Please help.....Infected
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Resolved/Inactive HijackThis Logs
Eric White
I believe I have a trojan that continues to come back after neutralizing. When I would run Ad-Aware it would hang up on the file c:\system volume information\_restore....... I was able to find a very similar thread on here where a user (SueR) had a similar problem. I followed the instructions in that thread up to running a HijackThis log file. I've included the results of the scan. Any help would be greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 12:22:54 AM, on 12/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavProt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PaSSrv.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavFnSvr.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Pavkre.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\pavsrv51.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\prevsrv.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PsImSvc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\APVXDWIN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Common Files\Skyscape\smARTupdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\SRVLOAD.EXE
C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\WebProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\RunServices: [PANDA ANTISPAM SERVER SERVICE] "C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PasSrv.exe"
O4 - HKCU\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - Startup: Skyscape smARTupdate.lnk = C:\Program Files\Common Files\Skyscape\smARTupdate.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143684470777
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://wsp.livedownloads.com/nugster/dlControl.CAB
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by18fd.bay18.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Panda Antispam Server Service (PASSRV) - Unknown owner - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PaSSrv.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Firewall\PavFires.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavFnSvr.exe
O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Pavkre.exe
O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavProt.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\pavsrv51.exe
O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\prevsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PsImSvc.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

thanks,
Eric
Rawe
Hello and welcome

Your log looks clean. Take a look at this topic, 3rd post.

Let me know how you get on. I've got couple more tricks if none of those work (we can also empty your restore points and recreate a new one since the freezing happens with system restore).

You should also update your Java since it is critical -- you don't want to get infected with Vundo.

Updating Java and Clearing Cache
  • Go to Start > Control Panel and double-click the Add/Remove Programs icon.
  • Search the list for all previously installed versions of Java (J2SE Runtime Environment...).
    It should have the following icon next to it: http://users.telenet.be/bluepatchy/miekiem...es/javaicon.jpg
    Select it and click Remove.
    1. Now please install the Java Runtime Environment (JRE) 6 manually.
    2. Reboot the computer after updating.
    3. After the reboot, go back into the Control Panel and double-click the Java icon.
    4. Under Temporary Internet Files, click the Delete Files button.
    5. There are three options in the window to clear the cache. Leave all three checked:
        Downloaded Applets
        Downloaded Applications
        Other Files
    6. Click OK in the Delete Temporary Files window.
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    7. Click OK to leave the Java Control Panel.
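The "your log looks clean" verdict above comes from reading the HijackThis entries by class. As an added example (not code from the thread or from HijackThis), the script below does the first pass mechanically: it flags O4 autoruns that launch from a temp directory or by bare filename (which Windows resolves through the search order), dead "(file missing)" entries, O16 ActiveX downloads from hosts outside an allow-list, every O20 Winlogon Notify DLL, and O23 services with no vendor string. The sample lines are copied from the log above plus one constructed `[svhost]` entry that is not on the page; the trusted-host allow-list and the severity labels are assumptions, and the output is a worklist for a human, not a verdict.

```python
"""Added example (not from the thread): first-pass triage of a HijackThis 1.99.1 log.

Heuristics a log reader applies before anything else: O4 autoruns that start from
a temp directory or by bare filename, dead O9/O16 entries, O16 DPF sources outside
an allow-list, every O20 Winlogon Notify DLL, and O23 services with no vendor.
"""
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the log above, plus one hypothetical
# suspicious O4 entry (the [svhost] line) that does NOT appear on the page.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKCU\..\Run: [svhost] C:\Documents and Settings\user\Local Settings\Temp\svhost.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://wsp.livedownloads.com/nugster/dlControl.CAB
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Firewall\PavFires.exe
"""

ENTRY = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
RUN_ITEM = re.compile(r"^\[[^\]]*\]\s*(?P<cmd>.*)$")            # "[Name] command line"
# First token ending in an executable extension; keeps unquoted paths with spaces whole.
MODULE = re.compile(r"^(?P<mod>.+?\.(?:exe|dll|cpl|scr|com|bat))(?=[\s,]|$)", re.I)
TEMP_DIR = re.compile(r"\\temp\\|\\temporary internet files\\", re.I)
LAUNCHERS = {"rundll32", "rundll32.exe"}                        # inspect their DLL argument instead
TRUSTED_DPF_HOSTS = {"go.microsoft.com", "update.microsoft.com"}  # allow-list is an assumption


def first_module(cmd):
    """Return the file a command line loads first: quoted path, known launcher,
    or the first token that ends in an executable extension."""
    cmd = cmd.strip()
    if not cmd:
        return ""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    head = cmd.split(None, 1)[0]
    if head.lower() in LAUNCHERS:
        return head
    m = MODULE.match(cmd)
    return m.group("mod") if m else head


def target(cmd):
    """Resolve what actually runs: for rundll32 that is the DLL, not rundll32 itself."""
    mod = first_module(cmd)
    if mod.lower() in LAUNCHERS:
        mod = first_module(cmd.strip()[len(mod):])
    return mod


def triage(log_text):
    """Return (severity, kind, reason, line) for every entry worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "O4":
            item = body.partition(": ")[2] or body               # drop "HKLM\..\Run: "
            rm = RUN_ITEM.match(item)
            tgt = target(rm.group("cmd") if rm else item)
            if TEMP_DIR.search(tgt):
                findings.append(("HIGH", kind, "autorun launches from a temp directory", line))
            elif "\\" not in tgt:
                findings.append(("LOW", kind, "bare filename, resolved via search order; confirm which file runs", line))
        elif "(file missing)" in body:
            findings.append(("INFO", kind, "target file missing; dead entry, safe to remove", line))
        elif kind == "O16":
            host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""
            if host not in TRUSTED_DPF_HOSTS:
                findings.append(("MEDIUM", kind, f"ActiveX control fetched from {host}; review the source", line))
        elif kind == "O20":
            findings.append(("REVIEW", kind, "DLL loaded into winlogon.exe at logon; confirm the vendor", line))
        elif kind == "O23" and "Unknown owner" in body:
            findings.append(("LOW", kind, "service binary carries no company string; verify signature or hash", line))
    return findings


if __name__ == "__main__":
    for sev, kind, reason, line in triage(SAMPLE_LOG):
        print(f"{sev:6} {kind:4} {reason}\n       {line}")
```

Run it and the only HIGH is the constructed `[svhost]` line; everything copied from the real log comes out as LOW, INFO or REVIEW, which is the same picture the reply above gives. The rundll32 handling matters on ThinkPads like this one, where several legitimate O4 entries are `rundll32.exe <dll>,<export>` and the thing to check is the DLL, not rundll32.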
Eric White
Hi,
Thanks for the reply and the help. I had already reset the restore points as advised in the other thread I mentioned and now Ad-Aware runs smoothly. I am currently at school and have to access the internet via my school's network. Something is very wrong though because when I go to open Internet Explorer it tells me there is a security certificate issue and recommends that I don't continue on to the site, but I have to, otherwise I cannot access the web. Every time I finish a web session I run my Panda software scan and it always finds the same infections, which it describes as spyware. I did what you recommended as far as the Java runtime. Also, when I go to open Internet Explorer it takes, I swear, 20-30 seconds to open, very unlike my machine. These issues still persist with Firefox as well. Thanks once again for taking the time to help me.

Eric
Rawe
Could you run Panda and this time let me know what it finds? File paths, descriptions, infection names etc.

Also..

Please download Combofix to your desktop:
  • Double-click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Eric White
Thanks for the advice. I first ran Panda as you requested and this time it only found two infected files. Normally it finds around 8-10 or so. I included the text report file that it produced. I then ran the ComboFix that you requested. My Panda program blocked it from running something called regedit.exe. Here is the log that ComboFix generated. Should I have disabled Panda prior to running ComboFix? Please let me know what I should do. The Panda report looks like it includes a report that is a continuous tally of all interaction with the program. It may be more info than you needed but I thought that it should be included in this reply. Thanks, and I hope you had a wonderful Christmas.

Eric S White - 06-12-26 20:53:38.88 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Eric S White\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-11-26 to 2006-12-26 ))))))))))))))))))))))))))))))))))


2006-12-24 15:43 <DIR> d-------- C:\Program Files\Audible
2006-12-24 12:36 <DIR> d-------- C:\Program Files\Common Files\Java
2006-12-24 00:20 <DIR> d-------- C:\HijackThis
2006-12-22 18:57 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-22 18:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-15 10:35 <DIR> d-------- C:\My Movies
2006-12-15 09:50 <DIR> d-------- C:\Program Files\Azureus
2006-12-15 09:50 <DIR> d-------- C:\Documents and Settings\Eric S White\Application Data\Azureus
2006-12-15 09:45 <DIR> d-------- C:\Program Files\DVD Ripper Wizard
2006-11-26 19:30 <DIR> d-------- C:\Program Files\iTunes
2006-11-26 19:28 <DIR> d-------- C:\Program Files\QuickTime
2006-11-26 19:27 <DIR> d-------- C:\Program Files\Apple Software Update


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-24 16:47 -------- d-------- C:\Program Files\Common Files\Skyscape
2006-12-24 14:59 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-12-24 14:56 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-12-24 12:36 -------- d-------- C:\Program Files\Java
2006-12-24 12:36 -------- d-------- C:\Program Files\Common Files
2006-12-23 20:25 -------- d-------- C:\Program Files\Mozilla Firefox
2006-12-14 05:18 -------- d-------- C:\Program Files\Outlook Express
2006-12-14 05:18 -------- d-------- C:\Program Files\Common Files\System
2006-12-14 05:17 -------- d---s---- C:\Documents and Settings\Eric S White\Application Data\Microsoft
2006-12-07 00:40 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-11-26 19:30 -------- d-------- C:\Program Files\iPod
2006-11-26 16:09 724992 --a------ C:\WINDOWS\iun6002.exe
2006-11-21 22:26 -------- d-------- C:\Program Files\MSXML 4.0
2006-11-07 23:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-04 15:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-19 07:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-17 13:33 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-10-17 13:33 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-10-17 13:33 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-10-17 13:33 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-10-17 13:33 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-10-17 13:33 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-10-17 13:33 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-10-17 13:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 13:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 13:05 206336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
2006-10-17 13:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 13:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 13:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-10-17 13:01 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-10-17 13:01 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-10-17 13:01 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-10-17 13:01 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-10-17 13:01 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-10-17 13:01 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-10-17 13:00 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-10-17 13:00 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-10-17 13:00 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-10-17 12:58 61952 --------- C:\WINDOWS\system32\icardie.dll
2006-10-17 12:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 12:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 12:57 266752 --------- C:\WINDOWS\system32\iertutil.dll
2006-10-17 12:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 12:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 12:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
2006-10-17 12:23 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-10-13 06:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 06:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 06:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"TPKMAPMN"="C:\\Program Files\\ThinkPad\\Utilities\\TpKmapMn.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ibmmessages"="C:\\Program Files\\IBM\\Messages By IBM\\ibmmessages.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
@=""
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"QCWLICON"="C:\\Program Files\\ThinkPad\\ConnectUtilities\\QCWLICON.EXE"
"PRONoMgrWired"="C:\\Program Files\\Intel\\PROSetWired\\NCS\\PROSet\\PRONoMgr.exe"
"EZEJMNAP"="C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\EzEjMnAp.Exe"
"TP4EX"="tp4ex.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"SCANINICIO"="\"C:\\Program Files\\Panda Software\\Panda Platinum 2005 Internet Security\\Inicio.exe\""
"APVXDWIN"="\"C:\\Program Files\\Panda Software\\Panda Platinum 2005 Internet Security\\APVXDWIN.EXE\" /s"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"BMMGAG"="RunDll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\pwrmonit.dll,StartPwrMonitor"
"BMMLREF"="C:\\Program Files\\ThinkPad\\Utilities\\BMMLREF.EXE"
"BMMMONWND"="rundll32.exe C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\BatInfEx.dll,BMMAutonomicMonitor"
"ibmmessages"="C:\\Program Files\\IBM\\Messages By IBM\\\\ibmmessages.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"TPHOTKEY"="C:\\PROGRA~1\\ThinkPad\\PkgMgr\\HOTKEY\\TPHKMGR.exe"
"TPKMAPHELPER"="C:\\Program Files\\ThinkPad\\Utilities\\TpKmapAp.exe -helper"
"TpShocks"="TpShocks.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"PANDA ANTISPAM SERVER SERVICE"="\"C:\\Program Files\\Panda Software\\Panda Platinum 2005 Internet Security\\PasSrv.exe\""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,2c,01,00,00,00,00,00,00,4c,04,00,00,f8,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"wininet.dll"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\BMMTask.job

Completion time: 06-12-26 20:55:22.35
C:\ComboFix.txt ... 06-12-26 20:55


Panda report is an attached file.
Eric White
I do not see the Panda log file...... It is very long to cut and paste. If I did something wrong please let me know. Thanks.

Eric
Eric White
I went ahead and pasted a small portion of the report from the Panda log. This only goes back a few days but I wanted to be able to provide you with something.

thanks,
Eric
Panda Platinum 2005 Internet Security incident report
Filter selected:Virus detected, Suspicious file, Dangerous file, Script execution, Phone connection, Connection attempt, Port scan attack, Denial of service attack, Spoofing, Attacking IP address blocked, Enabled, Disabled, Update, Scan started, Scan complete, Date: All
INCIDENT NOTIFIED BY DATE-TIME RESULT ADDITIONAL INFORMATION
--------------------------------------------------------------------------------
Scan complete On-demand antivirus scan 12/26/06 20:45:01 Scan: My Computer
Scan complete On-demand antivirus scan 12/26/06 20:15:20 Scan: Memory
Scan started On-demand antivirus scan 12/26/06 20:11:14 Scan: Memory
Update Update system 12/26/06 20:10:00 Correct New virus signatures: 10
Spyware detected: Cookie/Go On-demand antivirus scan 12/26/06 20:06:44 Disinfected Path: C:\Documents and Settings\Eric S White\Cookies\eric_s_white@go[2].txt
Spyware detected: Cookie/2o7 On-demand antivirus scan 12/26/06 20:06:44 Disinfected Path: C:\Documents and Settings\Eric S White\Cookies\eric_s_white@2o7[2].txt
Scan started On-demand antivirus scan 12/26/06 20:04:16 Scan: My Computer
Connection attempt Firewall protection 12/26/06 19:59:31 Blocked Application: C:\WINDOWS\system32\svchost.exe
Update Update system 12/26/06 19:29:23 Incorrect Error: Error in the download process
Update Update system 12/26/06 18:49:22 Incorrect Error: Error in the download process
Update Update system 12/26/06 18:09:23 Incorrect Error: Error in the download process
Update Update system 12/26/06 17:29:22 Incorrect Error: Error in the download process
Update Update system 12/26/06 16:49:22 Incorrect Error: Error in the download process
Update Update system 12/26/06 16:09:32 Incorrect Error: Error in the download process
Update Update system 12/26/06 15:29:22 Incorrect Error: Error in the download process
Connection attempt Firewall protection 12/26/06 14:29:27 Blocked Application: C:\WINDOWS\system32\svchost.exe
Connection attempt Firewall protection 12/26/06 14:29:21 Blocked Source IP address: 172.20.0.1
Scan complete On-demand antivirus scan 12/26/06 13:32:33 Scan: Memory
Spyware detected: Cookie/Tribalfusion On-demand antivirus scan 12/26/06 13:32:32 Disinfected Path: C:\Documents and Settings\Eric S White\Cookies\eric_s_white@tribalfusion[1].txt
Spyware detected: Cookie/Traffic Mar... On-demand antivirus scan 12/26/06 13:32:32 Disinfected Path: C:\Documents and Settings\Eric S White\Cookies\eric_s_white@trafficmp[2].txt
Spyware detected: Cookie/QuestionMarket On-demand antivirus scan 12/26/06 13:32:32 Disinfected Path: C:\Documents and Settings\Eric S White\Cookies\eric_s_white@questionmarket[2].txt
Spyware detected: Cookie/Go On-demand antivirus scan 12/26/06 13:32:31 Disinfected Path: C:\Documents and Settings\Eric S White\Cookies\eric_s_white@go[1].txt
Spyware detected: Cookie/360i On-demand antivirus scan 12/26/06 13:32:31 Disinfected Path: C:\Documents and Settings\Eric S White\Cookies\eric_s_white@ct.360i[2].txt
Spyware detected: Cookie/PointRoll On-demand antivirus scan 12/26/06 13:32:31 Disinfected Path: C:\Documents and Settings\Eric S White\Cookies\eric_s_white@ads.pointroll[1].txt
Spyware detected: Cookie/AdDynamix On-demand antivirus scan 12/26/06 13:32:31 Disinfected Path: C:\Documents and Settings\Eric S White\Cookies\eric_s_white@ads.addynamix[2].txt
Spyware detected: Cookie/2o7 On-demand antivirus scan 12/26/06 13:32:31 Disinfected Path: C:\Documents and Settings\Eric S White\Cookies\eric_s_white@2o7[1].txt
Scan started On-demand antivirus scan 12/26/06 13:29:55 Scan: Memory
Update Update system 12/26/06 13:29:50 Correct New virus signatures: 473
Connection attempt Firewall protection 12/26/06 12:09:31 Blocked Application: C:\WINDOWS\system32\svchost.exe
Connection attempt Firewall protection 12/26/06 12:09:31 Blocked Source IP address: 172.20.0.1
Connection attempt Firewall protection 12/26/06 06:59:03 Blocked Application: C:\WINDOWS\system32\svchost.exe
Connection attempt Firewall protection 12/26/06 06:59:00 Blocked Source IP address: 172.20.0.1
Update Update system 12/25/06 21:21:23 Incorrect Error: Error in the download process
Scan complete On-demand antivirus scan 12/25/06 20:45:18 Scan: Memory
Spyware detected: Cookie/Tribalfusion On-demand antivirus scan 12/25/06 20:45:17 Disinfected Path: C:\Documents and Settings\Eric S White\Cookies\eric_s_white@tribalfusion[1].txt
Spyware detected: Cookie/Traffic Mar... On-demand antivirus scan 12/25/06 20:45:17 Disinfected Path: C:\Documents and Settings\Eric S White\Cookies\eric_s_white@trafficmp[2].txt
Spyware detected: Cookie/QuestionMarket On-demand antivirus scan 12/25/06 20:45:17 Disinfected Path: C:\Documents and Settings\Eric S White\Cookies\eric_s_white@questionmarket[2].txt
Spyware detected: Cookie/Go On-demand antivirus scan 12/25/06 20:45:16 Disinfected Path: C:\Documents and Settings\Eric S White\Cookies\eric_s_white@go[2].txt
Spyware detected: Cookie/360i On-demand antivirus scan 12/25/06 20:45:16 Disinfected Path: C:\Documents and Settings\Eric S White\Cookies\eric_s_white@ct.360i[1].txt
Spyware detected: Cookie/PointRoll On-demand antivirus scan 12/25/06 20:45:16 Disinfected Path: C:\Documents and Settings\Eric S White\Cookies\eric_s_white@ads.pointroll[1].txt
Spyware detected: Cookie/2o7 On-demand antivirus scan 12/25/06 20:45:16 Disinfected Path: C:\Documents and Settings\Eric S White\Cookies\eric_s_white@2o7[2].txt
Scan started On-demand antivirus scan 12/25/06 20:41:43 Scan: Memory
Update Update system 12/25/06 20:41:38 Correct New virus signatures: 907
Connection attempt Firewall protection 12/25/06 20:32:29 Blocked Application: C:\WINDOWS\system32\svchost.exe
Connection attempt Firewall protection 12/25/06 20:32:27 Blocked Source IP address: 172.20.0.1
Connection attempt Firewall protection 12/25/06 20:01:44 Blocked Application: C:\WINDOWS\system32\svchost.exe
Update Update system 12/25/06 20:01:38 Incorrect Error: Error in the download process
Update Update system 12/25/06 05:51:06 Incorrect Error: Error in the download process
Update Update system 12/25/06 05:11:07 Incorrect Error: Error in the download process
Update Update system 12/25/06 04:31:07 Incorrect Error: Error in the download process
Update Update system 12/25/06 03:51:06 Incorrect Error: Error in the download process
Update Update system 12/25/06 03:11:05 Incorrect Error: Error in the download process
Update Update system 12/25/06 02:31:04 Incorrect Error: Error in the download process
Update Update system 12/25/06 01:51:04 Incorrect Error: Error in the download process
Update Update system 12/25/06 01:11:03 Incorrect Error: Error in the download process
Update Update system 12/25/06 00:31:13 Incorrect Error: Error in the download process
Scan complete On-demand antivirus scan 12/25/06 00:30:11 Scan: My Computer
Spyware detected: Cookie/QuestionMarket On-demand antivirus scan 12/24/06 23:59:10 Disinfected Path: C:\Documents and Settings\Eric S White\Cookies\eric_s_white@questionmarket[2].txt
Spyware detected: Cookie/Go On-demand antivirus scan 12/24/06 23:59:10 Disinfected Path: C:\Documents and Settings\Eric S White\Cookies\eric_s_white@go[2].txt
Spyware detected: Cookie/360i On-demand antivirus scan 12/24/06 23:59:10 Disinfected Path: C:\Documents and Settings\Eric S White\Cookies\eric_s_white@ct.360i[2].txt
Spyware detected: Cookie/Atwola On-demand antivirus scan 12/24/06 23:59:10 Disinfected Path: C:\Documents and Settings\Eric S White\Cookies\eric_s_white@atwola[1].txt
Spyware detected: Cookie/PointRoll On-demand antivirus scan 12/24/06 23:59:10 Disinfected Path: C:\Documents and Settings\Eric S White\Cookies\eric_s_white@ads.pointroll[1].txt
Spyware detected: Cookie/2o7 On-demand antivirus scan 12/24/06 23:59:10 Disinfected Path: C:\Documents and Settings\Eric S White\Cookies\eric_s_white@2o7[1].txt
Scan started On-demand antivirus scan 12/24/06 23:56:25 Scan: My Computer
Update Update system 12/24/06 23:51:03 Incorrect Error: Error in the download process
Connection attempt Firewall protection 12/24/06 21:58:46 Blocked Application: C:\WINDOWS\system32\svchost.exe
Connection attempt Firewall protection 12/24/06 21:58:39 Blocked Source IP address: 172.20.0.1
Connection attempt Firewall protection 12/24/06 16:30:26 Blocked Application: C:\WINDOWS\system32\svchost.exe
Scan complete On-demand antivirus scan 12/24/06 15:40:36 Scan: My Computer
Spyware detected: Cookie/QuestionMarket On-demand antivirus scan 12/24/06 15:32:38 Disinfected Path: C:\Documents and Settings\Eric S White\Cookies\eric_s_white@questionmarket[2].txt
Spyware detected: Cookie/Go On-demand antivirus scan 12/24/06 15:32:37 Disinfected Path: C:\Documents and Settings\Eric S White\Cookies\eric_s_white@go[2].txt
Spyware detected: Cookie/360i On-demand antivirus scan 12/24/06 15:32:37 Disinfected Path: C:\Documents and Settings\Eric S White\Cookies\eric_s_white@ct.360i[2].txt
Spyware detected: Cookie/2o7 On-demand antivirus scan 12/24/06 15:32:37 Disinfected Path: C:\Documents and Settings\Eric S White\Cookies\eric_s_white@2o7[1].txt
Scan started On-demand antivirus scan 12/24/06 15:29:42 Scan: My Computer
Scan complete On-demand antivirus scan 12/24/06 14:13:00 Scan: My Computer
Spyware detected: Cookie/Traffic Mar... On-demand antivirus scan 12/24/06 13:59:47 Disinfected Path: C:\Documents and Settings\Eric S White\Cookies\eric_s_white@trafficmp[1].txt
Spyware detected: Cookie/QuestionMarket On-demand antivirus scan 12/24/06 13:59:47 Disinfected Path: C:\Documents and Settings\Eric S White\Cookies\eric_s_white@questionmarket[1].txt
Spyware detected: Cookie/Go On-demand antivirus scan 12/24/06 13:59:46 Disinfected Path: C:\Documents and Settings\Eric S White\Cookies\eric_s_white@go[2].txt
Spyware detected: Cookie/2o7 On-demand antivirus scan 12/24/06 13:59:46 Disinfected Path: C:\Documents and Settings\Eric S White\Cookies\eric_s_white@2o7[1].txt
Scan started On-demand antivirus scan 12/24/06 13:57:03 Scan: My Computer
Connection attempt Firewall protection 12/24/06 13:48:41 Blocked Application: C:\WINDOWS\system32\svchost.exe
Connection attempt Firewall protection 12/24/06 13:48:37 Blocked Source IP addre
Rawe
I still don't see anything referring to malware in those logs. I'll ask for another pair of eyes for this, just to check I'm not missing anything.
Rawe
Navigate to and delete the following file...

C:\WINDOWS\iun6002.exe

If it doesn't let you delete, do it in Safe Mode.

Next, please copy the following text in the quotebox below to a blank Notepad file. Make sure the filetype is set to "All Files" and save it as Fixit.reg to your desktop.

QUOTE
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"wininet.dll"=-

Now double-click on the Fixit.reg on your desktop and allow it to merge with registry by clicking YES on the prompt. Then you can delete the regfile if you want.

As for the slow PC... You should run a disk defragmentation and empty temp files. Also, Panda's Antivirus does use a lot of system resources, so a change of Antivirus might also be an option.

Of course it might also be in your browser options... Do a little tweaking with Firefox & IE.

Let me know how you get on.
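As an added example (not part of Rawe's post), a PowerShell script that checks both halves of the fix above after it has been applied: whether C:\WINDOWS\iun6002.exe is still on disk, and what the Policies\Explorer\Run autostart keys (the location the Fixit.reg edits) currently contain in both HKLM and HKCU. It assumes an elevated prompt; the -Remove switch and the default value name 'wininet.dll' taken from the thread are the example's own choices, and nothing is deleted unless -Remove is given.

```powershell
# Added example: audit the Policies\Explorer\Run autostart keys that the
# thread's Fixit.reg edits, plus the dropped file it asked to delete.
# Read-only unless -Remove is passed. Run from an elevated prompt.
param(
    [string]$ValueName = 'wininet.dll',   # value name removed by the Fixit.reg above
    [switch]$Remove                       # assumed switch: delete the matching value
)

# 1. Is the file Rawe asked to delete still present?
$dropped = Join-Path $env:SystemRoot 'iun6002.exe'
if (Test-Path $dropped) {
    Write-Output "STILL PRESENT: $dropped (delete it, in Safe Mode if needed)"
} else {
    Write-Output "OK: $dropped is gone"
}

# 2. List every value under Policies\Explorer\Run. This key is a less
#    well-known autostart location, so anything here deserves a look.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) {
        Write-Output "$key : key absent (nothing configured here)"
        continue
    }
    $item  = Get-Item -Path $key
    $names = @($item.GetValueNames())
    if ($names.Count -eq 0) {
        Write-Output "$key : present but empty"
        continue
    }
    foreach ($name in $names) {
        $data = $item.GetValue($name)
        $flag = if ($name -ieq $ValueName) { ' <== matches Fixit.reg target' } else { '' }
        Write-Output ("{0}`n    {1} = {2}{3}" -f $key, $name, $data, $flag)
        if ($Remove -and ($name -ieq $ValueName)) {
            Remove-ItemProperty -Path $key -Name $name
            Write-Output "    removed value '$name'"
        }
    }
}
```

After the Fixit.reg has been merged, the HKLM key should report either "key absent" or no value named wininet.dll; a value that reappears after a reboot points to something still re-creating it.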
Invision Power Board © 2001-2010 Invision Power Services, Inc.