
• Go to Start > Control Panel double-click on the Software icon > Add or Remove Programs.
• Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
They should have this icon next to any that are there:
Select any found and click Remove.

4. The Greek god of Audio
Looking at the program list, it seems like you have Adaware and Zone Alarm running at the same time, I think I see another one too. I use the paid version of Zone Alarm, and if you have the subscriptions, you might want to stick with that for the time being. That may also present a problem, or so I understand.

It's advisable to only run one virus program at a time; a lot of the time, more than one virus scanner will fight each other and catch less stuff, and present other problems.

5. I was under the impression that the new HJT was primarily for Vista and that the old HJT could still be used for XP. Should I use the new vs.?

I found Nexus in the add/remove programs and uninstalled that. I will be updating my java.

With regards to AdAware and Zone Alarm, I am confused. The only AV program I am running is Nod32, my ZA is my firewall and my AdAware is one of the spyware programs alongside Spybot S&D that I run.

Speaking of which, I know Budfred that you are steering away from ZA because of their toolbar insertions. I was looking at the Kerio site and did not see a personal firewall. Do I want the one through Sunbelt? I also will be getting SpywareBlaster and removing AdAware.

Budfred, I did not see anything showing add/remove in the Java Control Panel, I see General, Update, Java, Security and Advance. Am I looking in the wrong area?

We had the checker.exe popping up and I went through everything to make sure it was gone but wanted to make sure it was gone.

6. awaj,

I have asked you not to comment in malware threads since your advice can actually confuse the situation... There is NO problem running a firewall and an anti-spyware program on the same computer at the same time, it is actually a good idea... There is even no problem running 2 anti-spyware programs at the same time as long as they do something very different, like SpywareBlaster and TeaTimer...

gracious,

The latest version of HJT works on Vista, but it is also for earlier versions of Windows, so it is fine to use it and may provide some improvements over the previous version...

The Control Panel for Windows is where you will find the Add or Remove Programs to remove old Java versions...

The latest version of Kerio is at Sunbelt and seems to be available only for a free trial, but it will continue working after the trial and will just give the occasional nudge to upgrade to the pay version... If you don't want that, you could also go with Outpost or Comodo...

If you want to be more sure that the computer is clean, you could do a ComboFix log...

http://www.bleepingcomputer.com/comb...o-use-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

7. Go to Start > Control Panel double-click on the Software icon > Add or Remove Programs.
I misread your line here, I thought the "software icon" meant the Java icon lol, I see that it points to Add/Remove...duh...sorry

If the Kerio only costs $10 I probably will just get that. And on the other items, will do Budfred!!! YOU ARE AWESOME!

Last edited by gracious; 01-18-2008 at 07:19 PM.

8. Ok, ZA is uninstalled, Kerio is installed. AdAware is uninstalled, SpywareBlaster is installed and java has updated vs. Here are the logs, HJT first:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:39:36 AM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\AlienGUIse\wbload.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
D:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
D:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Microsoft Hardware\Mouse\point32.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
D:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
D:\WINDOWS\System32\CTsvcCDA.exe
D:\Program Files\Executive Software\DiskeeperLite\DKService.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\System32\PnkBstrA.exe
D:\Program Files\AlienAutopsy\TEKS_Service.exe
D:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
D:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
D:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
D:\WINDOWS\System32\msiexec.exe
D:\Program Files\AlienAutopsy\Test_BS.exe
D:\Program Files\HiJackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CTSysVol] D:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] D:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] D:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [AlienAutopsy] "D:\Program Files\AlienAutopsy\Test_BS.exe" -h
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [XboxStat] "D:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "D:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [RemoteCenter] D:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = D:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1200240530765
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://D:\Documents and Settings\Administrator\Local Settings\Temp\EI40_\msxml4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - D:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - D:\Program Files\AlienAutopsy\TEKS_Service.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - D:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

--
End of file - 6645 bytes

Last edited by gracious; 01-19-2008 at 12:10 PM.

9. Combo log page 1

ComboFix 08-01-18.5 - Administrator 2008-01-19 10:51:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1649 [GMT -8:00]
Running from: D:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\RECYCLER\desktopA.sys
D:\RECYCLER\desktopA.sys

.
((((((((((((((((((((((((( Files Created from 2007-12-19 to 2008-01-19 )))))))))))))))))))))))))))))))
.

2008-01-19 10:49 . 2000-08-31 08:00 51,200 --a------ D:\WINDOWS\NirCmd.exe
2008-01-19 10:35 . 2008-01-19 10:37 <DIR> d-------- D:\Program Files\SpywareBlaster
2008-01-19 10:35 . 2005-08-25 18:19 1,066,176 --a------ D:\WINDOWS\system32\MSCOMCTL.OCX
2008-01-19 10:35 . 2005-08-25 18:19 115,920 --a------ D:\WINDOWS\system32\MSINET.OCX
2008-01-19 10:31 . 2008-01-19 10:31 <DIR> d-------- D:\Program Files\Java
2008-01-19 10:31 . 2007-09-24 23:31 69,632 --a------ D:\WINDOWS\system32\javacpl.cpl
2008-01-19 10:30 . 2008-01-19 10:30 <DIR> d-------- D:\Program Files\Common Files\Java
2008-01-19 10:27 . 2008-01-19 10:27 401,720 --a------ D:\Program Files\HiJackThis.exe
2008-01-19 10:17 . 2008-01-19 10:28 276 --a------ D:\WINDOWS\system32\drivers\fwdrv.err
2008-01-19 10:15 . 2008-01-19 10:15 <DIR> d-------- D:\Program Files\Sunbelt Software
2008-01-15 22:59 . 2008-01-15 22:59 5,760,054 --a------ D:\WINDOWS\ALX_1600x1200.bmp
2008-01-15 22:57 . 2008-01-15 22:57 3,932,214 --a------ D:\WINDOWS\AW_XenoMorph1280.bmp
2008-01-14 23:52 . 2008-01-14 23:52 <DIR> d-------- D:\Program Files\Stardock
2008-01-14 23:52 . 2008-01-16 07:54 163,712 --a------ D:\WINDOWS\system32\drivers\vidstub.sys
2008-01-14 23:46 . 2008-01-14 23:46 <DIR> d-------- D:\WINDOWS\system32\Uninstall
2008-01-14 22:54 . 2008-01-14 23:44 45,056 --a------ D:\WINDOWS\system32\sstunst3.exe
2008-01-14 22:54 . 2008-01-14 22:55 69 --a------ D:\WINDOWS\NeroDigital.ini
2008-01-14 22:53 . 2008-01-14 23:44 1,061,188 --a------ D:\WINDOWS\system32\ah.mx1
2008-01-14 22:53 . 2008-01-14 23:44 564,736 --a------ D:\WINDOWS\system32\ah.scr
2008-01-14 22:53 . 2008-01-14 23:44 20,610 --a------ D:\WINDOWS\system32\ah.ibx
2008-01-14 20:44 . 2005-02-01 14:20 5,760,056 --a------ D:\WINDOWS\Darkstar.bmp
2008-01-14 19:37 . 2008-01-15 23:04 3,932,214 --a------ D:\WINDOWS\InvaderDark1280.bmp
2008-01-14 19:33 . 2008-01-14 23:52 <DIR> d-------- D:\Program Files\Common Files\Stardock
2008-01-14 19:33 . 2008-01-15 22:59 <DIR> d-------- D:\Program Files\AlienGUIse
2008-01-14 19:33 . 2003-02-26 22:27 36,864 --a------ D:\WINDOWS\system32\wbsys.dll
2008-01-14 19:33 . 2008-01-14 19:33 56 --a------ D:\WINDOWS\wb.ini
2008-01-14 17:26 . 2008-01-14 17:26 <DIR> d----c--- D:\WINDOWS\system32\DRVSTORE
2008-01-14 17:26 . 2007-02-26 17:15 61,984 --a------ D:\WINDOWS\system32\drivers\xusb21.sys
2008-01-14 17:26 . 2008-01-14 17:26 0 --ah----- D:\WINDOWS\system32\drivers\Msft_Kernel_xusb21_01001.Wdf
2008-01-14 17:16 . 2008-01-14 17:16 0 --ah----- D:\WINDOWS\system32\drivers\MsftWdf_Kernel_01001_Coinstaller_Critical.Wdf
2008-01-14 17:16 . 2008-01-14 17:16 0 --ah----- D:\WINDOWS\system32\drivers\Msft_Kernel_xusb20_01001.Wdf
2008-01-14 17:14 . 2008-01-14 17:25 <DIR> d-------- D:\Program Files\Microsoft Xbox 360 Accessories
2008-01-14 07:58 . 2008-01-14 07:58 <DIR> d-------- D:\WINDOWS\Sun
2008-01-13 17:36 . 2008-01-13 17:57 <DIR> d-------- D:\Program Files\Game Elements
2008-01-13 17:36 . 2006-02-08 13:41 176,128 --a------ D:\WINDOWS\system32\GGE910cp.dll
2008-01-13 17:36 . 2005-12-27 13:50 40,960 --a------ D:\WINDOWS\system32\xpadfrc.dll
2008-01-13 17:36 . 2004-08-03 21:58 14,848 --a------ D:\WINDOWS\system32\drivers\kbdhid.sys
2008-01-13 17:36 . 2004-08-03 21:58 14,848 --a--c--- D:\WINDOWS\system32\dllcache\kbdhid.sys
2008-01-13 11:21 . 2007-06-29 00:43 123,602 --a------ D:\WINDOWS\system32\nvapps.nvb
2008-01-13 11:20 . 2007-06-29 01:54 356,352 --a------ D:\WINDOWS\system32\NVUNINST.EXE
2008-01-13 10:56 . 2008-01-13 10:56 463 --a------ D:\WINDOWS\system32\CTHELPER.RPT
2008-01-13 10:53 . 2008-01-13 10:53 <DIR> d-------- D:\Program Files\MSXML 4.0
2008-01-13 10:49 . 2006-08-21 01:14 128,896 -----c--- D:\WINDOWS\system32\dllcache\fltmgr.sys
2008-01-13 10:49 . 2006-08-21 01:14 23,040 -----c--- D:\WINDOWS\system32\dllcache\fltmc.exe
2008-01-13 10:49 . 2006-08-21 04:21 16,896 -----c--- D:\WINDOWS\system32\dllcache\fltlib.dll
2008-01-13 10:45 . 2007-07-09 05:09 584,192 -----c--- D:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-13 09:24 . 2004-08-03 23:56 221,184 --a------ D:\WINDOWS\system32\wmpns.dll
2008-01-13 09:23 . 2008-01-13 09:23 <DIR> d-------- D:\WINDOWS\provisioning
2008-01-13 09:23 . 2008-01-13 09:23 <DIR> d-------- D:\WINDOWS\peernet
2008-01-13 09:21 . 2008-01-13 09:21 <DIR> d-------- D:\WINDOWS\ServicePackFiles
2008-01-13 09:15 . 2008-01-13 09:15 <DIR> d-------- D:\WINDOWS\EHome
2008-01-13 09:12 . 2002-04-15 21:11 67,866 --------- D:\WINDOWS\system32\drivers\netwlan5.img
2008-01-13 09:12 . 2004-08-04 00:56 11,776 --------- D:\WINDOWS\system32\spnpinst.exe
2008-01-13 09:12 . 2004-08-02 14:20 7,208 --------- D:\WINDOWS\system32\secupd.sig
2008-01-13 09:12 . 2004-08-02 14:20 4,569 --------- D:\WINDOWS\system32\secupd.dat
2008-01-13 08:41 . 2004-08-03 23:56 614,912 --a------ D:\WINDOWS\system32\h323msp.dll

10. Combo log page 2:

--a------ D:\WINDOWS\system32\ipnathlp.dll
2008-01-13 08:41 . 2004-08-03 23:56 265,728 --a------ D:\WINDOWS\system32\h323.tsp
2008-01-13 08:41 . 2007-03-08 07:36 40,960 --a------ D:\WINDOWS\system32\mf3216.dll
2008-01-13 08:41 . 2004-01-09 21:11 26,112 --a------ D:\WINDOWS\system32\xpsp1hfm.exe
2008-01-13 08:35 . 2005-10-20 14:20 1,082,368 --a------ D:\WINDOWS\system32\esent.dll
2008-01-13 08:12 . 2008-01-13 10:59 <DIR> d--h----- D:\WINDOWS\$hf_mig\$
2008-01-13 08:12 . 2006-02-20 11:12 22,752 --a------ D:\WINDOWS\system32\spupdsvc.exe
2008-01-13 08:11 . 2008-01-13 08:11 <DIR> d-------- D:\WINDOWS\system32\bits
2008-01-13 08:10 . 2004-08-03 23:56 351,232 --a------ D:\WINDOWS\system32\winhttp.dll
2008-01-13 08:10 . 2004-08-03 23:56 18,944 --a------ D:\WINDOWS\system32\qmgrprxy.dll
2008-01-13 08:10 . 2004-08-03 23:56 8,192 --------- D:\WINDOWS\system32\bitsprx2.dll
2008-01-13 08:10 . 2004-08-03 23:56 7,168 --------- D:\WINDOWS\system32\bitsprx3.dll
2008-01-13 08:09 . 2007-07-30 19:19 549,720 --a------ D:\WINDOWS\system32\wuapi.dll
2008-01-13 08:09 . 2007-07-30 19:19 325,976 --a------ D:\WINDOWS\system32\wucltui.dll
2008-01-13 08:09 . 2007-07-30 19:19 216,408 --a------ D:\WINDOWS\system32\wuaucpl.cpl
2008-01-13 08:09 . 2007-07-30 19:19 43,352 --a------ D:\WINDOWS\system32\wups2.dll
2008-01-13 08:09 . 2007-07-30 19:18 34,136 --a------ D:\WINDOWS\system32\wucltui.dll.mui
2008-01-13 08:09 . 2007-07-30 19:18 33,624 --a------ D:\WINDOWS\system32\wups.dll
2008-01-13 08:09 . 2007-07-30 19:19 25,944 --a------ D:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-13 08:09 . 2007-07-30 19:19 25,944 --a------ D:\WINDOWS\system32\wuapi.dll.mui
2008-01-13 08:09 . 2007-07-30 19:18 20,312 --a------ D:\WINDOWS\system32\wuaueng.dll.mui
2008-01-12 21:19 . 2008-01-12 21:19 <DIR> d---s---- D:\Documents and Settings\Administrator\UserData
2008-01-12 21:06 . 2008-01-12 21:08 2,723 --a------ D:\WINDOWS\DevMgr.ini
2008-01-12 21:05 . 2008-01-12 21:05 <DIR> d-------- D:\WINDOWS\system32\NtmsData
2008-01-12 21:05 . 2008-01-12 21:05 <DIR> d-------- D:\Program Files\Hewlett-Packard
2008-01-12 21:05 . 2004-08-03 21:58 207,360 --a------ D:\WINDOWS\system32\drivers\dot4.sys
2008-01-12 21:05 . 2001-08-17 13:47 23,808 --a------ D:\WINDOWS\system32\drivers\Dot4usb.sys
2008-01-12 21:05 . 2001-08-17 13:47 23,808 --a--c--- D:\WINDOWS\system32\dllcache\dot4usb.sys
2008-01-12 21:05 . 2001-08-17 13:47 12,928 --a------ D:\WINDOWS\system32\drivers\Dot4Prt.sys
2008-01-12 21:05 . 2001-08-17 13:47 12,928 --a--c--- D:\WINDOWS\system32\dllcache\dot4prt.sys
2008-01-12 21:05 . 2001-08-17 13:47 8,704 --a------ D:\WINDOWS\system32\drivers\Dot4Scan.sys
2008-01-12 21:05 . 2001-08-17 13:47 8,704 --a--c--- D:\WINDOWS\system32\dllcache\dot4scan.sys
2008-01-12 21:05 . 2008-01-12 21:05 20 --a------ D:\WINDOWS\Hposcv07.INI
2008-01-12 21:04 . 2008-01-12 21:05 <DIR> d-------- D:\WINDOWS\AiOTemp
2008-01-12 21:04 . 2005-12-01 03:57 350,208 --a------ D:\WINDOWS\system32\hpojwiad.dll
2008-01-12 21:04 . 2005-12-01 03:57 90,112 --a------ D:\WINDOWS\system32\hpocon09.exe
2008-01-12 21:04 . 2005-12-01 03:57 22,139 --a------ D:\WINDOWS\system32\hpocoi08.dll
2008-01-12 21:04 . 2005-12-01 03:57 22,048 --a------ D:\WINDOWS\system32\cocpyinf.dll
2008-01-12 20:49 . 2008-01-14 19:47 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-12 20:46 . 2008-01-12 20:48 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-12 20:26 . 2004-08-03 23:56 192,000 --a------ D:\WINDOWS\system32\iuengine.dll
2008-01-12 20:01 . 2008-01-19 10:09 <DIR> d-------- D:\Program Files\Google
2008-01-12 19:57 . 2008-01-12 19:57 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\ESET
2008-01-12 19:47 . 2008-01-12 19:47 <DIR> d-------- D:\Program Files\FireTrust

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-19 18:39 6,646 ----a-w D:\Program Files\hijackthis.log
2008-01-06 06:33 669,184 ----a-w D:\WINDOWS\system32\pbsvc.exe
2008-01-06 06:33 66,872 ----a-w D:\WINDOWS\system32\PnkBstrA.exe
2007-11-20 22:36 --------- d-----w D:\Program Files\microsoft frontpage
2007-11-07 09:26 721,920 ----a-w D:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w D:\WINDOWS\system32\quartz.dll
2007-10-28 01:39 230,912 ----a-w D:\WINDOWS\system32\wmasf.dll
.

.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"="D:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-06-12 09:47 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="D:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-07-02 10:03 57344]
"CTDVDDET"="D:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 01:00 45056]
"CTHelper"="CTHELPER.EXE" [2003-06-19 19:55 24576 D:\WINDOWS\system32\CTHELPER.EXE]
"AsioReg"="REGSVR32.exe" [2004-08-03 23:56 11776 D:\WINDOWS\system32\regsvr32.exe]
"SBDrvDet"="D:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 18:06 45056]
"UpdReg"="D:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"IMONTRAY"="C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe" [2003-01-10 12:08 32768]
"NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43 8466432]
"nwiz"="nwiz.exe" [2007-06-29 00:43 1626112 D:\WINDOWS\system32\nwiz.exe]
"POINTER"="point32.exe" []
"AlienAutopsy"="D:\Program Files\AlienAutopsy\Test_BS.exe" [2002-02-26 16:38 98304]
"NeroFilterCheck"="D:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 16:40 155648]
"egui"="D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 08:21 1443072]
"NvMediaCenter"="D:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 00:43 81920]
"XboxStat"="D:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 18:05 734264]
"BootSkin Startup Jobs"="D:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-26 16:21 270336]

HPAiODevice(hp officejet 7100 series) - 1.lnk - D:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe [2003-06-24 23:23:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

R1 epfwtdir;epfwtdir;D:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-12-21 08:21]
R1 fwdrv;Firewall Driver;D:\WINDOWS\system32\drivers\fwdrv.sys [2007-04-26 10:21]
R1 khips;Kerio HIPS Driver;D:\WINDOWS\system32\drivers\khips.sys [2007-04-26 10:21]
R1 TeksKernel;TeksKernel;D:\WINDOWS\system32\Drivers\TeksKernel.sys [2002-02-26 16:30]
R2 ProductivITService;ProductivIT Service;D:\Program Files\AlienAutopsy\TEKS_Service.exe [2002-02-26 16:39]
S2 SPF4;Sunbelt Personal Firewall 4;"D:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe" [2007-04-26 10:21]
S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;D:\WINDOWS\system32\DRIVERS\xusb20.sys [2006-10-13 14:48]

*Newly Created Service* - FWDRV
*Newly Created Service* - KHIPS
*Newly Created Service* - PROCEXP90
*Newly Created Service* - SPF4
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-19 10:55:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-19 10:56:40
ComboFix-quarantined-files.txt 2008-01-19 18:56:34
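
Budfred read the two HijackThis logs above (post 1 before the cleanup, post 8 after it) by eye and spotted the one odd entry. As an added example, not code from the thread or from HijackThis itself, here is a small Python script that parses HJT-format lines, diffs two logs to show what disappeared and what is new between scans, and applies two triage heuristics of my own (services with no recorded owner, files loaded from a Temp folder); the embedded log excerpts are constructed from the two posted logs.

```python
"""Diff two HijackThis logs and flag entries worth a second look.
Added example, not part of HijackThis or of this thread; the triage rules
in review_candidates are my own heuristics."""
import re
from typing import Dict, List, Set, Tuple

# Every HJT finding is "O<n> - <body>"; the body layout differs per section.
ITEM_RE = re.compile(r"^(O\d+) - (.*)$")

# Constructed excerpts of the two logs posted in the thread (posts 1 and 8).
OLD_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:52:57 AM, on 1/17/2008

Running processes:
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O2 - BHO: NexusBar - {4E7BD74F-2B8D-469E-C0FF-FD7FA18DBF33} - D:\PROGRA~1\NexusBar\nexusbar.dll
O3 - Toolbar: NexusBar - {4E7BD74F-2B8D-469E-C0FF-FD7FA18DBF33} - D:\PROGRA~1\NexusBar\nexusbar.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

NEW_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:39:36 AM, on 1/19/2008
Boot mode: Normal

Running processes:
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://D:\Documents and Settings\Administrator\Local Settings\Temp\EI40_\msxml4.cab
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - D:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
"""


def parse_hjt(log_text: str) -> Tuple[Set[str], Dict[str, Set[str]]]:
    """Return (running process paths, {section: item bodies}); paths are
    lower-cased because HJT prints them in whatever case the registry used."""
    processes: Set[str] = set()
    items: Dict[str, Set[str]] = {}
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line closes the process block
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        m = ITEM_RE.match(line)
        if m:
            in_processes = False
            items.setdefault(m.group(1), set()).add(m.group(2))
        elif in_processes:
            processes.add(line.lower())
    return processes, items


def diff_hjt(old: str, new: str) -> Dict[str, Dict[str, Set[str]]]:
    """Per section, what disappeared and what is new between two logs."""
    old_p, old_i = parse_hjt(old)
    new_p, new_i = parse_hjt(new)
    changes = {"processes": {"removed": old_p - new_p, "added": new_p - old_p}}
    for section in sorted(set(old_i) | set(new_i)):
        o, n = old_i.get(section, set()), new_i.get(section, set())
        if o != n:
            changes[section] = {"removed": o - n, "added": n - o}
    return changes


def review_candidates(log_text: str) -> List[Tuple[str, str, str]]:
    """My own triage heuristics: O23 services with no recorded owner, and any
    item whose file sits in a Temp folder. A hit means "look it up", not "bad"."""
    _, items = parse_hjt(log_text)
    flagged = []
    for section, bodies in sorted(items.items()):
        for body in sorted(bodies):
            if section == "O23" and "unknown owner" in body.lower():
                flagged.append((section, body, "service without a recorded owner"))
            elif "\\temp\\" in body.lower():
                flagged.append((section, body, "file loaded from a Temp folder"))
    return flagged


if __name__ == "__main__":
    for section, change in diff_hjt(OLD_LOG, NEW_LOG).items():
        for kind in ("removed", "added"):
            for entry in sorted(change[kind]):
                print(f"{section:9} {kind:7} {entry}")
    for section, body, why in review_candidates(NEW_LOG):
        print(f"REVIEW {section}: {why}: {body}")
```

Run against the two full logs in the thread it lists the NexusBar BHO/toolbar and the ZoneAlarm entries as removed, the Kerio (Sunbelt) service and the Java updater as added, and leaves PnkBstrA and the Temp-folder msxml4.cab entry for a manual lookup.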

11. I don't see any problems... Try this one and if it is clean, it is likely that you are clear...

Please use the Internet Explorer browser (or FireFox with IETab), and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
• Click on Scan Settings and configure as follows:
• Scan using the following Anti-Virus database:
• Extended
• Scan Options:
• Scan Archives
• Scan Mail Bases
• Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save

12. will do scan next.

I have a question about Kerio firewall. I am so used to ZA and being able to configure which programs I allow to run.....

We use mailwasher pro to check our email. When I click "process mail" it opens up our Outlook express. Now I am receiving Intrusion Alerts and it says

Sunbelt Personal Firewall has detected and blocked an intrusion attempt of the type Code Injection. The technical details about the attack are provided in the window below.

Then it shows

Intruder: D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

and then I click "close" and my outlook express loads. The emails do say that they are checked by NOD32.

Why is it doing this and how do I enable this to run with Kerio?

13. The scan came out clean. Here is the log. Thank you for all of your assistance Budfred, it is most appreciated. On the Kerio thing, I went into the HIPS and pasted the intrusion D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe as an exclusion and it doesn't pop up anymore. Was this correct to do? I see that SpywareBlaster is a behind-the-scenes spyware checker; for manual scanning, is Spybot S&D all that I need? Thank you again Budfred HUGS HUGS HUGS!!!!!!!!!!!!!!!!!!!!!!
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, January 19, 2008 2:55:00 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/01/2008
Kaspersky Anti-Virus database records: 523903
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
H:\
I:\
J:\
K:\
L:\

Scan Statistics:
Total number of scanned objects: 136855
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 01:59:35

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Brother\BrLog\BrCollectDir\BR_cat.bat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Brother\BrLog\BrCollectDir\BR_Compress_20070628_203357_1_1 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Brother\BrLog\BrCollectDir\BR_PC_CHK.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Brother\BrLog\BrCollectDir\Progress_log_Compress.txt Object is locked skipped
C:\Program Files\Audible\Bin\ADMTemp.html Object is locked skipped
C:\Program Files\Audible\Bin\AudibleDM_iTunesSetup.exe Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008011920080120\index.dat Object is locked skipped
D:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Charon\CACHE.NDB Object is locked skipped
D:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\virlog.dat Object is locked skipped
D:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\warnlog.dat Object is locked skipped
D:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
D:\Program Files\Sunbelt Software\Personal Firewall\logs\debug.log Object is locked skipped
D:\Program Files\Sunbelt Software\Personal Firewall\logs\debug.log.idx Object is locked skipped
D:\Program Files\Sunbelt Software\Personal Firewall\logs\error.log Object is locked skipped
D:\Program Files\Sunbelt Software\Personal Firewall\logs\error.log.idx Object is locked skipped
D:\Program Files\Sunbelt Software\Personal Firewall\logs\hips.log Object is locked skipped
D:\Program Files\Sunbelt Software\Personal Firewall\logs\hips.log.idx Object is locked skipped
D:\Program Files\Sunbelt Software\Personal Firewall\logs\ids.log Object is locked skipped
D:\Program Files\Sunbelt Software\Personal Firewall\logs\ids.log.idx Object is locked skipped
D:\Program Files\Sunbelt Software\Personal Firewall\logs\network.log Object is locked skipped
D:\Program Files\Sunbelt Software\Personal Firewall\logs\network.log.idx Object is locked skipped
D:\Program Files\Sunbelt Software\Personal Firewall\logs\system.log Object is locked skipped
D:\Program Files\Sunbelt Software\Personal Firewall\logs\system.log.idx Object is locked skipped
D:\Program Files\Sunbelt Software\Personal Firewall\logs\warning.log Object is locked skipped
D:\Program Files\Sunbelt Software\Personal Firewall\logs\warning.log.idx Object is locked skipped
D:\Program Files\Sunbelt Software\Personal Firewall\logs\web.log Object is locked skipped
D:\Program Files\Sunbelt Software\Personal Firewall\logs\web.log.idx Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{243BD688-1C7A-4BC1-B863-360EBE87A9F2}\RP180\change.log Object is locked skipped
D:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
D:\WINDOWS\SchedLgU.Txt Object is locked skipped
D:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
D:\WINDOWS\Sti_Trace.log Object is locked skipped
D:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
D:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
D:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\default Object is locked skipped
D:\WINDOWS\system32\config\default.LOG Object is locked skipped
D:\WINDOWS\system32\config\SAM Object is locked skipped
D:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
D:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\SECURITY Object is locked skipped
D:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
D:\WINDOWS\system32\config\software Object is locked skipped
D:\WINDOWS\system32\config\software.LOG Object is locked skipped
D:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\system Object is locked skipped
D:\WINDOWS\system32\config\system.LOG Object is locked skipped
D:\WINDOWS\system32\h323log.txt Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
D:\WINDOWS\wiaservc.log Object is locked skipped
D:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\WINDOWS\{00000003-00000000-00000002-00001102-00000004-20021102}.CDF Object is locked skipped

Scan process completed.
Last edited by gracious; 01-19-2008 at 04:39 PM.

14. It is possible that one of those locked objects is infected, but it doesn't seem likely...

The way you dealt with the NOD32/Kerio issue is probably what I would have done, but I use Thunderbird and I don't think the issue came up... I have set a few things as exclusions in Kerio and NOD32 so they won't cause problems, but I don't remember exactly which ones I have done... Keep in mind that Kerio has a Simple mode that won't bug you if you want to use it...

Your Java is still one version out of date, so you may want to go for the latest update again...

You can use SpywareBlaster to block nasty ActiveX controls and Spybot for scanning, but I would also activate TeaTimer to provide active protection...

I think you have seen my prevention speech before, but I changed it recently, so here it is:

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features if you don't have the resident part of another anti-spyware program running.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

If you use Internet Explorer, it is a good idea to use IE-Spyad which provides protections against malicious websites.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad, can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help.

15. Budfred thank you again for all of the help and info. I do have Kerio set to simple mode. It is not so much a problem for me but for my hubbie, who has no patience to figure these things out LOL. Right now we are dealing with Mailwasher pro not being able to report spam, it times out and then mailwasher locks up. I am thinking it might be the Kerio, will have to do research on it. At least I know the machine is clean and that I do thank you for!!!!! Like I said before, you are AWESOME!

16. I am not sure what you mean about MailWasher not being able to report SPAM... I use NOD32, Kerio and MailWasher myself and haven't had any problem with that combination... Of course, I also use Firefox and Thunderbird...

If you are talking about bouncing the SPAM, please don't do that... It is ineffective and just adds to the problem... If you are talking about forwarding SPAM to SpamCop, I don't use that, so I don't know how Kerio would interfere with that... It probably would require setting an exclusion in Kerio to allow the forwarding...

17. I never bounce emails, that would be crazy; I don't want those spammers knowing they have found an email addy to bombard their junk with, plus I have read horror stories of spammers who would take revenge by putting your email addy on their spam so that you end up with a bunch of bounced emails in your inbox. Doesn't sound like fun to me!

I guess what I meant was the First Alert which I guess has had problems with overloads on their servers. We see mailwasher sending the report which takes forever and then it says something to the effect that First Alert servers can't be contacted. When we try to process mail, mailwasher locks up. I think I am going to try to uninstall Kerio and then reinstall with the advanced mode, this way hubbie can allow or deny and save when he goes online....that is what he was used to with ZA. He said he has noticed that his surfing time is slow and pages sometimes don't load or are very very slow to load. I did uncheck "enable Web filtering" to see if that helps.

18. I was referring to the "Bounce" feature in MailWasher which is supposed to bounce it in a way that suggests to the SPAMmer that your address doesn't exist... Unfortunately, SPAMmers don't care anymore -- they send out to random addresses just so they hit an occasional mailbox... Also, the SPAM is usually sent from some of their victims' PCs or from spoofed addresses, so the bounced email bounces around and generates even more useless email traffic which slows down the web... It was a nice idea and may have worked briefly, but it is obsolete now...

I don't use First Alert, so I don't have experience with it... You could just turn it off and see if that makes a difference... Also, you don't need to reinstall Kerio, just opt for the Advanced mode in the Kerio control panel...

19. The only thing I left ticked was the spamhaus. I will see if that helps. Anyway, appreciate the help. It is so nice to have a place to post my puter woes and know that I am getting the best advice there is on the planet!
Thank you Budfred.

20. Well Budfred, it seems maybe I still do have issues. This morning I started up hubbie's puter to check email and went online and a ZA message popped up asking me if I wanted to allow or deny checker.exe to proceed. I marked deny, and to remember this setting. Does that mean it is still lingering around or do I have some software that is using this?

21. Did you ever figure out where checker is or what it may be related to...such a nice generic name?

If not, try using Process Explorer to see if you can trace what is triggering it...
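Process Explorer shows which running process spawned checker.exe; the other half of the check is finding every copy of a file with that generic name on disk and fingerprinting each one so it can be compared against the vendor's published build or a file-reputation service. The script below is an added example for this thread, not something posted by Budfred or the other participants; the directory tree, file names and file contents it creates are constructed placeholders (the "Program Files\Microsoft Xbox 360 Accessories" path is borrowed from the poster's process list only as a label), and the function names are the example's own.

```python
"""Locate every file with a given name under a directory tree and fingerprint
each copy (path, size, SHA-256).  Identical hashes mean identical files; a
same-named file with a different hash sitting in a user profile or temp folder
rather than the product's install directory deserves a closer look.

Added example for this thread; not part of the original posts.  The sample
tree built by build_sample_tree() is constructed for the demo.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path, chunk_size=65536):
    """Stream the file through SHA-256 so large executables do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def find_named_executables(root, name):
    """Return a sorted list of dicts for every file named `name` under `root`.
    The comparison is case-insensitive, matching Windows file-name semantics,
    and requires an exact name so 'checker.exe.txt' does not match 'checker.exe'."""
    wanted = name.lower()
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower() == wanted:
                full = os.path.join(dirpath, fn)
                hits.append({
                    "path": full,
                    "size": os.path.getsize(full),
                    "sha256": sha256_of(full),
                })
    hits.sort(key=lambda h: h["path"])
    return hits


def group_by_hash(hits):
    """Map each distinct SHA-256 to the list of paths carrying it."""
    groups = {}
    for h in hits:
        groups.setdefault(h["sha256"], []).append(h["path"])
    return groups


def build_sample_tree():
    """Constructed sample: one copy in a plausible install location, a second
    copy with different bytes in a temp folder, plus a near-miss name that must
    not match.  Contents are placeholder bytes, not real executables."""
    root = tempfile.mkdtemp(prefix="checker_demo_")
    install_dir = os.path.join(root, "Program Files", "Microsoft Xbox 360 Accessories")
    temp_dir = os.path.join(root, "Documents and Settings", "Owner",
                            "Local Settings", "Temp")
    os.makedirs(install_dir)
    os.makedirs(temp_dir)
    with open(os.path.join(install_dir, "checker.exe"), "wb") as f:
        f.write(b"MZ placeholder: vendor build\n")
    with open(os.path.join(temp_dir, "CHECKER.EXE"), "wb") as f:
        f.write(b"MZ placeholder: different bytes\n")
    with open(os.path.join(temp_dir, "checker.exe.txt"), "wb") as f:
        f.write(b"not an executable\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        hits = find_named_executables(root, "checker.exe")
        for h in hits:
            print(f"{h['path']}  {h['size']} bytes  sha256={h['sha256']}")
        groups = group_by_hash(hits)
        print(f"{len(hits)} copies found, {len(groups)} distinct hash(es)")
    finally:
        shutil.rmtree(root)
```

Run it against a real drive root (for example `find_named_executables(r"D:\\", "checker.exe")`) and compare the reported hashes with the hash of the file shipped by the vendor; two copies with different hashes, or a copy outside the product's install folder, is the pattern worth raising in the thread.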

22. Do a Silent Runners log so we may be able to get a better idea of what might be causing this... The presence of this file and the firewall issues suggest it could be malware...

http://www.silentrunners.org/Silent%20Runners.zip
Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, it will create a logfile on the desktop. Please post the entire contents of this logfile for me to see.

23. Did you ever figure out where checker is or what it may be related to...such a nice generic name?

If not, try using Process Explorer to see if you can trace what is triggering it...
Wow that looks like a really neat tool, I will try to see where it is generating from.

Paul thank you for the link, I also went to the links from that thread and I guess this checker.exe could also be from a legit program or a virus, so that is kind of scary not knowing.

Budfred, hubbie is using puter right now, at Ebay . As soon as he is done I will kick him off and run the silent runners program and also the Process explorer.

24. I downloaded the Process Explorer and didn't see checker.exe so then I used "run" to search for the file and I now know that it is a safe program. It has to do with the XBox 380 game pad controller!

I downloaded Silent Runners to the desktop, but for the life of me could not find where the log is. It says it is in 'startup programs owner 2008, 01/23 .txt.

Where is that?

Also, we ran SpywareDoctor and this was found and eliminated:

Trojan.generic
Trojan-PWS.tanspy