Spyware attack
21-06-2008 9:39am
Just about recovered from a nasty spyware attack over the last few days. Several runs of Ad-Aware and Spybot seem to have cleared most everything up, but I have 2 issues left.
1. When I startup, there's a cmd.exe running in my task manager taking up 60-80% cpu usage. There's no visible evidence of this command prompt, and shutting it down doesn't appear to cause any issue.
2. Again on startup, I'm told that c:\windows\17pholmes.exe cannot be found. I know this is related to the spyware I had, but where is this load attempt coming from? I've looked through msconfig but can't find it.
My dss logs are attached.
Post the logs instead of attaching them
main.txt
Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-21 09:22:49
Computer is in Normal Mode.
-- System Restore
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
44: 2008-06-21 08:22:58 UTC - RP1265 - Deckard's System Scanner Restore Point
43: 2008-06-21 02:02:32 UTC - RP1264 - Software Distribution Service 3.0
42: 2008-06-20 06:34:18 UTC - RP1263 - Spybot-S&D Spyware removal
41: 2008-06-19 20:14:54 UTC - RP1262 - Installed Ad-Aware
40: 2008-06-16 14:57:08 UTC - RP1261 - System Checkpoint
-- First Restore Point --
1: 2008-03-19 05:02:48 UTC - RP1222 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
-- HijackThis Clone
Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-21 09:29:37
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\vetmsg.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\system\hpsysdrv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\hp\KBD\kbd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.5.0\bin\jucheck.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I0F2.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\cavrid.exe
C:\Program Files\0Spam.com Express\Express.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\PowerISO\SCDEmuApp.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.bin
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\WINDOWS\system32\cidaemon.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_IE&c=Q304&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mgdd.net/bookmarx/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.easydivx.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_IE&c=Q304&bd=pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_IE&c=Q304&bd=pavilion&pf=desktop
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: targetedbanner browser optimizer - {93f08f4b-84f8-b5d1-0d50-43475d0a9bf2} - C:\WINDOWS\system32\{e8207046-f502-0c8d-a695-907c2ca12c90}.dll
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O2 - BHO: O-Card Utility - {B88D6F42-A1AC-11D3-8424-00105A9B8D85} - C:\WINDOWS\system32\oichlpr.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [0Spam.com Express] C:\Program Files\0Spam.com Express\Express.exe /silent
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SCDEmuApp.exe] C:\Program Files\PowerISO\SCDEmuApp.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Microsoft WinUpdate] C:\WINDOWS\system32\msupdte.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [1Click Clocksync] "C:\Program Files\1Click Clocksync\clocksync.exe" /auto /auto /auto
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\RunServices: [0Spam.com Express] C:\Program Files\0Spam.com Express\Express.exe /silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Startup: AutorunsDisabled
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'C:\Program Files\NewDotNet\newdotnet6_38.dll' missing
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\POP3Intercept_lsp.dll
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{5E31CEAC-E29F-4EC7-9B16-FAE44AC1D383}: NameServer = 192.168.11.1,63.218.52.35
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O21 - SSODL: bedmbyjs - {550ed115-e3ca-44da-8395-e94936f3ea5c} - C:\Documents and Settings\All Users\Application Data\bedmbyjs.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Group\Apache2\bin\Apache.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\vetmsg.exe
--
End of file - 11427 bytes
-- File Associations
All associations okay.
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
R0 PrecSim - c:\windows\system32\drivers\precsim.sys <Not Verified; Engelmann GmbH; PrecSim>
R0 prohlp02 (StarForce Protection Helper Driver v2) - c:\windows\system32\drivers\prohlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 prosync1 (StarForce Protection Synchronization Driver v1) - c:\windows\system32\drivers\prosync1.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp01 (StarForce Protection Helper Driver) - c:\windows\system32\drivers\sfhlp01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfsync04 (StarForce Protection Synchronization Driver (version 4.x)) - c:\windows\system32\drivers\sfsync04.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 snapman (Acronis Snapshots Manager) - c:\windows\system32\drivers\snapman.sys <Not Verified; Acronis; Acronis Snapshot API>
R0 timounter (Acronis TrueImage Backup Archive Explorer) - c:\windows\system32\drivers\timntr.sys <Not Verified; Acronis; Acronis True Image>
R1 prodrv06 (StarForce Protection Environment Driver v6) - c:\windows\system32\drivers\prodrv06.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R1 vcdrom (Virtual CD-ROM Device Driver) - c:\windows\system32\drivers\vcdrom.sys <Not Verified; Microsoft Corporation; VirtualCdRom>
R2 tifsfilter (Acronis TrueImage FS Filter) - c:\windows\system32\drivers\tifsfilt.sys <Not Verified; Acronis; TrueImage>
R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
R3 pgfilter - c:\program files\peerguardian2\pgfilter.sys
S3 bDMusicb - c:\docume~1\owner\locals~1\temp\bdmusicb.sys (file missing)
S3 ialm - c:\windows\system32\drivers\ialmnt5.sys <Not Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows NT(R)>
S3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys (file missing)
S3 Usblink (Usblink Driver) - c:\windows\system32\drivers\ulink.sys <Not Verified; ; USB SUPERLINK ADAPTER>
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
R2 AcrSch2Svc (Acronis Scheduler2 Service) - "c:\program files\common files\acronis\schedule2\schedul2.exe" <Not Verified; Acronis; Acronis Scheduler 2>
R2 Apache - "c:\program files\apache group\apache\apache.exe" --ntservice
R2 RetroLauncher (Retrospect Launcher) - c:\progra~1\dantz\retros~1\retrorun.exe <Not Verified; Dantz Development Corporation; Retrospect>
R2 UserAccess7 (SecuROM User Access Service (V7)) - c:\windows\system32\uaservice7.exe
S2 Apache2 - "c:\program files\apache group\apache2\bin\apache.exe" -k runservice <Not Verified; Apache Software Foundation; Apache HTTP Server>
-- Device Manager: Disabled
No disabled devices found.
-- Files created between 2008-05-21 and 2008-06-21
2008-06-21 08:38:18 0 dr C:\Documents and Settings\Administrator\Favorites
2008-06-21 08:38:18 0 d C:\Documents and Settings\Administrator\Desktop
2008-06-21 08:38:18 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-06-21 08:38:18 0 dr-h C:\Documents and Settings\Administrator\Application Data
2008-06-21 08:38:18 0 d C:\Documents and Settings\Administrator\Application Data\Symantec
2008-06-21 08:38:18 0 d C:\Documents and Settings\Administrator\Application Data\Sun
2008-06-21 08:38:18 0 d C:\Documents and Settings\Administrator\Application Data\SampleView
2008-06-21 08:38:18 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-21 08:38:18 0 d C:\Documents and Settings\Administrator\Application Data\Intervideo
2008-06-21 08:38:18 0 d C:\Documents and Settings\Administrator\Application Data\Identities
2008-06-21 08:38:17 0 d C:\Documents and Settings\Administrator\WINDOWS
2008-06-21 08:38:17 0 d--h C:\Documents and Settings\Administrator\Templates
2008-06-21 08:38:17 0 dr C:\Documents and Settings\Administrator\Start Menu
2008-06-21 08:38:17 0 dr-h C:\Documents and Settings\Administrator\SendTo
2008-06-21 08:38:17 0 dr-h C:\Documents and Settings\Administrator\Recent
2008-06-21 08:38:17 0 d--h C:\Documents and Settings\Administrator\PrintHood
2008-06-21 08:38:17 0 d--h C:\Documents and Settings\Administrator\NetHood
2008-06-21 08:38:17 0 dr C:\Documents and Settings\Administrator\My Documents
2008-06-21 08:38:17 0 d--h C:\Documents and Settings\Administrator\Local Settings
2008-06-21 08:38:16 2097152 --ah C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-20 07:47:12 691545 --a C:\WINDOWS\unins000.exe
2008-06-20 07:47:12 2542 --a C:\WINDOWS\unins000.dat
2008-06-19 21:54:36 14336 --ah C:\Documents and Settings\Owner\runSetup.exe
2008-06-19 21:14:59 0 d C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-19 21:02:56 10752 --a C:\WINDOWS\time.exe
2008-06-19 21:02:56 32256 --a C:\WINDOWS\svcinit.exe
2008-06-19 21:02:55 31232 --a C:\WINDOWS\svchost32.exe
2008-06-19 21:02:55 20480 --a C:\WINDOWS\sistem.exe
2008-06-19 21:02:55 16384 --a C:\WINDOWS\searchword.dll
2008-06-19 21:02:54 24320 --a C:\WINDOWS\rundll16.exe
2008-06-19 21:02:54 13824 --a C:\WINDOWS\quicken.exe
2008-06-19 21:02:54 21248 --a C:\WINDOWS\qttasks.exe
2008-06-19 21:02:54 22528 --a C:\WINDOWS\mswsc20.dll
2008-06-19 21:02:54 29952 --a C:\WINDOWS\mswsc10.dll
2008-06-19 21:02:53 23296 --a C:\WINDOWS\msspi.dll
2008-06-19 21:02:53 22784 --a C:\WINDOWS\msconfd.dll
2008-06-19 21:02:52 22528 --a C:\WINDOWS\internet.exe
2008-06-19 21:02:52 18944 --a C:\WINDOWS\inetinf.exe
2008-06-19 21:02:52 32256 --a C:\WINDOWS\helpcvs.exe
2008-06-19 21:02:51 29952 --a C:\WINDOWS\gfmnaaa.dll
2008-06-19 21:02:51 9728 --a C:\WINDOWS\funny.exe
2008-06-19 21:02:51 14336 --a C:\WINDOWS\funniest.exe
2008-06-19 21:02:51 14592 --a C:\WINDOWS\explorer32.exe
2008-06-19 21:02:51 13568 --a C:\WINDOWS\explore.exe
2008-06-19 21:02:51 19456 --a C:\WINDOWS\editpad.exe
2008-06-19 21:02:51 18688 --a C:\WINDOWS\dnsrelay.dll
2008-06-19 21:02:51 20480 --a C:\WINDOWS\directx32.exe
2008-06-19 21:02:50 17664 --a C:\WINDOWS\ctrlpan.dll
2008-06-19 21:02:50 13568 --a C:\WINDOWS\ctfmon32.exe
2008-06-19 20:49:44 0 d C:\Documents and Settings\Owner\Application Data\uTorrent
2008-06-19 20:49:30 0 d C:\WINDOWS\system32\wH1
2008-06-19 20:49:30 0 d C:\WINDOWS\system32\mI5
2008-06-19 20:49:23 0 d C:\WINDOWS\system32\netrax06
2008-06-19 20:49:02 122880 --a C:\Documents and Settings\All Users\Application Data\bedmbyjs.dll
2008-06-19 20:47:47 0 d C:\Program Files\uTorrent
2008-06-19 20:47:31 4 --a C:\WINDOWS\system32\hljwugsf.bin
2008-06-19 20:46:40 8784 --ah C:\Documents and Settings\Owner\runUpdater.exe
2008-06-17 08:14:37 0 d C:\Program Files\Airport Mania
2008-06-17 08:14:25 0 d C:\Program Files\ReflexiveArcade
2008-06-17 08:14:21 21818 --a C:\WINDOWS\system32\msupdte.exe
2008-06-10 21:36:45 191 --a C:\WINDOWS\setuplog
2008-05-26 17:02:42 364544 --a C:\WINDOWS\system32\{e8207046-f502-0c8d-a695-907c2ca12c90}.dll
-- Find3M Report
2008-06-21 09:17:30 0 d C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-06-21 09:16:57 0 d C:\Program Files\Microsoft AntiSpyware
2008-06-19 21:52:02 0 d C:\Documents and Settings\Owner\Application Data\Free Download Manager
2008-06-19 21:15:01 0 d C:\Program Files\Lavasoft
2008-06-19 21:13:17 0 d C:\Program Files\Common Files\Wise Installation Wizard
2008-06-19 19:52:00 0 d C:\Documents and Settings\Owner\Application Data\Skype
2008-06-19 18:18:06 18500 --a C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-06-10 21:36:46 0 d--h C:\Program Files\InstallShield Installation Information
2008-06-10 21:35:19 0 d C:\Documents and Settings\Owner\Application Data\Creative
2008-06-10 21:35:06 0 d C:\Program Files\Creative
2008-06-10 07:29:56 0 d C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-06-08 17:27:54 0 d C:\Program Files\National Lampoon's University Tycoon
2008-05-13 21:24:02 0 d C:\Program Files\Bullfrog
2008-05-10 15:28:19 41632 --a C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-05-10 09:06:02 0 d C:\Program Files\BoontyGames
2008-05-09 19:31:51 0 d C:\Program Files\PeerGuardian2
2008-05-08 19:26:53 0 d C:\Program Files\Common Files
2008-05-06 21:31:59 10 --a C:\WINDOWS\popcinfo.dat
2008-05-05 23:19:11 0 d C:\Program Files\DOSBox-0.72
2008-05-05 00:01:20 0 d C:\Program Files\Zuma Deluxe
2008-04-22 20:35:14 0 d C:\Program Files\Palm
-- Registry Dump
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{93f08f4b-84f8-b5d1-0d50-43475d0a9bf2}]
26/05/2008 17:02 364544 --a C:\WINDOWS\system32\{e8207046-f502-0c8d-a695-907c2ca12c90}.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0\bin\jusched.exe" [21/12/2004 22:10]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [07/05/1998 17:04]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [22/12/2003 16:38]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [21/08/2003 04:23]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [21/08/2003 04:15]
"KBD"="C:\HP\KBD\KBD.EXE" [11/02/2003 21:02]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [14/04/2004 21:43]
"AGRSMMSG"="AGRSMMSG.exe" [29/06/2004 10:06 C:\WINDOWS\AGRSMMSG.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [29/06/2007 00:43]
"nwiz"="nwiz.exe" [29/06/2007 00:43 C:\WINDOWS\system32\nwiz.exe]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.exe" [11/09/2003 04:00]
"AlcxMonitor"="ALCXMNTR.EXE" [07/09/2004 14:47 C:\WINDOWS\ALCXMNTR.EXE]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [15/11/2005 13:12]
"MXO Auto Loader"="C:\WINDOWS\MXOALDR.EXE" [07/04/2003 19:09]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50]
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [08/09/2007 02:32]
"0Spam.com Express"="C:\Program Files\0Spam.com Express\Express.exe" [22/02/2005 22:33]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe" [28/11/2005 15:02]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [28/11/2005 15:02]
"VTTimer"="VTTimer.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/01/2005 00:46]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [10/12/2005 15:57]
"SCDEmuApp.exe"="C:\Program Files\PowerISO\SCDEmuApp.exe" [16/10/2005 02:15]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [08/09/2007 02:32]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [07/09/2006 18:19]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"PS2"="C:\WINDOWS\system32\ps2.exe" [16/10/2002 17:57]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [29/06/2007 00:43]
"Microsoft WinUpdate"="C:\WINDOWS\system32\msupdte.exe" [17/06/2008 08:14]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupNotify"="c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" [09/01/2004 02:34]
"Active Desktop Calendar"="C:\Program Files\Active Desktop Calendar\ADC.exe" []
"1Click Clocksync"="C:\Program Files\1Click Clocksync\clocksync.exe" [07/04/2005 20:08]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [18/09/2005 18:40]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [30/03/2006 16:45]
"Creative WebCam Tray"="C:\Program Files\Creative\Shared Files\CamTray.exe" [27/10/2005 19:00]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices]
"0Spam.com Express"=C:\Program Files\0Spam.com Express\Express.exe /silent
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [23/09/2005 14:36:42]
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [30/05/2005 00:07:04]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 22:05:26]
DataViz Inc Messenger.lnk - C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [04/01/2008 17:03:16]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [09/06/2004 15:27:34]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [16/09/2003 13:19:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 02:01:04]
Monitor Apache Servers.lnk - C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe [23/09/2004 17:18:46]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bedmbyjs"= {550ed115-e3ca-44da-8395-e94936f3ea5c} - C:\Documents and Settings\All Users\Application Data\bedmbyjs.dll [19/06/2008 20:49 122880]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ORB.lnk]
backup=C:\WINDOWS\pss\ORB.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ORB.lnk
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton]
C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBS4\plugin\bin\PCHButton.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVEDESK]
"C:\Program Files\AveDesk\AveDesk.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Installer]
C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\21315.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PD0620 STISvc]
RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SIDEBAR]
"C:\Program Files\Desktop Sidebar\dsidebar.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{39e4a80d-231b-4df8-b08e-743efdeb453f}]
C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{e8207046-f502-0c8d-a695-907c2ca12c90}.dll" DllStart
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{016926EC-A7C2-EB46-0200-040003000402}]
C:\WINDOWS\System32\RunDLL32.exe
-- Hosts
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
8744 more entries in hosts file.
-- End of Deckard's System Scanner: finished at 2008-06-21 09:31:21
extra.txt
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
-- System Information
Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English
CPU 0: AMD Athlon(tm) 64 Processor 3200+
Percentage of Memory in Use: 44%
Physical Memory (total/avail): 1023.29 MiB / 572.71 MiB
Pagefile Memory (total/avail): 2458.14 MiB / 2058.41 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1925.82 MiB
C: is Fixed (NTFS) - 181.33 GiB total, 51.16 GiB free.
is Fixed (FAT32) - 4.96 GiB total, 1.19 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is CDROM (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)
K: is CDROM (UDF)
L: is CDROM (No Media)
M: is CDROM (No Media)
N: is Fixed (NTFS) - 149.05 GiB total, 65.59 GiB free.
O: is Removable (No Media)
P: is CDROM (No Media)
\\.\PHYSICALDRIVE0 - ST3200822A - 186.31 GiB - 2 partitions
\PARTITION0 - Unknown - 4.97 GiB -
\PARTITION1 (bootable) - Installable File System - 181.33 GiB - C:
\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device
\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device
\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device
\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device
\\.\PHYSICALDRIVE5 - Maxtor OneTouch USB Device - 149.05 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 149.05 GiB - N:
-- Security Center
AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.
AV: CA Anti-Virus v8.1.0.188 (CA, Inc.)
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
-- Environment Variables
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MYGAMES
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\MYGAMES
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows\services
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 10, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=040a
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=MYGAMES
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS
-- User Profiles
Owner (admin)
Administrator (new local, admin)
-- Add/Remove Programs
-->
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> c:\WINDOWS\System32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{39DA87A1-0B26-4562-A70C-2A6147366E47}\Setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F765BD0-B900-4EDE-A90B-61C8A9E95C42}\Setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD59025-5B73-4E12-B789-0028C5A573C2}\Setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ADC07715-D995-45EE-8810-0F1A733D580D}\SETUP.EXE" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E5ABA5FD-EE3D-4F15-895D-B32321E6C96B}\setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
0Spam.com Express --> C:\PROGRA~1\0SPAM~1.COM\UNWISE.EXE C:\PROGRA~1\0SPAM~1.COM\INSTALL.LOG
1Click Clocksync 2.0 --> "C:\Program Files\1Click Clocksync\unins000.exe"
2JPEG --> "C:\Program Files\2JPEG\unins000.exe"
Abexo Free Registry Cleaner --> C:\Program Files\Abexo\afrc\uninst.exe
Acronis True Image --> MsiExec.exe /X{CA83357B-931E-44DC-AD43-9996FEEB8116}
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Reader for Palm OS, 3.05 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Adobe\Adobe Reader for Palm OS\AcroDesk.isu" -c"C:\Program Files\Adobe\Adobe Reader for Palm OS\unpdf.dll"
Agere Systems PCI Soft Modem --> agrsmdel
AiO_Scan -->
AIOMinimal -->
AiOSoftware -->
Allok Video Splitter 1.6.4 --> "C:\Program Files\Allok Video Splitter\unins000.exe"
AltoMP3 Gold 5.06 --> "C:\Program Files\AltoMP3 Gold\unins000.exe"
Apache HTTP Server 1.3.33 --> MsiExec.exe /I{5D29A4EF-A57F-4F47-89F8-4EB3C5302A53}
Apache HTTP Server 2.0.52 --> MsiExec.exe /I{3A862C7D-0504-48BC-AEF8-7F7479C7C158}
Batch Image Resizer 2.79 --> "C:\Program Files\Batch Image Resizer\unins000.exe"
BitComet 0.70 --> C:\Program Files\BitComet\uninst.exe
Bus Driver 1.0 --> C:\Program Files\Bus Driver\uninst.exe
CA Anti-Virus --> "C:\Program Files\CA\CA Internet Security Suite\caunst.exe" /u /product=av
CameraDrivers -->
CDCheck --> "C:\Program Files\CDCheck\uninst.exe"
CDisplay 1.8 --> "C:\Program Files\CDisplay\unins000.exe"
CDRWIN 5 --> MsiExec.exe /I{9B2B0EAD-2CC7-4589-B3AA-D23BAB724065}
ClearType Tuning Control Panel Applet --> MsiExec.exe /I{C9E4932C-8417-4E4C-A0E3-EE534810AB4D}
Copy -->
Core FTP Lite 1.3b --> C:\PROGRA~1\CoreFTP\UNWISE.EXE C:\PROGRA~1\CoreFTP\INSTALL.LOG
coverXP (remove only) --> "C:\Program Files\coverXP\cxp-uninst.exe"
Creative WebCam Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E5ABA5FD-EE3D-4F15-895D-B32321E6C96B}\setup.exe" -l0x9 /remove
Creative WebCam Instant Driver (1.03.02.0425) --> C:\WINDOWS\CtDrvIns.exe -uninstall -script PD0620.uns -unsext NT -plugin P0620Pin.dll -pluginres CtCamPin.crl
CreativeProjects -->
CutePDF Writer 2.3 --> C:\WINDOWS\System32\uninscpw.exe C:\Program Files\
Darwinia --> C:\WINDOWS\IsUninst.exe -fC:\Games\Darwinia\Uninst.isu
DeepBurner v1.1.2.137 --> "C:\Program Files\DeepBurner\Uninstall.exe" "C:\Program Files\DeepBurner\install.log"
Director -->
DiscJuggler --> MsiExec.exe /I{C3C538E5-524C-4253-AA74-0EEEF34990EA}
DivX 5.0.2 Bundle --> C:\WINDOWS\unvise32.exe C:\Program Files\DivX\uninstal.log
DivxToDVD 0.5.1 --> "C:\Program Files\DivxToDVD\unins000.exe"
DocProc -->
Documents To Go --> MsiExec.exe /X{EB807EB6-5179-48B7-98D4-7B4934A57A81}
DriveImage XML --> "C:\Program Files\Runtime Software\DriveImage XML\Uninstall.exe" "C:\Program Files\Runtime Software\DriveImage XML\install.log" -u
Dup Detector --> C:\WINDOWS\DelPiv.exe C:\Program Files\DupDetector
DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
dvdSanta 3.45 --> "C:\Program Files\dvdSanta\unins000.exe"
Enhancement Browser Tools Targetedbanner --> C:\WINDOWS\system32\{e8207046-f502-0c8d-a695-907c2ca12c90}.dll-uninst.exe
EPSON CardMonitor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{109D28C7-FB38-483A-9C91-001CB59E2699}\SETUP.EXE" -l0x9 uninst
EPSON PhotoQuicker3.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{65F5B7AF-3363-11D7-BB6B-00018021113F}\SETUP.EXE" -l0x9 uninst
EPSON PhotoStarter3.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C48817E7-AA05-4151-A99D-1E1E550CE801}\SETUP.EXE" -l0x9 uninst
EPSON Print CD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF477885-5EA8-40D0-ADF3-D4C1B86FAEA4}\SETUP.EXE" -l0x9 -SYSTEM
EPSON PRINT Image Framer Tool2.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{23B59ED4-C360-11D7-875B-0090CC005647}\SETUP.EXE" -l0x9 anything
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /r
ESPR300 Reference Guide --> C:\Program Files\EPSON\ESPR300\REF_G\DOCUNINS.EXE
ESPR300 Software Guide --> C:\Program Files\EPSON\ESPR300\PQU_G\DOCUNINS.EXE
ESPR300 Standalone Guide --> C:\Program Files\EPSON\ESPR300\STA_G\DOCUNINS.EXE
Fax -->
Free CD-DA Extractor 4.8 --> C:\WINDOWS\iun6002.exe "C:\Program Files\Free CD-DA Extractor 4.8\irunin.ini"
Free Download Manager 2.1 --> "C:\Program Files\Free Download Manager\unins000.exe"
FreeUndelete --> C:\Program Files\FreeUndelete\GLF1D7.exe /handle:fru
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Deskjet Preloaded Printer Drivers --> MsiExec.exe /X{F419D20A-7719-4639-8E30-C073A040D878}
HP Image Zone 3.5 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Image Zone Plus 3.5 --> C:\Program Files\HP\Digital Imaging\{C6C44651-7C66-4b11-92E8-17565D3D22DD}\setup\hpzscr01.exe -datfile hpdscr01.dat
HP Pavilion PC Help --> C:\PROGRA~1\HPPAVI~1\UNWISE.EXE C:\PROGRA~1\HPPAVI~1\INSTALL.LOG
HP Photo & Imaging 3.5 - HP Devices --> C:\Program Files\HP\Digital Imaging\{15B9DC72-73F9-4d99-9E28-848D66DA8D99}\setup\hpzscr01.exe -datfile hpiscr01.dat
HP PSC & OfficeJet 3.5 --> "C:\Program Files\HP\Digital Imaging\{0FABD3D7-3036-4e78-B29D-58957ADB0A12}\setup\hpzscr01.exe" -datfile hposcr03.dat
HP Software Update --> MsiExec.exe /X{34957B51-9676-41CE-9E52-44AE91B73F1C}
hpg2436 -->
hpg3970 -->
hpg4600 -->
hpg5530 -->
hpg8200 -->
HPIZ350 --> MsiExec.exe /X{F247869D-3643-4A9F-821B-3534145928E3}
HPIZFix3 -->
hpmdtab -->
HpSdpAppCoreApp -->
HPSystemDiagnostics -->
InstantShare -->
Internet Explorer Q903235 --> C:\WINDOWS\ieuninst.exe C:\WINDOWS\INF\Q903235.inf
InterVideo WinDVD Creator 2 --> "C:\Program Files\InstallShield Installation Information\{2FCE4FC5-6930-40E7-A4F1-F862207424EF}\setup.exe" REMOVEALL
InterVideo WinDVD Player --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
ISO Recorder --> MsiExec.exe /I{0F6A7971-0F11-4A79-A0E9-133D0963A570}
iTunes -->
iTunes --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BE20E2F5-1903-4AAE-B1AF-2046E586C925}
J2SE Runtime Environment 5.0 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150000}
J2SE Runtime Environment 5.0 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
J2SE Runtime Environment 5.0 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Java(TM) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
jetAudio VX for X5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DF8195AF-8E6F-4487-A0EE-196F7E3F4B8A}\setup.exe" -l0x9 -removeonly
JetShell for iAUDIO X5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{55713865-2265-49E8-93C2-B994DE70FBBB}\setup.exe" -l0x9
KBD --> C:\HP\KBD\KBD.EXE uninstalled
Konfabulator --> MsiExec.exe /X{4EE339E6-60B2-4031-86BA-2ABDD454C76B}
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Magic ISO Maker v5.4 (build 0251) --> C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
MdbToMySQL XP --> MsiExec.exe /I{C9E855CA-0870-4EE5-861D-17A7156E7442}
Memories Disc Creator 2.0 --> MsiExec.exe /X{2E132061-C78A-48D4-A899-1D13B9D189FA}
Microsoft AntiSpyware --> MsiExec.exe /I{536F7C74-844B-4683-B0C5-EA39E19A6FE3}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office PowerPoint Viewer 2003 --> MsiExec.exe /X{90AF0409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Word 2002 --> MsiExec.exe /I{911B0409-6000-11D3-8CFE-0050048383C9}
Microsoft Works --> MsiExec.exe /I{B9966F27-9678-4620-9579-925E3084647E}
Microsoft Works 2004 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2004\Setup\Launcher.exe /ARP F:\
Microsoft Works Suite Add-in for Microsoft Word --> MsiExec.exe /I{33BEE6F3-9987-4F98-A069-97A64EC8321A}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (0.8) --> C:\WINDOWS\UninstallThunderbird.exe /ua "0.8 (en)"
MP3 Audio Converter --> "C:\Program Files\MP3 Audio Converter\unins000.exe"
MP3 Splitter --> "C:\Program Files\mp3split\unins000.exe"
MP3 Workshop 1.2 --> "C:\Program Files\MP3 Workshop\unins000.exe"
MySQL Connector/ODBC 3.51 --> MsiExec.exe /I{0CB3C535-1171-4A20-B549-E2CB5DEB9723}
Nero 6 Enterprise Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
O-Card --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\OCARDG.INF, DefaultUninstall.ntx86
ObjectDock --> C:\PROGRA~1\Stardock\OBJECT~2\UNWISE.EXE C:\PROGRA~1\Stardock\OBJECT~2\INSTALL.LOG
OpenOffice.org 2.0 --> MsiExec.exe /I{76BB7B2D-748F-4AE9-89C3-78C051833EA1}
OpenTTD 0.4.8.0 --> C:\Games\OpenTTD\uninstall.exe
Overland -->
Paint Shop Pro 7 Anniversary Edition --> MsiExec.exe /I{D6DE02C7-1F47-11D4-9515-00105AE4B89A}
Palm --> MsiExec.exe /X{ADAED43C-BBD9-42C5-8B21-F4FBFA81E3C3}
PC-Doctor for Windows --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F7CCFA3-D926-4882-B2A5-A0217ED25597}\Setup.exe"
PeerGuardian 2.0 --> "C:\Program Files\PeerGuardian2\unins000.exe"
PhotoGallery -->
Photosmart 140,240,7200,7600,7700,7900 Series --> C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\setup\hpzscr01.exe -datfile hphscr01.dat
PHP 4.1.1 --> C:\WINDOWS\system32\UNWISE.EXE C:\WINDOWS\system32\INSTALL.LOG
PIF DESIGNER2.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{23B59B9F-C360-11D7-875B-0090CC005647}\SETUP.EXE" -l0x9 anything
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
PrintScreen -->
PS2 --> C:\WINDOWS\system32\ps2.exe uninstall
PSShortcutsP -->
Python 2.2 combined Win32 extensions --> C:\Python22\Lib\SITE-P~1\UNWISE~1.EXE C:\Python22\Lib\SITE-P~1\w32inst.log
Python 2.2.1 --> C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
QFolder -->
QuickProjects -->
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
Readme -->
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Rename-It! --> C:\Program Files\Rename-It!\Uninst.exe
Retrospect 6.0 --> MsiExec.exe /I{C4354214-B919-4C8F-84EB-4F9B84ACC02C}
Scan -->
ScanToWeb --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EBAE381B-60A6-4863-AA9F-FCAB755BC9E5}\SETUP.EXE" ADDREMOVEDLG
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SkinsHP1 -->
SkinsHP2 -->
Skype 2.5 --> "C:\Program Files\Skype\Phone\unins000.exe"
SkypeMate --> "C:\Program Files\SkypeMate\uninstall.exe"
Spam Arrest --> C:\Program Files\Spam Arrest\uninst.exe
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
Steam(TM) --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
SyncBack --> "C:\Program Files\SyncBack\unins000.exe"
System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe
Tag&Rename 3.2 --> "C:\Program Files\TagRename\unins000.exe"
TextPad 4.7 --> MsiExec.exe /X{B510A987-487E-4C66-9F4F-D386AC275715}
Theme Hospital --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Bullfrog\Hospital\DeIsL1.isu"
TMPGEnc DVD Author 1.5 --> MsiExec.exe /I{49062DAB-7009-4EBD-903A-830B283407C4}
Totally MAD --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Totally MAD\DeIsL1.isu"
TrayApp -->
TreeSize Professional 3.3 --> "C:\Program Files\TreeSize Professional\unins000.exe"
Trillian --> C:\Program Files\Trillian\trillian.exe /uninstall
Tweak UI --> "C:\WINDOWS\System32\mshta.exe" "res://C:\WINDOWS\System32\TweakUI.exe/uninstall.hta"
Unload -->
Unlocker 1.8.5 --> C:\Program Files\Unlocker\uninst.exe
Uplink --> C:\WINDOWS\IsUninst.exe -fC:\Games\Uplink\Uninst.isu
USB 2.0 Setup program --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\VIA Technologies, INC.\USB 2.0 Setup program\Uninst.isu"
USB Storage Adapter FX (MXO) --> MXOun.exe MXOFX
Video mp3 Extractor --> "C:\Program Files\Video mp3 Extractor\unins000.exe"
VideoLAN VLC media player 0.8.6c --> C:\Program Files\VideoLAN\VLC\uninstall.exe
WebCam Instant Product Registration --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ADC07715-D995-45EE-8810-0F1A733D580D}\SETUP.EXE" -l0x9 /remove
WebFldrs XP -->
WebReg -->
WinAVI VideoConverter --> "C:\Program Files\WinAVI VideoConverter\unins000.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinHTTrack Website Copier 3.30 --> "C:\Program Files\WinHTTrack\unins000.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
YP-T4 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3ABD162C-44D1-42E2-ACAD-C6065F3D1295}\Setup.exe" -l0x9
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe
Zuma Deluxe RA --> C:\PROGRA~1\ZUMADE~1\UNWISE.EXE C:\PROGRA~1\ZUMADE~1\INSTALL.LOG
ZX Spectrum Emulator 2.00.04.04 (beta) --> C:\Games\ZXSPEC~1\UNZX32.EXE C:\Games\ZXSPEC~1\INSTALL.LOG
-- Application Event Log
Event Record #/Type8574 / Error
Event Submitted/Written: 06/21/2008 09:16:08 AM
Event ID/Source: 3299 / Apache Service
Event Description:
The Apache service named reported the following error:
>>> Unable to open logs .
Event Record #/Type8573 / Error
Event Submitted/Written: 06/21/2008 09:16:08 AM
Event ID/Source: 3299 / Apache Service
Event Description:
The Apache service named reported the following error:
>>> no listening sockets available, shutting down .
Event Record #/Type8572 / Error
Event Submitted/Written: 06/21/2008 09:16:08 AM
Event ID/Source: 3299 / Apache Service
Event Description:
The Apache service named reported the following error:
>>> (OS 10048)Only one usage of each socket address (protocol/network address/port) is normally permitted. : make_sock: could not bind to address 0.0.0.0:80 .
Event Record #/Type8568 / Error
Event Submitted/Written: 06/21/2008 03:15:37 AM
Event ID/Source: 3299 / Apache Service
Event Description:
The Apache service named reported the following error:
>>> Unable to open logs .
Event Record #/Type8567 / Error
Event Submitted/Written: 06/21/2008 03:15:37 AM
Event ID/Source: 3299 / Apache Service
Event Description:
The Apache service named reported the following error:
>>> no listening sockets available, shutting down .
-- Security Event Log
No Errors/Warnings found.
-- System Event Log
Event Record #/Type48881 / Warning
Event Submitted/Written: 06/21/2008 09:29:04 AM
Event ID/Source: 51 / Disk
Event Description:
An error was detected on device \Device\Harddisk5\D during a paging operation.
Event Record #/Type48880 / Warning
Event Submitted/Written: 06/21/2008 09:23:06 AM
Event ID/Source: 51 / Disk
Event Description:
An error was detected on device \Device\Harddisk5\D during a paging operation.
Event Record #/Type48877 / Error
Event Submitted/Written: 06/21/2008 09:21:17 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Computer Browser service terminated with the following error:
%%1460
Event Record #/Type48862 / Error
Event Submitted/Written: 06/21/2008 09:16:15 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error:
%%10047
Event Record #/Type48861 / Error
Event Submitted/Written: 06/21/2008 09:16:15 AM
Event ID/Source: 7024 / Service Control Manager
Event Description:
The Apache2 service terminated with service-specific error 1 (0x1).
-- End of Deckard's System Scanner: finished at 2008-06-21 09:31:21
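The "-- Security Center" block of the log above exports the XP SP2 firewall exception list, where each value follows the format `<path>:<scope>:<Enabled|Disabled>:<display name>` and a scope of `*` means any remote address. As an added example, not part of this thread nor of Deckard's System Scanner, here is a Python parser that pulls those entries out of a DSS log and flags enabled, any-address exceptions whose binary lives outside Windows or Program Files, or inside a temp/profile directory. The sample block is constructed to mirror the log's layout, with an invented Temp-directory entry so the check produces a hit; the `WINDIR` value, the trusted-root list and the transient-directory list are assumptions.

```python
import re
from typing import List

# Constructed sample modelled on the "-- Security Center" block of a DSS log.
# The sessmgr/BitTorrent lines mirror the kind of entries seen in the log
# above; the Temp-directory entry is invented so the check below has a hit.
SAMPLE_LOG = r'''
-- Security Center
Windows Internal Firewall is enabled.
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\update.exe"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\update.exe:*:Enabled:update"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
-- Environment Variables
'''

# Assumption: the environment block of the log reports windir=C:\WINDOWS.
WINDIR = r"C:\WINDOWS"

PROFILE_RE = re.compile(r"FirewallPolicy\\(\w+)\\AuthorizedApplications", re.I)
ENTRY_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<data>.*)"$')
# XP SP2 value data layout: <path>:<scope>:<Enabled|Disabled>:<display name>
DATA_RE = re.compile(
    r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>enabled|disabled):(?P<name>.*)$", re.I)

# Assumed heuristics: where a legitimately firewalled binary normally lives,
# and directory fragments that a dropped binary tends to sit in.
TRUSTED_ROOTS = (WINDIR.lower() + "\\", "c:\\program files\\")
TRANSIENT_DIRS = ("\\temp\\", "\\locals~1\\", "\\local settings\\", "\\recycler\\")


def _unescape(s: str) -> str:
    """Regedit-style exports double every backslash; fold them back."""
    return s.replace("\\\\", "\\")


def parse_firewall_exceptions(log_text: str) -> List[dict]:
    """Return one dict per AuthorizedApplications value, tagged with its profile."""
    entries, profile = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PROFILE_RE.search(line)
        if line.startswith("[") and m:
            profile = m.group(1)          # DomainProfile / StandardProfile
            continue
        m = ENTRY_RE.match(line)
        if not m or profile is None:
            continue
        d = DATA_RE.match(_unescape(m.group("data")))
        if not d:
            continue
        entries.append({
            "profile": profile,
            "path": d.group("path").replace("%windir%", WINDIR),
            "scope": d.group("scope"),    # "*" = any remote address
            "enabled": d.group("state").lower() == "enabled",
            "name": d.group("name"),
        })
    return entries


def suspicious_exceptions(log_text: str) -> List[dict]:
    """Enabled, any-address exceptions whose binary is outside the trusted
    roots or inside a temp/profile directory."""
    out = []
    for e in parse_firewall_exceptions(log_text):
        p = e["path"].lower()
        if not e["enabled"] or e["scope"] != "*":
            continue
        if any(t in p for t in TRANSIENT_DIRS) or not p.startswith(TRUSTED_ROOTS):
            out.append(e)
    return out


if __name__ == "__main__":
    for e in suspicious_exceptions(SAMPLE_LOG):
        print(f"[{e['profile']}] {e['name']}: {e['path']} (scope={e['scope']})")
```

Run it against the pasted log text instead of `SAMPLE_LOG` to get the same report for a real machine; anything it lists is a binary that the firewall will let accept inbound connections from anywhere, which is worth confirming against the Add/Remove list before deciding it belongs.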
Bit of work to do
Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.
Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum).
- Finally paste the contents of the Report.txt back on the forum.
First, download LSPFix.exe to a convenient location. Do NOT run this program. This is only to be used if you lose Internet Access after removing NewDotNet.
To Get rid of NewDotNet, go to:
Start > Control Panel > Add or Remove Programs and remove the following:
New.Net Applications or New.Net Domains (anything that says New.Net)
If it is not there, go here and follow NewDotNet Removal Procedure 4.
In the event that you lose Internet access after removing New.Net, please double-click LSPFix.exe that you downloaded earlier. Check the "I know what I'm doing" button. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-side, leave it as is and just click "Finish>>" then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove Panel", do NOT do anything - just close the program. You will need to use another computer to come back here for further instructions on what to do.
Then reboot and post a new DSS log
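The DSS logs posted in this thread emulate HijackThis output, so the O2 (browser helper objects) and O4 (Run-key autostarts) lines can be triaged mechanically before anyone eyeballs them. As an added example, not part of the thread nor of HijackThis, DSS or SDFix, here is a Python triage script for those two line types. The sample lines are adapted from the logs in this thread, except the `loader` Run entry, which is constructed to show a hit. The heuristics it applies (a registration whose file is missing, a GUID-style module name, a binary dropped directly into the Windows root or into a temp/profile directory) are assumptions about what deserves a second look, not verdicts; a hit still needs confirming against the machine.

```python
import re
from typing import Dict, List

# Constructed sample in HijackThis format: adapted from the DSS logs in this
# thread, with the "loader" Run entry invented so the Windows-root check fires.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: targetedbanner browser optimizer - {93f08f4b-84f8-b5d1-0d50-43475d0a9bf2} - C:\WINDOWS\system32\{e8207046-f502-0c8d-a695-907c2ca12c90}.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [loader] C:\WINDOWS\rundll16.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First token of a command line ending in an executable extension, quoted or not
# (unquoted paths with spaces, like the HP entries in the log, are common on XP).
EXE_RE = re.compile(
    r'^"?(?P<exe>[^"]+?\.(?:exe|dll|scr|com|pif|bat|cmd|vbs|vbe|js|jse|wsf|wsh))\b', re.I)
GUID_NAME_RE = re.compile(r"^\{[0-9a-f-]{36}\}\.(?:dll|exe)$", re.I)

# Assumed heuristics (see lead-in): directories a dropped binary tends to use.
TRANSIENT_DIRS = ("\\temp\\", "\\locals~1\\", "\\local settings\\", "\\recycler\\")


def path_reasons(path: str) -> List[str]:
    """Heuristic reasons a module path deserves a closer look (empty = nothing odd)."""
    p = path.lower()
    if p == "(no file)":
        return ["registration points at a missing file (orphaned entry)"]
    reasons = []
    name = p.rsplit("\\", 1)[-1]
    parent = p.rsplit("\\", 1)[0] if "\\" in p else ""
    if GUID_NAME_RE.match(name):
        reasons.append("GUID-style module name")
    if parent == "c:\\windows":
        reasons.append("binary placed directly in the Windows root")
    if any(t in p for t in TRANSIENT_DIRS):
        reasons.append("binary in a temp/profile directory")
    return reasons


def triage_hjt(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per (entry, reason) for O2 and O4 lines in log_text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            for r in path_reasons(m.group("path")):
                findings.append({"item": "O2", "name": m.group("name"),
                                 "clsid": m.group("clsid"),
                                 "path": m.group("path"), "reason": r})
            continue
        m = O4_RE.match(line)
        if m:
            e = EXE_RE.match(m.group("cmd"))
            exe = e.group("exe") if e else m.group("cmd")
            for r in path_reasons(exe):
                findings.append({"item": "O4", "name": m.group("name"),
                                 "path": exe, "reason": r})
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"{f['item']} [{f['name']}] {f['path']}: {f['reason']}")
```

Orphaned O2 entries are the easy part: the CLSID is registered but the DLL is gone, so removing the registration is cleanup rather than disinfection. The other hits only say "look here"; the next step is checking the file's date, size and hidden attribute against the SDFix report before deleting anything.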
sdfix report.txt
SDFix: Version 1.195
Run by Administrator on 21/06/2008 at 15:13
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\Temp\1cb\syscheck.log - Deleted
C:\WINDOWS\system32\netrax06\netrax061083.exe - Deleted
C:\WINDOWS\ctfmon32.exe - Deleted
C:\WINDOWS\ctrlpan.dll - Deleted
C:\WINDOWS\directx32.exe - Deleted
C:\WINDOWS\dnsrelay.dll - Deleted
C:\WINDOWS\editpad.exe - Deleted
C:\WINDOWS\explore.exe - Deleted
C:\WINDOWS\explorer32.exe - Deleted
C:\WINDOWS\funniest.exe - Deleted
C:\WINDOWS\funny.exe - Deleted
C:\WINDOWS\gfmnaaa.dll - Deleted
C:\WINDOWS\helpcvs.exe - Deleted
C:\WINDOWS\inetinf.exe - Deleted
C:\WINDOWS\internet.exe - Deleted
C:\WINDOWS\msconfd.dll - Deleted
C:\WINDOWS\msspi.dll - Deleted
C:\WINDOWS\mswsc10.dll - Deleted
C:\WINDOWS\mswsc20.dll - Deleted
C:\WINDOWS\qttasks.exe - Deleted
C:\WINDOWS\quicken.exe - Deleted
C:\WINDOWS\rundll16.exe - Deleted
C:\WINDOWS\rundll32.vbe - Deleted
C:\WINDOWS\searchword.dll - Deleted
C:\WINDOWS\sistem.exe - Deleted
C:\WINDOWS\svchost32.exe - Deleted
C:\WINDOWS\svcinit.exe - Deleted
C:\WINDOWS\system32\hljwugsf.bin - Deleted
C:\WINDOWS\system32\msupdte.exe - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\time.exe - Deleted
Folder C:\Temp\1cb - Removed
Folder C:\WINDOWS\system32\netrax06 - Removed
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-21 15:21:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s0"=dword:96d8261a
"s1"=dword:e315ec7d
"s2"=dword:b487de71
"h0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:2b,67,e9,6b,f4,d7,70,70,71,b7,b8,f5,f8,c3,4c,5e,c8,7b,e9,9e,92,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,47,82,b8,73,4c,77,7a,71,0b,2e,53,81,d9,83,d7,1b,19,..
"khjeh"=hex:b9,51,61,c7,83,88,92,2b,6d,6d,fd,22,96,62,94,fe,ef,48,2c,36,b4,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:36,7c,ce,f5,47,66,6d,83,df,54,78,6b,da,21,f7,18,5c,3b,c6,54,b7,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:32,ff,1d,2b,b4,e2,14,ff,a2,1b,4a,bb,23,ca,9a,f5,8f,cc,e6,58,1b,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:2b,67,e9,6b,f4,d7,70,70,71,b7,b8,f5,f8,c3,4c,5e,c8,7b,e9,9e,92,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,47,82,b8,73,4c,77,7a,71,0b,2e,53,81,d9,83,d7,1b,19,..
"khjeh"=hex:b9,51,61,c7,83,88,92,2b,6d,6d,fd,22,96,62,94,fe,ef,48,2c,36,b4,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:36,7c,ce,f5,47,66,6d,83,df,54,78,6b,da,21,f7,18,5c,3b,c6,54,b7,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:32,ff,1d,2b,b4,e2,14,ff,a2,1b,4a,bb,23,ca,9a,f5,8f,cc,e6,58,1b,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:2b,67,e9,6b,f4,d7,70,70,71,b7,b8,f5,f8,c3,4c,5e,c8,7b,e9,9e,92,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,47,82,b8,73,4c,77,7a,71,0b,2e,53,81,d9,83,d7,1b,19,..
"khjeh"=hex:19,13,5f,1a,0a,23,c8,59,02,be,1e,70,1f,c8,42,38,67,b4,13,74,69,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:8c,8a,1a,78,7a,ba,9b,01,35,03,8b,ea,50,a4,60,8b,b7,9a,ad,82,6f,..
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files :
File Backups: - C:\sdfix\SDFix\backups\backups.zip
Files with Hidden Attributes :
Sat 9 Oct 2004 196 A.SHR --- "C:\BOOT.BAK"
Thu 19 Jun 2008 14,336 A..H. --- "C:\Documents and Settings\Owner\runSetup.exe"
Thu 19 Jun 2008 8,784 A..H. --- "C:\Documents and Settings\Owner\runUpdater.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Fri 11 Feb 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 23 Feb 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 9 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT3.tmp"
Finished!
===========================================
dss main.txt
Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-21 15:35:07
Computer is in Normal Mode.
-- HijackThis Clone
Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-21 15:35:37
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\vetmsg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\system\hpsysdrv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0\bin\jucheck.exe
C:\WINDOWS\system32\hphmon05.exe
C:\hp\KBD\kbd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I0F2.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\cavrid.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\0Spam.com Express\Express.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\PowerISO\SCDEmuApp.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.bin
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_IE&c=Q304&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mgdd.net/bookmarx/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.easydivx.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_IE&c=Q304&bd=pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_IE&c=Q304&bd=pavilion&pf=desktop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: targetedbanner browser optimizer - {93f08f4b-84f8-b5d1-0d50-43475d0a9bf2} - C:\WINDOWS\system32\{e8207046-f502-0c8d-a695-907c2ca12c90}.dll
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O2 - BHO: O-Card Utility - {B88D6F42-A1AC-11D3-8424-00105A9B8D85} - C:\WINDOWS\system32\oichlpr.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [0Spam.com Express] C:\Program Files\0Spam.com Express\Express.exe /silent
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SCDEmuApp.exe] C:\Program Files\PowerISO\SCDEmuApp.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [1Click Clocksync] "C:\Program Files\1Click Clocksync\clocksync.exe" /auto /auto /auto
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\RunServices: [0Spam.com Express] C:\Program Files\0Spam.com Express\Express.exe /silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Startup: AutorunsDisabled
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'C:\Program Files\NewDotNet\newdotnet6_38.dll' missing
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\POP3Intercept_lsp.dll
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{5E31CEAC-E29F-4EC7-9B16-FAE44AC1D383}: NameServer = 192.168.11.1,63.218.52.35
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O21 - SSODL: bedmbyjs - {550ed115-e3ca-44da-8395-e94936f3ea5c} - C:\Documents and Settings\All Users\Application Data\bedmbyjs.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Group\Apache2\bin\Apache.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\vetmsg.exe
--
End of file - 11308 bytes
-- Files created between 2008-05-21 and 2008-06-21
2008-06-21 15:08:00 0 d C:\WINDOWS\ERUNT
2008-06-21 08:38:18 0 dr C:\Documents and Settings\Administrator\Favorites
2008-06-21 08:38:18 0 d C:\Documents and Settings\Administrator\Desktop
2008-06-21 08:38:18 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-06-21 08:38:18 0 dr-h C:\Documents and Settings\Administrator\Application Data
2008-06-21 08:38:18 0 d C:\Documents and Settings\Administrator\Application Data\Symantec
2008-06-21 08:38:18 0 d C:\Documents and Settings\Administrator\Application Data\Sun
2008-06-21 08:38:18 0 d C:\Documents and Settings\Administrator\Application Data\SampleView
2008-06-21 08:38:18 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-21 08:38:18 0 d C:\Documents and Settings\Administrator\Application Data\Intervideo
2008-06-21 08:38:18 0 d C:\Documents and Settings\Administrator\Application Data\Identities
2008-06-21 08:38:17 0 d C:\Documents and Settings\Administrator\WINDOWS
2008-06-21 08:38:17 0 d--h C:\Documents and Settings\Administrator\Templates
2008-06-21 08:38:17 0 dr C:\Documents and Settings\Administrator\Start Menu
2008-06-21 08:38:17 0 dr-h C:\Documents and Settings\Administrator\SendTo
2008-06-21 08:38:17 0 dr-h C:\Documents and Settings\Administrator\Recent
2008-06-21 08:38:17 0 d--h C:\Documents and Settings\Administrator\PrintHood
2008-06-21 08:38:17 0 d--h C:\Documents and Settings\Administrator\NetHood
2008-06-21 08:38:17 0 dr C:\Documents and Settings\Administrator\My Documents
2008-06-21 08:38:17 0 d--h C:\Documents and Settings\Administrator\Local Settings
2008-06-21 08:38:16 2097152 --ah C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-20 07:47:12 691545 --a C:\WINDOWS\unins000.exe
2008-06-20 07:47:12 2542 --a C:\WINDOWS\unins000.dat
2008-06-19 21:54:36 14336 --ah C:\Documents and Settings\Owner\runSetup.exe
2008-06-19 21:14:59 0 d C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-19 20:49:44 0 d C:\Documents and Settings\Owner\Application Data\uTorrent
2008-06-19 20:49:30 0 d C:\WINDOWS\system32\wH1
2008-06-19 20:49:30 0 d C:\WINDOWS\system32\mI5
2008-06-19 20:49:02 122880 --a C:\Documents and Settings\All Users\Application Data\bedmbyjs.dll
2008-06-19 20:47:47 0 d C:\Program Files\uTorrent
2008-06-19 20:46:40 8784 --ah C:\Documents and Settings\Owner\runUpdater.exe
2008-06-17 08:14:37 0 d C:\Program Files\Airport Mania
2008-06-17 08:14:25 0 d C:\Program Files\ReflexiveArcade
2008-06-10 21:36:45 191 --a C:\WINDOWS\setuplog
2008-05-26 17:02:42 364544 --a C:\WINDOWS\system32\{e8207046-f502-0c8d-a695-907c2ca12c90}.dll
-- Find3M Report
2008-06-21 15:28:35 0 d C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-06-21 15:27:55 0 d C:\Program Files\Microsoft AntiSpyware
2008-06-21 15:04:02 0 d C:\Documents and Settings\Owner\Application Data\Skype
2008-06-19 21:52:02 0 d C:\Documents and Settings\Owner\Application Data\Free Download Manager
2008-06-19 21:15:01 0 d C:\Program Files\Lavasoft
2008-06-19 21:13:17 0 d C:\Program Files\Common Files\Wise Installation Wizard
2008-06-19 18:18:06 18500 --a C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-06-10 21:36:46 0 d--h C:\Program Files\InstallShield Installation Information
2008-06-10 21:35:19 0 d C:\Documents and Settings\Owner\Application Data\Creative
2008-06-10 21:35:06 0 d C:\Program Files\Creative
2008-06-10 07:29:56 0 d C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-06-08 17:27:54 0 d C:\Program Files\National Lampoon's University Tycoon
2008-05-13 21:24:02 0 d C:\Program Files\Bullfrog
2008-05-10 15:28:19 41632 --a C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-05-10 09:06:02 0 d C:\Program Files\BoontyGames
2008-05-09 19:31:51 0 d C:\Program Files\PeerGuardian2
2008-05-08 19:26:53 0 d C:\Program Files\Common Files
2008-05-06 21:31:59 10 --a C:\WINDOWS\popcinfo.dat
2008-05-05 23:19:11 0 d C:\Program Files\DOSBox-0.72
2008-05-05 00:01:20 0 d C:\Program Files\Zuma Deluxe
2008-04-22 20:35:14 0 d C:\Program Files\Palm
-- Registry Dump
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{93f08f4b-84f8-b5d1-0d50-43475d0a9bf2}]
26/05/2008 17:02 364544 --a C:\WINDOWS\system32\{e8207046-f502-0c8d-a695-907c2ca12c90}.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0\bin\jusched.exe" [21/12/2004 22:10]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [07/05/1998 17:04]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [22/12/2003 16:38]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [21/08/2003 04:23]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [21/08/2003 04:15]
"KBD"="C:\HP\KBD\KBD.EXE" [11/02/2003 21:02]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [14/04/2004 21:43]
"AGRSMMSG"="AGRSMMSG.exe" [29/06/2004 10:06 C:\WINDOWS\AGRSMMSG.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [29/06/2007 00:43]
"nwiz"="nwiz.exe" [29/06/2007 00:43 C:\WINDOWS\system32\nwiz.exe]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.exe" [11/09/2003 04:00]
"AlcxMonitor"="ALCXMNTR.EXE" [07/09/2004 14:47 C:\WINDOWS\ALCXMNTR.EXE]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [15/11/2005 13:12]
"MXO Auto Loader"="C:\WINDOWS\MXOALDR.EXE" [07/04/2003 19:09]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50]
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [08/09/2007 02:32]
"0Spam.com Express"="C:\Program Files\0Spam.com Express\Express.exe" [22/02/2005 22:33]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe" [28/11/2005 15:02]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [28/11/2005 15:02]
"VTTimer"="VTTimer.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/01/2005 00:46]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [10/12/2005 15:57]
"SCDEmuApp.exe"="C:\Program Files\PowerISO\SCDEmuApp.exe" [16/10/2005 02:15]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [08/09/2007 02:32]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [07/09/2006 18:19]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"PS2"="C:\WINDOWS\system32\ps2.exe" [16/10/2002 17:57]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [29/06/2007 00:43]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupNotify"="c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" [09/01/2004 02:34]
"Active Desktop Calendar"="C:\Program Files\Active Desktop Calendar\ADC.exe" []
"1Click Clocksync"="C:\Program Files\1Click Clocksync\clocksync.exe" [07/04/2005 20:08]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [18/09/2005 18:40]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [30/03/2006 16:45]
"Creative WebCam Tray"="C:\Program Files\Creative\Shared Files\CamTray.exe" [27/10/2005 19:00]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices]
"0Spam.com Express"=C:\Program Files\0Spam.com Express\Express.exe /silent
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [23/09/2005 14:36:42]
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [30/05/2005 00:07:04]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 22:05:26]
DataViz Inc Messenger.lnk - C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [04/01/2008 17:03:16]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [09/06/2004 15:27:34]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [16/09/2003 13:19:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 02:01:04]
Monitor Apache Servers.lnk - C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe [23/09/2004 17:18:46]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bedmbyjs"= {550ed115-e3ca-44da-8395-e94936f3ea5c} - C:\Documents and Settings\All Users\Application Data\bedmbyjs.dll [19/06/2008 20:49 122880]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ORB.lnk]
backup=C:\WINDOWS\pss\ORB.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ORB.lnk
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton]
C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBS4\plugin\bin\PCHButton.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVEDESK]
"C:\Program Files\AveDesk\AveDesk.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Installer]
C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\21315.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PD0620 STISvc]
RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SIDEBAR]
"C:\Program Files\Desktop Sidebar\dsidebar.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{39e4a80d-231b-4df8-b08e-743efdeb453f}]
C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{e8207046-f502-0c8d-a695-907c2ca12c90}.dll" DllStart
*Newly Created Service* - PGFILTER
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{016926EC-A7C2-EB46-0200-040003000402}]
C:\WINDOWS\System32\RunDLL32.exe
-- End of Deckard's System Scanner: finished at 2008-06-21 15:36:36
I don't have any New.Net apps in my program list. I also don't have a floppy disk or indeed a drive to attempt removal procedure 4 on the link you supplied.
ETA: I just noticed that after rebooting, I get neither the extraneous cmd.exe process nor the 17pholmes open attempt, so that's good, but I'm sure there's more to be done?
Bit more
A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.
- Please download LSPFix from here.
- Run the LSPFix.exe that you have just finished downloading.
- Check the I know what I'm doing box.
- In the Keep box you should see one or more instances of C:\Program Files\NewDotNet\newdotnet6_38.dll and C:\WINDOWS\system32\POP3Intercept_lsp.dll
- Select every instance of newdotnet6_38.dll and POP3Intercept_lsp.dll and move each one to the Remove box by clicking the >> button.
- When you are done click Finish>>.
1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: targetedbanner browser optimizer - {93f08f4b-84f8-b5d1-0d50-43475d0a9bf2} - C:\WINDOWS\system32\{e8207046-f502-0c8d-a695-907c2ca12c90}.dll
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - - (no file)
O21 - SSODL: bedmbyjs - {550ed115-e3ca-44da-8395-e94936f3ea5c} - C:\Documents and Settings\All Users\Application Data\bedmbyjs.dll
2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
Please download OTMoveIt2 by OldTimer.
- Save it to your desktop.
- Please double-click OTMoveIt2.exe to run it.
- Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
[kill explorer]
C:\WINDOWS\system32\wH1
C:\WINDOWS\system32\mI5
C:\Documents and Settings\All Users\Application Data\bedmbyjs.dll
C:\Documents and Settings\Owner\runUpdater.exe
C:\WINDOWS\system32\{e8207046-f502-0c8d-a695-907c2ca12c90}.dll
C:\Program Files\BoontyGames
C:\WINDOWS\popcinfo.dat
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Installer
C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{39e4a80d-231b-4df8-b08e-743efdeb453f}
C:\WINDOWS\system32\{e8207046-f502-0c8d-a695-907c2ca12c90}.dll
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{016926EC-A7C2-EB46-0200-040003000402}
C:\Program Files\NewDotNet
C:\WINDOWS\system32\POP3Intercept_lsp.dll
HKEY_CLASSES_ROOT\CLSID\{39e4a80d-231b-4df8-b08e-743efdeb453f}
HKEY_CLASSES_ROOT\CLSID\{016926EC-A7C2-EB46-0200-040003000402}
purity
EmptyTemp
[start explorer]
- Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
- Click the red Moveit! button.
- A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
- Close OTMoveIt2
Reboot and post a new DSS log.
(Thanks for your continued help, btw, much appreciated)
I ran lspfix, and there were no NewDotNet instances in the Keep box, but the ones you mention were already on the Remove side, so I went ahead and got rid.
Got HijackThis to fix the problems you listed - they were all there except the O3 - Toolbar: (no name) - - (no file) one.
OTMoveIt2 log
Explorer killed successfully
C:\WINDOWS\system32\wH1 moved successfully.
C:\WINDOWS\system32\mI5 moved successfully.
C:\Documents and Settings\All Users\Application Data\bedmbyjs.dll unregistered successfully.
C:\Documents and Settings\All Users\Application Data\bedmbyjs.dll moved successfully.
C:\Documents and Settings\Owner\runUpdater.exe moved successfully.
File/Folder C:\WINDOWS\system32\{e8207046-f502-0c8d-a695-907c2ca12c90}.dll not found.
C:\Program Files\BoontyGames\Components moved successfully.
C:\Program Files\BoontyGames moved successfully.
C:\WINDOWS\popcinfo.dat moved successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Installer >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Installer\\ deleted successfully.
C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc moved successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{39e4a80d-231b-4df8-b08e-743efdeb453f} >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{39e4a80d-231b-4df8-b08e-743efdeb453f}\\ deleted successfully.
File/Folder C:\WINDOWS\system32\{e8207046-f502-0c8d-a695-907c2ca12c90}.dll not found.
< HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{016926EC-A7C2-EB46-0200-040003000402} >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{016926EC-A7C2-EB46-0200-040003000402}\\ deleted successfully.
File/Folder C:\Program Files\NewDotNet not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\POP3Intercept_lsp.dll
C:\WINDOWS\system32\POP3Intercept_lsp.dll NOT unregistered.
C:\WINDOWS\system32\POP3Intercept_lsp.dll moved successfully.
< HKEY_CLASSES_ROOT\CLSID\{39e4a80d-231b-4df8-b08e-743efdeb453f} >
Registry key HKEY_CLASSES_ROOT\CLSID\{39e4a80d-231b-4df8-b08e-743efdeb453f}\\ not found.
< HKEY_CLASSES_ROOT\CLSID\{016926EC-A7C2-EB46-0200-040003000402} >
Registry key HKEY_CLASSES_ROOT\CLSID\{016926EC-A7C2-EB46-0200-040003000402}\\ not found.
< purity >
< EmptyTemp >
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF2C9C.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF3915.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF564C.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF6128.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFA5D.tmp scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully
OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06212008_174319
Files moved on Reboot...
C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF2C9C.tmp moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF3915.tmp moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF564C.tmp moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF6128.tmp moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFA5D.tmp moved successfully.
DSS main.txt
Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-21 18:07:35
Computer is in Normal Mode.
-- HijackThis (run as Owner.exe)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:08:55, on 21/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0\bin\jucheck.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\0Spam.com Express\Express.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\PowerISO\SCDEmuApp.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\DOCUME~1\Owner\Desktop\Owner.exe
C:\WINDOWS\system32\NOTEPAD.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_IE&c=Q304&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mgdd.net/bookmarx/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_IE&c=Q304&bd=pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_IE&c=Q304&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.easydivx.org/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: O-Card Utility - {B88D6F42-A1AC-11D3-8424-00105A9B8D85} - C:\WINDOWS\System32\oichlpr.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [0Spam.com Express] C:\Program Files\0Spam.com Express\Express.exe /silent
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SCDEmuApp.exe] C:\Program Files\PowerISO\SCDEmuApp.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [1Click Clocksync] "C:\Program Files\1Click Clocksync\clocksync.exe" /auto /auto /auto
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\RunServices: [0Spam.com Express] C:\Program Files\0Spam.com Express\Express.exe /silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Startup: AutorunsDisabled
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E31CEAC-E29F-4EC7-9B16-FAE44AC1D383}: NameServer = 192.168.11.1,63.218.52.35
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Group\Apache2\bin\Apache.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
--
End of file - 10264 bytes
-- Files created between 2008-05-21 and 2008-06-21
2008-06-21 15:08:00 0 d C:\WINDOWS\ERUNT
2008-06-21 08:38:18 0 dr C:\Documents and Settings\Administrator\Favorites
2008-06-21 08:38:18 0 d C:\Documents and Settings\Administrator\Desktop
2008-06-21 08:38:18 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-06-21 08:38:18 0 dr-h C:\Documents and Settings\Administrator\Application Data
2008-06-21 08:38:18 0 d C:\Documents and Settings\Administrator\Application Data\Symantec
2008-06-21 08:38:18 0 d C:\Documents and Settings\Administrator\Application Data\Sun
2008-06-21 08:38:18 0 d C:\Documents and Settings\Administrator\Application Data\SampleView
2008-06-21 08:38:18 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-21 08:38:18 0 d C:\Documents and Settings\Administrator\Application Data\Intervideo
2008-06-21 08:38:18 0 d C:\Documents and Settings\Administrator\Application Data\Identities
2008-06-21 08:38:17 0 d C:\Documents and Settings\Administrator\WINDOWS
2008-06-21 08:38:17 0 d--h C:\Documents and Settings\Administrator\Templates
2008-06-21 08:38:17 0 dr C:\Documents and Settings\Administrator\Start Menu
2008-06-21 08:38:17 0 dr-h C:\Documents and Settings\Administrator\SendTo
2008-06-21 08:38:17 0 dr-h C:\Documents and Settings\Administrator\Recent
2008-06-21 08:38:17 0 d--h C:\Documents and Settings\Administrator\PrintHood
2008-06-21 08:38:17 0 d--h C:\Documents and Settings\Administrator\NetHood
2008-06-21 08:38:17 0 dr C:\Documents and Settings\Administrator\My Documents
2008-06-21 08:38:17 0 d--h C:\Documents and Settings\Administrator\Local Settings
2008-06-21 08:38:16 2097152 --ah C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-20 07:47:12 691545 --a C:\WINDOWS\unins000.exe
2008-06-20 07:47:12 2542 --a C:\WINDOWS\unins000.dat
2008-06-19 21:54:36 14336 --ah C:\Documents and Settings\Owner\runSetup.exe
2008-06-19 21:14:59 0 d C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-19 20:49:44 0 d C:\Documents and Settings\Owner\Application Data\uTorrent
2008-06-19 20:47:47 0 d C:\Program Files\uTorrent
2008-06-17 08:14:37 0 d C:\Program Files\Airport Mania
2008-06-17 08:14:25 0 d C:\Program Files\ReflexiveArcade
2008-06-10 21:36:45 191 --a C:\WINDOWS\setuplog
-- Find3M Report
2008-06-21 17:56:38 0 d C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-06-21 17:53:33 0 d C:\Program Files\Microsoft AntiSpyware
2008-06-21 17:46:17 0 d C:\Documents and Settings\Owner\Application Data\Skype
2008-06-19 21:52:02 0 d C:\Documents and Settings\Owner\Application Data\Free Download Manager
2008-06-19 21:15:01 0 d C:\Program Files\Lavasoft
2008-06-19 21:13:17 0 d C:\Program Files\Common Files\Wise Installation Wizard
2008-06-19 18:18:06 18500 --a C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-06-10 21:36:46 0 d--h C:\Program Files\InstallShield Installation Information
2008-06-10 21:35:19 0 d C:\Documents and Settings\Owner\Application Data\Creative
2008-06-10 21:35:06 0 d C:\Program Files\Creative
2008-06-10 07:29:56 0 d C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-06-08 17:27:54 0 d C:\Program Files\National Lampoon's University Tycoon
2008-05-13 21:24:02 0 d C:\Program Files\Bullfrog
2008-05-10 15:28:19 41632 --a C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-05-09 19:31:51 0 d C:\Program Files\PeerGuardian2
2008-05-08 19:26:53 0 d C:\Program Files\Common Files
2008-05-05 23:19:11 0 d C:\Program Files\DOSBox-0.72
2008-05-05 00:01:20 0 d C:\Program Files\Zuma Deluxe
2008-04-22 20:35:14 0 d C:\Program Files\Palm
-- Registry Dump
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0\bin\jusched.exe" [21/12/2004 22:10]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [07/05/1998 17:04]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [22/12/2003 16:38]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [21/08/2003 04:23]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [21/08/2003 04:15]
"KBD"="C:\HP\KBD\KBD.EXE" [11/02/2003 21:02]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [14/04/2004 21:43]
"AGRSMMSG"="AGRSMMSG.exe" [29/06/2004 10:06 C:\WINDOWS\AGRSMMSG.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [29/06/2007 00:43]
"nwiz"="nwiz.exe" [29/06/2007 00:43 C:\WINDOWS\system32\nwiz.exe]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.exe" [11/09/2003 04:00]
"AlcxMonitor"="ALCXMNTR.EXE" [07/09/2004 14:47 C:\WINDOWS\ALCXMNTR.EXE]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [15/11/2005 13:12]
"MXO Auto Loader"="C:\WINDOWS\MXOALDR.EXE" [07/04/2003 19:09]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50]
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [08/09/2007 02:32]
"0Spam.com Express"="C:\Program Files\0Spam.com Express\Express.exe" [22/02/2005 22:33]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe" [28/11/2005 15:02]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [28/11/2005 15:02]
"VTTimer"="VTTimer.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/01/2005 00:46]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [10/12/2005 15:57]
"SCDEmuApp.exe"="C:\Program Files\PowerISO\SCDEmuApp.exe" [16/10/2005 02:15]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [08/09/2007 02:32]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [07/09/2006 18:19]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"PS2"="C:\WINDOWS\system32\ps2.exe" [16/10/2002 17:57]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [29/06/2007 00:43]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupNotify"="c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" [09/01/2004 02:34]
"Active Desktop Calendar"="C:\Program Files\Active Desktop Calendar\ADC.exe" []
"1Click Clocksync"="C:\Program Files\1Click Clocksync\clocksync.exe" [07/04/2005 20:08]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [18/09/2005 18:40]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [30/03/2006 16:45]
"Creative WebCam Tray"="C:\Program Files\Creative\Shared Files\CamTray.exe" [27/10/2005 19:00]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices]
"0Spam.com Express"=C:\Program Files\0Spam.com Express\Express.exe /silent
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [23/09/2005 14:36:42]
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [30/05/2005 00:07:04]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 22:05:26]
DataViz Inc Messenger.lnk - C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [04/01/2008 17:03:16]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [09/06/2004 15:27:34]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [16/09/2003 13:19:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 02:01:04]
Monitor Apache Servers.lnk - C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe [23/09/2004 17:18:46]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ORB.lnk]
backup=C:\WINDOWS\pss\ORB.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ORB.lnk
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton]
C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBS4\plugin\bin\PCHButton.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVEDESK]
"C:\Program Files\AveDesk\AveDesk.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PD0620 STISvc]
RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SIDEBAR]
"C:\Program Files\Desktop Sidebar\dsidebar.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
-- End of Deckard's System Scanner: finished at 2008-06-21 18:13:35
0 -
Nearly done now
Please do an online scan with Kaspersky WebScanner
Click on Kaspersky Online Scanner and click Accept
You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
- The program will launch and then begin downloading the latest definition files.
- Once the files have been downloaded click on NEXT
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
- Scan Options:
Scan Mail Bases
- Click OK
- Now under select a target to scan:
Select
- This program will start and scan your system.
- The scan will take a while so be patient and let it run.
- Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
- Copy and paste that information in your next post.
0 -
Wow, that was thorough! Nearly 14 hours!
KASPERSKY ONLINE SCANNER REPORT
Sunday, June 22, 2008 11:18:47 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/06/2008
Kaspersky Anti-Virus database records: 880049
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
M:\
N:\
O:\
P:\
Q:\
Scan Statistics:
Total number of scanned objects: 126197
Number of viruses found: 19
Number of infected objects: 59
Number of suspicious objects: 12
Duration of the scan process: 13:59:17
Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\20080621153503\backup\DOCUME~1\Owner\LOCALS~1\Temp\Downloader.exe Infected: Trojan-Downloader.Win32.Small.wxl skipped
C:\Deckard\System Scanner\20080621153503\backup\DOCUME~1\Owner\LOCALS~1\Temp\nsi31C.tmp/data0002/stream/data0001 Infected: Trojan-Downloader.Win32.VB.ql skipped
C:\Deckard\System Scanner\20080621153503\backup\DOCUME~1\Owner\LOCALS~1\Temp\nsi31C.tmp/data0002/stream Infected: Trojan-Downloader.Win32.VB.ql skipped
C:\Deckard\System Scanner\20080621153503\backup\DOCUME~1\Owner\LOCALS~1\Temp\nsi31C.tmp/data0002 Infected: Trojan-Downloader.Win32.VB.ql skipped
C:\Deckard\System Scanner\20080621153503\backup\DOCUME~1\Owner\LOCALS~1\Temp\nsi31C.tmp NSIS: infected - 3 skipped
C:\Deckard\System Scanner\20080621153503\backup\DOCUME~1\Owner\LOCALS~1\Temp\nsy31E.tmp/stream/data0001 Infected: Trojan-Downloader.Win32.VB.ql skipped
C:\Deckard\System Scanner\20080621153503\backup\DOCUME~1\Owner\LOCALS~1\Temp\nsy31E.tmp/stream Infected: Trojan-Downloader.Win32.VB.ql skipped
C:\Deckard\System Scanner\20080621153503\backup\DOCUME~1\Owner\LOCALS~1\Temp\nsy31E.tmp NSIS: infected - 2 skipped
C:\Deckard\System Scanner\20080621153503\backup\DOCUME~1\Owner\LOCALS~1\Temp\snpp.exe/data0006 Infected: Trojan-Downloader.Win32.VB.eyc skipped
C:\Deckard\System Scanner\20080621153503\backup\DOCUME~1\Owner\LOCALS~1\Temp\snpp.exe NSIS: infected - 1 skipped
C:\Deckard\System Scanner\20080621153503\backup\DOCUME~1\Owner\LOCALS~1\Temp\syswcc32.exe/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.423 skipped
C:\Deckard\System Scanner\20080621153503\backup\DOCUME~1\Owner\LOCALS~1\Temp\syswcc32.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Deckard\System Scanner\20080621153503\backup\DOCUME~1\Owner\LOCALS~1\Temp\syswcc32.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Deckard\System Scanner\20080621153503\backup\DOCUME~1\Owner\LOCALS~1\Temp\syswcc32.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Deckard\System Scanner\20080621153503\backup\DOCUME~1\Owner\LOCALS~1\Temp\syswcc32.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Deckard\System Scanner\20080621153503\backup\DOCUME~1\Owner\LOCALS~1\Temp\syswcc32.exe RarSFX: infected - 5 skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchBootconf.zip/msupdate.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchBootconf.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC10.zip/accesss.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC10.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC11.zip/win32e.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC11.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC12.zip/win64.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC12.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC6.zip/systeem.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC6.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp.zip/x.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6m53c5tx.default\cert8.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6m53c5tx.default\flashgot.log Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6m53c5tx.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6m53c5tx.default\history.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6m53c5tx.default\key3.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6m53c5tx.default\parent.lock Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6m53c5tx.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6m53c5tx.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\23\1c3a7917-1b8286eb/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\23\1c3a7917-1b8286eb ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\39\3a99d727-5c8ce34d/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.t skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\39\3a99d727-5c8ce34d ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\63\2dc5607f-6bcfe15b/Mein.class Infected: Trojan.Java.Binny.a skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\63\2dc5607f-6bcfe15b/Beyond.class Infected: Trojan.Java.Binny.a skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\63\2dc5607f-6bcfe15b ZIP: infected - 2 skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-77e05f0b-245207d8.zip/Mein.class Infected: Trojan.Java.Binny.a skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-77e05f0b-245207d8.zip/Beyond.class Infected: Trojan.Java.Binny.a skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-77e05f0b-245207d8.zip ZIP: infected - 2 skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-6d374422.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.t skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-6d374422.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-5d9993d4.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-5d9993d4.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\pxmbuniq.default\Mail\Local Folders\Sent/[From Michael Galin <mpgalvin@eircom.net>][Date Wed, 01 Dec 2004 21:27:47 +0000]/Please/[From "Services PayPal" <services@paypal.com>][Date Sun, 19 Dec 2004 06:13:41 -0300]/html Infected: Trojan-Spy.HTML.Paylap.bg skipped
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\pxmbuniq.default\Mail\Local Folders\Sent/[From Michael Galin <mpgalvin@eircom.net>][Date Wed, 01 Dec 2004 21:27:47 +0000]/Please Infected: Trojan-Spy.HTML.Paylap.bg skipped
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\pxmbuniq.default\Mail\Local Folders\Sent/[From Michael Galvin <mpgalvin@eircom.net>][Date Thu, 26 May 2005 20:24:33 +0100]/text/[From Michael Galvin <mpgalvin@eircom.net>][Date Thu, 26 May 2005 21:52:23 +0100]/UNNAMED/[From Michael Galvin <mpgalvin@eircom.net>][Date Fri, 27 May 2005 20:56:14 +0100]/text/[From Michael Galvin <mpgalvin@eircom.net>][Date Tue, 10 Jan 2006 17:32:37 +0000]/Message Infected: Trojan-Spy.HTML.Bayfraud.kh skipped
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\pxmbuniq.default\Mail\Local Folders\Sent/[From Michael Galvin <mpgalvin@eircom.net>][Date Thu, 26 May 2005 20:24:33 +0100]/text/[From Michael Galvin <mpgalvin@eircom.net>][Date Thu, 26 May 2005 21:52:23 +0100]/UNNAMED/[From Michael Galvin <mpgalvin@eircom.net>][Date Fri, 27 May 2005 20:56:14 +0100]/text Infected: Trojan-Spy.HTML.Bayfraud.kh skipped
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\pxmbuniq.default\Mail\Local Folders\Sent/[From Michael Galvin <mpgalvin@eircom.net>][Date Thu, 26 May 2005 20:24:33 +0100]/text/[From Michael Galvin <mpgalvin@eircom.net>][Date Thu, 26 May 2005 21:52:23 +0100]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.kh skipped
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\pxmbuniq.default\Mail\Local Folders\Sent/[From Michael Galvin <mpgalvin@eircom.net>][Date Thu, 26 May 2005 20:24:33 +0100]/text Infected: Trojan-Spy.HTML.Bayfraud.kh skipped
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\pxmbuniq.default\Mail\Local Folders\Sent MailBerkeleymboxx: infected - 6 skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\6m53c5tx.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\6m53c5tx.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\6m53c5tx.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\6m53c5tx.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF320F.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF5950.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF5970.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF5E6E.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF68B7.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF8FF4.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\I3IB2H23\Updater[1].exe Infected: Trojan-Downloader.Win32.Agent.ucq skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\Owner\runUpdater.html Infected: Trojan-Downloader.Win32.Small.xhc skipped
C:\Downloads\o-txp473.zip/start.exe Infected: Trojan-Downloader.Win32.IstBar.is skipped
C:\Downloads\o-txp473.zip ZIP: infected - 1 skipped
C:\Program Files\Apache Group\Apache\logs\access.log Object is locked skipped
C:\Program Files\Apache Group\Apache\logs\error.log Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\Program Files\PeerGuardian2\history.db Object is locked skipped
C:\sdfix\SDFix\backups\backups.zip/backups/msupdte.exe Infected: Trojan-Downloader.Win32.Agent.ucq skipped
C:\sdfix\SDFix\backups\backups.zip/backups/netrax061083.exe Infected: Trojan-Downloader.Win32.VB.eyc skipped
C:\sdfix\SDFix\backups\backups.zip ZIP: infected - 2 skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\00010008.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{2C64A447-4679-4204-A039-16352F4E0E7D}\RP1262\A0102393.exe Infected: not-a-virus:AdWare.Win32.WebHancer.423 skipped
C:\System Volume Information\_restore{2C64A447-4679-4204-A039-16352F4E0E7D}\RP1262\A0102395.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{2C64A447-4679-4204-A039-16352F4E0E7D}\RP1262\A0102401.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{2C64A447-4679-4204-A039-16352F4E0E7D}\RP1262\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{2C64A447-4679-4204-A039-16352F4E0E7D}\RP1265\A0103720.exe Infected: Trojan-Downloader.Win32.VB.eyc skipped
C:\System Volume Information\_restore{2C64A447-4679-4204-A039-16352F4E0E7D}\RP1265\A0103745.exe Infected: Trojan-Downloader.Win32.Agent.ucq skipped
C:\System Volume Information\_restore{2C64A447-4679-4204-A039-16352F4E0E7D}\RP1265\A0103766.exe Infected: Trojan-Downloader.Win32.Agent.ucq skipped
C:\System Volume Information\_restore{2C64A447-4679-4204-A039-16352F4E0E7D}\RP1265\A0103769.exe Infected: Trojan-Downloader.Win32.VB.eyc skipped
C:\System Volume Information\_restore{2C64A447-4679-4204-A039-16352F4E0E7D}\RP1265\change.log Object is locked skipped
C:\WINDOWS\3d.exe Infected: Trojan.Win32.Small.tp skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd6589.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\ntsd32.exe/data0002 Infected: not-a-virus:AdWare.Win32.MediaBack.c skipped
C:\WINDOWS\system32\ntsd32.exe/data0003 Infected: Trojan-Clicker.Win32.VB.dn skipped
C:\WINDOWS\system32\ntsd32.exe/data0004 Infected: Trojan.Win32.VB.rh skipped
C:\WINDOWS\system32\ntsd32.exe NSIS: infected - 3 skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\06212008_174319\Documents and Settings\Owner\Application Data\Microsoft\dtsc\21315.exe Infected: Trojan-Downloader.Win32.Agent.shg skipped
C:\_OTMoveIt\MovedFiles\06212008_174319\Documents and Settings\Owner\runUpdater.exe Infected: Trojan-Downloader.Win32.Small.xhc skipped
N:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.
-
Hello
Please download OTMoveIt2 by OldTimer.
- Save it to your desktop.
- Please double-click OTMoveIt2.exe to run it.
- Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

[kill explorer]
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\I3IB2H23\Updater[1].exe
C:\Documents and Settings\Owner\runUpdater.html
C:\Downloads\o-txp473.zip
C:\WINDOWS\3d.exe
C:\WINDOWS\system32\ntsd32.exe
purity
EmptyTemp
[start explorer]

- Return to OTMoveIt2, right-click in the "Paste List of Files/Folders to Move" window (under the light yellow bar) and choose Paste.
- Click the red MoveIt! button.
- A log of the files and folders moved will be created in the C:\_OTMoveIt\MovedFiles folder, named by date and time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
- Close OTMoveIt2.
Open Notepad and copy (Ctrl+C) and paste (Ctrl+V) the following code into the Notepad window:

@echo off
rem Write a listing of C:\Downloads to a text file and open it in the default viewer (Notepad)
dir "C:\Downloads">C:\peek.txt
start C:\peek.txt
rem Relative path: the batch file is run from the Desktop, so this removes the batch file itself
del peek.bat

Click on 'File' then 'Save As'.
In the Save in drop-down box select Desktop.
In the File name box type in peek.bat.
In the Save as type drop-down box select All Files.
Close Notepad.
Now find peek.bat on your Desktop and double-click it.
A window will open and close; do not be concerned, this is normal.
Post the resulting Notepad file that appears.
-
contents of downloads (I've removed a few files that are not for er... "public consumption")
Volume in drive C is HP_PAVILION
Volume Serial Number is E82B-BB1C
 Directory of C:\Downloads

12/05/2008  22:49    <DIR>          .
12/05/2008  22:49    <DIR>          ..
23/07/2005  18:22         1,735,201 0SpamExpress.exe
12/07/2007  23:41            40,554 1031972133banana.zip
18/03/2002  14:12         2,322,614 147512_MTPatch1_3.exe
06/08/2007  17:09        48,968,752 162.18_forceware_winxp_32bit_english_whql.exe
21/07/2007  13:40         5,466,408 20060824_moonshell14finalbeta.zip
21/11/2003  22:52         4,002,597 2jpeg.zip
26/10/2001  23:49         2,116,414 a32-18.exe
13/04/2006  19:42               721 Abexo Free Registry Cleaner.lnk
31/08/2002  12:50            12,250 access_to_mysql.txt
03/06/2005  00:09         2,180,996 adc.exe
06/06/2002  21:50         1,264,844 addressbook.nt.tar.gz
06/04/2008  11:09         1,968,049 atrain.zip
29/12/2004  23:10         2,010,000 AveDesk11.exe
23/04/2005  10:19         3,487,352 BlindWrite_5.2.13.147.rar
24/03/2004  20:03           711,637 calipers.zip
07/01/2008  19:09         1,524,079 CDCheckSetup.exe
28/05/2005  21:26    <DIR>          CDRWin_5_05_001
23/09/2005  20:11           601,088 ClocksyncSetup.exe
22/01/2000  13:29           138,155 Coasterworld.zip
06/04/2008  11:03           126,438 confmeps.zip
01/03/2005  00:20         3,240,960 converter.exe
09/09/2007  10:26           499,862 cpu-z-141.zip
10/05/2000  22:50           294,888 crystocx.zip
13/02/2005  19:36         1,101,824 CuteWriter.exe
05/02/2005  18:02         1,283,346 cvrtmate.exe
06/02/2005  17:26         3,362,502 cxp_free.exe
04/11/2004  15:36           504,320 daemon347.exe
05/05/2006  08:52         1,449,368 daemon403-x86.exe
22/10/2001  23:55           173,216 datepick.zip
19/08/2000  23:00            38,366 dbman.zip
13/02/2005  18:18         2,915,699 DeepBurner1.exe
03/01/2001  20:49         1,042,944 demotivationalposters.pps
14/03/2005  02:58       169,747,698 DEMO_IM_UK_PC.zip
01/12/2007  00:37         1,761,029 dixmlsetup.exe
06/04/2008  14:48         1,258,638 DOSBox0.72-win32-installer.exe
03/11/2004  20:28    <DIR>          dvd
14/10/2001  14:57           871,409 EasyPegSetup.exe
17/05/2005  08:38         4,424,776 EZAntivirus.exe
05/02/2005  00:42         1,340,406 fdminst.exe
07/01/2008  14:21           886,808 freeundelete.exe
26/02/2000  09:40         1,698,304 f_x86t32.exe
04/01/2004  23:09         3,394,522 httrack-3.30.exe
19/06/2005  10:37           497,371 Ifoedit0971.zip
10/01/2002  01:03         1,707,856 instmsi.exe
26/03/2005  18:59       732,942,336 KNOPPIX_V3.7-2004-12-08-EN.iso
30/11/2001  21:34         2,060,617 litsetup_v20.zip
13/01/2006  19:37    <DIR>          Lucasarts Games
17/12/2004  20:42         6,552,939 mame089b.zip
26/03/2005  19:01         1,450,805 mbtagger-setup-0.10.5.exe
21/09/2002  12:55         5,527,594 MDBBrowserEditor.EXE
02/06/2007  21:06           701,251 MDBPlus.zip
02/06/2007  21:10           199,074 MdbToMySQL.zip
04/02/2005  22:38         2,357,023 mp3workshop.exe
25/09/2003  23:40            91,853 multiDesk.zip
10/09/2000  20:43           632,862 netloadSetup.exe
29/05/2005  23:32         8,332,416 objectdock_freeware.exe
05/02/2006  00:19    <DIR>          OpenOfficeorg 2.0 Installation Files
12/05/2008  22:42         3,529,095 openttd-0.6.0-win32.exe
22/06/2007  18:50           893,224 optimize-setup-2003.exe
01/12/2002  12:03           747,508 OWASPGuideV1[1].1.1.pdf
07/08/2003  23:20         4,967,687 phedinst.exe
20/12/2005  22:08           962,174 powermax.exe
18/02/2006  20:33           145,330 pppclientinstall.exe
07/03/2004  14:44         2,855,552 ppview97.exe
09/01/2005  18:35         1,951,432 ppviewer.exe
09/01/2002  23:28            31,957 protect2035b2.zip
19/09/2001  21:37           511,440 q290108.exe
07/07/2005  21:10           800,136 regclean.exe
15/04/2006  16:29           358,545 RegSeeker.zip
02/03/2005  23:57         1,020,686 renameit-3.32-install.exe
10/10/2000  23:27             7,583 search.zip
17/12/2003  23:37           598,122 SetupDD3.zip
17/01/2008  23:29         3,003,113 Setup_MagicISO.exe
01/01/2005  21:46    <DIR>          silkscreen
22/06/2000  21:16           355,024 SITEX10.EXE
12/03/2006  15:43             4,634 tcnytrn4.zip
26/01/2006  19:05         1,312,220 tedv060.zip
30/04/2006  08:43           860,160 tedv065setup.exe
02/05/2004  12:49         6,059,520 TortoiseSVN-1.0.3-UNICODE_svn-1.0.1.msi
24/03/2004  19:29        20,993,973 trueimage7[1].0_s_en.exe
25/01/2007  21:51    <DIR>          TTZips
11/02/2005  21:38           150,192 TweakUiPowertoySetup.exe
07/01/2008  14:42           870,952 undelete_plus_setup.exe
22/12/2004  00:41         7,071,334 vlc-0.8.1-win32.exe
29/10/2007  10:42         9,679,815 vlc-0.8.6c-win32.exe
07/01/2005  23:58    <DIR>          vsStyles
12/06/2005  22:25    <DIR>          WinAVI Video Converter 6.3
16/04/2005  23:41         1,126,824 WinRAR v3.42.zip
13/08/1999  19:50           943,835 winzip70.exe
18/08/2002  17:49         1,803,848 winzip81.exe
              94 File(s)  1,187,205,640 bytes
              12 Dir(s)  51,939,319,808 bytes free
moveit log
Explorer killed successfully
< C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\I3IB2H23\Updater[1].exe >
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\I3IB2H23\Updater[1].exe moved successfully.
C:\Documents and Settings\Owner\runUpdater.html moved successfully.
C:\Downloads\o-txp473.zip moved successfully.
C:\WINDOWS\3d.exe moved successfully.
C:\WINDOWS\system32\ntsd32.exe moved successfully.
< purity >
< EmptyTemp >
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF1656.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF969B.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFC281.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFE5F4.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFF729.tmp scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully
OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06222008_153441
Files moved on Reboot...
C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF1656.tmp moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF969B.tmp moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFC281.tmp moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFE5F4.tmp moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFF729.tmp moved successfully.
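The peek.bat step and the listing it produced are a quick way to eyeball a download folder for the file that started an infection. As an added example (not part of the thread and not the helper's tool), here is a Python script that parses that `dir` output format and surfaces the entries worth a second look: executables modified inside a suspected infection window, and names with a decoy double extension such as "photo.jpg.exe" that read as a document when Explorer hides known extensions. The listing it runs on is constructed for the example and is not the poster's directory; the extension lists and the date cut-off are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the same format as the posted peek.txt (dd/mm/yyyy
# locale); the names, sizes and dates are made up for this example.
SAMPLE_LISTING = """\
 Volume in drive C is HP_PAVILION
 Volume Serial Number is 0000-0000

 Directory of C:\\Downloads

12/05/2008  22:49    <DIR>          .
12/05/2008  22:49    <DIR>          ..
23/07/2005  18:22         1,735,201 tool-setup.exe
13/01/2006  19:37    <DIR>          Old Games
12/05/2008  22:42         3,529,095 game-0.6.0-win32.exe
01/12/2002  12:03           747,508 manual.pdf
18/06/2008  23:07            48,640 holiday_photos.jpg.exe
19/06/2008  08:15            12,288 updater.exe
               5 File(s)      6,072,732 bytes
               1 Dir(s)  51,939,319,808 bytes free
"""

# One entry line: date, time, then either <DIR> or a comma-grouped byte
# count, then the name (which may itself contain spaces).
ENTRY_RE = re.compile(
    r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2})\s+(?:(<DIR>)|([\d,]+))\s+(.+?)\s*$"
)

# Extensions Explorer/cmd.exe run directly (assumed list for the example).
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "msi"}
# "Document" extensions that, when followed by an executable one, suggest a
# name chosen to look harmless with hidden extensions (assumed list).
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "pdf", "doc", "txt", "zip", "avi", "mp3"}


def parse_dir_listing(text):
    """Parse `dir` output into a list of {name, is_dir, size, mtime} dicts.
    Header/footer lines and the '.' and '..' entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        date, time, dir_marker, size, name = m.groups()
        if name in (".", ".."):
            continue
        entries.append({
            "name": name,
            "is_dir": dir_marker is not None,
            "size": 0 if dir_marker else int(size.replace(",", "")),
            "mtime": datetime.strptime(f"{date} {time}", "%d/%m/%Y %H:%M"),
        })
    return entries


def suspicious_downloads(entries, since):
    """Names of executable files modified on or after `since` (the suspected
    infection window) or carrying a decoy double extension, in listing order."""
    flagged = []
    for e in entries:
        if e["is_dir"]:
            continue
        parts = e["name"].lower().split(".")
        ext = parts[-1] if len(parts) > 1 else ""
        if ext not in EXECUTABLE_EXTS:
            continue
        double_ext = len(parts) >= 3 and parts[-2] in DECOY_EXTS
        if e["mtime"] >= since or double_ext:
            flagged.append(e["name"])
    return flagged


def triage(listing_text, since_ddmmyyyy):
    """Convenience wrapper: parse the listing and return the flagged names."""
    since = datetime.strptime(since_ddmmyyyy, "%d/%m/%Y")
    return suspicious_downloads(parse_dir_listing(listing_text), since)


if __name__ == "__main__":
    # Newest first, which is usually where the dropper sits.
    for e in sorted(parse_dir_listing(SAMPLE_LISTING), key=lambda e: e["mtime"], reverse=True):
        shown = "<DIR>" if e["is_dir"] else str(e["size"])
        print(f"{e['mtime']:%d/%m/%Y %H:%M}  {shown:>12}  {e['name']}")
    print("flagged:", triage(SAMPLE_LISTING, "16/06/2008"))
```

To use it on a real peek.txt, read the file into a string and pass it to triage with the date the symptoms started. A flagged name is a candidate for checking (hash it, submit it to a multi-engine scanner), not a verdict: installers downloaded on purpose inside the window will be listed too.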
-
No problem
- Make sure you have an Internet Connection.
- Double-click OTMoveIt2.exe to run it.
- Click on the CleanUp! button
- A list of tool components used in the Cleanup of malware will be downloaded.
- If your firewall or real-time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
- Click Yes to begin the Cleanup process and remove these components, including this application.
- You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
You're using an old version of Adobe Acrobat Reader; this can leave your PC open to vulnerabilities. You can update it here:
http://www.adobe.com/products/acrobat/readstep2.html
You now need to update your Java and remove your older versions.
Please follow these steps to remove older version Java components.
* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.
Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here
Now we need to create a new System Restore point.
Click Start Menu > Run > type (or copy and paste)
%SystemRoot%\System32\restore\rstrui.exe
Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.
Next goto Start Menu > Run > type
cleanmgr
Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.
To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan, click OK, then choose Yes on the confirmation window.
Below I have included a number of recommendations for how to protect your computer against malware infections.
* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest available security updates installed.
* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here
* SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.
Make Internet Explorer more secure
- Click Start > Run
- Type Inetcpl.cpl and click OK
- Click on the Security tab
- Click Reset all zones to default level
- Make sure the Internet Zone is selected & Click Custom level
- In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
- Next Click OK, then Apply button and then OK to exit the Internet Properties page.
* MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer, meaning it will be difficult to infect yourself in the future.
* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop-up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here
* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here
Thank you for your patience, and for performing all of the procedures requested.
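The MVPS HOSTS recommendation above works by pointing each listed name at 127.0.0.1 (some block lists use 0.0.0.0 instead) so the connection never leaves the machine. As an added example, not part of the thread and not the MVPS file itself, here is a Python script that parses a HOSTS file, answers whether a given name is blackholed, and lists the entries that are not blackholes. That second check matters after a clean-up: the same file format is what malware uses when it points a legitimate name (an update or anti-virus vendor host) at a server of its own choosing, and such an entry survives an anti-spyware scan that only looks at files and registry keys. The sample file is constructed for the example; the blackhole address set and the "first entry for a name wins" rule are assumptions.

```python
import ipaddress

# Constructed sample HOSTS file for this example (not the poster's file and
# not the MVPS list): the Windows default entry, a few blackhole entries in
# the MVPS style, and one entry that sends a real name to a remote address,
# which is the shape a malicious HOSTS edit takes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost

# [Blackhole entries, MVPS style]
127.0.0.1  ads.example-adnetwork.test
127.0.0.1  tracker.example-spyware.test   # trailing comment
0.0.0.0    cdn.example-adnetwork.test

# [Hijack-style entry: a real name pointed somewhere else]
203.0.113.9  windowsupdate.microsoft.com
"""

# Addresses that make an entry a blackhole: loopback (what the MVPS file
# uses) and the unspecified address, which other block lists use (assumed set).
BLACKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Map each hostname to the address its HOSTS entry points at.
    Comments (after '#') and blank or malformed lines are ignored; if a name
    appears more than once, the first entry is kept (assumption)."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        address, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue  # first field is not an address: malformed line
        for name in names:
            mapping.setdefault(name.lower(), address)
    return mapping


def is_blackholed(mapping, hostname):
    """True if the HOSTS file sends `hostname` to the local machine,
    i.e. the name is blocked rather than resolved."""
    return mapping.get(hostname.lower()) in BLACKHOLE_ADDRESSES


def redirect_entries(mapping):
    """Names pointed at a real (non-blackhole) address. These block nothing:
    traffic for the name goes to that machine instead of the genuine host, so
    each one should be explainable (a LAN name you added) or removed."""
    return sorted(name for name, address in mapping.items()
                  if address not in BLACKHOLE_ADDRESSES)


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example-adnetwork.test", "windowsupdate.microsoft.com", "unknown.test"):
        print(f"{name}: {'blocked' if is_blackholed(hosts, name) else 'not blocked'}")
    print("entries to review:", redirect_entries(hosts))
```

To audit the real file, read C:\WINDOWS\system32\drivers\etc\hosts into a string in place of SAMPLE_HOSTS. An entry returned by redirect_entries is not automatically malicious (intranet names are put there by hand), but every one should be accounted for, and any that names an update or security-vendor host and was not added by you is a sign the clean-up is not finished.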
-
Thanks a million for all your help, very much appreciated. I'm off to download some pr0n now from a Russian mafia site
I don't use IE at all - I had trouble even finding it on this PC to run the KAV (it didn't appear to work on FF) - are any of your recommendations necessary on FF as well?
-
Yes, those recommendations are for FF as well.