Thoracias

Red Dot In Task Bar Problem


Somehow I picked up the red dot in the task bar that says "Your activity is recorded" when you hover over it and pops up a password entry box when you click it. I read through the thread of the lady that had it and you helped her fix it.

http://www.lavasoftsupport.com/index.php?showtopic=11387

I have my log and will post as soon as you give me the go-ahead. Could you please tell me how to get rid of this thing? It is scaring me!!! Thank you so much!


Thoracias,

 

Did you install this PcPandora, or did you install another keylogging tool? Because this one is not installed by malware; it is installed because you installed it with the purpose of monitoring someone else using this computer, or someone else installed it to monitor you instead. So what do you think is the case here?

 

Also, Please perform this online scan: Kaspersky Webscan

1. Read the Requirements and Privacy statement, then select "Accept"

2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab

3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.

4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"

5. When the download is complete it will say ready, click "Next"

6. Select a target to scan: Click on "My Computer"

7. When the scan is complete choose to save the results as "Save as Text"

8. Post the Kaspersky scan results in your next reply.


The link to the webscan does not work. I found the Kaspersky website but which trial do I download? I was going to get the Anti-Virus 7.0 but every time I click the link I get PAGE NOT FOUND.


Also, I did not install this keylogger. I do not think anyone else could have installed it as my PC is password protected and not even my kids can get in. I was thinking I might have gotten it downloading from Limewire maybe? That is about the time everything went haywire and the red dot appeared. Also, it crashed my iTunes player. Not sure if that was related or not but I was downloading music in Limewire and transferring the files into my iTunes player one night and the next morning, the red dot is there.

However, I do have an ex-husband causing problems and he was in my home last weekend without my permission while I was away. He is not very computer literate so I highly doubt he would have been able to do this but....well, it doesn't matter now, does it? I just want to get this thing off of here now. It freaks me out! Thank you for your response!


Hi,

 

I don't know what Antivirus you have currently installed, but keep in mind, installing more than one Antivirus may cause a lot of problems since they are not compatible with each other. So if you want to install Kaspersky Antivirus, you should uninstall your current Antivirus first and reboot.

 

Anyway, I guess it's your hosts file that is responsible for blocking access to the Kaspersky site, so please do the following:

 

* Download: HostsXpert

Unzip HostsXpert to its own folder, e.g. C:\HostsXpert

Start HostsXpert.exe, click 'Restore MS Hosts file' and click OK.

 

Then try to do the Kaspersky Online scan again. Keep in mind, this scan doesn't work in Firefox. You need Internet Explorer for that.
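The check the helper is describing above, written out as a script: a hosts file that maps security-vendor domains (to loopback or anywhere else) is what blocks the Kaspersky site, and restoring a stock hosts file removes those mappings. This is an added example, not part of the thread and not HostsXpert's code; the vendor domain list, the sample hosts content and the clean-up logic are assumptions made for the example.

```python
"""Audit a Windows hosts file for entries that hijack security-vendor
domains, and produce a cleaned copy. Added example, not from the thread.
The hosts content below is constructed; on a real XP machine the file is
C:\\WINDOWS\\system32\\drivers\\etc\\hosts."""

HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"

# Domains that have no business appearing in a hosts file at all; any
# mapping of them is a sign something is steering the machine away from
# vendor sites. The list is an assumption for this example.
VENDOR_SUFFIXES = (
    "kaspersky.com", "avira.com", "free-av.com", "avgate.net",
    "lavasoft.com", "trendmicro.com", "microsoft.com", "windowsupdate.com",
)

# The only entry a stock Windows XP hosts file contains.
EXPECTED = {("127.0.0.1", "localhost")}

# Constructed sample: a stock file plus three entries that block vendor sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.kaspersky.com   # constructed: blocks the vendor site
0.0.0.0         kaspersky.com
127.0.0.1       dl3.avgate.net
192.168.1.50    fileserver.local
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:                    # one IP may carry many names
            entries.append((ip, name.lower()))
    return entries


def is_vendor_name(name):
    """True when the hostname is, or is under, a vendor domain."""
    return any(name == s or name.endswith("." + s) for s in VENDOR_SUFFIXES)


def suspicious_entries(text):
    """Hosts entries that map a vendor domain. Loopback and non-loopback
    targets are both flagged: a redirect to an attacker-chosen IP is worse
    than a block, and neither belongs in the file."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if (ip, name) not in EXPECTED and is_vendor_name(name)]


def clean_hosts(text):
    """Return the hosts text with every suspicious line removed; comments
    and legitimate entries (the localhost line, LAN names) are kept."""
    bad = set(suspicious_entries(text))
    kept = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        names = [n.lower() for n in parts[1:]]
        if parts and any((parts[0], n) in bad for n in names):
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


def audit_file(path=HOSTS_PATH):
    """Read a real hosts file and return its suspicious entries."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


if __name__ == "__main__":
    for ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"suspicious: {name} -> {ip}")
    print("--- cleaned ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

Run it as-is to see the three constructed hijack lines flagged and dropped; `audit_file()` applies the same check to the machine's real hosts file. Writing the cleaned text back is deliberately left to the operator, which is the step HostsXpert's "Restore MS Hosts file" button performs.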


OK after searching around for the Kaspersky Webscan, I finally found the online scanner and read the privacy statement...but when I click ACCEPT, nothing appears. At the bottom of that page it only says "Done" or "Error on Page"

I am using IE 6.0 and it says that it works with 6.0 and higher so now I am not sure what to do.

Thank you.


I was running AVG and McAfee. I uninstalled McAfee last week because someone else mentioned the 2 programs causing problems. I have now uninstalled AVG as well so there are no virus programs running at this point. I have reset the MS Hosts file as you asked and I still cannot get the page to the Kaspersky scan.


So you currently have no Antivirus installed?

 

Please install Avira Antivirus: http://www.free-av.com/

Avira detects this one as well.

 

Perform a full scan with Avira and let it remove everything it is finding.

Then reboot.

After reboot, open your Avira and select "reports".

There double-click the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply.


OK I downloaded the Avira and it is finding a trojan named TR/Dldr.Boodo.3 but the Detection screen keeps popping up over and over again! And when I try to delete or deny access it says NOT RESPONDING! I can't even control-alt-delete them! There are 16 of them currently! YIKES!


Ok, guess there's a LOT more going on there...

Please let Avira finish its scan and reboot afterwards.

Then post the log as I asked.

 

Also do next..

 

* Download Trend Micro HijackThis™

Double-click the HJTInstall.exe to start it.

By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.

HijackThis will open after install. Press the Scan button below.

This will start the scan and open a log.

Copy and paste the contents of the log in your next reply.


OK I ended up having to shut down because those boxes would not stop popping up and then "not responding".

Here is the log but it seems it is an update log, not the actual scan. Not sure what happened there.

 

03.09.2007,13:39:53 - Installation Directory: C:\Program Files\AntiVir PersonalEdition Classic\ Backup Dir: Temp dir:

03.09.2007,13:39:53 - Backup Directory: C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\BACKUP\

03.09.2007,13:39:53 - Temp Directory: C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\Update\AVUPDATE_46dc46e8\

03.09.2007,13:39:53 - Start the Update GUI... Displaymode: 0

 

03.09.2007,13:39:53 - Installation Directory: C:\Program Files\AntiVir PersonalEdition Classic\ Backup Dir: Temp dir:

03.09.2007,13:39:53 - Backup Directory: C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\BACKUP\

03.09.2007,13:39:53 - Temp Directory: C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\Update\AVUPDATE_46dc46e8\

03.09.2007,13:39:53 - Start the Update GUI... Displaymode: 0

 

03.09.2007,13:39:58 - Keyfile: OK [FULL Mode]

 

03.09.2007,13:39:58 - Avira AntiVir PersonalEdition Classic

 

03.09.2007,13:41:11 - Connection failed while downloading the file http://dl3.avgate.net/upd/idx/master.idx.

03.09.2007,13:41:11 - Switching to next update server

03.09.2007,13:41:12 - Master IDX file has changed

03.09.2007,13:41:13 - Downloading the product.info file from http://dl3.avgate.net/upd/idx/classic-nt-en.info.gz

03.09.2007,13:41:34 - There was a problem updating from the specified server: Connection failed while downloading the file http://dl3.avgate.net/upd/idx/classic-nt-en.info.gz.

03.09.2007,13:41:34 - Switching to next update server

03.09.2007,13:41:39 - Master IDX file has changed

03.09.2007,13:41:39 - Downloading the product.info file from http://dl4.avgate.net/upd/idx/classic-nt-en.info.gz

03.09.2007,13:42:01 - There was a problem updating from the specified server: Connection failed while downloading the file http://dl4.avgate.net/upd/idx/classic-nt-en.info.gz.

03.09.2007,13:42:01 - Switching to next update server

03.09.2007,13:42:23 - Connection failed while downloading the file http://dl1.avgate.net/upd/idx/master.idx.

03.09.2007,13:42:23 - Switching to next update server

03.09.2007,13:42:24 - Master IDX file has changed

03.09.2007,13:42:24 - Downloading the product.info file from http://dl7.avgate.net/upd/idx/classic-nt-en.info.gz

03.09.2007,13:42:42 - File basic-nt/2k/avgntflt.sys's operating system doesn't match the current one. File ignored.

03.09.2007,13:42:42 - File basic-nt/avadmin.exe's operating system doesn't match the current one. File ignored.

03.09.2007,13:42:42 - File basic-nt/avgio64.sys's operating system doesn't match the current one. File ignored.

03.09.2007,13:42:42 - File basic-nt/psapi.dll's operating system doesn't match the current one. File ignored.

03.09.2007,13:42:42 - File basic-nt/shlext64.dll's operating system doesn't match the current one. File ignored.

03.09.2007,13:42:42 - File basic-nt/vista64/avgntflt.sys's operating system doesn't match the current one. File ignored.

03.09.2007,13:42:42 - File basic-nt/wsctool.exe's operating system doesn't match the current one. File ignored.

03.09.2007,13:42:42 - File basic-nt/xp64/avgntflt.sys's operating system doesn't match the current one. File ignored.

03.09.2007,13:42:42 - File basic-nt/2k/avgntdd.sys's operating system doesn't match the current one. File ignored.

03.09.2007,13:42:42 - File basic-nt/2k/avgntmgr.sys's operating system doesn't match the current one. File ignored.

03.09.2007,13:42:42 - File basic-nt/nt/avgntdd.sys's operating system doesn't match the current one. File ignored.

03.09.2007,13:42:42 - File basic-nt/nt/avgntmgr.sys's operating system doesn't match the current one. File ignored.

03.09.2007,13:42:42 - Downloading the product.info file from http://dl7.avgate.net/upd/idx/vdf_preload.info.gz

03.09.2007,13:42:43 - Downloading the product.info file from http://dl7.avgate.net/upd/idx/vdf.info.gz

03.09.2007,13:42:52 - Keyfile: OK [FULL Mode]

 

03.09.2007,13:43:15 - Downloading the product.info file from http://dl7.avgate.net/upd/idx/specvir-nt.info.gz

03.09.2007,13:43:37 - There was a problem updating from the specified server: Connection failed while downloading the file http://dl7.avgate.net/upd/idx/specvir-nt.info.gz.

03.09.2007,13:43:37 - Switching to next update server

03.09.2007,13:43:58 - Connection failed while downloading the file http://dl2.avgate.net/upd/idx/master.idx.

03.09.2007,13:43:58 - Switching to next update server

03.09.2007,13:44:20 - Connection failed while downloading the file http://dl5.avgate.net/upd/idx/master.idx.

03.09.2007,13:44:20 - Switching to next update server

03.09.2007,13:44:42 - There was a problem updating from the specified server: Connection failed while downloading the file http://dl6.avgate.net/upd/idx/master.idx.

03.09.2007,13:44:42 - Switching to next update server

03.09.2007,13:45:03 - There was a problem updating from the specified server: Connection failed while downloading the file http://dl6.avgate.net/upd/idx/master.idx.

03.09.2007,13:45:03 - Switching to next update server

03.09.2007,13:45:24 - There was a problem updating from the specified server: Connection failed while downloading the file http://dl6.avgate.net/upd/idx/master.idx.

03.09.2007,13:45:24 - Switching to next update server

03.09.2007,13:45:36 - Master IDX file has changed

03.09.2007,13:45:36 - Downloading the product.info file from http://dl8.freeav.net/upd/idx/specvir-nt.info.gz

03.09.2007,13:45:57 - Registry entry created successfully: Software\H+BEDV\AntiVir PersonalEdition Classic V 7 |UpdateInProgress

 

03.09.2007,13:45:57 - Critical error: Update process was cancelled.

 

 

Here is the log for HijackThis:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:04:53 PM, on 9/3/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Spyware Doctor\svcntaux.exe

C:\Program Files\Spyware Doctor\swdsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Spyware Doctor\SDTrayApp.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe

C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"

O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe

O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe

O20 - Winlogon Notify: actpop - C:\WINDOWS\SYSTEM32\actpop.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

 

--

End of file - 8571 bytes


Hi,

 

You posted the wrong log from Avira. You selected the "Update" report.

Wasn't there a "scan" report as well?


That is what I thought. I think the scan is what kept saying not responding. It was stuck or something so I had to reboot. I will try again. Here goes nothing...


Anyway, if there's no scan report, the reason this is actually important is that I want to know exactly which file(s) are being flagged as TR/Dldr.Boodo.3.

Normally during scan, it should also show the exact location of the file.

The fact that it "hangs" while you select ignore or delete, makes me think it is a cab file, because some scanners do have problems with unpacking it/dealing with it. So if we can get the location of these files first, then we can delete them manually.

So scan again with Avira and write down where the file is located.

 

Then Avira will be able to proceed with the scan once these are gone and flag the PCPandora files. Because with PcPandora, the problem is that the files are random every time. I see one related PCPandora file in your log, but we need them all.

Also, the problem with these PCPandora files is, it uses "older" dates, so having reports of all latest files being created doesn't make sense either.

Anyway, I still have other ways to find them, but let's see how Avira does its job first, since I know it detects them and is able to delete them as well.
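What the helper is after from the scan report is the location attached to each detection: in Avira's report format the path line comes first, an archive member follows as "--> name", then the [DETECTION] line, then the [INFO]/[WARNING] line that says what was done with it. The parser below pairs those up so the files still on disk can be listed. This is an added example, not Avira's code and not part of the thread; the report excerpt is constructed in the format shown in the thread (the second hit, its path and its CAB archive are made up to illustrate the helper's "cab file" theory, not taken from the user's real scan).

```python
"""Extract detection name, file path, archive member and outcome from an
Avira AntiVir scan report. Added example, not Avira's code. SAMPLE_REPORT is
constructed in the format seen in the thread; the CAB entry is invented."""
import re
from collections import defaultdict

SAMPLE_REPORT = r"""
Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\C Shane\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-59afe7f7-2abfceae.zip
[0] Archive type: ZIP
--> HiPointInstallShieldRT.class
[DETECTION] Is the Trojan horse TR/Java.Downloader.Gen
[INFO] The file was moved to '473056cb.qua'!
C:\Documents and Settings\EXAMPLE\Local Settings\Temp\sample-constructed.cab
[0] Archive type: CAB (Microsoft)
--> dropper.exe
[DETECTION] Is the Trojan horse TR/Dldr.Boodo.3
[WARNING] The file could not be deleted!
End of the scan: Monday, September 03, 2007 15:46
"""

DETECTION_RE = re.compile(r"^\[DETECTION\]\s+Is the (?P<kind>.+?)\s+(?P<name>\S+)\s*$")
TAG_RE = re.compile(r"^\[(?P<tag>[A-Z]+)\]\s*(?P<text>.*)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")          # a line that starts a new file
HANDLED_RE = re.compile(r"^The file was (moved to|deleted|repaired)")


def parse_report(text):
    """Return one dict per detection: path, member, kind, name, action."""
    findings = []
    path = member = None
    pending = None      # detection still waiting for its outcome line
    for line in text.splitlines():
        line = line.rstrip()
        if PATH_RE.match(line):                # new top-level file
            path, member, pending = line, None, None
            continue
        if line.startswith("--> "):            # member inside an archive
            member = line[4:]
            continue
        m = DETECTION_RE.match(line)
        if m:
            pending = {"path": path, "member": member,
                       "kind": m["kind"], "name": m["name"], "action": None}
            findings.append(pending)
            continue
        m = TAG_RE.match(line)
        if m and pending is not None and m["tag"] in ("INFO", "NOTE", "WARNING"):
            pending["action"] = m["text"]      # outcome belongs to the last detection
            pending = None
    return findings


def locations_by_name(findings):
    """Map each detection name to the files (and archive members) it hit;
    this is the list the helper wants so the files can be removed by hand."""
    out = defaultdict(list)
    for f in findings:
        where = f["path"] if f["member"] is None else f"{f['path']} -> {f['member']}"
        out[f["name"]].append(where)
    return dict(out)


def unhandled(findings):
    """Detections the scanner did not quarantine, delete or repair, i.e.
    files that are still in place and need manual attention."""
    return [f for f in findings
            if not (f["action"] and HANDLED_RE.match(f["action"]))]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for name, places in locations_by_name(found).items():
        print(name)
        for p in places:
            print("   ", p)
    print("still on disk:", [f["path"] for f in unhandled(found)])
```

Feeding it the user's real "Local Hard Disks" report (the one saved as a report file, not the update log) gives the per-file list directly; the `unhandled` view is the set to chase when the interactive prompt hangs on an archive, as described above.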


Sidenote, I just tried the Kaspersky Online scanner as well, and I can't properly load it here either. It appears that there's indeed a problem with their Online scanner. So it's not on your side. :)


OK it finally finished.

 

AntiVir PersonalEdition Classic

Report file date: Monday, September 03, 2007 14:21

 

Scanning for 740715 virus strains and unwanted programs.

 

Licensed to: Avira AntiVir PersonalEdition Classic

Serial number: 0000149996-ADJIE-0001

Platform: Windows XP

Windows version: (Service Pack 2) [5.1.2600]

Username: A Diana

Computer name: THORACIAS

 

Version information:

BUILD.DAT : 247 14437 Bytes 5/10/2007 11:55:00

AVSCAN.EXE : 7.0.4.15 282664 Bytes 4/20/2007 17:37:14

AVSCAN.DLL : 7.0.4.4 33832 Bytes 3/27/2007 17:31:54

LUKE.DLL : 7.0.4.11 143400 Bytes 3/27/2007 17:26:04

LUKERES.DLL : 7.0.4.0 10280 Bytes 3/19/2007 17:18:59

ANTIVIR0.VDF : 6.35.0.1 7371264 Bytes 5/31/2006 19:08:58

ANTIVIR1.VDF : 6.37.1.151 4303360 Bytes 2/23/2007 19:09:01

ANTIVIR2.VDF : 6.38.0.214 729600 Bytes 4/12/2007 19:09:02

ANTIVIR3.VDF : 6.38.0.225 50688 Bytes 4/16/2007 19:09:02

AVEWIN32.DLL : 7.4.0.12 2404864 Bytes 4/13/2007 19:04:24

AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 15:36:26

AVPREF.DLL : 7.0.2.1 24616 Bytes 3/27/2007 17:31:50

AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 18:16:24

AVPACK32.DLL : 7.3.0.8 360488 Bytes 3/27/2007 13:48:28

AVREG.DLL : 7.0.1.2 31784 Bytes 3/15/2007 14:05:08

AVEVTLOG.DLL : 7.0.0.18 86056 Bytes 3/27/2007 17:16:05

AVARKT.DLL : 1.0.0.17 278568 Bytes 5/2/2007 16:32:26

NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 16:09:42

RCIMAGE.DLL : 7.0.1.15 2228264 Bytes 3/13/2007 15:46:18

RCTEXT.DLL : 7.0.45.0 86056 Bytes 3/19/2007 17:42:42

 

Configuration settings for the scan:

Jobname..........................: Local Hard Disks

Configuration file...............: C:\Program Files\AntiVir PersonalEdition Classic\alldiscs.avp

Logging..........................: low

Primary action...................: interactive

Secondary action.................: ignore

Scan master boot sector..........: off

Scan boot sector.................: on

Boot sectors.....................: C:,

Scan memory......................: on

Process scan.....................: on

Scan registry....................: on

Search for rootkits..............: off

Scan all files...................: Intelligent file selection

Scan archives....................: on

Recursion depth..................: 20

Smart extensions.................: on

Macro heuristic..................: on

File heuristic...................: medium

 

Start of the scan: Monday, September 03, 2007 14:21

 

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'HijackThis.exe' - '1' Module(s) have been scanned

Scan process 'IEXPLORE.EXE' - '1' Module(s) have been scanned

Scan process 'iPodService.exe' - '1' Module(s) have been scanned

Scan process 'MySpaceIM.exe' - '1' Module(s) have been scanned

Scan process 'DSAgnt.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'jusched.exe' - '1' Module(s) have been scanned

Scan process 'AAWTray.exe' - '1' Module(s) have been scanned

Scan process 'SDTrayApp.exe' - '1' Module(s) have been scanned

Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned

Scan process 'EM_EXEC.EXE' - '1' Module(s) have been scanned

Scan process 'realsched.exe' - '1' Module(s) have been scanned

Scan process 'iTouch.exe' - '1' Module(s) have been scanned

Scan process 'tfswctrl.exe' - '1' Module(s) have been scanned

Scan process 'IntelMEM.exe' - '1' Module(s) have been scanned

Scan process 'hkcmd.exe' - '1' Module(s) have been scanned

Scan process 'smax4pnp.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'MsPMSPSv.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'swdsvc.exe' - '1' Module(s) have been scanned

Scan process 'svcntaux.exe' - '1' Module(s) have been scanned

Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'aawservice.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

41 processes with 41 modules were scanned

 

Start scanning boot sectors:

Boot sector 'C:\'

[NOTE] No virus was found!

 

Starting to scan the registry.

The registry was scanned ( '25' files ).

 

 

Starting the file scan:

 

Begin scan in 'C:\'

C:\hiberfil.sys

[WARNING] The file could not be opened!

C:\pagefile.sys

[WARNING] The file could not be opened!

C:\Documents and Settings\C Shane\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-59afe7f7-2abfceae.zip

[0] Archive type: ZIP

--> HiPointInstallShieldRT.class

[DETECTION] Is the Trojan horse TR/Java.Downloader.Gen

[INFO] The file was moved to '473056cb.qua'!

C:\Documents and Settings\C Shane\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\nRT.jar-5e7eb989-354bb23a.zip

[0] Archive type: ZIP

--> HiPointInstallShieldRT.class

[DETECTION] Is the Trojan horse TR/Java.Downloader.Gen

[INFO] The file was moved to '473056d2.qua'!

 

 

End of the scan: Monday, September 03, 2007 15:46

Used time: 1:25:35 min

 

The scan has been done completely.

 

11544 Scanning directories

289577 Files were scanned

2 viruses and/or unwanted programs were found

2 classified as suspicious:

0 files were deleted

0 files were repaired

2 files were moved to quarantine

0 files were renamed

2 Files cannot be scanned

289573 Files not concerned

10388 Archives were scanned

2 Warnings

0 Notes

0 Hidden objects were found


Oh and the red dot is no longer showing...does that mean Avira found it? I know it detected 2 files but that TR/Dldr.Boodo.3 never popped up again.

 

Also, I can see the quarantine report and it has that TR file listed several times and a couple of places (says it is something about Java?)

 

I can't see a way to copy that report and paste it here though.

 

Oh here is the report I think you really needed...not sure I gave you the right one before. That was the one that popped up after the scan. This one is shorter but maybe more direct for you:

 

 

 

AntiVir PersonalEdition Classic

Report file date: Monday, September 03, 2007 14:21

 

Scanning for 740715 virus strains and unwanted programs.

 

Licensed to: Avira AntiVir PersonalEdition Classic

Serial number: 0000149996-ADJIE-0001

Platform: Windows XP

Windows version: (Service Pack 2) [5.1.2600]

Username: A Diana

Computer name: THORACIAS

 

Version information:

BUILD.DAT : 247 14437 Bytes 5/10/2007 11:55:00

AVSCAN.EXE : 7.0.4.15 282664 Bytes 4/20/2007 17:37:14

AVSCAN.DLL : 7.0.4.4 33832 Bytes 3/27/2007 17:31:54

LUKE.DLL : 7.0.4.11 143400 Bytes 3/27/2007 17:26:04

LUKERES.DLL : 7.0.4.0 10280 Bytes 3/19/2007 17:18:59

ANTIVIR0.VDF : 6.35.0.1 7371264 Bytes 5/31/2006 19:08:58

ANTIVIR1.VDF : 6.37.1.151 4303360 Bytes 2/23/2007 19:09:01

ANTIVIR2.VDF : 6.38.0.214 729600 Bytes 4/12/2007 19:09:02

ANTIVIR3.VDF : 6.38.0.225 50688 Bytes 4/16/2007 19:09:02

AVEWIN32.DLL : 7.4.0.12 2404864 Bytes 4/13/2007 19:04:24

AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 15:36:26

AVPREF.DLL : 7.0.2.1 24616 Bytes 3/27/2007 17:31:50

AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 18:16:24

AVPACK32.DLL : 7.3.0.8 360488 Bytes 3/27/2007 13:48:28

AVREG.DLL : 7.0.1.2 31784 Bytes 3/15/2007 14:05:08

AVEVTLOG.DLL : 7.0.0.18 86056 Bytes 3/27/2007 17:16:05

AVARKT.DLL : 1.0.0.17 278568 Bytes 5/2/2007 16:32:26

NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 16:09:42

RCIMAGE.DLL : 7.0.1.15 2228264 Bytes 3/13/2007 15:46:18

RCTEXT.DLL : 7.0.45.0 86056 Bytes 3/19/2007 17:42:42

 

Configuration settings for the scan:

Jobname..........................: Local Hard Disks

Configuration file...............: C:\Program Files\AntiVir PersonalEdition Classic\alldiscs.avp

Logging..........................: low

Primary action...................: interactive

Secondary action.................: ignore

Scan master boot sector..........: off

Scan boot sector.................: on

Boot sectors.....................: C:,

Scan memory......................: on

Process scan.....................: on

Scan registry....................: on

Search for rootkits..............: off

Scan all files...................: Intelligent file selection

Scan archives....................: on

Recursion depth..................: 20

Smart extensions.................: on

Macro heuristic..................: on

File heuristic...................: medium

 

Start of the scan: Monday, September 03, 2007 14:21

 

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'HijackThis.exe' - '1' Module(s) have been scanned

Scan process 'IEXPLORE.EXE' - '1' Module(s) have been scanned

Scan process 'iPodService.exe' - '1' Module(s) have been scanned

Scan process 'MySpaceIM.exe' - '1' Module(s) have been scanned

Scan process 'DSAgnt.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'jusched.exe' - '1' Module(s) have been scanned

Scan process 'AAWTray.exe' - '1' Module(s) have been scanned

Scan process 'SDTrayApp.exe' - '1' Module(s) have been scanned

Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned

Scan process 'EM_EXEC.EXE' - '1' Module(s) have been scanned

Scan process 'realsched.exe' - '1' Module(s) have been scanned

Scan process 'iTouch.exe' - '1' Module(s) have been scanned

Scan process 'tfswctrl.exe' - '1' Module(s) have been scanned

Scan process 'IntelMEM.exe' - '1' Module(s) have been scanned

Scan process 'hkcmd.exe' - '1' Module(s) have been scanned

Scan process 'smax4pnp.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'MsPMSPSv.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'swdsvc.exe' - '1' Module(s) have been scanned

Scan process 'svcntaux.exe' - '1' Module(s) have been scanned

Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'aawservice.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

41 processes with 41 modules were scanned

 

Start scanning boot sectors:

Boot sector 'C:\'

[NOTE] No virus was found!

 

Starting to scan the registry.

The registry was scanned ( '25' files ).

 

 

Starting the file scan:

 

Begin scan in 'C:\'

C:\hiberfil.sys

[WARNING] The file could not be opened!

C:\pagefile.sys

[WARNING] The file could not be opened!

C:\Documents and Settings\C Shane\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\eRT.jar-59afe7f7-2abfceae.zip

[0] Archive type: ZIP

--> HiPointInstallShieldRT.class

[DETECTION] Is the Trojan horse TR/Java.Downloader.Gen

[INFO] The file was moved to '473056cb.qua'!

C:\Documents and Settings\C Shane\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\nRT.jar-5e7eb989-354bb23a.zip

[0] Archive type: ZIP

--> HiPointInstallShieldRT.class

[DETECTION] Is the Trojan horse TR/Java.Downloader.Gen

[INFO] The file was moved to '473056d2.qua'!

 

 

End of the scan: Monday, September 03, 2007 15:46

Used time: 1:25:35 min

 

The scan has been done completely.

 

11544 Scanning directories

289577 Files were scanned

2 viruses and/or unwanted programs were found

2 classified as suspicious:

0 files were deleted

0 files were repaired

2 files were moved to quarantine

0 files were renamed

2 Files cannot be scanned

289573 Files not concerned

10388 Archives were scanned

2 Warnings

0 Notes

0 Hidden objects were found


Yes, that's the right log.

 

Oh and the red dot is no longer showing...does that mean Avira found it?
Yes, that's possible. However, Avira should detect it as PCPandora though - but it's always possible it's being flagged as something else.

But, it could be possible that in your first scan attempt it was already deleted as well, because I don't see the TR/Dlbr.Boodo.3 being flagged there as well in your latest report.

 

Can you RESCAN with HijackThis and post a new HijackThislog please? This will show if Avira indeed detected and removed it :)

Also, I can see the quarantine report and it has that TR file listed several times and a couple of places (says it is something about Java?)
Yes, I see Avira quarantined those. They were present in your Java Cache.

 

But, it may be better if you also perform next:

 

Clear your Java cache:

  • Go to Start > Control Panel and double-click on the Java icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
  • Under Temporary Internet Files, click the Settings button.
  • Click the Delete Files... button below. Make sure the following are checked:
      Applications and Applets
      Trace and Log Files
  • Click OK on the Delete Temporary Files window.
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.

And, your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Updating Java:

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 2.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 2".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
      • Java 2 Runtime Environment, SE v1.4.2
      • J2SE Runtime Environment 5.0
      • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.


OK, removed all older versions of Java and ran the update. While it was running, Avira found that same TR again. I "quarantined" it. And nothing else significant has happened.

Here's the new log:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:07:17 PM, on 9/3/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Spyware Doctor\svcntaux.exe

C:\Program Files\Spyware Doctor\swdsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Spyware Doctor\SDTrayApp.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe

C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"

O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe

O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe

O20 - Winlogon Notify: actpop - C:\WINDOWS\SYSTEM32\actpop.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

 

--

End of file - 8538 bytes


Well, it's still present though...

 

Strange, because I know Avira should detect it.

 

Anyway, F-Secure does detect it as well, so perform the next...

 

* Click here to use the F-Secure Online Scanner

  • Then click the Start Scanning button below.
  • You should get a notification (bar on top) to install the activeX. Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished, click the Automatic cleaning (recommended) button.
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and copy and paste what's present under results in your next reply.


I cannot download this F-Secure thing. It gets to the Download stage and then an error occurs and it says "Unable to download necessary Online Scanner components. Please try again."

I have tried 4 times. ;)

 

It gets to 12826 out of 12829 kb!!! Then it stops. :o

 

Edit: I just tried doing the custom install just for kicks...got nowhere but I did get a new message...

"Insufficient rights to use Active X controls! Please check your user rights and Internet Explorer security settings!"

 

I have never changed my IE settings in any way and I have always been able to install Active X controls before.


Can you temporarily uninstall your Spyware Doctor? Because I guess Spyware Doctor is causing this. It's not the first time I have seen this.

Then reboot after uninstall.

After reboot,

 

* Open the Internet icon in your Control Panel, from your Start menu.

* This should open the Internet Properties window.

* Click on the Advanced tab.

* At the bottom of the window there will be a Restore Defaults button.

* Click the Restore Defaults button.

* Click the OK button.


Sorry it took so long to reply--I have been working long hours. Thank you for your help so far!

 

I cannot totally uninstall SpyDoctor because I do not have the key I registered with anymore and since I paid for a year, I'm afraid to take it off completely; however, I disabled it and I restored defaults under Internet Options. I tried to run F-Scan again and got the same results as before. :D


OK, no hassle anymore with online scans - let's try to find these files with another tool...

 

Download and install Agent Ransack from here: http://www.mythicsoft.com/agentransack/Pag...x?page=download

 

After you have installed it, Start the Agent Ransack tool (you'll find the program in start > all programs).

In the main Window of Agent Ransack, in the right corner, make sure *Expert User is checked.

 

There you'll also see a couple of fields. The first one: "File name": -- leave that empty --

The second field: "Containing Text". Check the checkbox in front of Containing Text and in the field type: PcPandora

The third field, "Look in": type in C:\ (By default, it should already be C:\ there)

 

*Check the box to search sub folders

 

Don't check anything under it where it says Size and Modified. Leave these checkboxes empty.

 

Then click the "Start Search" button in the right top corner.

 

This will search your entire drive for files that contain the string PcPandora, because I know these files contain that string.

 

Then, when the search is done, on top in the menu, you'll find: 'file' > 'save results'

"Clipboard" is checked by default; also check "Save results for *all files" and "Save information: *File name".

Do NOT check "contents"

Then click the SAVE button.

Now right-click in your next reply and choose 'Paste'; that will copy and paste the results from Agent Ransack.
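An added example (not from this thread and not Agent Ransack's own code): a Python equivalent of the search described above, walking a folder tree for files containing the string PcPandora, skipping files that cannot be opened (as Avira reported for hiberfil.sys and pagefile.sys) and reporting file names only, never contents. It goes beyond the plain text search by also matching the UTF-16LE form of the string, since Windows binaries often store text that way; the sample files built in demo() are constructed for illustration.

```python
"""Recursively find files whose contents contain a given string.

Mirrors the Agent Ransack search: "File name" empty, "Containing Text" =
the string, "Look in" = the root, subfolders included, file names only
in the output.
"""
import os
import tempfile
from pathlib import Path

SEARCH_STRING = "PcPandora"   # the string the helper has the user search for


def _patterns(needle):
    """Byte forms to look for: UTF-8/ASCII and UTF-16LE (common in Windows
    binaries). Lower-cased for a case-insensitive match; bytes.lower()
    touches ASCII letters only, so the UTF-16 NUL bytes are unaffected."""
    return [needle.encode("utf-8").lower(), needle.encode("utf-16-le").lower()]


def file_contains(path, needle, chunk_size=1 << 20):
    """Case-insensitive, binary-safe search of one file.

    Returns True/False, or None when the file cannot be opened or read.
    Reads in chunks and carries the tail of the previous chunk forward so
    a match that straddles a chunk boundary is not missed.
    """
    patterns = _patterns(needle)
    keep = max(len(p) for p in patterns) - 1      # bytes to carry over
    tail = b""
    try:
        with open(path, "rb") as fh:
            while True:
                chunk = fh.read(chunk_size)
                if not chunk:
                    return False
                window = tail + chunk
                if any(p in window.lower() for p in patterns):
                    return True
                tail = window[-keep:] if keep else b""
    except OSError:
        # e.g. a locked hiberfil.sys or pagefile.sys: "could not be opened"
        return None


def find_files_containing(root, needle=SEARCH_STRING):
    """Walk `root` (subfolders included) and return (matches, unreadable),
    both sorted lists of POSIX-style paths relative to root."""
    root = Path(root)
    matches, unreadable = [], []
    for dirpath, _dirs, names in os.walk(root):   # does not follow dir symlinks
        for name in names:
            path = Path(dirpath) / name
            if path.is_symlink():
                continue
            rel = path.relative_to(root).as_posix()
            found = file_contains(path, needle)
            (unreadable if found is None else matches if found else []).append(rel)
    return sorted(matches), sorted(unreadable)


def demo():
    """Constructed sample tree: plain text (different case), a UTF-16LE
    blob, an uninteresting file, and a small-chunk boundary check."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "sub").mkdir()
        (base / "readme.txt").write_text("nothing of interest here")
        (base / "sub" / "notes.txt").write_text("installed PCPANDORA last week")
        (base / "sub" / "blob.bin").write_bytes(
            b"\x00\x01" + "PcPandora".encode("utf-16-le") + b"\xff")
        (base / "sub" / "split.txt").write_text("x" * 5 + "pcpandora" + "y" * 5)
        matches, unreadable = find_files_containing(base)
        # chunk_size=8 forces the 9-byte needle across a read boundary
        straddle = file_contains(base / "sub" / "split.txt", SEARCH_STRING, 8)
        return matches, unreadable, straddle


if __name__ == "__main__":
    m, u, s = demo()
    print("matches:", m, "unreadable:", u, "boundary match:", s)
```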
