Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Spyware attack

  • 21-06-2008 8:39am
    #1
    Registered Users, Registered Users 2 Posts: 4,475 ✭✭✭


    Just about recovered from a nasty spyware attack over the last few days. Several runs of Ad-Aware and Spybot seem to have cleared most everything up, but I have 2 issues left.

    1. When I startup, there's a cmd.exe running in my task manager taking up 60-80% cpu usage. There's no visible evidence of this command prompt, and shutting it down doesn't appear to cause any issue.

    2. Again on startup, I'm told that c:\windows\17pholmes.exe cannot be found. I know this is related to the spyware I had, but where is this load attempt coming from? I've looked through msconfig but can't find it.

    My dss logs are attached.


Comments

  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Post the logs instead of attaching them


  • Registered Users, Registered Users 2 Posts: 4,475 ✭✭✭corblimey


    main.txt

    Deckard's System Scanner v20071014.68
    Run by Owner on 2008-06-21 09:22:49
    Computer is in Normal Mode.

    -- System Restore

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    44: 2008-06-21 08:22:58 UTC - RP1265 - Deckard's System Scanner Restore Point
    43: 2008-06-21 02:02:32 UTC - RP1264 - Software Distribution Service 3.0
    42: 2008-06-20 06:34:18 UTC - RP1263 - Spybot-S&D Spyware removal
    41: 2008-06-19 20:14:54 UTC - RP1262 - Installed Ad-Aware
    40: 2008-06-16 14:57:08 UTC - RP1261 - System Checkpoint


    -- First Restore Point --
    1: 2008-03-19 05:02:48 UTC - RP1222 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis Clone


    Emulating logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2008-06-21 09:29:37
    Platform: Windows XP Service Pack 2 (5.01.2600)
    MSIE: Internet Explorer (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Apache Group\Apache\Apache.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Apache Group\Apache\Apache.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Dantz\Retrospect\retrorun.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\vetmsg.exe
    C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    C:\WINDOWS\system\hpsysdrv.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\hphmon05.exe
    C:\hp\KBD\kbd.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Java\jre1.5.0\bin\jucheck.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I0F2.EXE
    C:\WINDOWS\ALCXMNTR.EXE
    C:\WINDOWS\MXOALDR.EXE
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\cavrid.exe
    C:\Program Files\0Spam.com Express\Express.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\PowerISO\SCDEmuApp.exe
    C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\PeerGuardian2\pg2.exe
    C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    C:\Program Files\Palm\Hotsync.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.0\program\soffice.bin
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    C:\Documents and Settings\Owner\Desktop\dss.exe
    C:\WINDOWS\system32\cidaemon.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_IE&c=Q304&bd=pavilion&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mgdd.net/bookmarx/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.easydivx.org/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_IE&c=Q304&bd=pavilion&pf=desktop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_IE&c=Q304&bd=pavilion&pf=desktop
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: targetedbanner browser optimizer - {93f08f4b-84f8-b5d1-0d50-43475d0a9bf2} - C:\WINDOWS\system32\{e8207046-f502-0c8d-a695-907c2ca12c90}.dll
    O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
    O2 - BHO: O-Card Utility - {B88D6F42-A1AC-11D3-8424-00105A9B8D85} - C:\WINDOWS\system32\oichlpr.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: (no name) - - (no file)
    O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [0Spam.com Express] C:\Program Files\0Spam.com Express\Express.exe /silent
    O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [SCDEmuApp.exe] C:\Program Files\PowerISO\SCDEmuApp.exe
    O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Microsoft WinUpdate] C:\WINDOWS\system32\msupdte.exe
    O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
    O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\Active Desktop Calendar\ADC.exe
    O4 - HKCU\..\Run: [1Click Clocksync] "C:\Program Files\1Click Clocksync\clocksync.exe" /auto /auto /auto
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
    O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
    O4 - HKCU\..\RunServices: [0Spam.com Express] C:\Program Files\0Spam.com Express\Express.exe /silent
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - Startup: AutorunsDisabled
    O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Broken Internet access because of LSP provider 'C:\Program Files\NewDotNet\newdotnet6_38.dll' missing
    O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\POP3Intercept_lsp.dll
    O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{5E31CEAC-E29F-4EC7-9B16-FAE44AC1D383}: NameServer = 192.168.11.1,63.218.52.35
    O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
    O21 - SSODL: bedmbyjs - {550ed115-e3ca-44da-8395-e94936f3ea5c} - C:\Documents and Settings\All Users\Application Data\bedmbyjs.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe
    O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Group\Apache2\bin\Apache.exe
    O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
    O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\vetmsg.exe


    --
    End of file - 11427 bytes

    -- File Associations

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R0 PrecSim - c:\windows\system32\drivers\precsim.sys <Not Verified; Engelmann GmbH; PrecSim>
    R0 prohlp02 (StarForce Protection Helper Driver v2) - c:\windows\system32\drivers\prohlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
    R0 prosync1 (StarForce Protection Synchronization Driver v1) - c:\windows\system32\drivers\prosync1.sys <Not Verified; Protection Technology; StarForce Protection System>
    R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
    R0 sfhlp01 (StarForce Protection Helper Driver) - c:\windows\system32\drivers\sfhlp01.sys <Not Verified; Protection Technology; StarForce Protection System>
    R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
    R0 sfsync04 (StarForce Protection Synchronization Driver (version 4.x)) - c:\windows\system32\drivers\sfsync04.sys <Not Verified; Protection Technology; StarForce Protection System>
    R0 snapman (Acronis Snapshots Manager) - c:\windows\system32\drivers\snapman.sys <Not Verified; Acronis; Acronis Snapshot API>
    R0 timounter (Acronis TrueImage Backup Archive Explorer) - c:\windows\system32\drivers\timntr.sys <Not Verified; Acronis; Acronis True Image>
    R1 prodrv06 (StarForce Protection Environment Driver v6) - c:\windows\system32\drivers\prodrv06.sys <Not Verified; Protection Technology; StarForce Protection System>
    R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
    R1 vcdrom (Virtual CD-ROM Device Driver) - c:\windows\system32\drivers\vcdrom.sys <Not Verified; Microsoft Corporation; VirtualCdRom>
    R2 tifsfilter (Acronis TrueImage FS Filter) - c:\windows\system32\drivers\tifsfilt.sys <Not Verified; Acronis; TrueImage>
    R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
    R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
    R3 pgfilter - c:\program files\peerguardian2\pgfilter.sys

    S3 bDMusicb - c:\docume~1\owner\locals~1\temp\bdmusicb.sys (file missing)
    S3 ialm - c:\windows\system32\drivers\ialmnt5.sys <Not Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows NT(R)>
    S3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys (file missing)
    S3 Usblink (Usblink Driver) - c:\windows\system32\drivers\ulink.sys <Not Verified; ; USB SUPERLINK ADAPTER>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R2 AcrSch2Svc (Acronis Scheduler2 Service) - "c:\program files\common files\acronis\schedule2\schedul2.exe" <Not Verified; Acronis; Acronis Scheduler 2>
    R2 Apache - "c:\program files\apache group\apache\apache.exe" --ntservice
    R2 RetroLauncher (Retrospect Launcher) - c:\progra~1\dantz\retros~1\retrorun.exe <Not Verified; Dantz Development Corporation; Retrospect>
    R2 UserAccess7 (SecuROM User Access Service (V7)) - c:\windows\system32\uaservice7.exe

    S2 Apache2 - "c:\program files\apache group\apache2\bin\apache.exe" -k runservice <Not Verified; Apache Software Foundation; Apache HTTP Server>


    -- Device Manager: Disabled

    No disabled devices found.


    -- Files created between 2008-05-21 and 2008-06-21

    2008-06-21 08:38:18 0 dr
    C:\Documents and Settings\Administrator\Favorites
    2008-06-21 08:38:18 0 d
    C:\Documents and Settings\Administrator\Desktop
    2008-06-21 08:38:18 0 d---s---- C:\Documents and Settings\Administrator\Cookies
    2008-06-21 08:38:18 0 dr-h
    C:\Documents and Settings\Administrator\Application Data
    2008-06-21 08:38:18 0 d
    C:\Documents and Settings\Administrator\Application Data\Symantec
    2008-06-21 08:38:18 0 d
    C:\Documents and Settings\Administrator\Application Data\Sun
    2008-06-21 08:38:18 0 d
    C:\Documents and Settings\Administrator\Application Data\SampleView
    2008-06-21 08:38:18 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
    2008-06-21 08:38:18 0 d
    C:\Documents and Settings\Administrator\Application Data\Intervideo
    2008-06-21 08:38:18 0 d
    C:\Documents and Settings\Administrator\Application Data\Identities
    2008-06-21 08:38:17 0 d
    C:\Documents and Settings\Administrator\WINDOWS
    2008-06-21 08:38:17 0 d--h
    C:\Documents and Settings\Administrator\Templates
    2008-06-21 08:38:17 0 dr
    C:\Documents and Settings\Administrator\Start Menu
    2008-06-21 08:38:17 0 dr-h
    C:\Documents and Settings\Administrator\SendTo
    2008-06-21 08:38:17 0 dr-h
    C:\Documents and Settings\Administrator\Recent
    2008-06-21 08:38:17 0 d--h
    C:\Documents and Settings\Administrator\PrintHood
    2008-06-21 08:38:17 0 d--h
    C:\Documents and Settings\Administrator\NetHood
    2008-06-21 08:38:17 0 dr
    C:\Documents and Settings\Administrator\My Documents
    2008-06-21 08:38:17 0 d--h
    C:\Documents and Settings\Administrator\Local Settings
    2008-06-21 08:38:16 2097152 --ah
    C:\Documents and Settings\Administrator\NTUSER.DAT
    2008-06-20 07:47:12 691545 --a
    C:\WINDOWS\unins000.exe
    2008-06-20 07:47:12 2542 --a
    C:\WINDOWS\unins000.dat
    2008-06-19 21:54:36 14336 --ah
    C:\Documents and Settings\Owner\runSetup.exe
    2008-06-19 21:14:59 0 d
    C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-06-19 21:02:56 10752 --a
    C:\WINDOWS\time.exe
    2008-06-19 21:02:56 32256 --a
    C:\WINDOWS\svcinit.exe
    2008-06-19 21:02:55 31232 --a
    C:\WINDOWS\svchost32.exe
    2008-06-19 21:02:55 20480 --a
    C:\WINDOWS\sistem.exe
    2008-06-19 21:02:55 16384 --a
    C:\WINDOWS\searchword.dll
    2008-06-19 21:02:54 24320 --a
    C:\WINDOWS\rundll16.exe
    2008-06-19 21:02:54 13824 --a
    C:\WINDOWS\quicken.exe
    2008-06-19 21:02:54 21248 --a
    C:\WINDOWS\qttasks.exe
    2008-06-19 21:02:54 22528 --a
    C:\WINDOWS\mswsc20.dll
    2008-06-19 21:02:54 29952 --a
    C:\WINDOWS\mswsc10.dll
    2008-06-19 21:02:53 23296 --a
    C:\WINDOWS\msspi.dll
    2008-06-19 21:02:53 22784 --a
    C:\WINDOWS\msconfd.dll
    2008-06-19 21:02:52 22528 --a
    C:\WINDOWS\internet.exe
    2008-06-19 21:02:52 18944 --a
    C:\WINDOWS\inetinf.exe
    2008-06-19 21:02:52 32256 --a
    C:\WINDOWS\helpcvs.exe
    2008-06-19 21:02:51 29952 --a
    C:\WINDOWS\gfmnaaa.dll
    2008-06-19 21:02:51 9728 --a
    C:\WINDOWS\funny.exe
    2008-06-19 21:02:51 14336 --a
    C:\WINDOWS\funniest.exe
    2008-06-19 21:02:51 14592 --a
    C:\WINDOWS\explorer32.exe
    2008-06-19 21:02:51 13568 --a
    C:\WINDOWS\explore.exe
    2008-06-19 21:02:51 19456 --a
    C:\WINDOWS\editpad.exe
    2008-06-19 21:02:51 18688 --a
    C:\WINDOWS\dnsrelay.dll
    2008-06-19 21:02:51 20480 --a
    C:\WINDOWS\directx32.exe
    2008-06-19 21:02:50 17664 --a
    C:\WINDOWS\ctrlpan.dll
    2008-06-19 21:02:50 13568 --a
    C:\WINDOWS\ctfmon32.exe
    2008-06-19 20:49:44 0 d
    C:\Documents and Settings\Owner\Application Data\uTorrent
    2008-06-19 20:49:30 0 d
    C:\WINDOWS\system32\wH1
    2008-06-19 20:49:30 0 d
    C:\WINDOWS\system32\mI5
    2008-06-19 20:49:23 0 d
    C:\WINDOWS\system32\netrax06
    2008-06-19 20:49:02 122880 --a
    C:\Documents and Settings\All Users\Application Data\bedmbyjs.dll
    2008-06-19 20:47:47 0 d
    C:\Program Files\uTorrent
    2008-06-19 20:47:31 4 --a
    C:\WINDOWS\system32\hljwugsf.bin
    2008-06-19 20:46:40 8784 --ah
    C:\Documents and Settings\Owner\runUpdater.exe
    2008-06-17 08:14:37 0 d
    C:\Program Files\Airport Mania
    2008-06-17 08:14:25 0 d
    C:\Program Files\ReflexiveArcade
    2008-06-17 08:14:21 21818 --a
    C:\WINDOWS\system32\msupdte.exe
    2008-06-10 21:36:45 191 --a
    C:\WINDOWS\setuplog
    2008-05-26 17:02:42 364544 --a
    C:\WINDOWS\system32\{e8207046-f502-0c8d-a695-907c2ca12c90}.dll


    -- Find3M Report

    2008-06-21 09:17:30 0 d
    C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
    2008-06-21 09:16:57 0 d
    C:\Program Files\Microsoft AntiSpyware
    2008-06-19 21:52:02 0 d
    C:\Documents and Settings\Owner\Application Data\Free Download Manager
    2008-06-19 21:15:01 0 d
    C:\Program Files\Lavasoft
    2008-06-19 21:13:17 0 d
    C:\Program Files\Common Files\Wise Installation Wizard
    2008-06-19 19:52:00 0 d
    C:\Documents and Settings\Owner\Application Data\Skype
    2008-06-19 18:18:06 18500 --a
    C:\Documents and Settings\Owner\Application Data\wklnhst.dat
    2008-06-10 21:36:46 0 d--h
    C:\Program Files\InstallShield Installation Information
    2008-06-10 21:35:19 0 d
    C:\Documents and Settings\Owner\Application Data\Creative
    2008-06-10 21:35:06 0 d
    C:\Program Files\Creative
    2008-06-10 07:29:56 0 d
    C:\Documents and Settings\Owner\Application Data\AdobeUM
    2008-06-08 17:27:54 0 d
    C:\Program Files\National Lampoon's University Tycoon
    2008-05-13 21:24:02 0 d
    C:\Program Files\Bullfrog
    2008-05-10 15:28:19 41632 --a
    C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
    2008-05-10 09:06:02 0 d
    C:\Program Files\BoontyGames
    2008-05-09 19:31:51 0 d
    C:\Program Files\PeerGuardian2
    2008-05-08 19:26:53 0 d
    C:\Program Files\Common Files
    2008-05-06 21:31:59 10 --a
    C:\WINDOWS\popcinfo.dat
    2008-05-05 23:19:11 0 d
    C:\Program Files\DOSBox-0.72
    2008-05-05 00:01:20 0 d
    C:\Program Files\Zuma Deluxe
    2008-04-22 20:35:14 0 d
    C:\Program Files\Palm


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{93f08f4b-84f8-b5d1-0d50-43475d0a9bf2}]
    26/05/2008 17:02 364544 --a
    C:\WINDOWS\system32\{e8207046-f502-0c8d-a695-907c2ca12c90}.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0\bin\jusched.exe" [21/12/2004 22:10]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [07/05/1998 17:04]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [22/12/2003 16:38]
    "HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [21/08/2003 04:23]
    "HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [21/08/2003 04:15]
    "KBD"="C:\HP\KBD\KBD.EXE" [11/02/2003 21:02]
    "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [14/04/2004 21:43]
    "AGRSMMSG"="AGRSMMSG.exe" [29/06/2004 10:06 C:\WINDOWS\AGRSMMSG.exe]
    "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [29/06/2007 00:43]
    "nwiz"="nwiz.exe" [29/06/2007 00:43 C:\WINDOWS\system32\nwiz.exe]
    "EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.exe" [11/09/2003 04:00]
    "AlcxMonitor"="ALCXMNTR.EXE" [07/09/2004 14:47 C:\WINDOWS\ALCXMNTR.EXE]
    "gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [15/11/2005 13:12]
    "MXO Auto Loader"="C:\WINDOWS\MXOALDR.EXE" [07/04/2003 19:09]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50]
    "CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [08/09/2007 02:32]
    "0Spam.com Express"="C:\Program Files\0Spam.com Express\Express.exe" [22/02/2005 22:33]
    "TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe" [28/11/2005 15:02]
    "Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [28/11/2005 15:02]
    "VTTimer"="VTTimer.exe" []
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/01/2005 00:46]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [10/12/2005 15:57]
    "SCDEmuApp.exe"="C:\Program Files\PowerISO\SCDEmuApp.exe" [16/10/2005 02:15]
    "cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [08/09/2007 02:32]
    "UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [07/09/2006 18:19]
    "KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
    "PS2"="C:\WINDOWS\system32\ps2.exe" [16/10/2002 17:57]
    "NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [29/06/2007 00:43]
    "Microsoft WinUpdate"="C:\WINDOWS\system32\msupdte.exe" [17/06/2008 08:14]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BackupNotify"="c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" [09/01/2004 02:34]
    "Active Desktop Calendar"="C:\Program Files\Active Desktop Calendar\ADC.exe" []
    "1Click Clocksync"="C:\Program Files\1Click Clocksync\clocksync.exe" [07/04/2005 20:08]
    "PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [18/09/2005 18:40]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [30/03/2006 16:45]
    "Creative WebCam Tray"="C:\Program Files\Creative\Shared Files\CamTray.exe" [27/10/2005 19:00]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices]
    "0Spam.com Express"=C:\Program Files\0Spam.com Express\Express.exe /silent

    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
    OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [23/09/2005 14:36:42]
    Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [30/05/2005 00:07:04]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 22:05:26]
    DataViz Inc Messenger.lnk - C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [04/01/2008 17:03:16]
    HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [09/06/2004 15:27:34]
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [16/09/2003 13:19:24]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 02:01:04]
    Monitor Apache Servers.lnk - C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe [23/09/2004 17:18:46]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "bedmbyjs"= {550ed115-e3ca-44da-8395-e94936f3ea5c} - C:\Documents and Settings\All Users\Application Data\bedmbyjs.dll [19/06/2008 20:49 122880]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 relog_ap

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @=&quot;Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @=&quot;Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @=&quot;Volume shadow copy"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ORB.lnk]
    backup=C:\WINDOWS\pss\ORB.lnkCommon Startup
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ORB.lnk

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton]
    C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBS4\plugin\bin\PCHButton.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVEDESK]
    "C:\Program Files\AveDesk\AveDesk.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Installer]
    C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\21315.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PD0620 STISvc]
    RunDLL32.exe P0620Pin.dll,RunDLL32EP 513

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SIDEBAR]
    "C:\Program Files\Desktop Sidebar\dsidebar.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{39e4a80d-231b-4df8-b08e-743efdeb453f}]
    C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{e8207046-f502-0c8d-a695-907c2ca12c90}.dll" DllStart


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{016926EC-A7C2-EB46-0200-040003000402}]
    C:\WINDOWS\System32\RunDLL32.exe



    -- Hosts

    127.0.0.1 www.007guard.com
    127.0.0.1 007guard.com
    127.0.0.1 008i.com
    127.0.0.1 www.008k.com
    127.0.0.1 008k.com
    127.0.0.1 www.00hq.com
    127.0.0.1 00hq.com
    127.0.0.1 010402.com
    127.0.0.1 www.032439.com
    127.0.0.1 032439.com

    8744 more entries in hosts file.


    -- End of Deckard's System Scanner: finished at 2008-06-21 09:31:21

    extra.txt

    Deckard's System Scanner v20071014.68
    Extra logfile - please post this as an attachment with your post.

    -- System Information

    Microsoft Windows XP Home Edition (build 2600) SP 2.0
    Architecture: X86; Language: English

    CPU 0: AMD Athlon(tm) 64 Processor 3200+
    Percentage of Memory in Use: 44%
    Physical Memory (total/avail): 1023.29 MiB / 572.71 MiB
    Pagefile Memory (total/avail): 2458.14 MiB / 2058.41 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1925.82 MiB

    C: is Fixed (NTFS) - 181.33 GiB total, 51.16 GiB free.
    D: is Fixed (FAT32) - 4.96 GiB total, 1.19 GiB free.
    E: is CDROM (No Media)
    F: is CDROM (No Media)
    G: is CDROM (No Media)
    H: is Removable (No Media)
    I: is Removable (No Media)
    J: is Removable (No Media)
    K: is CDROM (UDF)
    L: is CDROM (No Media)
    M: is CDROM (No Media)
    N: is Fixed (NTFS) - 149.05 GiB total, 65.59 GiB free.
    O: is Removable (No Media)
    P: is CDROM (No Media)

    \\.\PHYSICALDRIVE0 - ST3200822A - 186.31 GiB - 2 partitions
    \PARTITION0 - Unknown - 4.97 GiB - D:
    \PARTITION1 (bootable) - Installable File System - 181.33 GiB - C:

    \\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

    \\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

    \\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

    \\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device

    \\.\PHYSICALDRIVE5 - Maxtor OneTouch USB Device - 149.05 GiB - 1 partition
    \PARTITION0 (bootable) - Installable File System - 149.05 GiB - N:



    -- Security Center

    AUOptions is scheduled to auto-install.
    Windows Internal Firewall is enabled.

    AV: CA Anti-Virus v8.1.0.188 (CA, Inc.)

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


    -- Environment Variables

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Owner\Application Data
    CLIENTNAME=Console
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=MYGAMES
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Owner
    LOGONSERVER=\\MYGAMES
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows\services
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 10, AuthenticAMD
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=040a
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
    TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
    USERDOMAIN=MYGAMES
    USERNAME=Owner
    USERPROFILE=C:\Documents and Settings\Owner
    windir=C:\WINDOWS


    -- User Profiles

    Owner (admin)
    Administrator (new local, admin)


    -- Add/Remove Programs

    -->
    -->
    -->
    -->
    -->
    -->
    -->
    -->
    -->
    -->
    -->
    -->
    -->
    -->
    -->
    -->
    -->
    -->
    -->
    -->
    -->
    -->
    -->
    -->
    -->
    -->
    -->
    -->
    -->
    -->
    --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
    --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
    --> c:\WINDOWS\System32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{39DA87A1-0B26-4562-A70C-2A6147366E47}\Setup.exe"
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F765BD0-B900-4EDE-A90B-61C8A9E95C42}\Setup.exe"
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD59025-5B73-4E12-B789-0028C5A573C2}\Setup.exe"
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ADC07715-D995-45EE-8810-0F1A733D580D}\SETUP.EXE" -l0x9
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E5ABA5FD-EE3D-4F15-895D-B32321E6C96B}\setup.exe" -l0x9
    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
    0Spam.com Express --> C:\PROGRA~1\0SPAM~1.COM\UNWISE.EXE C:\PROGRA~1\0SPAM~1.COM\INSTALL.LOG
    1Click Clocksync 2.0 --> "C:\Program Files\1Click Clocksync\unins000.exe"
    2JPEG --> "C:\Program Files\2JPEG\unins000.exe"
    Abexo Free Registry Cleaner --> C:\Program Files\Abexo\afrc\uninst.exe
    Acronis True Image --> MsiExec.exe /X{CA83357B-931E-44DC-AD43-9996FEEB8116}
    Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
    Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
    Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
    Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
    Adobe Reader for Palm OS, 3.05 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Adobe\Adobe Reader for Palm OS\AcroDesk.isu" -c"C:\Program Files\Adobe\Adobe Reader for Palm OS\unpdf.dll"
    Agere Systems PCI Soft Modem --> agrsmdel
    AiO_Scan -->
    AIOMinimal -->
    AiOSoftware -->
    Allok Video Splitter 1.6.4 --> "C:\Program Files\Allok Video Splitter\unins000.exe"
    AltoMP3 Gold 5.06 --> "C:\Program Files\AltoMP3 Gold\unins000.exe"
    Apache HTTP Server 1.3.33 --> MsiExec.exe /I{5D29A4EF-A57F-4F47-89F8-4EB3C5302A53}
    Apache HTTP Server 2.0.52 --> MsiExec.exe /I{3A862C7D-0504-48BC-AEF8-7F7479C7C158}
    Batch Image Resizer 2.79 --> "C:\Program Files\Batch Image Resizer\unins000.exe"
    BitComet 0.70 --> C:\Program Files\BitComet\uninst.exe
    Bus Driver 1.0 --> C:\Program Files\Bus Driver\uninst.exe
    CA Anti-Virus --> "C:\Program Files\CA\CA Internet Security Suite\caunst.exe" /u /product=av
    CameraDrivers -->
    CDCheck --> "C:\Program Files\CDCheck\uninst.exe"
    CDisplay 1.8 --> "C:\Program Files\CDisplay\unins000.exe"
    CDRWIN 5 --> MsiExec.exe /I{9B2B0EAD-2CC7-4589-B3AA-D23BAB724065}
    ClearType Tuning Control Panel Applet --> MsiExec.exe /I{C9E4932C-8417-4E4C-A0E3-EE534810AB4D}
    Copy -->
    Core FTP Lite 1.3b --> C:\PROGRA~1\CoreFTP\UNWISE.EXE C:\PROGRA~1\CoreFTP\INSTALL.LOG
    coverXP (remove only) --> "C:\Program Files\coverXP\cxp-uninst.exe"
    Creative WebCam Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E5ABA5FD-EE3D-4F15-895D-B32321E6C96B}\setup.exe" -l0x9 /remove
    Creative WebCam Instant Driver (1.03.02.0425) --> C:\WINDOWS\CtDrvIns.exe -uninstall -script PD0620.uns -unsext NT -plugin P0620Pin.dll -pluginres CtCamPin.crl
    CreativeProjects -->
    CutePDF Writer 2.3 --> C:\WINDOWS\System32\uninscpw.exe C:\Program Files\
    Darwinia --> C:\WINDOWS\IsUninst.exe -fC:\Games\Darwinia\Uninst.isu
    DeepBurner v1.1.2.137 --> "C:\Program Files\DeepBurner\Uninstall.exe" "C:\Program Files\DeepBurner\install.log"
    Director -->
    DiscJuggler --> MsiExec.exe /I{C3C538E5-524C-4253-AA74-0EEEF34990EA}
    DivX 5.0.2 Bundle --> C:\WINDOWS\unvise32.exe C:\Program Files\DivX\uninstal.log
    DivxToDVD 0.5.1 --> "C:\Program Files\DivxToDVD\unins000.exe"
    DocProc -->
    Documents To Go --> MsiExec.exe /X{EB807EB6-5179-48B7-98D4-7B4934A57A81}
    DriveImage XML --> "C:\Program Files\Runtime Software\DriveImage XML\Uninstall.exe" "C:\Program Files\Runtime Software\DriveImage XML\install.log" -u
    Dup Detector --> C:\WINDOWS\DelPiv.exe C:\Program Files\DupDetector
    DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
    DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
    dvdSanta 3.45 --> "C:\Program Files\dvdSanta\unins000.exe"
    Enhancement Browser Tools Targetedbanner --> C:\WINDOWS\system32\{e8207046-f502-0c8d-a695-907c2ca12c90}.dll-uninst.exe
    EPSON CardMonitor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{109D28C7-FB38-483A-9C91-001CB59E2699}\SETUP.EXE" -l0x9 uninst
    EPSON PhotoQuicker3.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{65F5B7AF-3363-11D7-BB6B-00018021113F}\SETUP.EXE" -l0x9 uninst
    EPSON PhotoStarter3.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C48817E7-AA05-4151-A99D-1E1E550CE801}\SETUP.EXE" -l0x9 uninst
    EPSON Print CD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF477885-5EA8-40D0-ADF3-D4C1B86FAEA4}\SETUP.EXE" -l0x9 -SYSTEM
    EPSON PRINT Image Framer Tool2.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{23B59ED4-C360-11D7-875B-0090CC005647}\SETUP.EXE" -l0x9 anything
    EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /r
    ESPR300 Reference Guide --> C:\Program Files\EPSON\ESPR300\REF_G\DOCUNINS.EXE
    ESPR300 Software Guide --> C:\Program Files\EPSON\ESPR300\PQU_G\DOCUNINS.EXE
    ESPR300 Standalone Guide --> C:\Program Files\EPSON\ESPR300\STA_G\DOCUNINS.EXE
    Fax -->
    Free CD-DA Extractor 4.8 --> C:\WINDOWS\iun6002.exe "C:\Program Files\Free CD-DA Extractor 4.8\irunin.ini"
    Free Download Manager 2.1 --> "C:\Program Files\Free Download Manager\unins000.exe"
    FreeUndelete --> C:\Program Files\FreeUndelete\GLF1D7.exe /handle:fru
    High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
    Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
    HP Deskjet Preloaded Printer Drivers --> MsiExec.exe /X{F419D20A-7719-4639-8E30-C073A040D878}
    HP Image Zone 3.5 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
    HP Image Zone Plus 3.5 --> C:\Program Files\HP\Digital Imaging\{C6C44651-7C66-4b11-92E8-17565D3D22DD}\setup\hpzscr01.exe -datfile hpdscr01.dat
    HP Pavilion PC Help --> C:\PROGRA~1\HPPAVI~1\UNWISE.EXE C:\PROGRA~1\HPPAVI~1\INSTALL.LOG
    HP Photo & Imaging 3.5 - HP Devices --> C:\Program Files\HP\Digital Imaging\{15B9DC72-73F9-4d99-9E28-848D66DA8D99}\setup\hpzscr01.exe -datfile hpiscr01.dat
    HP PSC & OfficeJet 3.5 --> "C:\Program Files\HP\Digital Imaging\{0FABD3D7-3036-4e78-B29D-58957ADB0A12}\setup\hpzscr01.exe" -datfile hposcr03.dat
    HP Software Update --> MsiExec.exe /X{34957B51-9676-41CE-9E52-44AE91B73F1C}
    hpg2436 -->
    hpg3970 -->
    hpg4600 -->
    hpg5530 -->
    hpg8200 -->
    HPIZ350 --> MsiExec.exe /X{F247869D-3643-4A9F-821B-3534145928E3}
    HPIZFix3 -->
    hpmdtab -->
    HpSdpAppCoreApp -->
    HPSystemDiagnostics -->
    InstantShare -->
    Internet Explorer Q903235 --> C:\WINDOWS\ieuninst.exe C:\WINDOWS\INF\Q903235.inf
    InterVideo WinDVD Creator 2 --> "C:\Program Files\InstallShield Installation Information\{2FCE4FC5-6930-40E7-A4F1-F862207424EF}\setup.exe" REMOVEALL
    InterVideo WinDVD Player --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
    ISO Recorder --> MsiExec.exe /I{0F6A7971-0F11-4A79-A0E9-133D0963A570}
    iTunes -->
    iTunes --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BE20E2F5-1903-4AAE-B1AF-2046E586C925}
    J2SE Runtime Environment 5.0 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150000}
    J2SE Runtime Environment 5.0 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
    J2SE Runtime Environment 5.0 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
    J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
    Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
    Java(TM) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
    jetAudio VX for X5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DF8195AF-8E6F-4487-A0EE-196F7E3F4B8A}\setup.exe" -l0x9 -removeonly
    JetShell for iAUDIO X5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{55713865-2265-49E8-93C2-B994DE70FBBB}\setup.exe" -l0x9
    KBD --> C:\HP\KBD\KBD.EXE uninstalled
    Konfabulator --> MsiExec.exe /X{4EE339E6-60B2-4031-86BA-2ABDD454C76B}
    Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
    Magic ISO Maker v5.4 (build 0251) --> C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
    MdbToMySQL XP --> MsiExec.exe /I{C9E855CA-0870-4EE5-861D-17A7156E7442}
    Memories Disc Creator 2.0 --> MsiExec.exe /X{2E132061-C78A-48D4-A899-1D13B9D189FA}
    Microsoft AntiSpyware --> MsiExec.exe /I{536F7C74-844B-4683-B0C5-EA39E19A6FE3}
    Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
    Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
    Microsoft Office PowerPoint Viewer 2003 --> MsiExec.exe /X{90AF0409-6000-11D3-8CFE-0150048383C9}
    Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
    Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
    Microsoft Word 2002 --> MsiExec.exe /I{911B0409-6000-11D3-8CFE-0050048383C9}
    Microsoft Works --> MsiExec.exe /I{B9966F27-9678-4620-9579-925E3084647E}
    Microsoft Works 2004 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2004\Setup\Launcher.exe /ARP F:\
    Microsoft Works Suite Add-in for Microsoft Word --> MsiExec.exe /I{33BEE6F3-9987-4F98-A069-97A64EC8321A}
    Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
    Mozilla Thunderbird (0.8) --> C:\WINDOWS\UninstallThunderbird.exe /ua "0.8 (en)"
    MP3 Audio Converter --> "C:\Program Files\MP3 Audio Converter\unins000.exe"
    MP3 Splitter --> "C:\Program Files\mp3split\unins000.exe"
    MP3 Workshop 1.2 --> "C:\Program Files\MP3 Workshop\unins000.exe"
    MySQL Connector/ODBC 3.51 --> MsiExec.exe /I{0CB3C535-1171-4A20-B549-E2CB5DEB9723}
    Nero 6 Enterprise Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
    NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
    O-Card --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\OCARDG.INF, DefaultUninstall.ntx86
    ObjectDock --> C:\PROGRA~1\Stardock\OBJECT~2\UNWISE.EXE C:\PROGRA~1\Stardock\OBJECT~2\INSTALL.LOG
    OpenOffice.org 2.0 --> MsiExec.exe /I{76BB7B2D-748F-4AE9-89C3-78C051833EA1}
    OpenTTD 0.4.8.0 --> C:\Games\OpenTTD\uninstall.exe
    Overland -->
    Paint Shop Pro 7 Anniversary Edition --> MsiExec.exe /I{D6DE02C7-1F47-11D4-9515-00105AE4B89A}
    Palm --> MsiExec.exe /X{ADAED43C-BBD9-42C5-8B21-F4FBFA81E3C3}
    PC-Doctor for Windows --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F7CCFA3-D926-4882-B2A5-A0217ED25597}\Setup.exe"
    PeerGuardian 2.0 --> "C:\Program Files\PeerGuardian2\unins000.exe"
    PhotoGallery -->
    Photosmart 140,240,7200,7600,7700,7900 Series --> C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\setup\hpzscr01.exe -datfile hphscr01.dat
    PHP 4.1.1 --> C:\WINDOWS\system32\UNWISE.EXE C:\WINDOWS\system32\INSTALL.LOG
    PIF DESIGNER2.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{23B59B9F-C360-11D7-875B-0090CC005647}\SETUP.EXE" -l0x9 anything
    PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
    PrintScreen -->
    PS2 --> C:\WINDOWS\system32\ps2.exe uninstall
    PSShortcutsP -->
    Python 2.2 combined Win32 extensions --> C:\Python22\Lib\SITE-P~1\UNWISE~1.EXE C:\Python22\Lib\SITE-P~1\w32inst.log
    Python 2.2.1 --> C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
    QFolder -->
    QuickProjects -->
    QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
    Readme -->
    RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
    RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
    Rename-It! --> C:\Program Files\Rename-It!\Uninst.exe
    Retrospect 6.0 --> MsiExec.exe /I{C4354214-B919-4C8F-84EB-4F9B84ACC02C}
    Scan -->
    ScanToWeb --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EBAE381B-60A6-4863-AA9F-FCAB755BC9E5}\SETUP.EXE" ADDREMOVEDLG
    Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
    Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
    SkinsHP1 -->
    SkinsHP2 -->
    Skype 2.5 --> "C:\Program Files\Skype\Phone\unins000.exe"
    SkypeMate --> "C:\Program Files\SkypeMate\uninstall.exe"
    Spam Arrest --> C:\Program Files\Spam Arrest\uninst.exe
    Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
    Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
    Steam(TM) --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
    SyncBack --> "C:\Program Files\SyncBack\unins000.exe"
    System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe
    Tag&Rename 3.2 --> "C:\Program Files\TagRename\unins000.exe"
    TextPad 4.7 --> MsiExec.exe /X{B510A987-487E-4C66-9F4F-D386AC275715}
    Theme Hospital --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Bullfrog\Hospital\DeIsL1.isu"
    TMPGEnc DVD Author 1.5 --> MsiExec.exe /I{49062DAB-7009-4EBD-903A-830B283407C4}
    Totally MAD --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Totally MAD\DeIsL1.isu"
    TrayApp -->
    TreeSize Professional 3.3 --> "C:\Program Files\TreeSize Professional\unins000.exe"
    Trillian --> C:\Program Files\Trillian\trillian.exe /uninstall
    Tweak UI --> "C:\WINDOWS\System32\mshta.exe" "res://C:\WINDOWS\System32\TweakUI.exe/uninstall.hta"
    Unload -->
    Unlocker 1.8.5 --> C:\Program Files\Unlocker\uninst.exe
    Uplink --> C:\WINDOWS\IsUninst.exe -fC:\Games\Uplink\Uninst.isu
    USB 2.0 Setup program --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\VIA Technologies, INC.\USB 2.0 Setup program\Uninst.isu"
    USB Storage Adapter FX (MXO) --> MXOun.exe MXOFX
    Video mp3 Extractor --> "C:\Program Files\Video mp3 Extractor\unins000.exe"
    VideoLAN VLC media player 0.8.6c --> C:\Program Files\VideoLAN\VLC\uninstall.exe
    WebCam Instant Product Registration --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ADC07715-D995-45EE-8810-0F1A733D580D}\SETUP.EXE" -l0x9 /remove
    WebFldrs XP -->
    WebReg -->
    WinAVI VideoConverter --> "C:\Program Files\WinAVI VideoConverter\unins000.exe"
    Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
    WinHTTrack Website Copier 3.30 --> "C:\Program Files\WinHTTrack\unins000.exe"
    WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
    Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
    YP-T4 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3ABD162C-44D1-42E2-ACAD-C6065F3D1295}\Setup.exe" -l0x9
    ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe
    Zuma Deluxe RA --> C:\PROGRA~1\ZUMADE~1\UNWISE.EXE C:\PROGRA~1\ZUMADE~1\INSTALL.LOG
    ZX Spectrum Emulator 2.00.04.04 (beta) --> C:\Games\ZXSPEC~1\UNZX32.EXE C:\Games\ZXSPEC~1\INSTALL.LOG


    -- Application Event Log

    Event Record #/Type8574 / Error
    Event Submitted/Written: 06/21/2008 09:16:08 AM
    Event ID/Source: 3299 / Apache Service
    Event Description:
    The Apache service named reported the following error:
    >>> Unable to open logs .

    Event Record #/Type8573 / Error
    Event Submitted/Written: 06/21/2008 09:16:08 AM
    Event ID/Source: 3299 / Apache Service
    Event Description:
    The Apache service named reported the following error:
    >>> no listening sockets available, shutting down .

    Event Record #/Type8572 / Error
    Event Submitted/Written: 06/21/2008 09:16:08 AM
    Event ID/Source: 3299 / Apache Service
    Event Description:
    The Apache service named reported the following error:
    >>> (OS 10048)Only one usage of each socket address (protocol/network address/port) is normally permitted. : make_sock: could not bind to address 0.0.0.0:80 .

    Event Record #/Type8568 / Error
    Event Submitted/Written: 06/21/2008 03:15:37 AM
    Event ID/Source: 3299 / Apache Service
    Event Description:
    The Apache service named reported the following error:
    >>> Unable to open logs .

    Event Record #/Type8567 / Error
    Event Submitted/Written: 06/21/2008 03:15:37 AM
    Event ID/Source: 3299 / Apache Service
    Event Description:
    The Apache service named reported the following error:
    >>> no listening sockets available, shutting down .



    -- Security Event Log

    No Errors/Warnings found.


    -- System Event Log

    Event Record #/Type48881 / Warning
    Event Submitted/Written: 06/21/2008 09:29:04 AM
    Event ID/Source: 51 / Disk
    Event Description:
    An error was detected on device \Device\Harddisk5\D during a paging operation.

    Event Record #/Type48880 / Warning
    Event Submitted/Written: 06/21/2008 09:23:06 AM
    Event ID/Source: 51 / Disk
    Event Description:
    An error was detected on device \Device\Harddisk5\D during a paging operation.

    Event Record #/Type48877 / Error
    Event Submitted/Written: 06/21/2008 09:21:17 AM
    Event ID/Source: 7023 / Service Control Manager
    Event Description:
    The Computer Browser service terminated with the following error:
    %%1460

    Event Record #/Type48862 / Error
    Event Submitted/Written: 06/21/2008 09:16:15 AM
    Event ID/Source: 7023 / Service Control Manager
    Event Description:
    The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error:
    %%10047

    Event Record #/Type48861 / Error
    Event Submitted/Written: 06/21/2008 09:16:15 AM
    Event ID/Source: 7024 / Service Control Manager
    Event Description:
    The Apache2 service terminated with service-specific error 1 (0x1).



    -- End of Deckard's System Scanner: finished at 2008-06-21 09:31:21


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Bit of work to do

    Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum.




    First, Download LSPFix.exe to a convenient location. Do NOT run this program. This is only to be used if you lose Internet Access after removing NewDotNet.

    To Get rid of NewDotNet, go to:

    Start > Control Panel > Add or Remove Programs and remove the following:

    New.Net Applications or New.Net Domains (anything that says New.Net)

    If it is not there, go here and follow Procedure 4: NewDotNet Removal Procedure 4.

    In the event that you lose Internet access after removing New.Net, please double-click LSPFix.exe that you downloaded earlier. Check the "I know what I'm doing" button. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-side, leave it as is and just click "Finish>>" then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove Panel", do NOT do anything - just close the program. You will need to use another computer to come back here for further instructions on what to do.



    Then reboot and post a new DSS log


  • Registered Users, Registered Users 2 Posts: 4,475 ✭✭✭corblimey


    sdfix report.txt

    SDFix: Version 1.195
    Run by Administrator on 21/06/2008 at 15:13

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\sdfix\SDFix

    Checking Services :


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting


    Checking Files :

    Trojan Files Found:

    C:\Temp\1cb\syscheck.log - Deleted
    C:\WINDOWS\system32\netrax06\netrax061083.exe - Deleted
    C:\WINDOWS\ctfmon32.exe - Deleted
    C:\WINDOWS\ctrlpan.dll - Deleted
    C:\WINDOWS\directx32.exe - Deleted
    C:\WINDOWS\dnsrelay.dll - Deleted
    C:\WINDOWS\editpad.exe - Deleted
    C:\WINDOWS\explore.exe - Deleted
    C:\WINDOWS\explorer32.exe - Deleted
    C:\WINDOWS\funniest.exe - Deleted
    C:\WINDOWS\funny.exe - Deleted
    C:\WINDOWS\gfmnaaa.dll - Deleted
    C:\WINDOWS\helpcvs.exe - Deleted
    C:\WINDOWS\inetinf.exe - Deleted
    C:\WINDOWS\internet.exe - Deleted
    C:\WINDOWS\msconfd.dll - Deleted
    C:\WINDOWS\msspi.dll - Deleted
    C:\WINDOWS\mswsc10.dll - Deleted
    C:\WINDOWS\mswsc20.dll - Deleted
    C:\WINDOWS\qttasks.exe - Deleted
    C:\WINDOWS\quicken.exe - Deleted
    C:\WINDOWS\rundll16.exe - Deleted
    C:\WINDOWS\rundll32.vbe - Deleted
    C:\WINDOWS\searchword.dll - Deleted
    C:\WINDOWS\sistem.exe - Deleted
    C:\WINDOWS\svchost32.exe - Deleted
    C:\WINDOWS\svcinit.exe - Deleted
    C:\WINDOWS\system32\hljwugsf.bin - Deleted
    C:\WINDOWS\system32\msupdte.exe - Deleted
    C:\WINDOWS\system32\pac.txt - Deleted
    C:\WINDOWS\time.exe - Deleted



    Folder C:\Temp\1cb - Removed
    Folder C:\WINDOWS\system32\netrax06 - Removed


    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-21 15:21:35
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
    "s0"=dword:96d8261a
    "s1"=dword:e315ec7d
    "s2"=dword:b487de71
    "h0"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "p0"="C:\Program Files\DAEMON Tools\"
    "h0"=dword:00000000
    "khjeh"=hex:2b,67,e9,6b,f4,d7,70,70,71,b7,b8,f5,f8,c3,4c,5e,c8,7b,e9,9e,92,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "a0"=hex:20,01,00,00,47,82,b8,73,4c,77,7a,71,0b,2e,53,81,d9,83,d7,1b,19,..
    "khjeh"=hex:b9,51,61,c7,83,88,92,2b,6d,6d,fd,22,96,62,94,fe,ef,48,2c,36,b4,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh"=hex:36,7c,ce,f5,47,66,6d,83,df,54,78,6b,da,21,f7,18,5c,3b,c6,54,b7,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
    "khjeh"=hex:32,ff,1d,2b,b4,e2,14,ff,a2,1b,4a,bb,23,ca,9a,f5,8f,cc,e6,58,1b,..
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "p0"="C:\Program Files\DAEMON Tools\"
    "h0"=dword:00000000
    "khjeh"=hex:2b,67,e9,6b,f4,d7,70,70,71,b7,b8,f5,f8,c3,4c,5e,c8,7b,e9,9e,92,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "a0"=hex:20,01,00,00,47,82,b8,73,4c,77,7a,71,0b,2e,53,81,d9,83,d7,1b,19,..
    "khjeh"=hex:b9,51,61,c7,83,88,92,2b,6d,6d,fd,22,96,62,94,fe,ef,48,2c,36,b4,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh"=hex:36,7c,ce,f5,47,66,6d,83,df,54,78,6b,da,21,f7,18,5c,3b,c6,54,b7,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
    "khjeh"=hex:32,ff,1d,2b,b4,e2,14,ff,a2,1b,4a,bb,23,ca,9a,f5,8f,cc,e6,58,1b,..
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "p0"="C:\Program Files\DAEMON Tools\"
    "h0"=dword:00000000
    "khjeh"=hex:2b,67,e9,6b,f4,d7,70,70,71,b7,b8,f5,f8,c3,4c,5e,c8,7b,e9,9e,92,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "a0"=hex:20,01,00,00,47,82,b8,73,4c,77,7a,71,0b,2e,53,81,d9,83,d7,1b,19,..
    "khjeh"=hex:19,13,5f,1a,0a,23,c8,59,02,be,1e,70,1f,c8,42,38,67,b4,13,74,69,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh"=hex:8c,8a,1a,78,7a,ba,9b,01,35,03,8b,ea,50,a4,60,8b,b7,9a,ad,82,6f,..

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :




    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    Remaining Files :


    File Backups: - C:\sdfix\SDFix\backups\backups.zip

    Files with Hidden Attributes :

    Sat 9 Oct 2004 196 A.SHR --- "C:\BOOT.BAK"
    Thu 19 Jun 2008 14,336 A..H. --- "C:\Documents and Settings\Owner\runSetup.exe"
    Thu 19 Jun 2008 8,784 A..H. --- "C:\Documents and Settings\Owner\runUpdater.exe"
    Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
    Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
    Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
    Fri 11 Feb 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Sat 23 Feb 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
    Fri 9 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT3.tmp"

    Finished!

    ===========================================

    dss main.txt

    Deckard's System Scanner v20071014.68
    Run by Owner on 2008-06-21 15:35:07
    Computer is in Normal Mode.



    -- HijackThis Clone


    Emulating logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2008-06-21 15:35:37
    Platform: Windows XP Service Pack 2 (5.01.2600)
    MSIE: Internet Explorer (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Apache Group\Apache\Apache.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Apache Group\Apache\Apache.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Dantz\Retrospect\retrorun.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\vetmsg.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    C:\WINDOWS\system\hpsysdrv.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Java\jre1.5.0\bin\jucheck.exe
    C:\WINDOWS\system32\hphmon05.exe
    C:\hp\KBD\kbd.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I0F2.EXE
    C:\WINDOWS\ALCXMNTR.EXE
    C:\WINDOWS\MXOALDR.EXE
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\cavrid.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\0Spam.com Express\Express.exe
    C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\PowerISO\SCDEmuApp.exe
    C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\PeerGuardian2\pg2.exe
    C:\Program Files\Creative\Shared Files\CamTray.exe
    C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    C:\Program Files\Palm\Hotsync.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.0\program\soffice.bin
    C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    C:\Documents and Settings\Owner\Desktop\dss.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_IE&c=Q304&bd=pavilion&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mgdd.net/bookmarx/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.easydivx.org/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_IE&c=Q304&bd=pavilion&pf=desktop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_IE&c=Q304&bd=pavilion&pf=desktop
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: targetedbanner browser optimizer - {93f08f4b-84f8-b5d1-0d50-43475d0a9bf2} - C:\WINDOWS\system32\{e8207046-f502-0c8d-a695-907c2ca12c90}.dll
    O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
    O2 - BHO: O-Card Utility - {B88D6F42-A1AC-11D3-8424-00105A9B8D85} - C:\WINDOWS\system32\oichlpr.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: (no name) - - (no file)
    O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [0Spam.com Express] C:\Program Files\0Spam.com Express\Express.exe /silent
    O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [SCDEmuApp.exe] C:\Program Files\PowerISO\SCDEmuApp.exe
    O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
    O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\Active Desktop Calendar\ADC.exe
    O4 - HKCU\..\Run: [1Click Clocksync] "C:\Program Files\1Click Clocksync\clocksync.exe" /auto /auto /auto
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
    O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
    O4 - HKCU\..\RunServices: [0Spam.com Express] C:\Program Files\0Spam.com Express\Express.exe /silent
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - Startup: AutorunsDisabled
    O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Broken Internet access because of LSP provider 'C:\Program Files\NewDotNet\newdotnet6_38.dll' missing
    O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\POP3Intercept_lsp.dll
    O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{5E31CEAC-E29F-4EC7-9B16-FAE44AC1D383}: NameServer = 192.168.11.1,63.218.52.35
    O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
    O21 - SSODL: bedmbyjs - {550ed115-e3ca-44da-8395-e94936f3ea5c} - C:\Documents and Settings\All Users\Application Data\bedmbyjs.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe
    O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Group\Apache2\bin\Apache.exe
    O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
    O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\vetmsg.exe


    --
    End of file - 11308 bytes

    -- Files created between 2008-05-21 and 2008-06-21

    2008-06-21 15:08:00 0 d
    C:\WINDOWS\ERUNT
    2008-06-21 08:38:18 0 dr
    C:\Documents and Settings\Administrator\Favorites
    2008-06-21 08:38:18 0 d
    C:\Documents and Settings\Administrator\Desktop
    2008-06-21 08:38:18 0 d---s---- C:\Documents and Settings\Administrator\Cookies
    2008-06-21 08:38:18 0 dr-h
    C:\Documents and Settings\Administrator\Application Data
    2008-06-21 08:38:18 0 d
    C:\Documents and Settings\Administrator\Application Data\Symantec
    2008-06-21 08:38:18 0 d
    C:\Documents and Settings\Administrator\Application Data\Sun
    2008-06-21 08:38:18 0 d
    C:\Documents and Settings\Administrator\Application Data\SampleView
    2008-06-21 08:38:18 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
    2008-06-21 08:38:18 0 d
    C:\Documents and Settings\Administrator\Application Data\Intervideo
    2008-06-21 08:38:18 0 d
    C:\Documents and Settings\Administrator\Application Data\Identities
    2008-06-21 08:38:17 0 d
    C:\Documents and Settings\Administrator\WINDOWS
    2008-06-21 08:38:17 0 d--h
    C:\Documents and Settings\Administrator\Templates
    2008-06-21 08:38:17 0 dr
    C:\Documents and Settings\Administrator\Start Menu
    2008-06-21 08:38:17 0 dr-h
    C:\Documents and Settings\Administrator\SendTo
    2008-06-21 08:38:17 0 dr-h
    C:\Documents and Settings\Administrator\Recent
    2008-06-21 08:38:17 0 d--h
    C:\Documents and Settings\Administrator\PrintHood
    2008-06-21 08:38:17 0 d--h
    C:\Documents and Settings\Administrator\NetHood
    2008-06-21 08:38:17 0 dr
    C:\Documents and Settings\Administrator\My Documents
    2008-06-21 08:38:17 0 d--h
    C:\Documents and Settings\Administrator\Local Settings
    2008-06-21 08:38:16 2097152 --ah
    C:\Documents and Settings\Administrator\NTUSER.DAT
    2008-06-20 07:47:12 691545 --a
    C:\WINDOWS\unins000.exe
    2008-06-20 07:47:12 2542 --a
    C:\WINDOWS\unins000.dat
    2008-06-19 21:54:36 14336 --ah
    C:\Documents and Settings\Owner\runSetup.exe
    2008-06-19 21:14:59 0 d
    C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-06-19 20:49:44 0 d
    C:\Documents and Settings\Owner\Application Data\uTorrent
    2008-06-19 20:49:30 0 d
    C:\WINDOWS\system32\wH1
    2008-06-19 20:49:30 0 d
    C:\WINDOWS\system32\mI5
    2008-06-19 20:49:02 122880 --a
    C:\Documents and Settings\All Users\Application Data\bedmbyjs.dll
    2008-06-19 20:47:47 0 d
    C:\Program Files\uTorrent
    2008-06-19 20:46:40 8784 --ah
    C:\Documents and Settings\Owner\runUpdater.exe
    2008-06-17 08:14:37 0 d
    C:\Program Files\Airport Mania
    2008-06-17 08:14:25 0 d
    C:\Program Files\ReflexiveArcade
    2008-06-10 21:36:45 191 --a
    C:\WINDOWS\setuplog
    2008-05-26 17:02:42 364544 --a
    C:\WINDOWS\system32\{e8207046-f502-0c8d-a695-907c2ca12c90}.dll


    -- Find3M Report

    2008-06-21 15:28:35 0 d
    C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
    2008-06-21 15:27:55 0 d
    C:\Program Files\Microsoft AntiSpyware
    2008-06-21 15:04:02 0 d
    C:\Documents and Settings\Owner\Application Data\Skype
    2008-06-19 21:52:02 0 d
    C:\Documents and Settings\Owner\Application Data\Free Download Manager
    2008-06-19 21:15:01 0 d
    C:\Program Files\Lavasoft
    2008-06-19 21:13:17 0 d
    C:\Program Files\Common Files\Wise Installation Wizard
    2008-06-19 18:18:06 18500 --a
    C:\Documents and Settings\Owner\Application Data\wklnhst.dat
    2008-06-10 21:36:46 0 d--h
    C:\Program Files\InstallShield Installation Information
    2008-06-10 21:35:19 0 d
    C:\Documents and Settings\Owner\Application Data\Creative
    2008-06-10 21:35:06 0 d
    C:\Program Files\Creative
    2008-06-10 07:29:56 0 d
    C:\Documents and Settings\Owner\Application Data\AdobeUM
    2008-06-08 17:27:54 0 d
    C:\Program Files\National Lampoon's University Tycoon
    2008-05-13 21:24:02 0 d
    C:\Program Files\Bullfrog
    2008-05-10 15:28:19 41632 --a
    C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
    2008-05-10 09:06:02 0 d
    C:\Program Files\BoontyGames
    2008-05-09 19:31:51 0 d
    C:\Program Files\PeerGuardian2
    2008-05-08 19:26:53 0 d
    C:\Program Files\Common Files
    2008-05-06 21:31:59 10 --a
    C:\WINDOWS\popcinfo.dat
    2008-05-05 23:19:11 0 d
    C:\Program Files\DOSBox-0.72
    2008-05-05 00:01:20 0 d
    C:\Program Files\Zuma Deluxe
    2008-04-22 20:35:14 0 d
    C:\Program Files\Palm


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{93f08f4b-84f8-b5d1-0d50-43475d0a9bf2}]
    26/05/2008 17:02 364544 --a
    C:\WINDOWS\system32\{e8207046-f502-0c8d-a695-907c2ca12c90}.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0\bin\jusched.exe" [21/12/2004 22:10]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [07/05/1998 17:04]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [22/12/2003 16:38]
    "HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [21/08/2003 04:23]
    "HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [21/08/2003 04:15]
    "KBD"="C:\HP\KBD\KBD.EXE" [11/02/2003 21:02]
    "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [14/04/2004 21:43]
    "AGRSMMSG"="AGRSMMSG.exe" [29/06/2004 10:06 C:\WINDOWS\AGRSMMSG.exe]
    "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [29/06/2007 00:43]
    "nwiz"="nwiz.exe" [29/06/2007 00:43 C:\WINDOWS\system32\nwiz.exe]
    "EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.exe" [11/09/2003 04:00]
    "AlcxMonitor"="ALCXMNTR.EXE" [07/09/2004 14:47 C:\WINDOWS\ALCXMNTR.EXE]
    "gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [15/11/2005 13:12]
    "MXO Auto Loader"="C:\WINDOWS\MXOALDR.EXE" [07/04/2003 19:09]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50]
    "CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [08/09/2007 02:32]
    "0Spam.com Express"="C:\Program Files\0Spam.com Express\Express.exe" [22/02/2005 22:33]
    "TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe" [28/11/2005 15:02]
    "Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [28/11/2005 15:02]
    "VTTimer"="VTTimer.exe" []
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/01/2005 00:46]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [10/12/2005 15:57]
    "SCDEmuApp.exe"="C:\Program Files\PowerISO\SCDEmuApp.exe" [16/10/2005 02:15]
    "cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [08/09/2007 02:32]
    "UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [07/09/2006 18:19]
    "KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
    "PS2"="C:\WINDOWS\system32\ps2.exe" [16/10/2002 17:57]
    "NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [29/06/2007 00:43]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BackupNotify"="c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" [09/01/2004 02:34]
    "Active Desktop Calendar"="C:\Program Files\Active Desktop Calendar\ADC.exe" []
    "1Click Clocksync"="C:\Program Files\1Click Clocksync\clocksync.exe" [07/04/2005 20:08]
    "PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [18/09/2005 18:40]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [30/03/2006 16:45]
    "Creative WebCam Tray"="C:\Program Files\Creative\Shared Files\CamTray.exe" [27/10/2005 19:00]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices]
    "0Spam.com Express"=C:\Program Files\0Spam.com Express\Express.exe /silent

    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
    OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [23/09/2005 14:36:42]
    Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [30/05/2005 00:07:04]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 22:05:26]
    DataViz Inc Messenger.lnk - C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [04/01/2008 17:03:16]
    HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [09/06/2004 15:27:34]
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [16/09/2003 13:19:24]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 02:01:04]
    Monitor Apache Servers.lnk - C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe [23/09/2004 17:18:46]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "bedmbyjs"= {550ed115-e3ca-44da-8395-e94936f3ea5c} - C:\Documents and Settings\All Users\Application Data\bedmbyjs.dll [19/06/2008 20:49 122880]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 relog_ap

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @=&quot;Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @=&quot;Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @=&quot;Volume shadow copy"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ORB.lnk]
    backup=C:\WINDOWS\pss\ORB.lnkCommon Startup
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ORB.lnk

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton]
    C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBS4\plugin\bin\PCHButton.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVEDESK]
    "C:\Program Files\AveDesk\AveDesk.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Installer]
    C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\21315.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PD0620 STISvc]
    RunDLL32.exe P0620Pin.dll,RunDLL32EP 513

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SIDEBAR]
    "C:\Program Files\Desktop Sidebar\dsidebar.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{39e4a80d-231b-4df8-b08e-743efdeb453f}]
    C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{e8207046-f502-0c8d-a695-907c2ca12c90}.dll" DllStart

    *Newly Created Service* - PGFILTER

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{016926EC-A7C2-EB46-0200-040003000402}]
    C:\WINDOWS\System32\RunDLL32.exe



    -- End of Deckard's System Scanner: finished at 2008-06-21 15:36:36


  • Registered Users, Registered Users 2 Posts: 4,475 ✭✭✭corblimey


    I don't have any New.Net apps in my program list. I also don't have a floppy disk or indeed a drive to attempt removal procedure 4 on the link you supplied.

    ETA: I just noticed that after rebooting, I get niether the extraneous cmd.exe process or the 17pholmes open attempt, so that's good, but I'm sure there's more to be done?


  • Advertisement
  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Bit more

    A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.
    1. Please download LSPFix from here.
    2. Run the LSPFix.exe that you have just finished downloading.
    3. Check the I know what I'm doing box.
    4. In the Keep box you should see one or more instances of C:\Program Files\NewDotNet\newdotnet6_38.dll and C:\WINDOWS\system32\POP3Intercept_lsp.dll
    5. Select every instance of newdotnet6_38.dll and POP3Intercept_lsp.dll and move each one to the Remove box by clicking the >> button.
    6. When you are done click Finish>>.




    1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: targetedbanner browser optimizer - {93f08f4b-84f8-b5d1-0d50-43475d0a9bf2} - C:\WINDOWS\system32\{e8207046-f502-0c8d-a695-907c2ca12c90}.dll
    O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: (no name) - - (no file)
    O21 - SSODL: bedmbyjs - {550ed115-e3ca-44da-8395-e94936f3ea5c} - C:\Documents and Settings\All Users\Application Data\bedmbyjs.dll


    2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.





    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      [kill explorer]
      C:\WINDOWS\system32\wH1
      C:\WINDOWS\system32\mI5
      C:\Documents and Settings\All Users\Application Data\bedmbyjs.dll
      C:\Documents and Settings\Owner\runUpdater.exe
      C:\WINDOWS\system32\{e8207046-f502-0c8d-a695-907c2ca12c90}.dll
      C:\Program Files\BoontyGames
      C:\WINDOWS\popcinfo.dat
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Installer
      C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{39e4a80d-231b-4df8-b08e-743efdeb453f}
      C:\WINDOWS\system32\{e8207046-f502-0c8d-a695-907c2ca12c90}.dll
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{016926EC-A7C2-EB46-0200-040003000402}
      C:\Program Files\NewDotNet
      C:\WINDOWS\system32\POP3Intercept_lsp.dll
      HKEY_CLASSES_ROOT\CLSID\{39e4a80d-231b-4df8-b08e-743efdeb453f}
      HKEY_CLASSES_ROOT\CLSID\{016926EC-A7C2-EB46-0200-040003000402}
      purity 
      EmptyTemp
      [start explorer]
      
    • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt2
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




    Reboot and post a new DSS log


  • Registered Users, Registered Users 2 Posts: 4,475 ✭✭✭corblimey


    (Thanks for your continued help, btw, much appreciated)

    I ran lspfix, and there were no NewDotNet instances in the Keep box, but the ones you mention were already on the Remove side, so I went ahead and got rid.

    Got HijackThis to fix the problems you listed - they were all there except the O3 - Toolbar: (no name) - - (no file) one.

    OTMoveIt2 log

    Explorer killed successfully
    C:\WINDOWS\system32\wH1 moved successfully.
    C:\WINDOWS\system32\mI5 moved successfully.
    C:\Documents and Settings\All Users\Application Data\bedmbyjs.dll unregistered successfully.
    C:\Documents and Settings\All Users\Application Data\bedmbyjs.dll moved successfully.
    C:\Documents and Settings\Owner\runUpdater.exe moved successfully.
    File/Folder C:\WINDOWS\system32\{e8207046-f502-0c8d-a695-907c2ca12c90}.dll not found.
    C:\Program Files\BoontyGames\Components moved successfully.
    C:\Program Files\BoontyGames moved successfully.
    C:\WINDOWS\popcinfo.dat moved successfully.
    < HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Installer >
    Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Installer\\ deleted successfully.
    C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc moved successfully.
    < HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{39e4a80d-231b-4df8-b08e-743efdeb453f} >
    Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{39e4a80d-231b-4df8-b08e-743efdeb453f}\\ deleted successfully.
    File/Folder C:\WINDOWS\system32\{e8207046-f502-0c8d-a695-907c2ca12c90}.dll not found.
    < HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{016926EC-A7C2-EB46-0200-040003000402} >
    Registry key HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{016926EC-A7C2-EB46-0200-040003000402}\\ deleted successfully.
    File/Folder C:\Program Files\NewDotNet not found.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\POP3Intercept_lsp.dll
    C:\WINDOWS\system32\POP3Intercept_lsp.dll NOT unregistered.
    C:\WINDOWS\system32\POP3Intercept_lsp.dll moved successfully.
    < HKEY_CLASSES_ROOT\CLSID\{39e4a80d-231b-4df8-b08e-743efdeb453f} >
    Registry key HKEY_CLASSES_ROOT\CLSID\{39e4a80d-231b-4df8-b08e-743efdeb453f}\\ not found.
    < HKEY_CLASSES_ROOT\CLSID\{016926EC-A7C2-EB46-0200-040003000402} >
    Registry key HKEY_CLASSES_ROOT\CLSID\{016926EC-A7C2-EB46-0200-040003000402}\\ not found.
    < purity >
    < EmptyTemp >
    File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF2C9C.tmp scheduled to be deleted on reboot.
    File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF3915.tmp scheduled to be deleted on reboot.
    File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF564C.tmp scheduled to be deleted on reboot.
    File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF6128.tmp scheduled to be deleted on reboot.
    File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFA5D.tmp scheduled to be deleted on reboot.
    Temp folders emptied.
    IE temp folders emptied.
    Explorer started successfully

    OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06212008_174319

    Files moved on Reboot...
    C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF2C9C.tmp moved successfully.
    C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF3915.tmp moved successfully.
    C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF564C.tmp moved successfully.
    C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF6128.tmp moved successfully.
    C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFA5D.tmp moved successfully.


    DSS main.txt

    Deckard's System Scanner v20071014.68
    Run by Owner on 2008-06-21 18:07:35
    Computer is in Normal Mode.



    -- HijackThis (run as Owner.exe)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:08:55, on 21/06/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Apache Group\Apache\Apache.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Apache Group\Apache\Apache.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\UAService7.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Java\jre1.5.0\bin\jucheck.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
    C:\WINDOWS\ALCXMNTR.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\MXOALDR.EXE
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\0Spam.com Express\Express.exe
    C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\PowerISO\SCDEmuApp.exe
    C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\PeerGuardian2\pg2.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Creative\Shared Files\CamTray.exe
    C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    C:\Program Files\Palm\Hotsync.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Owner\Desktop\dss.exe
    C:\DOCUME~1\Owner\Desktop\Owner.exe
    C:\WINDOWS\system32\NOTEPAD.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_IE&c=Q304&bd=pavilion&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mgdd.net/bookmarx/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_IE&c=Q304&bd=pavilion&pf=desktop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_IE&c=Q304&bd=pavilion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.easydivx.org/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: O-Card Utility - {B88D6F42-A1AC-11D3-8424-00105A9B8D85} - C:\WINDOWS\System32\oichlpr.dll
    O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [0Spam.com Express] C:\Program Files\0Spam.com Express\Express.exe /silent
    O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [SCDEmuApp.exe] C:\Program Files\PowerISO\SCDEmuApp.exe
    O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
    O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\Active Desktop Calendar\ADC.exe
    O4 - HKCU\..\Run: [1Click Clocksync] "C:\Program Files\1Click Clocksync\clocksync.exe" /auto /auto /auto
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
    O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
    O4 - HKCU\..\RunServices: [0Spam.com Express] C:\Program Files\0Spam.com Express\Express.exe /silent
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - Startup: AutorunsDisabled
    O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5E31CEAC-E29F-4EC7-9B16-FAE44AC1D383}: NameServer = 192.168.11.1,63.218.52.35
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe
    O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Group\Apache2\bin\Apache.exe
    O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
    O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

    --
    End of file - 10264 bytes

    -- Files created between 2008-05-21 and 2008-06-21

    2008-06-21 15:08:00 0 d
    C:\WINDOWS\ERUNT
    2008-06-21 08:38:18 0 dr
    C:\Documents and Settings\Administrator\Favorites
    2008-06-21 08:38:18 0 d
    C:\Documents and Settings\Administrator\Desktop
    2008-06-21 08:38:18 0 d---s---- C:\Documents and Settings\Administrator\Cookies
    2008-06-21 08:38:18 0 dr-h
    C:\Documents and Settings\Administrator\Application Data
    2008-06-21 08:38:18 0 d
    C:\Documents and Settings\Administrator\Application Data\Symantec
    2008-06-21 08:38:18 0 d
    C:\Documents and Settings\Administrator\Application Data\Sun
    2008-06-21 08:38:18 0 d
    C:\Documents and Settings\Administrator\Application Data\SampleView
    2008-06-21 08:38:18 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
    2008-06-21 08:38:18 0 d
    C:\Documents and Settings\Administrator\Application Data\Intervideo
    2008-06-21 08:38:18 0 d
    C:\Documents and Settings\Administrator\Application Data\Identities
    2008-06-21 08:38:17 0 d
    C:\Documents and Settings\Administrator\WINDOWS
    2008-06-21 08:38:17 0 d--h
    C:\Documents and Settings\Administrator\Templates
    2008-06-21 08:38:17 0 dr
    C:\Documents and Settings\Administrator\Start Menu
    2008-06-21 08:38:17 0 dr-h
    C:\Documents and Settings\Administrator\SendTo
    2008-06-21 08:38:17 0 dr-h
    C:\Documents and Settings\Administrator\Recent
    2008-06-21 08:38:17 0 d--h
    C:\Documents and Settings\Administrator\PrintHood
    2008-06-21 08:38:17 0 d--h
    C:\Documents and Settings\Administrator\NetHood
    2008-06-21 08:38:17 0 dr
    C:\Documents and Settings\Administrator\My Documents
    2008-06-21 08:38:17 0 d--h
    C:\Documents and Settings\Administrator\Local Settings
    2008-06-21 08:38:16 2097152 --ah
    C:\Documents and Settings\Administrator\NTUSER.DAT
    2008-06-20 07:47:12 691545 --a
    C:\WINDOWS\unins000.exe
    2008-06-20 07:47:12 2542 --a
    C:\WINDOWS\unins000.dat
    2008-06-19 21:54:36 14336 --ah
    C:\Documents and Settings\Owner\runSetup.exe
    2008-06-19 21:14:59 0 d
    C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-06-19 20:49:44 0 d
    C:\Documents and Settings\Owner\Application Data\uTorrent
    2008-06-19 20:47:47 0 d
    C:\Program Files\uTorrent
    2008-06-17 08:14:37 0 d
    C:\Program Files\Airport Mania
    2008-06-17 08:14:25 0 d
    C:\Program Files\ReflexiveArcade
    2008-06-10 21:36:45 191 --a
    C:\WINDOWS\setuplog


    -- Find3M Report

    2008-06-21 17:56:38 0 d
    C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
    2008-06-21 17:53:33 0 d
    C:\Program Files\Microsoft AntiSpyware
    2008-06-21 17:46:17 0 d
    C:\Documents and Settings\Owner\Application Data\Skype
    2008-06-19 21:52:02 0 d
    C:\Documents and Settings\Owner\Application Data\Free Download Manager
    2008-06-19 21:15:01 0 d
    C:\Program Files\Lavasoft
    2008-06-19 21:13:17 0 d
    C:\Program Files\Common Files\Wise Installation Wizard
    2008-06-19 18:18:06 18500 --a
    C:\Documents and Settings\Owner\Application Data\wklnhst.dat
    2008-06-10 21:36:46 0 d--h
    C:\Program Files\InstallShield Installation Information
    2008-06-10 21:35:19 0 d
    C:\Documents and Settings\Owner\Application Data\Creative
    2008-06-10 21:35:06 0 d
    C:\Program Files\Creative
    2008-06-10 07:29:56 0 d
    C:\Documents and Settings\Owner\Application Data\AdobeUM
    2008-06-08 17:27:54 0 d
    C:\Program Files\National Lampoon's University Tycoon
    2008-05-13 21:24:02 0 d
    C:\Program Files\Bullfrog
    2008-05-10 15:28:19 41632 --a
    C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
    2008-05-09 19:31:51 0 d
    C:\Program Files\PeerGuardian2
    2008-05-08 19:26:53 0 d
    C:\Program Files\Common Files
    2008-05-05 23:19:11 0 d
    C:\Program Files\DOSBox-0.72
    2008-05-05 00:01:20 0 d
    C:\Program Files\Zuma Deluxe
    2008-04-22 20:35:14 0 d
    C:\Program Files\Palm


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0\bin\jusched.exe" [21/12/2004 22:10]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [07/05/1998 17:04]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [22/12/2003 16:38]
    "HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [21/08/2003 04:23]
    "HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [21/08/2003 04:15]
    "KBD"="C:\HP\KBD\KBD.EXE" [11/02/2003 21:02]
    "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [14/04/2004 21:43]
    "AGRSMMSG"="AGRSMMSG.exe" [29/06/2004 10:06 C:\WINDOWS\AGRSMMSG.exe]
    "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [29/06/2007 00:43]
    "nwiz"="nwiz.exe" [29/06/2007 00:43 C:\WINDOWS\system32\nwiz.exe]
    "EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.exe" [11/09/2003 04:00]
    "AlcxMonitor"="ALCXMNTR.EXE" [07/09/2004 14:47 C:\WINDOWS\ALCXMNTR.EXE]
    "gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [15/11/2005 13:12]
    "MXO Auto Loader"="C:\WINDOWS\MXOALDR.EXE" [07/04/2003 19:09]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50]
    "CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [08/09/2007 02:32]
    "0Spam.com Express"="C:\Program Files\0Spam.com Express\Express.exe" [22/02/2005 22:33]
    "TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe" [28/11/2005 15:02]
    "Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [28/11/2005 15:02]
    "VTTimer"="VTTimer.exe" []
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/01/2005 00:46]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [10/12/2005 15:57]
    "SCDEmuApp.exe"="C:\Program Files\PowerISO\SCDEmuApp.exe" [16/10/2005 02:15]
    "cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [08/09/2007 02:32]
    "UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [07/09/2006 18:19]
    "KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
    "PS2"="C:\WINDOWS\system32\ps2.exe" [16/10/2002 17:57]
    "NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [29/06/2007 00:43]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BackupNotify"="c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" [09/01/2004 02:34]
    "Active Desktop Calendar"="C:\Program Files\Active Desktop Calendar\ADC.exe" []
    "1Click Clocksync"="C:\Program Files\1Click Clocksync\clocksync.exe" [07/04/2005 20:08]
    "PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [18/09/2005 18:40]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [30/03/2006 16:45]
    "Creative WebCam Tray"="C:\Program Files\Creative\Shared Files\CamTray.exe" [27/10/2005 19:00]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices]
    "0Spam.com Express"=C:\Program Files\0Spam.com Express\Express.exe /silent

    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
    OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [23/09/2005 14:36:42]
    Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [30/05/2005 00:07:04]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 22:05:26]
    DataViz Inc Messenger.lnk - C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [04/01/2008 17:03:16]
    HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [09/06/2004 15:27:34]
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [16/09/2003 13:19:24]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 02:01:04]
    Monitor Apache Servers.lnk - C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe [23/09/2004 17:18:46]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 relog_ap

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @=&quot;Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @=&quot;Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @=&quot;Volume shadow copy"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ORB.lnk]
    backup=C:\WINDOWS\pss\ORB.lnkCommon Startup
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ORB.lnk

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton]
    C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBS4\plugin\bin\PCHButton.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVEDESK]
    "C:\Program Files\AveDesk\AveDesk.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PD0620 STISvc]
    RunDLL32.exe P0620Pin.dll,RunDLL32EP 513

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SIDEBAR]
    "C:\Program Files\Desktop Sidebar\dsidebar.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot




    -- End of Deckard's System Scanner: finished at 2008-06-21 18:13:35


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Nearly done now

    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner and click Accept

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make that the following are selected:
      • Scan using the following Anti-Virus database:
        Extended (if available otherwise Standard)
      • Scan Options:
        Scan Archives
        Scan Mail Bases


        [*]Click OK
        [*]Now under select a target to scan:
          Select
        My Computer

        [*]This will program will start and scan your system.
        [*]The scan will take a while so be patient and let it run.
        [*]Once the scan is complete it will display if your system has been infected.
        • Now click on the Save as Text button:
        [*]Save the file to your desktop.
        [*]Copy and paste that information in your next post.


      • Registered Users, Registered Users 2 Posts: 4,475 ✭✭✭corblimey


        Wow, that was thorough! Nearly 14 hours!

        KASPERSKY ONLINE SCANNER REPORT
        Sunday, June 22, 2008 11:18:47 AM
        Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
        Kaspersky Online Scanner version: 5.0.98.0
        Kaspersky Anti-Virus database last update: 21/06/2008
        Kaspersky Anti-Virus database records: 880049

        Scan Settings:
        Scan using the following antivirus database: extended
        Scan Archives: true
        Scan Mail Bases: true

        Scan Target - My Computer:
        C:\
        D:\
        E:\
        F:\
        G:\
        H:\
        I:\
        J:\
        K:\
        L:\
        M:\
        N:\
        O:\
        P:\
        Q:\

        Scan Statistics:
        Total number of scanned objects: 126197
        Number of viruses found: 19
        Number of infected objects: 59
        Number of suspicious objects: 12
        Duration of the scan process: 13:59:17

        Infected Object Name / Virus Name / Last Action
        C:\Deckard\System Scanner\20080621153503\backup\DOCUME~1\Owner\LOCALS~1\Temp\Downloader.exe Infected: Trojan-Downloader.Win32.Small.wxl skipped
        C:\Deckard\System Scanner\20080621153503\backup\DOCUME~1\Owner\LOCALS~1\Temp\nsi31C.tmp/data0002/stream/data0001 Infected: Trojan-Downloader.Win32.VB.ql skipped
        C:\Deckard\System Scanner\20080621153503\backup\DOCUME~1\Owner\LOCALS~1\Temp\nsi31C.tmp/data0002/stream Infected: Trojan-Downloader.Win32.VB.ql skipped
        C:\Deckard\System Scanner\20080621153503\backup\DOCUME~1\Owner\LOCALS~1\Temp\nsi31C.tmp/data0002 Infected: Trojan-Downloader.Win32.VB.ql skipped
        C:\Deckard\System Scanner\20080621153503\backup\DOCUME~1\Owner\LOCALS~1\Temp\nsi31C.tmp NSIS: infected - 3 skipped
        C:\Deckard\System Scanner\20080621153503\backup\DOCUME~1\Owner\LOCALS~1\Temp\nsy31E.tmp/stream/data0001 Infected: Trojan-Downloader.Win32.VB.ql skipped
        C:\Deckard\System Scanner\20080621153503\backup\DOCUME~1\Owner\LOCALS~1\Temp\nsy31E.tmp/stream Infected: Trojan-Downloader.Win32.VB.ql skipped
        C:\Deckard\System Scanner\20080621153503\backup\DOCUME~1\Owner\LOCALS~1\Temp\nsy31E.tmp NSIS: infected - 2 skipped
        C:\Deckard\System Scanner\20080621153503\backup\DOCUME~1\Owner\LOCALS~1\Temp\snpp.exe/data0006 Infected: Trojan-Downloader.Win32.VB.eyc skipped
        C:\Deckard\System Scanner\20080621153503\backup\DOCUME~1\Owner\LOCALS~1\Temp\snpp.exe NSIS: infected - 1 skipped
        C:\Deckard\System Scanner\20080621153503\backup\DOCUME~1\Owner\LOCALS~1\Temp\syswcc32.exe/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.423 skipped
        C:\Deckard\System Scanner\20080621153503\backup\DOCUME~1\Owner\LOCALS~1\Temp\syswcc32.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
        C:\Deckard\System Scanner\20080621153503\backup\DOCUME~1\Owner\LOCALS~1\Temp\syswcc32.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
        C:\Deckard\System Scanner\20080621153503\backup\DOCUME~1\Owner\LOCALS~1\Temp\syswcc32.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
        C:\Deckard\System Scanner\20080621153503\backup\DOCUME~1\Owner\LOCALS~1\Temp\syswcc32.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
        C:\Deckard\System Scanner\20080621153503\backup\DOCUME~1\Owner\LOCALS~1\Temp\syswcc32.exe RarSFX: infected - 5 skipped
        C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
        C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
        C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchBootconf.zip/msupdate.exe Suspicious: Password-protected-EXE skipped
        C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchBootconf.zip ZIP: suspicious - 1 skipped
        C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC10.zip/accesss.exe Suspicious: Password-protected-EXE skipped
        C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC10.zip ZIP: suspicious - 1 skipped
        C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC11.zip/win32e.exe Suspicious: Password-protected-EXE skipped
        C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC11.zip ZIP: suspicious - 1 skipped
        C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC12.zip/win64.exe Suspicious: Password-protected-EXE skipped
        C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC12.zip ZIP: suspicious - 1 skipped
        C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC6.zip/systeem.exe Suspicious: Password-protected-EXE skipped
        C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC6.zip ZIP: suspicious - 1 skipped
        C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp.zip/x.exe Suspicious: Password-protected-EXE skipped
        C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp.zip ZIP: suspicious - 1 skipped
        C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
        C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
        C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
        C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
        C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
        C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
        C:\Documents and Settings\LocalService\NTUSER.DAT.LOG Object is locked skipped
        C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
        C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
        C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
        C:\Documents and Settings\NetworkService\NTUSER.DAT.LOG Object is locked skipped
        C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6m53c5tx.default\cert8.db Object is locked skipped
        C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6m53c5tx.default\flashgot.log Object is locked skipped
        C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6m53c5tx.default\formhistory.dat Object is locked skipped
        C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6m53c5tx.default\history.dat Object is locked skipped
        C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6m53c5tx.default\key3.db Object is locked skipped
        C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6m53c5tx.default\parent.lock Object is locked skipped
        C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6m53c5tx.default\search.sqlite Object is locked skipped
        C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6m53c5tx.default\urlclassifier2.sqlite Object is locked skipped
        C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\23\1c3a7917-1b8286eb/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w skipped
        C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\23\1c3a7917-1b8286eb ZIP: infected - 1 skipped
        C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\39\3a99d727-5c8ce34d/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.t skipped
        C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\39\3a99d727-5c8ce34d ZIP: infected - 1 skipped
        C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\63\2dc5607f-6bcfe15b/Mein.class Infected: Trojan.Java.Binny.a skipped
        C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\63\2dc5607f-6bcfe15b/Beyond.class Infected: Trojan.Java.Binny.a skipped
        C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\63\2dc5607f-6bcfe15b ZIP: infected - 2 skipped
        C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-77e05f0b-245207d8.zip/Mein.class Infected: Trojan.Java.Binny.a skipped
        C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-77e05f0b-245207d8.zip/Beyond.class Infected: Trojan.Java.Binny.a skipped
        C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-77e05f0b-245207d8.zip ZIP: infected - 2 skipped
        C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-6d374422.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.t skipped
        C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-6d374422.zip ZIP: infected - 1 skipped
        C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-5d9993d4.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w skipped
        C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-5d9993d4.zip ZIP: infected - 1 skipped
        C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\pxmbuniq.default\Mail\Local Folders\Sent/[From Michael Galin <mpgalvin@eircom.net>][Date Wed, 01 Dec 2004 21:27:47 +0000]/Please/[From "Services PayPal" <services@paypal.com>][Date Sun, 19 Dec 2004 06:13:41 -0300]/html Infected: Trojan-Spy.HTML.Paylap.bg skipped
        C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\pxmbuniq.default\Mail\Local Folders\Sent/[From Michael Galin <mpgalvin@eircom.net>][Date Wed, 01 Dec 2004 21:27:47 +0000]/Please Infected: Trojan-Spy.HTML.Paylap.bg skipped
        C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\pxmbuniq.default\Mail\Local Folders\Sent/[From Michael Galvin <mpgalvin@eircom.net>][Date Thu, 26 May 2005 20:24:33 +0100]/text/[From Michael Galvin <mpgalvin@eircom.net>][Date Thu, 26 May 2005 21:52:23 +0100]/UNNAMED/[From Michael Galvin <mpgalvin@eircom.net>][Date Fri, 27 May 2005 20:56:14 +0100]/text/[From Michael Galvin <mpgalvin@eircom.net>][Date Tue, 10 Jan 2006 17:32:37 +0000]/Message Infected: Trojan-Spy.HTML.Bayfraud.kh skipped
        C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\pxmbuniq.default\Mail\Local Folders\Sent/[From Michael Galvin <mpgalvin@eircom.net>][Date Thu, 26 May 2005 20:24:33 +0100]/text/[From Michael Galvin <mpgalvin@eircom.net>][Date Thu, 26 May 2005 21:52:23 +0100]/UNNAMED/[From Michael Galvin <mpgalvin@eircom.net>][Date Fri, 27 May 2005 20:56:14 +0100]/text Infected: Trojan-Spy.HTML.Bayfraud.kh skipped
        C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\pxmbuniq.default\Mail\Local Folders\Sent/[From Michael Galvin <mpgalvin@eircom.net>][Date Thu, 26 May 2005 20:24:33 +0100]/text/[From Michael Galvin <mpgalvin@eircom.net>][Date Thu, 26 May 2005 21:52:23 +0100]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.kh skipped
        C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\pxmbuniq.default\Mail\Local Folders\Sent/[From Michael Galvin <mpgalvin@eircom.net>][Date Thu, 26 May 2005 20:24:33 +0100]/text Infected: Trojan-Spy.HTML.Bayfraud.kh skipped
        C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\pxmbuniq.default\Mail\Local Folders\Sent MailBerkeleymboxx: infected - 6 skipped
        C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
        C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
        C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
        C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\6m53c5tx.default\Cache\_CACHE_001_ Object is locked skipped
        C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\6m53c5tx.default\Cache\_CACHE_002_ Object is locked skipped
        C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\6m53c5tx.default\Cache\_CACHE_003_ Object is locked skipped
        C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\6m53c5tx.default\Cache\_CACHE_MAP_ Object is locked skipped
        C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
        C:\Documents and Settings\Owner\Local Settings\Temp\~DF320F.tmp Object is locked skipped
        C:\Documents and Settings\Owner\Local Settings\Temp\~DF5950.tmp Object is locked skipped
        C:\Documents and Settings\Owner\Local Settings\Temp\~DF5970.tmp Object is locked skipped
        C:\Documents and Settings\Owner\Local Settings\Temp\~DF5E6E.tmp Object is locked skipped
        C:\Documents and Settings\Owner\Local Settings\Temp\~DF68B7.tmp Object is locked skipped
        C:\Documents and Settings\Owner\Local Settings\Temp\~DF8FF4.tmp Object is locked skipped
        C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\I3IB2H23\Updater[1].exe Infected: Trojan-Downloader.Win32.Agent.ucq skipped
        C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
        C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
        C:\Documents and Settings\Owner\NTUSER.DAT.LOG Object is locked skipped
        C:\Documents and Settings\Owner\runUpdater.html Infected: Trojan-Downloader.Win32.Small.xhc skipped
        C:\Downloads\o-txp473.zip/start.exe Infected: Trojan-Downloader.Win32.IstBar.is skipped
        C:\Downloads\o-txp473.zip ZIP: infected - 1 skipped
        C:\Program Files\Apache Group\Apache\logs\access.log Object is locked skipped
        C:\Program Files\Apache Group\Apache\logs\error.log Object is locked skipped
        C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
        C:\Program Files\PeerGuardian2\history.db Object is locked skipped
        C:\sdfix\SDFix\backups\backups.zip/backups/msupdte.exe Infected: Trojan-Downloader.Win32.Agent.ucq skipped
        C:\sdfix\SDFix\backups\backups.zip/backups/netrax061083.exe Infected: Trojan-Downloader.Win32.VB.eyc skipped
        C:\sdfix\SDFix\backups\backups.zip ZIP: infected - 2 skipped
        C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
        C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
        C:\System Volume Information\catalog.wci\00010008.ci Object is locked skipped
        C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
        C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
        C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
        C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
        C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
        C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
        C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
        C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
        C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
        C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
        C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
        C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
        C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
        C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
        C:\System Volume Information\_restore{2C64A447-4679-4204-A039-16352F4E0E7D}\RP1262\A0102393.exe Infected: not-a-virus:AdWare.Win32.WebHancer.423 skipped
        C:\System Volume Information\_restore{2C64A447-4679-4204-A039-16352F4E0E7D}\RP1262\A0102395.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
        C:\System Volume Information\_restore{2C64A447-4679-4204-A039-16352F4E0E7D}\RP1262\A0102401.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
        C:\System Volume Information\_restore{2C64A447-4679-4204-A039-16352F4E0E7D}\RP1262\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
        C:\System Volume Information\_restore{2C64A447-4679-4204-A039-16352F4E0E7D}\RP1265\A0103720.exe Infected: Trojan-Downloader.Win32.VB.eyc skipped
        C:\System Volume Information\_restore{2C64A447-4679-4204-A039-16352F4E0E7D}\RP1265\A0103745.exe Infected: Trojan-Downloader.Win32.Agent.ucq skipped
        C:\System Volume Information\_restore{2C64A447-4679-4204-A039-16352F4E0E7D}\RP1265\A0103766.exe Infected: Trojan-Downloader.Win32.Agent.ucq skipped
        C:\System Volume Information\_restore{2C64A447-4679-4204-A039-16352F4E0E7D}\RP1265\A0103769.exe Infected: Trojan-Downloader.Win32.VB.eyc skipped
        C:\System Volume Information\_restore{2C64A447-4679-4204-A039-16352F4E0E7D}\RP1265\change.log Object is locked skipped
        C:\WINDOWS\3d.exe Infected: Trojan.Win32.Small.tp skipped
        C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
        C:\WINDOWS\SchedLgU.Txt Object is locked skipped
        C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
        C:\WINDOWS\Sti_Trace.log Object is locked skipped
        C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
        C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
        C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
        C:\WINDOWS\system32\config\default Object is locked skipped
        C:\WINDOWS\system32\config\default.LOG Object is locked skipped
        C:\WINDOWS\system32\config\SAM Object is locked skipped
        C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
        C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
        C:\WINDOWS\system32\config\SECURITY Object is locked skipped
        C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
        C:\WINDOWS\system32\config\software Object is locked skipped
        C:\WINDOWS\system32\config\software.LOG Object is locked skipped
        C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
        C:\WINDOWS\system32\config\system Object is locked skipped
        C:\WINDOWS\system32\config\system.LOG Object is locked skipped
        C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
        C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
        C:\WINDOWS\system32\drivers\sptd6589.sys Object is locked skipped
        C:\WINDOWS\system32\h323log.txt Object is locked skipped
        C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
        C:\WINDOWS\system32\ntsd32.exe/data0002 Infected: not-a-virus:AdWare.Win32.MediaBack.c skipped
        C:\WINDOWS\system32\ntsd32.exe/data0003 Infected: Trojan-Clicker.Win32.VB.dn skipped
        C:\WINDOWS\system32\ntsd32.exe/data0004 Infected: Trojan.Win32.VB.rh skipped
        C:\WINDOWS\system32\ntsd32.exe NSIS: infected - 3 skipped
        C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
        C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
        C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
        C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
        C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
        C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
        C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
        C:\WINDOWS\wiadebug.log Object is locked skipped
        C:\WINDOWS\wiaservc.log Object is locked skipped
        C:\WINDOWS\WindowsUpdate.log Object is locked skipped
        C:\_OTMoveIt\MovedFiles\06212008_174319\Documents and Settings\Owner\Application Data\Microsoft\dtsc\21315.exe Infected: Trojan-Downloader.Win32.Agent.shg skipped
        C:\_OTMoveIt\MovedFiles\06212008_174319\Documents and Settings\Owner\runUpdater.exe Infected: Trojan-Downloader.Win32.Small.xhc skipped
        N:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

        Scan process completed.


      • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


        Hello

        Please download the OTMoveIt2 by OldTimer.
        • Save it to your desktop.
        • Please double-click OTMoveIt2.exe to run it.
        • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
          [kill explorer]
          C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\I3IB2H23\Updater[1].exe
          C:\Documents and Settings\Owner\runUpdater.html 
          C:\Downloads\o-txp473.zip
          C:\WINDOWS\3d.exe 
          C:\WINDOWS\system32\ntsd32.exe
          purity 
          EmptyTemp
          [start explorer]
          
        • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
        • Click the red Moveit! button.
        • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
        • Close OTMoveIt2
        If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



        Open Notepad and Copy (Control+C) and Paste (Control+V) the following code into the Notepad window.

        @echo off
        dir "C:\Downloads">C:\peek.txt
        start C:\peek.txt
        del peek.bat
        


        Click on 'File' then 'Save As'
        In the Save in drop down box select Desktop
        In the File name box type in peek.bat
        In the Save as type drop down box select All Files
        Close Notepad.

        Now, find peek.bat on your Desktop and Double click it
        A window will open and close, do not be concerned this is normal.


        Post the resulting notepad file that appears


      • Advertisement
      • Registered Users, Registered Users 2 Posts: 4,475 ✭✭✭corblimey


        contents of downloads (I've removed a few files that are not for er... "public consumption")

        Volume in drive C is HP_PAVILION
        Volume Serial Number is E82B-BB1C

        Directory of C:\Downloads
        12/05/2008  22:49    <DIR>          .
        12/05/2008  22:49    <DIR>          ..
        23/07/2005  18:22         1,735,201 0SpamExpress.exe
        12/07/2007  23:41            40,554 1031972133banana.zip
        18/03/2002  14:12         2,322,614 147512_MTPatch1_3.exe
        06/08/2007  17:09        48,968,752 162.18_forceware_winxp_32bit_english_whql.exe
        21/07/2007  13:40         5,466,408 20060824_moonshell14finalbeta.zip
        21/11/2003  22:52         4,002,597 2jpeg.zip
        26/10/2001  23:49         2,116,414 a32-18.exe
        13/04/2006  19:42               721 Abexo Free Registry Cleaner.lnk
        31/08/2002  12:50            12,250 access_to_mysql.txt
        03/06/2005  00:09         2,180,996 adc.exe
        06/06/2002  21:50         1,264,844 addressbook.nt.tar.gz
        06/04/2008  11:09         1,968,049 atrain.zip
        29/12/2004  23:10         2,010,000 AveDesk11.exe
        23/04/2005  10:19         3,487,352 BlindWrite_5.2.13.147.rar
        24/03/2004  20:03           711,637 calipers.zip
        07/01/2008  19:09         1,524,079 CDCheckSetup.exe
        28/05/2005  21:26    <DIR>          CDRWin_5_05_001
        23/09/2005  20:11           601,088 ClocksyncSetup.exe
        22/01/2000  13:29           138,155 Coasterworld.zip
        06/04/2008  11:03           126,438 confmeps.zip
        01/03/2005  00:20         3,240,960 converter.exe
        09/09/2007  10:26           499,862 cpu-z-141.zip
        10/05/2000  22:50           294,888 crystocx.zip
        13/02/2005  19:36         1,101,824 CuteWriter.exe
        05/02/2005  18:02         1,283,346 cvrtmate.exe
        06/02/2005  17:26         3,362,502 cxp_free.exe
        04/11/2004  15:36           504,320 daemon347.exe
        05/05/2006  08:52         1,449,368 daemon403-x86.exe
        22/10/2001  23:55           173,216 datepick.zip
        19/08/2000  23:00            38,366 dbman.zip
        13/02/2005  18:18         2,915,699 DeepBurner1.exe
        03/01/2001  20:49         1,042,944 demotivationalposters.pps
        14/03/2005  02:58       169,747,698 DEMO_IM_UK_PC.zip
        01/12/2007  00:37         1,761,029 dixmlsetup.exe
        06/04/2008  14:48         1,258,638 DOSBox0.72-win32-installer.exe
        03/11/2004  20:28    <DIR>          dvd
        14/10/2001  14:57           871,409 EasyPegSetup.exe
        17/05/2005  08:38         4,424,776 EZAntivirus.exe
        05/02/2005  00:42         1,340,406 fdminst.exe
        07/01/2008  14:21           886,808 freeundelete.exe
        26/02/2000  09:40         1,698,304 f_x86t32.exe
        04/01/2004  23:09         3,394,522 httrack-3.30.exe
        19/06/2005  10:37           497,371 Ifoedit0971.zip
        10/01/2002  01:03         1,707,856 instmsi.exe
        26/03/2005  18:59       732,942,336 KNOPPIX_V3.7-2004-12-08-EN.iso
        30/11/2001  21:34         2,060,617 litsetup_v20.zip
        13/01/2006  19:37    <DIR>          Lucasarts Games
        17/12/2004  20:42         6,552,939 mame089b.zip
        26/03/2005  19:01         1,450,805 mbtagger-setup-0.10.5.exe
        21/09/2002  12:55         5,527,594 MDBBrowserEditor.EXE
        02/06/2007  21:06           701,251 MDBPlus.zip
        02/06/2007  21:10           199,074 MdbToMySQL.zip
        04/02/2005  22:38         2,357,023 mp3workshop.exe
        25/09/2003  23:40            91,853 multiDesk.zip
        10/09/2000  20:43           632,862 netloadSetup.exe
        29/05/2005  23:32         8,332,416 objectdock_freeware.exe
        05/02/2006  00:19    <DIR>          OpenOfficeorg 2.0 Installation Files
        12/05/2008  22:42         3,529,095 openttd-0.6.0-win32.exe
        22/06/2007  18:50           893,224 optimize-setup-2003.exe
        01/12/2002  12:03           747,508 OWASPGuideV1[1].1.1.pdf
        07/08/2003  23:20         4,967,687 phedinst.exe
        20/12/2005  22:08           962,174 powermax.exe
        18/02/2006  20:33           145,330 pppclientinstall.exe
        07/03/2004  14:44         2,855,552 ppview97.exe
        09/01/2005  18:35         1,951,432 ppviewer.exe
        09/01/2002  23:28            31,957 protect2035b2.zip
        19/09/2001  21:37           511,440 q290108.exe
        07/07/2005  21:10           800,136 regclean.exe
        15/04/2006  16:29           358,545 RegSeeker.zip
        02/03/2005  23:57         1,020,686 renameit-3.32-install.exe
        10/10/2000  23:27             7,583 search.zip
        17/12/2003  23:37           598,122 SetupDD3.zip
        17/01/2008  23:29         3,003,113 Setup_MagicISO.exe
        01/01/2005  21:46    <DIR>          silkscreen
        22/06/2000  21:16           355,024 SITEX10.EXE
        12/03/2006  15:43             4,634 tcnytrn4.zip
        26/01/2006  19:05         1,312,220 tedv060.zip
        30/04/2006  08:43           860,160 tedv065setup.exe
        02/05/2004  12:49         6,059,520 TortoiseSVN-1.0.3-UNICODE_svn-1.0.1.msi
        24/03/2004  19:29        20,993,973 trueimage7[1].0_s_en.exe
        25/01/2007  21:51    <DIR>          TTZips
        11/02/2005  21:38           150,192 TweakUiPowertoySetup.exe
        07/01/2008  14:42           870,952 undelete_plus_setup.exe
        22/12/2004  00:41         7,071,334 vlc-0.8.1-win32.exe
        29/10/2007  10:42         9,679,815 vlc-0.8.6c-win32.exe
        07/01/2005  23:58    <DIR>          vsStyles
        12/06/2005  22:25    <DIR>          WinAVI Video Converter 6.3
        16/04/2005  23:41         1,126,824 WinRAR v3.42.zip
        13/08/1999  19:50           943,835 winzip70.exe
        18/08/2002  17:49         1,803,848 winzip81.exe
                      94 File(s)  1,187,205,640 bytes
                      12 Dir(s)  51,939,319,808 bytes free
        

        moveit log

        Explorer killed successfully
        < C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\I3IB2H23\Updater[1].exe >
        C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\I3IB2H23\Updater[1].exe moved successfully.
        C:\Documents and Settings\Owner\runUpdater.html moved successfully.
        C:\Downloads\o-txp473.zip moved successfully.
        C:\WINDOWS\3d.exe moved successfully.
        C:\WINDOWS\system32\ntsd32.exe moved successfully.
        < purity >
        < EmptyTemp >
        File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF1656.tmp scheduled to be deleted on reboot.
        File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF969B.tmp scheduled to be deleted on reboot.
        File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFC281.tmp scheduled to be deleted on reboot.
        File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFE5F4.tmp scheduled to be deleted on reboot.
        File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFF729.tmp scheduled to be deleted on reboot.
        Temp folders emptied.
        IE temp folders emptied.
        Explorer started successfully

        OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06222008_153441

        Files moved on Reboot...
        C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF1656.tmp moved successfully.
        C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF969B.tmp moved successfully.
        C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFC281.tmp moved successfully.
        C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFE5F4.tmp moved successfully.
        C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFF729.tmp moved successfully.


      • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


        No problem
        • Make sure you have an Internet Connection.
        • Double-click OTMoveIt2.exe to run it.
        • Click on the CleanUp! button
        • A list of tool components used in the Cleanup of malware will be downloaded.
        • If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
        • Click Yes to beging the Cleanup process and remove these components, including this application.
        • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.



        Your using an old version of Adobe Acrobat Reader, this can leave your pc open to vulnerabilities, you can update it here :
        http://www.adobe.com/products/acrobat/readstep2.html



        You now need to update your Java and remove your older versions.

        Please follow these steps to remove older version Java components.

        * Click Start > Control Panel.
        * Click Add/Remove Programs.
        * Check any item with Java Runtime Environment (JRE) in the name.
        * Click the Remove or Change/Remove button.

        Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
        here




        Now we need to create a new System Restore point.

        Click Start Menu > Run > type (or copy and paste)

        %SystemRoot%\System32\restore\rstrui.exe

        Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

        Next goto Start Menu > Run > type

        cleanmgr

        Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.

        To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.




        Below I have included a number of recommendations for how to protect your computer against malware infections.

        * Keep Windows updated by regularly checking their website at :
        http://windowsupdate.microsoft.com/
        This will ensure your computer has always the latest security updates available installed on your computer.

        * To reduce re-infection for malware in the future, I strongly recommend installing these free programs:

        SpywareBlaster protects against bad ActiveX
        IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
        Have a look at this tutorial for IE-Spyad here

        * SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.

        Make Internet Explorer more secure
        • Click Start > Run
        • Type Inetcpl.cpl & click OK
        • Click on the Security tab
        • Click Reset all zones to default level
        • Make sure the Internet Zone is selected & Click Custom level
        • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
        • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

        * MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

        * Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
        secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
        blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
        Here

        * Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
        Here

        Thank you for your patience, and performing all of the procedures requested.


      • Registered Users, Registered Users 2 Posts: 4,475 ✭✭✭corblimey


        Thanks a million for all your help, very much appreciated. I'm off to download some pr0n now from a russian mafia site ;)

        I don't use IE at all - I had trouble even finding it on this PC to run the KAV (didn't appear to work on FF) - any of your recommendations necessary on FF aswell?


      • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


        Yes those recommendations are for FF as well


      Advertisement