# infected file



## paul67 (Mar 20, 2005)

Sorry, posted in the wrong forum. I seem to have an infected file in my Windows temp folder and can't delete it; I keep getting warnings of a trojan popping up. Also my HijackThis doesn't work properly.


----------



## paul67 (Mar 20, 2005)

The trojan is trojan.clicker.cm.


----------



## paul67 (Mar 20, 2005)

Anyone out there?


----------



## sjpritch25 (Sep 8, 2005)

Please download *ATF Cleaner* by Atribune.

*This program is for XP and Windows 2000 only*


- Double-click *ATF-Cleaner.exe* to run the program.
- Under *Main* choose: *Select All*
- Click the *Empty Selected* button.

If you use Firefox browser:
- Click *Firefox* at the top and choose: *Select All*
- Click the *Empty Selected* button.

*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.

If you use Opera browser:
- Click *Opera* at the top and choose: *Select All*
- Click the *Empty Selected* button.

*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.

Click *Exit* on the Main menu to close the program. For *Technical Support*, double-click the e-mail address located at the bottom of each menu.

====================================

Download *Deckard's System Scanner (DSS)* to your *Desktop*. Note: You must be logged onto an account with administrator privileges.

- *Close* all applications and windows.
- *Double-click* on *dss.exe* to run it, and follow the prompts.
- When the scan is complete, two text files will open: *main.txt* (this one will be maximized) and *extra.txt* (this one will be minimized).
- Copy *(Ctrl+A then Ctrl+C)* and paste *(Ctrl+V)* the contents of *main.txt* here.
- Please *attach extra.txt* to your post.

To attach a file to a new post, simply:
- Click the [*Manage Attachments*] button under *Additional Options > Attach Files* on the post composition page, and
- *copy and paste* the following into the "*Upload File from your Computer*" box: *C:\Deckard\System Scanner\extra.txt*
- Click *Upload*.

What DSS will do:
- create a new System Restore point in Windows XP and Vista.
- clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
- check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.


----------



## paul67 (Mar 20, 2005)

Sorry, didn't say that my platform's Windows Vista.


----------



## sjpritch25 (Sep 8, 2005)

That's okay, ATF Cleaner will work on Vista. I need to change that other response.


----------



## paul67 (Mar 20, 2005)

Seem to have fixed it by myself lol. Done several virus scans and can't find a thing now, but much thanks anyway.


----------



## paul67 (Mar 20, 2005)

Thought I sorted it, but still seem to have something wrong.


----------



## paul67 (Mar 20, 2005)

Deckard's System Scanner v20071014.68
Run by shad on 2007-12-13 17:57:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
6: 2007-12-13 16:45:19 UTC - RP126 - Removed BioShock Demo
5: 2007-12-13 10:41:29 UTC - RP124 - Scheduled Checkpoint
4: 2007-12-12 17:37:06 UTC - RP123 - Scheduled Checkpoint
3: 2007-12-12 00:08:00 UTC - RP122 - Scheduled Checkpoint
2: 2007-12-11 10:49:07 UTC - RP121 - Scheduled Checkpoint

-- First Restore Point -- 
1: 2007-12-10 20:02:25 UTC - RP120 - Windows Update

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 958 MiB (1024 MiB recommended).

-- HijackThis (run as shad.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:00:39, on 13/12/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\BullGuard Software\BullGuard\BullGuard.exe
C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
C:\Program Files\Internet Explorer\IEUser.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Downloads\dss.exe
C:\Windows\system32\SearchFilterHost.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\shad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xboxmedia.gamespy.com/xbox/i...demned-criminal-origins-20050518071156746.jpg
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\VistaADeck\HDAudioCPL.exe 1
O4 - HKLM\..\Run: [PowerManager] C:\Program Files\Power Manager\PM.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe" -boot
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe"
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
O4 - Global Startup: reccd.lnk = C:\Windows\reccd.mht
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O13 - Gopher Prefix: 
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {5852F5ED-8BF4-11D4-A245-0080C6F74284} (isInstalled Class) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard Software - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: XAudioService - Unknown owner - C:\Windows\system32\DRIVERS\xaudio.exe (file missing)

--
End of file - 7069 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BTHidMgr (Bluetooth HID Manager Service) - c:\windows\system32\drivers\bthidmgr.sys <Not Verified; IVT Corporation; BlueSoleil(c)>
R1 WINIO - \??\c:\windows\system32\winio.sys
R3 BlueletAudio (Bluetooth Audio Service) - c:\windows\system32\drivers\blueletaudio.sys <Not Verified; IVT Corporation; Windows (R) 2000 DDK driver>
R3 BT (Bluetooth PAN Network Adapter) - c:\windows\system32\drivers\btnetdrv.sys <Not Verified; IVT Corporation; BlueSoleil>
R3 VcommMgr (Bluetooth VComm Manager Service) - c:\windows\system32\drivers\vcommmgr.sys <Not Verified; IVT Corporation; BlueSoleil>

S3 BTHidEnum (Bluetooth HID Enumerator) - c:\windows\system32\drivers\vbtenum.sys
S3 VComm (Virtual Serial port driver) - c:\windows\system32\drivers\vcomm.sys <Not Verified; IVT Corporation; BlueSoleil>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S2 McTskshd.exe (McAfee Task Scheduler) - c:\progra~1\mcafee.com\agent\mctskshd.exe (file missing)
S2 XAudioService - c:\windows\system32\drivers\xaudio.exe (file missing)

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Files created between 2007-11-13 and 2007-12-13 -----------------------------

2007-12-13 18:00:19 0 d-------- C:\Program Files\Trend Micro
2007-12-12 17:09:52 0 d-------- C:\Program Files\ATI Technologies
2007-12-12 17:09:46 0 d-------- C:\Program Files\ATI
2007-12-12 17:08:34 0 d-------- C:\ATI
2007-12-09 18:43:22 0 d-------- C:\Program Files\Java
2007-12-09 18:42:55 0 d-------- C:\Program Files\Common Files\Java
2007-12-09 17:43:08 0 d-------- C:\Program Files\2K Games
2007-12-07 20:21:40 0 d-------- C:\Program Files\SEGA
2007-12-02 12:35:43 0 d-------- C:\PICZ
2007-11-24 13:12:40 0 d-------- C:\Program Files\Microsoft Xbox 360 Accessories
2007-11-21 20:43:06 0 d-------- C:\Users\All Users\Viewpoint
2007-11-21 20:43:05 0 d-------- C:\Program Files\Viewpoint
2007-11-21 20:42:52 0 d-------- C:\Users\All Users\AOL OCP
2007-11-21 20:42:51 0 d-------- C:\Users\All Users\AOL
2007-11-21 20:42:29 0 d-------- C:\Program Files\Common Files\AOL
2007-11-16 20:44:35 0 d-------- C:\Program Files\DivX
2007-11-16 17:40:43 0 d-------- C:\Program Files\Winwap Technologies
2007-11-16 09:46:50 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-15 22:53:50 11736 --a------ C:\Windows\system32\drivers\VHIDMini.sys <Not Verified; IVT Corporation; IVT BlueSoleil>
2007-11-15 22:53:50 82148 --a------ C:\Windows\system32\drivers\VcommMgr.sys <Not Verified; IVT Corporation; BlueSoleil>
2007-11-15 22:53:50 61312 --a------ C:\Windows\system32\drivers\VComm.sys <Not Verified; IVT Corporation; BlueSoleil>
2007-11-15 22:53:50 13304 --a------ C:\Windows\system32\drivers\BTNetFilter.sys
2007-11-15 22:53:49 11860 --a------ C:\Windows\system32\drivers\VBTEnum.sys
2007-11-15 22:53:49 116021 --a------ C:\Windows\system32\drivers\fw203x.sys <Not Verified; Broadcom; >
2007-11-15 22:53:49 10804 --a------ C:\Windows\system32\drivers\BtNetDrv.sys <Not Verified; IVT Corporation; BlueSoleil>
2007-11-15 22:53:49 28271 --a------ C:\Windows\system32\drivers\BTHidMgr.sys <Not Verified; IVT Corporation; BlueSoleil(c)>
2007-11-15 22:53:49 23000 --a------ C:\Windows\system32\drivers\btcusb.sys <Not Verified; IVT Corporation; Bluetooth USB Device Driver>
2007-11-15 22:53:49 20096 --a------ C:\Windows\system32\drivers\blueletaudio.sys <Not Verified; IVT Corporation; Windows (R) 2000 DDK driver>
2007-11-15 22:53:49 7680 --a------ C:\Windows\system32\btinstall.dll <Not Verified; IVT Corporation; BlueSoleil>
2007-11-15 22:53:49 49152 --a------ C:\Windows\system32\btfunc.dll <Not Verified; IVT Corporation; BlueSoleil>
2007-11-15 22:51:57 63488 -ra------ C:\Windows\system32\drivers\wssbtr1f.sys <Not Verified; National Semiconductor Sweden AB; National Semiconductor Sweden AB BlueCard PCMCIA driver>
2007-11-15 22:51:57 48556 -ra------ C:\Windows\system32\drivers\SktBt2k.sys <Not Verified; Socket Communications, Inc.; SIO9502K>
2007-11-15 22:51:57 77824 -ra------ C:\Windows\system32\drivers\SioUi2k.dll <Not Verified; Socket Communications Inc.; 16C950>
2007-11-15 22:51:57 48076 -ra------ C:\Windows\system32\drivers\Sio9502k.sys <Not Verified; Socket Communications, Inc.; SIO9502K>
2007-11-15 22:51:57 40960 -ra------ C:\Windows\system32\drivers\SCTray.exe <Not Verified; Socket Communications Inc.; SCTray>
2007-11-15 22:51:57 51169 -ra------ C:\Windows\system32\drivers\OXSER.SYS <Not Verified; OEM; >
2007-11-15 20:46:58 0 d-------- C:\Program Files\Opera
2007-11-15 16:37:04 0 d-------- C:\Downloads
2007-11-15 16:36:34 0 d-------- C:\Program Files\BitComet
2007-11-15 15:56:47 0 d-------- C:\Users\All Users\BullGuard
2007-11-15 15:56:30 0 d-------- C:\Program Files\BullGuard Software
2007-11-15 15:41:01 0 d-------- C:\Users\All Users\McAfee.com
2007-11-15 15:38:48 0 d-------- C:\Program Files\McAfee.com
2007-11-15 13:29:55 0 d-------- C:\Users\All Users\Media Center Programs
2007-11-14 23:56:23 0 d-------- C:\Program Files\CDisplay
2007-11-14 22:48:47 0 d-------- C:\Program Files\Common Files\xing shared
2007-11-14 22:48:23 0 d-------- C:\Program Files\Real
2007-11-14 22:48:17 0 d-------- C:\Program Files\Common Files\Real
2007-11-14 16:42:37 61440 --a------ C:\Windows\system32\W32N50.dll <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2007-11-14 16:42:37 0 d-------- C:\Program Files\D-Link
2007-11-14 16:01:37 0 d-------- C:\Users\All Users\Yahoo! Companion
2007-11-14 15:08:12 0 d-------- C:\Program Files\Download Manager
2007-11-14 14:42:15 0 d-------- C:\STUFF
2007-11-14 13:58:52 0 d-------- C:\Windows\PCHEALTH
2007-11-14 13:57:14 0 d-------- C:\Windows\system32\Macromed
2007-11-14 13:57:05 0 d-------- C:\Users\All Users\Yahoo!
2007-11-14 13:55:46 0 d-------- C:\Program Files\Yahoo!
2007-11-14 13:49:14 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2007-11-14 13:48:37 0 d-------- C:\Program Files\Windows Live
2007-11-14 13:48:14 0 d-------- C:\Users\All Users\WLInstaller
2007-11-14 12:41:53 0 dr------- C:\Users\shad\Searches
2007-11-14 12:41:43 0 dr------- C:\Users\shad\Contacts
2007-11-14 12:41:36 0 dr------- C:\Users\shad\Videos
2007-11-14 12:41:36 0 d--hs---- C:\Users\shad\Templates
2007-11-14 12:41:36 0 d--hs---- C:\Users\shad\Start Menu
2007-11-14 12:41:36 0 d--hs---- C:\Users\shad\SendTo
2007-11-14 12:41:36 0 dr------- C:\Users\shad\Saved Games
2007-11-14 12:41:36 0 d--hs---- C:\Users\shad\Recent
2007-11-14 12:41:36 0 d--hs---- C:\Users\shad\PrintHood
2007-11-14 12:41:36 0 dr------- C:\Users\shad\Pictures
2007-11-14 12:41:36 3932160 --ahs---- C:\Users\shad\NTUSER.DAT
2007-11-14 12:41:36 0 d--hs---- C:\Users\shad\NetHood
2007-11-14 12:41:36 0 d--hs---- C:\Users\shad\My Documents
2007-11-14 12:41:36 0 dr------- C:\Users\shad\Music
2007-11-14 12:41:36 0 d--hs---- C:\Users\shad\Local Settings
2007-11-14 12:41:36 0 dr------- C:\Users\shad\Links
2007-11-14 12:41:36 0 dr------- C:\Users\shad\Favorites
2007-11-14 12:41:36 0 dr------- C:\Users\shad\Downloads
2007-11-14 12:41:36 0 dr------- C:\Users\shad\Documents
2007-11-14 12:41:36 0 dr------- C:\Users\shad\Desktop
2007-11-14 12:41:36 0 d--hs---- C:\Users\shad\Cookies
2007-11-14 12:41:36 0 d--hs---- C:\Users\shad\Application Data
2007-11-14 12:41:36 0 d--h----- C:\Users\shad\AppData

-- Find3M Report ---------------------------------------------------------------

2007-12-13 16:45:56 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-09 18:42:55 0 d-------- C:\Program Files\Common Files
2007-12-09 18:09:56 0 d-------- C:\Users\shad\AppData\Roaming\IGN_DLM
2007-12-09 18:04:59 0 d-------- C:\Users\shad\AppData\Roaming\Bioshock
2007-12-02 13:27:33 20794 --a------ C:\Users\shad\AppData\Roaming\UserTile.png
2007-11-24 16:58:58 0 d-------- C:\Users\shad\AppData\Roaming\BullGuard
2007-11-22 16:23:43 0 d-------- C:\Users\shad\AppData\Roaming\PeerNetworking
2007-11-18 21:27:44 0 d-------- C:\Users\shad\AppData\Roaming\DivX
2007-11-16 21:36:56 6662 --a------ C:\Program Files\install.log
2007-11-15 20:47:19 0 d-------- C:\Users\shad\AppData\Roaming\Opera
2007-11-14 22:55:00 0 d-------- C:\Users\shad\AppData\Roaming\Real
2007-11-14 16:48:57 174 --ahs---- C:\Program Files\desktop.ini
2007-11-14 16:45:04 0 d-------- C:\Program Files\Windows Calendar
2007-11-14 16:44:59 0 d-------- C:\Program Files\Windows Mail
2007-11-14 16:42:10 0 d-------- C:\Program Files\Common Files\InstallShield
2007-11-14 13:58:49 0 d-------- C:\Users\shad\AppData\Roaming\Macromedia
2007-11-14 12:41:45 0 d-------- C:\Users\shad\AppData\Roaming\Identities
2007-10-26 11:37:58 0 d-------- C:\Program Files\Alex Feinman
2007-10-24 10:12:48 250329 --a------ C:\recdel.exe
2007-10-20 00:56:16 3596288 --a------ C:\Windows\system32\qt-dx331.dll
2007-10-20 00:54:28 196608 --a------ C:\Windows\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-10-20 00:54:28 81920 --a------ C:\Windows\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-10-20 00:54:12 802816 --a------ C:\Windows\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-10-20 00:54:12 823296 --a------ C:\Windows\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-10-20 00:54:12 823296 --a------ C:\Windows\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-10-20 00:54:10 739840 --a------ C:\Windows\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-10-18 09:02:34 12288 --a------ C:\Windows\system32\DivXWMPExtType.dll

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [15/05/2007 11:44]
"HDAudDeck"="C:\Program Files\VIA\VIAudioi\VistaADeck\HDAudioCPL.exe" [01/02/2007 17:18]
"PowerManager"="C:\Program Files\Power Manager\PM.exe" [12/12/2006 15:36]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [12/09/2006 09:22]
"S3Trayp"="S3trayp.exe" [15/12/2006 14:04 C:\Windows\System32\s3trayp.exe]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [22/11/2006 09:31]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [14/11/2007 22:48]
"BullGuard"="C:\Program Files\BullGuard Software\BullGuard\bullguard.exe" [06/12/2007 16:01]
"XboxStat"="C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" [26/09/2007 18:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [15/12/2006 03:23]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [30/08/2007 17:43]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 11:34]
"BullGuard"="C:\Program Files\BullGuard Software\BullGuard\bullguard.exe" [06/12/2007 16:01]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [05/03/2007 21:57]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService	nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient
LocalSystemNetworkRestricted	hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc wlansvc EMDMgmt TabletInputService WPDBusEnum
LocalServiceNoNetwork	PLA DPS BFE mpssvc
BullGuard	BgMainSvc BsFileScan BsMailProxy

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

-- End of Deckard's System Scanner: finished at 2007-12-13 18:02:08 ------------
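The HijackThis section of the log above is what the analyst actually reads, and most of the review is mechanical: which entries point at files that no longer exist, which autorun commands are bare filenames, which startup shortcuts open something other than a program, and which ActiveX (DPF) or start-page URLs point outside the vendors you expect. The script below is an added example written for this thread; it is not part of DSS, HijackThis, or anything the posters ran. It parses HijackThis-style lines and returns review candidates (not verdicts). The `ALLOWED_HOSTS` list and the heuristics are assumptions chosen for illustration; the sample lines are copied from the log posted above plus two benign entries so that it runs offline.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: entries copied from the HijackThis log in this thread,
# plus a benign O2 and O4 entry, so the script runs with no input file.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xboxmedia.gamespy.com/xbox/i...demned-criminal-origins-20050518071156746.jpg
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - Global Startup: reccd.lnk = C:\Windows\reccd.mht
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
O23 - Service: XAudioService - Unknown owner - C:\Windows\system32\DRIVERS\xaudio.exe (file missing)
"""

# Every HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: ...".
LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")

# Hosts the analyst treats as expected for IE start pages and DPF downloads.
# This allowlist is an assumption made for the example, not a standard list.
ALLOWED_HOSTS = ("microsoft.com", "msn.com", "live.com", "sun.com", "java.com")


@dataclass
class Finding:
    kind: str    # HijackThis section, e.g. "O4"
    reason: str  # why the analyst should look at it
    line: str    # the original log line


def parse_line(line):
    """Split 'O4 - body' into (kind, body); return None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    return (m.group("kind"), m.group("body")) if m else None


def host_allowed(url):
    """True if the URL's host is one of ALLOWED_HOSTS or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWED_HOSTS)


def triage_line(line):
    """Return zero or more Findings for a single HijackThis line."""
    parsed = parse_line(line)
    if parsed is None:
        return []
    kind, body = parsed
    lower = body.lower()
    out = []
    # Any section: the entry references a file that is no longer on disk.
    # Usually leftovers of an uninstall, but still worth cleaning up.
    if "(no file)" in lower or "(file missing)" in lower:
        out.append(Finding(kind, "orphaned entry: referenced file is missing", line))
    if kind == "R0" and "start page =" in lower:
        url = body.split("=", 1)[1].strip()
        if url.lower().startswith("http") and not host_allowed(url):
            out.append(Finding(kind, "start page set to a host outside the allowlist", line))
    elif kind == "O4":
        if lower.startswith("global startup:") and "=" in body:
            # Shortcut in the Startup folder: what does it actually open?
            target = body.split("=", 1)[1].strip()
            if not target.lower().endswith(".exe"):
                out.append(Finding(kind, "startup shortcut opens a non-executable file", line))
        else:
            # Registry Run value: a command with no quote, no %VAR% and no
            # drive letter is a bare filename resolved through PATH.
            m = re.search(r"\]\s+(\S)", body)
            if (m and m.group(1) not in ('"', "%")
                    and not re.match(r"[A-Za-z]:\\", body[m.start(1):])):
                out.append(Finding(kind, "autorun command is a bare filename resolved via PATH", line))
    elif kind == "O16":
        # DPF entries are ActiveX controls downloaded from a URL.
        url = body.rsplit(" - ", 1)[-1].strip()
        if url.lower().startswith("http") and not host_allowed(url):
            out.append(Finding(kind, "ActiveX download from a host outside the allowlist", line))
    return out


def triage(log_text):
    """Run triage_line over every line of a pasted HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        findings.extend(triage_line(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

On the sample above the script flags seven entries: the three "(no file)"/"(file missing)" leftovers, the bare `S3trayp.exe` Run value, the Startup shortcut that opens `reccd.mht` rather than a program, the FilePlanet download control, and the non-Microsoft start page. None of these is a verdict; they are the lines a helper would ask about first, which is exactly the job the posted log is meant to support.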


----------



## paul67 (Mar 20, 2005)

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista Home Basic (build 6000)
Architecture: X86; Language: English

CPU 0: Intel(R) Core(TM) Duo CPU T2450 @ 2.00GHz
Percentage of Memory in Use: 67%
Physical Memory (total/avail): 957.88 MiB / 312.69 MiB
Pagefile Memory (total/avail): 2174.61 MiB / 1269.45 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1894.39 MiB

C: is Fixed (NTFS) - 74.53 GiB total, 18.21 GiB free. 
D: is CDROM (UDF)

\\.\PHYSICALDRIVE0 - SAMSUNG HM080HI ATA Device - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.53 GiB - C:

-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

AV: BullGuard Antivirus v (BullGuard Software)
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\shad\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SHADY3
ComSpec=C:\Windows\system32\cmd.exe
configsetroot=C:\Windows\ConfigSetRoot
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\shad
LOCALAPPDATA=C:\Users\shad\AppData\Local
LOGONSERVER=\\SHADY3
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 12, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e0c
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\shad\AppData\Local\Temp
TMP=C:\Users\shad\AppData\Local\Temp
USERDOMAIN=SHADY3
USERNAME=shad
USERPROFILE=C:\Users\shad
windir=C:\Windows

-- User Profiles ---------------------------------------------------------------

shad

-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
ALPS Touch Pad Driver --> C:\Program Files\Apoint2K\Uninstap.exe ADDREMOVE
AW-GM100 1.0.0.52 Vista WHQL driver --> C:\Program Files\InstallShield Installation Information\{35ED3C4A-AA20-43E6-9420-42D89EC3F5D9}\setup.exe -runfromtemp -l0x0009 -removeonly
BitComet 0.96 --> C:\Program Files\BitComet\uninst.exe
BullGuard 7.0 for Vista --> C:\Program Files\BullGuard Software\BullGuard\uninst.exe
CDisplay 1.8 --> "C:\Program Files\CDisplay\unins000.exe"
Condemned - Criminal Origins Demo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BF6C70DB-7E1E-4A85-B668-F4E80C3CA349}\setup.exe" -l0x9 -removeonly
D-Link AirPlus G+ Wireless Adapter Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A2F67EA3-0721-4E0D-A7B9-AE8F321303AF}\Setup.exe" -l0x9 
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
Download Manager 2.3.6 --> C:\Program Files\Download Manager\uninst.exe
ISO Recorder --> MsiExec.exe /I{39600969-41C3-4658-876E-16F108FC5C92}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
McAfee SecurityCenter --> c:\PROGRA~1\mcafee.com\shared\mcappins.exe /v=3 /uninstall=1 /appid=msc /interact=1 /script_proactive=0 /start=C:\PROGRA~1\McAfee.com\Agent\uninst\screm.ui::uninstall.htm
McAfee VirusScan --> c:\PROGRA~1\mcafee.com\shared\mcappins.exe /v=3 /uninstall=1 /appid=vso /interact=1 /script_proactive=0 /start=C:\PROGRA~1\McAfee.com\Agent\uninst\vsoremui.dll::uninstall.htm
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Xbox 360 Accessories 1.1 --> MsiExec.exe /X{66F0AC35-4805-44BC-A3D4-347D4196F9B3}
Motorola SM56 Data Fax Modem --> rundll32.exe sm56co6a.dll,SM56UnInstaller
OpenOffice.org 2.1 --> MsiExec.exe /I{43983EB4-43DC-4C3D-9712-1EF592A31CA8}
Opera 9.24 --> MsiExec.exe /X{16913489-B5E3-403E-AFD3-2B19BBE464D4}
Power Manager 2.2.1 --> "C:\Program Files\Power Manager\unins000.exe"
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
VIA Display Vista Driver 7.14.10.0058 --> C:\PROGRA~1\S3\UChromeP\s3minset.exe /u -log UChromeP.uns
VIA Platform Device Manager --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{20D4A895-748C-4D88-871C-FDB1695B0169} 
VIA Rhine-Family Fast-Ethernet Adapter --> Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
WinWAP for Windows 4.0 RC1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1EFC6F99-16F9-49B1-8DC4-233144B1347D}\Setup.exe" 
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Install Manager --> C:\Windows\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\Windows\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\YMMAPI.dll
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe

-- Application Event Log -------------------------------------------------------

Event Record #/Type4680 / Error
Event Submitted/Written: 12/13/2007 04:45:17 PM
Event ID/Source: 8194 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005.
This is often caused by incorrect security settings in either the writer or requestor process.

Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {36f21eb8-d1c2-4488-9492-ed0cb9c9ff2a}

Event Record #/Type4661 / Error
Event Submitted/Written: 12/13/2007 10:50:55 AM
Event ID/Source: 5007 / WerSvc
Event Description:
The target file for the Windows Feedback Platform (a DLL file containing the list of problems on this computer that require additional data collection for diagnosis) could not be parsed. The error code was 8014FFF9.

Event Record #/Type4653 / Success
Event Submitted/Written: 12/13/2007 09:53:34 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type4650 / Error
Event Submitted/Written: 12/13/2007 09:52:06 AM
Event ID/Source: 11 / Microsoft-Windows-CAPI2
Event Description:
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Event Record #/Type4648 / Success
Event Submitted/Written: 12/13/2007 09:51:50 AM
Event ID/Source: 5617 / WinMgmt
Event Description:

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type19051 / Warning
Event Submitted/Written: 12/13/2007 06:00:57 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%SHADY327 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %SHADY327 can't undo changes that you allow.

For more information please see the following:
%SHADY3275

Scan ID: {3F8A2E57-CAB2-4E1D-8662-88068317E087}

User: SHADY3\shad

Name: %SHADY3271

ID: %SHADY3272

Severity ID: %SHADY3273

Category ID: %SHADY3274

Path Found: %SHADY3276

Alert Type: %SHADY3278

Detection Type: 1.1.1505.02

Event Record #/Type19050 / Warning
Event Submitted/Written: 12/13/2007 06:00:57 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%SHADY327 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %SHADY327 can't undo changes that you allow.

For more information please see the following:
%SHADY3275

Scan ID: {87EEDBE7-F6FA-40B1-9F26-F07815645555}

User: SHADY3\shad

Name: %SHADY3271

ID: %SHADY3272

Severity ID: %SHADY3273

Category ID: %SHADY3274

Path Found: %SHADY3276

Alert Type: %SHADY3278

Detection Type: 1.1.1505.02

Event Record #/Type19048 / Warning
Event Submitted/Written: 12/13/2007 00:03:45 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0015AF25C5A8. The following error occurred: 
%%121. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Event Record #/Type19030 / Error
Event Submitted/Written: 12/13/2007 00:03:16 PM
Event ID/Source: 31004 / ipnathlp
Event Description:
The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.

Event Record #/Type19004 / Warning
Event Submitted/Written: 12/12/2007 11:27:47 PM
Event ID/Source: 4001 / Microsoft-Windows-WLAN-AutoConfig
Event Description:

-- End of Deckard's System Scanner: finished at 2007-12-13 18:02:08 ------------


----------



## paul67 (Mar 20, 2005)

Virus that's popping up now is called exploit.adodbstream.j


----------



## sjpritch25 (Sep 8, 2005)

Where is McAfee finding it???


----------



## paul67 (Mar 20, 2005)

Not McAfee, got BullGuard. Think it's in temp folder, not sure, will check when the alert pops up again.


----------



## sjpritch25 (Sep 8, 2005)

Okay.


----------



## paul67 (Mar 20, 2005)

Yeah, it's in the temp folder.


----------



## paul67 (Mar 20, 2005)

It's in the AppData windows temp folder.


----------



## sjpritch25 (Sep 8, 2005)

Please post the full path of the file. Thanks.


----------
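The helper above asks for the full path of the suspect file, and the poster only knows it is "somewhere in a temp folder". The script below is an added example, not part of the thread and not a tool either participant used: it walks the usual temp locations on a Windows 2000/XP/Vista box (`%TEMP%`, `%SystemRoot%\Temp` and the per-user `AppData\Local\Temp`), lists every file written in the last few days with its full path, and hashes it so the exact file can be reported or looked up. It assumes PowerShell 2.0 or later and that it is run from an administrator prompt so `C:\Windows\Temp` is readable; the `-Days` window is an arbitrary default.

```powershell
# Added example (not from the thread): enumerate recently written files in
# the common temp folders and print full path, size, timestamp and SHA-256.
param(
    [int]$Days = 7      # assumption: look back one week by default
)

# Candidate roots; Test-Path drops any that do not exist on this box.
$roots = @(
    $env:TEMP,
    "$env:SystemRoot\Temp",
    "$env:LOCALAPPDATA\Temp"   # Vista+ per-user temp under AppData\Local
) | Where-Object { $_ -and (Test-Path $_) } | Select-Object -Unique

$sha    = [System.Security.Cryptography.SHA256]::Create()
$cutoff = (Get-Date).AddDays(-$Days)

$results = foreach ($root in $roots) {
    # -Force includes hidden/system files, which is where a dropper usually hides.
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -ge $cutoff } |
        ForEach-Object {
            $hash = "(unreadable)"
            try {
                # FileShare.ReadWrite lets us hash a file another process still
                # holds open, which is the usual reason "cannot delete" appears.
                $fs = [System.IO.File]::Open($_.FullName, 'Open', 'Read', 'ReadWrite')
                try {
                    $hash = [System.BitConverter]::ToString($sha.ComputeHash($fs)).Replace('-', '')
                } finally {
                    $fs.Close()
                }
            } catch { }
            New-Object PSObject -Property @{
                Path      = $_.FullName
                Bytes     = $_.Length
                LastWrite = $_.LastWriteTime
                SHA256    = $hash
            }
        }
}

$results |
    Sort-Object LastWrite -Descending |
    Format-Table -AutoSize Path, Bytes, LastWrite, SHA256
```

Run it as `.\list-temp.ps1 -Days 3` (file name is arbitrary) and paste the row for the file the scanner names. The path column is exactly what the helper is asking for; the hash lets anyone check the same sample without needing the file itself. If the hash column shows "(unreadable)" the file is locked or access-denied, which is itself a useful data point to report, since a locked file in a temp folder usually has a live process behind it.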

