Google search links redirected

#1 awan111 (Member, 10 posts)
Hello My Friend,
My Google search results in Internet Explorer are redirected to
http://89.149.227.10...2...46f4001&r=1
If I open the link in a new window it will work.
I have scanned the system with Spybot Search and Destroy but it did not fix it.

Here is a Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:01 AM, on 1/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Linksys\Wireless Network PC Card\NICServ.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\rconsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Cassetica\Cassetica NotesMedic Pro\NMPSystray.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\TEMP\YM1B45.EXE
C:\Documents and Settings\narshad\Start Menu\Programs\Scanning Tools\HiJackth.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://navigator.network.int
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://navigator.network.int
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sauer-danfoss.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sauer-Danfoss Inc.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://amsadc01.netw.../wpad_sauer.dat
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {70AF82A5-494D-4C50-87FF-EB6C51CF5235} - c:\windows\system32\dsauthh.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {972E4C00-AC7B-400C-94E7-2AAE07791035} - C:\WINDOWS\system32\dssech.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [r390p5drn] C:\WINDOWS\system32\r390p5drn.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [r390p5drn] C:\WINDOWS\system32\r390p5drn.exe
O4 - Global Startup: NMPSystray.lnk = C:\Program Files\Cassetica\Cassetica NotesMedic Pro\NMPSystray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://navigator.network.int
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase4009.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cat.webex.co...bex/ieatgpc.cab
O16 - DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} (RSClientPrint Class) - http://amsiis01.netw...OpType=PrintCab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = network.int
O17 - HKLM\Software\..\Telephony: DomainName = network.int
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = network.int
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = network.int
O20 - Winlogon Notify: etxiwovc - C:\WINDOWS\SYSTEM32\dsauthh.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: NICSer_WPC11 - Unknown owner - C:\Program Files\Linksys\Wireless Network PC Card\NICServ.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Console (RCONSVC) - Unknown owner - C:\WINDOWS\System32\rconsvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O24 - Desktop Component 0: (no name) - http://www.cricinfo....800/73878.1.jpg

--
End of file - 8276 bytes


Here is also the uninstall manager list:
Ad-Aware SE Personal
Adobe Shockwave Player
Avanquest update
CCS64 V3.4
Citrix Secure Access Client
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HijackThis 2.0.2
HyperLoad - Golf Course
Java™ 6 Update 3
Lotus NotesSQL Driver
Microsoft .NET Framework 2.0
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office 2003 Web Components
Microsoft Office Live Meeting 2005
Microsoft Office Live Meeting 2007
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Backward compatibility
Microsoft SQL Server 2005 Books Online (English)
Microsoft SQL Server 2005 Tools
Microsoft SQL Server Setup Support Files (English)
Microsoft Visual Studio 2005 Premier Partner Edition - ENU
Minitab 15 English
Motorola Driver Installation
Motorola Phone Tools
Mozilla Firefox (2.0.0.11)
MSXML 6.0 Parser
RCA Pearl (Model TH11, TC11 Series) Firmware Update Utility
SAP Interactive Excel
SopCast 1.1.2
SopCore 1.1.2
SoundCapture
Spybot - Search & Destroy
SQLXML4
True Sword 4
TVUPlayer 2.3.2.52
UGS Teamcenter Visualization 2005 SR1
UnRAR for Windows
VideoLAN VLC media player 0.8.6d
WeatherBug
WebEx
Windows Driver Package - Microsoft Corporation (usbvideo) Image (05/25/2007 1.0.3656.0)
Windows Live OneCare safety scanner


I will appreciate your help. Thanks a lot in anticipation.


#2 koko_crunch (Trusted Helper, Retired Staff, 1,751 posts)
Hello awan111 and Welcome to Geeks to Go!

Please be patient while I check your log for signs of infection.
I will post back as soon as able.

#3 koko_crunch (Trusted Helper, Retired Staff, 1,751 posts)
Hello,

You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups then restore them.

  • Click here to download FindAWF.exe and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Press any key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or whatever location you ran the file from.
  • Come back here to this thread and copy and paste the contents of the AWF.txt file in your next reply.

Please post complete contents.
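As an added example (not FindAWF's code and not anything posted in the thread), the check koko_crunch describes can be expressed as a small Python scan: pair every file in a `bak` subfolder with the same-named file one level up, flag the pairs whose contents differ, and list other same-named copies on disk as restore sources, the way the report's "Duplicate files" section does. The folder tree it scans is constructed in a temporary directory, so it runs offline on any OS.

```python
"""Added illustration (not FindAWF's own code) of the file-swap pattern described in
the thread: the trojan parks the legitimate executable in a 'bak' subfolder and drops
its own file under the original name. The tree scanned here is constructed in a
temporary directory, so it runs offline; hashes decide whether a pair was swapped."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Finding:
    original: str       # the file currently living in the program folder
    backup: str         # the same-named copy found in the 'bak' subfolder
    same_content: bool  # True when both are byte-identical (a harmless backup)
    size_delta: int     # size(original) - size(backup); non-zero hints at a swap


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_bak_swaps(root: str) -> List[Finding]:
    """Walk `root`; for every folder named 'bak', pair each file inside it with the
    same-named file one level up. Differing contents is the signature the thread
    describes: the live copy was replaced and the real one moved into bak."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        for name in filenames:
            backup = os.path.join(dirpath, name)
            original = os.path.join(parent, name)
            if not os.path.isfile(original):
                continue  # backup with no live counterpart: nothing to compare
            same = sha256_of(original) == sha256_of(backup)
            delta = os.path.getsize(original) - os.path.getsize(backup)
            findings.append(Finding(original, backup, same, delta))
    return sorted(findings, key=lambda f: f.original)


def suspicious(findings: List[Finding]) -> List[Finding]:
    """Only the pairs whose live copy no longer matches its backup."""
    return [f for f in findings if not f.same_content]


def duplicates_of(root: str, name: str) -> List[Tuple[int, str]]:
    """Mirror FindAWF's 'Duplicate files' section: every same-named file under `root`
    outside any bak folder, with its size, so a known-good copy can be located."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak" and name in filenames:
            p = os.path.join(dirpath, name)
            hits.append((os.path.getsize(p), p))
    return sorted(hits)


def restore_candidates(root: str, f: Finding) -> List[str]:
    """Duplicates whose hash equals the bak copy: safe sources for a restore."""
    want = sha256_of(f.backup)
    return [p for _, p in duplicates_of(root, os.path.basename(f.backup))
            if p != f.original and sha256_of(p) == want]


def build_demo_tree() -> str:
    """Constructed sample data (not the thread's machine): one swapped file with a
    clean vendor copy elsewhere, one identical benign backup, one orphan backup."""
    root = tempfile.mkdtemp(prefix="awf_demo_")

    def put(rel, data):
        p = os.path.join(root, *rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(data)

    clean = b"MZ" + b"\x90" * 500                   # stands in for e.g. hkcmd.exe
    put(["Program Files", "Vendor", "app.exe"], b"MZ" + b"\x90" * 100 + b"DROPPER")
    put(["Program Files", "Vendor", "bak", "app.exe"], clean)
    put(["Drivers", "Video", "app.exe"], clean)     # untouched copy, as in the report
    put(["Program Files", "Other", "tool.exe"], b"MZ" + b"\x00" * 64)
    put(["Program Files", "Other", "bak", "tool.exe"], b"MZ" + b"\x00" * 64)
    put(["Program Files", "Gone", "bak", "old.exe"], b"MZ" + b"\x01" * 10)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for hit in suspicious(scan_for_bak_swaps(demo)):
        print(f"SWAPPED  {hit.original}  (size delta {hit.size_delta:+d})")
        for src in restore_candidates(demo, hit):
            print(f"  clean copy: {src}")
```

A byte-identical pair is reported but not flagged, so ordinary installer backups do not produce noise; only a live file that no longer matches its bak copy is treated as swapped.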

#4 awan111 (Topic Starter, Member, 10 posts)
Thanks for your response, my friend.
Here is the result of the bak scan:

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Tue 01/15/2008
The current time is: 23:47:20.96


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\CLEARA~1\BAK

11/26/2006 04:30 AM 212 index.bat
1 File(s) 212 bytes

Directory of C:\PROGRA~1\PAL\SCRIPTS.BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

06/06/2006 09:06 AM 77,824 hkcmd.exe
06/06/2006 09:10 AM 118,784 igfxpers.exe
06/06/2006 09:09 AM 94,208 igfxtray.exe
3 File(s) 290,816 bytes

Directory of C:\PROGRA~1\ANALOG~1\CORE\BAK

05/20/2005 08:11 AM 925,696 smax4pnp.exe
1 File(s) 925,696 bytes

Directory of C:\PROGRA~1\TRENDM~1\OFFICE~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

06/11/2007 05:16 PM 4,670,968 YAHOOM~1.EXE
1 File(s) 4,670,968 bytes

Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

03/20/2006 04:34 PM 213,936 ISUSPM.exe
1 File(s) 213,936 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

11/22/2006 07:32 PM 185,896 realsched.exe
1 File(s) 185,896 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

212 Nov 26 2006 "C:\Program Files\ClearAllHistory\bak\index.bat"
126976 Sep 30 2004 "C:\Drivers\Video\hkcmd.exe"
77824 Sep 20 2005 "C:\Drivers\DC7600\Video\hkcmd.exe"
126976 Dec 21 2004 "C:\Drivers\nc4200\Video\hkcmd.exe"
77824 Jun 6 2006 "C:\Drivers\NC6400\Video\hkcmd.exe"
77824 Jun 6 2006 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 Sep 20 2005 "C:\Drivers\DC7600\Video\igfxpers.exe"
118784 Jun 6 2006 "C:\Drivers\NC6400\Video\igfxpers.exe"
118784 Jun 6 2006 "C:\WINDOWS\system32\bak\igfxpers.exe"
155648 Sep 30 2004 "C:\Drivers\Video\igfxtray.exe"
94208 Sep 20 2005 "C:\Drivers\DC7600\Video\igfxtray.exe"
155648 Dec 21 2004 "C:\Drivers\nc4200\Video\igfxtray.exe"
94208 Jun 6 2006 "C:\Drivers\NC6400\Video\igfxtray.exe"
94208 Jun 6 2006 "C:\WINDOWS\system32\bak\igfxtray.exe"
925696 May 20 2005 "C:\Drivers\NC6400\Audio\SMax4PNP.exe"
925696 May 20 2005 "C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe"
4670968 Jun 11 2007 "C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
213936 Mar 20 2006 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"
185896 Nov 22 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"


end of report

#5 koko_crunch (Trusted Helper, Retired Staff, 1,751 posts)
Looks good.

Next,

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Then

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Post back with:
- Panda Log
- DSS log

#6 awan111 (Topic Starter, Member, 10 posts)
Here are the scans.

Activescan Log


Incident Status Location

Virus:Trj/Downloader.RDL Disinfected Operating system
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\narshad\Application Data\Mozilla\Firefox\Profiles\2vjfg34k.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\narshad\Application Data\Mozilla\Firefox\Profiles\2vjfg34k.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\narshad\Application Data\Mozilla\Firefox\Profiles\2vjfg34k.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\narshad\Application Data\Mozilla\Firefox\Profiles\2vjfg34k.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\narshad\Application Data\Mozilla\Firefox\Profiles\2vjfg34k.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\narshad\Application Data\Mozilla\Firefox\Profiles\2vjfg34k.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\narshad\Cookies\narshad@adrevolver[3].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\narshad\Cookies\[email protected][1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\narshad\Cookies\narshad@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\narshad\Cookies\narshad@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\narshad\Cookies\narshad@atwola[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\narshad\Cookies\narshad@com[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\narshad\Cookies\narshad@go[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\narshad\Cookies\narshad@questionmarket[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\narshad\Cookies\narshad@tribalfusion[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\narshad\Cookies\narshad@xiti[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\narshad\Cookies\narshad@zedo[2].txt
Adware:Adware/InternetSpeedMonitor Not disinfected C:\Program Files\True Sword 4\backuped\2\QdrModule11 .exe
Virus:Trj/Downloader.RSD Disinfected C:\Program Files\WinBudget\bin\crap.1199945787.old
Virus:Trj/Downloader.RSD Disinfected C:\Program Files\WinBudget\bin\matrix.dll
Spyware:Cookie/Atlas DMT Not disinfected C:\Temp\Cookies\narshad@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Temp\Cookies\narshad@atwola[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Temp\Cookies\narshad@doubleclick[1].txt
Adware:Adware/Adband Not disinfected C:\Temp\D20.tmp
Virus:Trj/Downloader.RUZ Disinfected C:\Temp\ismtpa8.exe
Adware:Adware/InternetSpeedMonitor Not disinfected C:\Temp\TMP31.tmp
Adware:Adware/InternetSpeedMonitor Not disinfected C:\Temp\TMP34.tmp
Virus:Trj/Downloader.RTN Disinfected C:\Temp\tmpDF.tmp
Virus:Trj/Downloader.RDL Disinfected C:\WINDOWS\system32\AppCert\wnl32.dll




Deckard Scans
==============================================================================
main.txt
==============================================================================
Deckard's System Scanner v20071014.68
Run by narshad on 2008-01-16 19:31:08
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...failed; access is denied.


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as narshad.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:42:39 PM, on 1/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Linksys\Wireless Network PC Card\NICServ.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\rconsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\TEMP\XHB5B6.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\r390p5drn.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Cassetica\Cassetica NotesMedic Pro\NMPSystray.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\narshad\Desktop\dss.exe
C:\DOCUME~1\narshad\STARTM~1\Programs\SCANNI~1\narshad.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://navigator.network.int
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://navigator.network.int
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sauer-danfoss.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sauer-Danfoss Inc.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://amsadc01.netw.../wpad_sauer.dat
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {70AF82A5-494D-4C50-87FF-EB6C51CF5235} - c:\windows\system32\dsauthh.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {972E4C00-AC7B-400C-94E7-2AAE07791035} - C:\WINDOWS\system32\dssech.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [r390p5drn] C:\WINDOWS\system32\r390p5drn.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [r390p5drn] C:\WINDOWS\system32\r390p5drn.exe
O4 - Global Startup: NMPSystray.lnk = C:\Program Files\Cassetica\Cassetica NotesMedic Pro\NMPSystray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://navigator.network.int
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase4009.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cat.webex.co...bex/ieatgpc.cab
O16 - DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} (RSClientPrint Class) - http://amsiis01.netw...OpType=PrintCab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = network.int
O17 - HKLM\Software\..\Telephony: DomainName = network.int
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = network.int
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = network.int
O20 - Winlogon Notify: etxiwovc - C:\WINDOWS\SYSTEM32\dsauthh.dll
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: NICSer_WPC11 - Unknown owner - C:\Program Files\Linksys\Wireless Network PC Card\NICServ.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Console (RCONSVC) - Unknown owner - C:\WINDOWS\System32\rconsvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O24 - Desktop Component 0: (no name) - http://www.cricinfo....800/73878.1.jpg

--
End of file - 7742 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - shell\open\command - %SystemRoot%\system32\NOTEPAD.EXE "%1"
.txt - ImageView.Document.txt - DefaultIcon - C:\PROGRA~1\UGS\TCVIS2~1\Products\PROFES~1\VisView.exe,0
.txt - ImageView.Document.txt - shell\open\command - C:\PROGRA~1\UGS\TCVIS2~1\Products\PROFES~1\VisView.exe /dde
.vbs - VBSFile - shell\open\command - %SystemRoot%\system32\NOTEPAD.EXE "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 aac (Adaptec RAID Miniport Driver) - c:\windows\system32\drivers\aac.sys <Not Verified; Adaptec, Inc.; Adaptec RAID Controller>
R0 aar81xx - c:\windows\system32\drivers\aar81xx.sys <Not Verified; Adaptec, Inc.; Adaptec HostRAID for Serial ATA>
R0 etrurwkx - c:\windows\system32\drivers\xvdwhdmg.dat
R0 hpdskflt (HP Disk Filter Driver) - c:\windows\system32\drivers\hpdskflt.sys <Not Verified; Hewlett-Packard Corporation; Hewlett-Packard Corporation Mobile Data Protection System>
R2 iPassP (iPass Protocol (IEEE 802.1x) v3.4.9.0) - c:\windows\system32\drivers\ipassp.sys <Not Verified; Meetinghouse Data Communications; iPass Client 3.4.9.0>
R2 TM_CFW (Common Firewall Driver) - c:\program files\trend micro\officescan client\tm_cfw.sys <Not Verified; Trend Micro Inc.; Trend Micro Common Firewall Module 1.2>
R3 Accelerometer - c:\windows\system32\drivers\accelerometer.sys <Not Verified; Hewlett-Packard Corporation; Hewlett-Packard Corporation Mobile Data Protection System>
R3 HBtnKey - c:\windows\system32\drivers\cpqbttn.sys <Not Verified; Hewlett-Packard Development Company, L.P.; HP Quick Launch Buttons>

S3 eabfiltr - c:\windows\system32\drivers\eabfiltr.sys <Not Verified; Hewlett-Packard Development Company, L.P.; HPQuick Launch Buttons>
S3 eabusb - c:\windows\system32\drivers\eabusb.sys <Not Verified; Hewlett-Packard Development Company, L.P.; HP Quick Launch Buttons>
S3 idisw2km - c:\windows\system32\drivers\idisw2km.sys (file missing)
S3 kbstuff (SMS Virtual Keyboard) - c:\windows\system32\drivers\kbstuff5.sys (file missing)
S3 PCANDIS5 (PCANDIS5 Protocol Driver) - c:\windows\system32\pcandis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 WPC11 (Instant Wireless Network PC Card V3.0 Driver) - c:\windows\system32\drivers\lswlnds.sys <Not Verified; The Linksys Group, Inc.; Instant Wireless Network PC Card>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 iPCAgent - c:\program files\ipass\ipassconnect\ipcagent.exe <Not Verified; iPass, Inc.; iPCAgent Module>
R2 Multi-user Cleanup Service - "c:\program files\lotus\notes\ntmulti.exe" <Not Verified; IBM Corp; IBM Lotus Notes/Domino>
R2 NICSer_WPC11 - c:\program files\linksys\wireless network pc card\nicserv.exe
R2 ntrtscan (OfficeScanNT RealTime Scan) - "c:\program files\trend micro\officescan client\ntrtscan.exe" <Not Verified; Trend Micro Inc.; Trend Micro OfficeScan>
R2 OfcPfwSvc (OfficeScanNT Personal Firewall) - "c:\program files\trend micro\officescan client\ofcpfwsvc.exe" <Not Verified; Trend Micro Inc.; Trend Micro OfficeScan>
R2 RCONSVC (Remote Console) - c:\windows\system32\rconsvc.exe
R2 tmlisten (OfficeScanNT Listener) - "c:\program files\trend micro\officescan client\tmlisten.exe" <Not Verified; Trend Micro Inc.; Trend Micro OfficeScan>

S3 iPassConnectEngine - c:\program files\ipass\ipassconnect\ipassconnectengine.exe <Not Verified; iPass; iPassConnectEngine Module>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-01-16 18:12:47 434 --a------ C:\WINDOWS\Tasks\At1.job


-- Files created between 2007-12-16 and 2008-01-16 -----------------------------

6137-61-37 13:76:09 0 d-------- H:\Thrust Washer
6137-61-37 13:76:09 0 d-------- H:\Test Stand
6137-61-37 13:76:09 0 d-------- H:\Standard Work
6137-61-37 13:76:09 0 d-------- H:\SCR
6137-61-37 13:76:09 0 d-------- H:\Projects
6137-61-37 13:76:09 0 d-------- H:\Personal
6137-61-37 13:76:09 0 d-------- H:\Paint Pack
6137-61-37 13:76:09 0 d-------- H:\MSSQLRS
6137-61-37 13:76:09 0 d-------- H:\H1
6137-61-37 13:76:09 0 d-------- H:\Global Standards
6137-61-37 13:76:09 0 d-------- H:\GageRnR
6137-61-37 13:76:09 0 d-------- H:\Deckard
6137-61-37 13:76:09 0 d-------- H:\Customers and Suppliers
6137-61-37 13:76:09 0 d-------- H:\CQAR
6137-61-37 13:76:09 0 d-------- H:\Controls
6137-61-37 13:76:09 0 d-------- H:\Cat Shaft Retaining Ring 06-12-07
6137-61-37 13:76:09 0 d-------- H:\Capability Template
6137-61-37 13:76:09 0 d-------- H:\4T
2008-01-16 18:28:30 83 --a------ C:\WINDOWS\system32\pfdnnt_actions.sys
2008-01-16 18:28:30 8704 --a------ C:\WINDOWS\system32\pfdnnt.exe <Not Verified; Panda Software International; Panda Anti-malware>
2008-01-16 18:18:47 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-16 18:18:39 0 d-------- C:\WINDOWS\LastGood
2008-01-14 22:31:58 0 d-------- C:\Documents and Settings\narshad\Application Data\True Sword
2008-01-14 22:31:42 0 d-------- C:\Program Files\True Sword 4
2008-01-14 22:24:57 246545 --a------ C:\WINDOWS\system32\libssl32.dll <Not Verified; OpenSSL <www.openssl.org>; OpenSSL>
2008-01-14 22:24:57 1188375 --a------ C:\WINDOWS\system32\libeay32.dll <Not Verified; OpenSSL <www.openssl.org>; OpenSSL>
2008-01-14 22:24:42 42240 --a------ C:\WINDOWS\system32\vtdlewls.dat
2008-01-14 22:24:42 741632 --a------ C:\WINDOWS\system32\vqsinkrp.dat
2008-01-14 22:24:42 35072 --a------ C:\WINDOWS\system32\lgryhgon.dat
2008-01-14 22:24:42 36608 --a------ C:\WINDOWS\system32\godxfogs.dat
2008-01-14 22:07:41 0 --a------ C:\WINDOWS\nsreg.dat
2008-01-14 22:07:38 0 d-------- C:\Documents and Settings\narshad\Application Data\Mozilla
2008-01-13 22:18:14 120576 --a------ C:\WINDOWS\system32\meqzulkp.dat
2008-01-13 22:10:11 83968 --a------ C:\WINDOWS\system32\dsauthh.dll
2008-01-10 11:50:27 0 d-------- C:\Documents and Settings\narshad\Tracing
2008-01-10 00:16:26 0 d-------- C:\Program Files\WinBudget
2008-01-10 00:11:53 16384 --a------ C:\WINDOWS\system32\r390p5drn.exe
2008-01-10 00:11:40 0 d-------- C:\WINDOWS\system32\AppCert
2008-01-10 00:11:34 19584 --a------ C:\WINDOWS\system32\drivers\xvdwhdmg.dat
2008-01-10 00:11:20 83968 --a------ C:\WINDOWS\system32\dssech.dll
2008-01-09 23:16:53 0 d-------- C:\Program Files\UnRar for Windows
2008-01-03 01:53:36 0 d-------- C:\Documents and Settings\narshad\Application Data\vlc
2008-01-03 01:48:20 0 d-------- C:\Program Files\VideoLAN
2008-01-02 14:04:30 0 d-------- C:\Program Files\DIFX
2008-01-02 14:03:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Applications
2008-01-02 00:03:20 0 d-------- C:\Program Files\AWS
2008-01-02 00:03:20 0 d-------- C:\Documents and Settings\narshad\Application Data\WeatherBug
2008-01-01 18:48:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-01 16:10:58 0 d-------- C:\Documents and Settings\All Users\Application Data\live 64 math does
2007-12-31 00:06:56 0 d-------- C:\Documents and Settings\narshad\Application Data\DAEMON Tools
2007-12-31 00:06:51 0 d-------- C:\Program Files\DAEMON Tools Lite
2007-12-31 00:01:45 715248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-30 23:46:40 0 d-------- C:\Documents and Settings\narshad\Application Data\InterVideo
2007-12-30 17:46:54 0 d-------- C:\Program Files\uTorrent
2007-12-30 17:46:44 0 d-------- C:\Documents and Settings\narshad\Application Data\uTorrent
2007-12-29 01:35:17 0 d-------- C:\WINDOWS\SxsCaPendDel
2007-12-28 19:27:58 0 d-------- C:\Program Files\Windows Live Safety Center
2007-12-28 17:53:49 0 d-------- C:\Documents and Settings\NetworkService\Desktop
2007-12-28 17:29:53 0 d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2007-12-28 17:26:13 0 d-------- C:\Program Files\Common Files\iS3
2007-12-28 17:26:12 0 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2007-12-25 14:37:33 0 d------c- C:\WINDOWS\system32\DRVSTORE
2007-12-25 14:37:31 0 d-------- C:\Program Files\Common Files\Motorola Shared
2007-12-25 14:36:49 5936 --a------ C:\Documents and Settings\narshad\mqdmwhnt.sys <Not Verified; MCCI; Motorola DM Composite Driver>
2007-12-25 14:36:49 79328 --a------ C:\Documents and Settings\narshad\mqdmserd.sys <Not Verified; MCCI; Motorola USB Diag>
2007-12-25 14:36:49 92064 --a------ C:\Documents and Settings\narshad\mqdmmdm.sys <Not Verified; MCCI; Motorola USB Modem>
2007-12-25 14:36:49 9232 --a------ C:\Documents and Settings\narshad\mqdmmdfl.sys <Not Verified; MCCI; Motorola USB Modem Filter>
2007-12-25 14:36:49 4048 --a------ C:\Documents and Settings\narshad\mqdmcr.sys <Not Verified; MCCI; Motorola USB DIAG>
2007-12-25 14:36:49 6208 --a------ C:\Documents and Settings\narshad\mqdmcmnt.sys <Not Verified; MCCI; Motorola USB DIAG>
2007-12-25 14:36:49 66656 --a------ C:\Documents and Settings\narshad\mqdmbus.sys <Not Verified; MCCI; Motorola DM Composite Driver>
2007-12-25 14:36:49 6947 --a------ C:\Documents and Settings\narshad\1198615009-(null)
2007-12-25 14:19:30 0 d-------- C:\Documents and Settings\narshad\Application Data\InstallShield
2007-12-25 14:17:51 0 d-------- C:\Program Files\Avanquest update
2007-12-25 14:17:05 22768 --a------ C:\Documents and Settings\narshad\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2007-12-25 14:16:32 0 d-------- C:\Program Files\Motorola Phone Tools
2007-12-25 14:16:31 0 d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2007-12-22 22:13:32 0 d-------- C:\Program Files\MagicSofts
2007-12-22 21:57:35 26636 --a------ C:\WINDOWS\system32\igfxpers .exe
2007-12-22 21:57:33 26636 --a------ C:\WINDOWS\system32\hkcmd .exe
2007-12-22 21:57:32 26636 --a------ C:\WINDOWS\system32\igfxtray .exe
2007-12-22 21:35:25 0 d-------- C:\Program Files\QdrDrive
2007-12-21 12:07:58 0 d-------- C:\Program Files\Zada Solutions


-- Find3M Report ---------------------------------------------------------------

2008-01-15 09:20:44 0 d-------- C:\Program Files\Google
2008-01-10 23:43:24 0 d-------- C:\Program Files\NET6
2007-12-31 02:17:51 0 d-------- C:\Documents and Settings\narshad\Application Data\DivX
2007-12-29 00:13:35 0 d-------- C:\Program Files\Java
2007-12-28 17:32:09 0 d-------- C:\Program Files\ClearAllHistory
2007-12-28 17:26:13 0 d-------- C:\Program Files\Common Files
2007-12-28 17:20:32 0 d-------- C:\Program Files\Win64
2007-12-28 17:19:44 0 d-------- C:\Program Files\Yahoo! Games
2007-12-27 18:56:15 0 d-------- C:\Documents and Settings\narshad\Application Data\SopCast
2007-12-25 14:17:50 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-23 23:24:33 0 d-------- C:\Program Files\DivX
2007-12-11 16:34:56 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-12-11 16:33:14 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-12-11 16:33:14 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-12-11 16:33:04 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-11 16:33:04 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-11 16:33:04 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-11 16:33:04 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-11 16:32:28 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-02 02:09:16 0 d-------- C:\Program Files\Microsoft Silverlight
2007-11-17 12:24:24 0 d-------- C:\Documents and Settings\narshad\Application Data\Google


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{70AF82A5-494D-4C50-87FF-EB6C51CF5235}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{972E4C00-AC7B-400C-94E7-2AAE07791035}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"POINTER"="point32.exe" []
"AGRSMMSG"="AGRSMMSG.exe" [01/30/2006 12:00 AM C:\WINDOWS\AGRSMMSG.exe]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [08/03/2004 10:56 PM]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [09/01/2006 05:58 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"r390p5drn"="C:\WINDOWS\system32\r390p5drn.exe" [09/01/2006 05:53 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [08/29/2007 10:55 AM]
"r390p5drn"="C:\WINDOWS\system32\r390p5drn.exe" [09/01/2006 05:53 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NMPSystray.lnk - C:\Program Files\Cassetica\Cassetica NotesMedic Pro\NMPSystray.exe [10/18/2006 1:49:19 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=1 (0x1)
"NoDispAppearancePage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)
"NoVisualStyleChoice"=1 (0x1)
"NoColorChoice"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Intellimenus"=1 (0x1)
"NoInstrumentation"=1 (0x1)
"NoTaskGrouping"=1 (0x1)
"NoAutoTrayNotify"=1 (0x1)
"NoSimpleStartMenu"=1 (0x1)
"NoSMBalloonTip"=1 (0x1)
"DisablePersonalDirChange"=1 (0x1)
"NoDesktopCleanupWizard"=1 (0x1)
"NoActiveDesktop"=1 (0x1)
"ForceClassicControlPanel"=1 (0x1)
"NoThemesTab"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\etxiwovc]
dsauthh.dll 08/23/2001 06:00 AM 83968 C:\WINDOWS\system32\dsauthh.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geebc

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Instant Wireless Configuration Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Instant Wireless Configuration Utility.lnk
backup=C:\WINDOWS\pss\Instant Wireless Configuration Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Program Neighborhood Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Program Neighborhood Agent.lnk
backup=C:\WINDOWS\pss\Program Neighborhood Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LidPolicy]
C:\Program Files\Hewlett-Packard\LidSwitch Policy\pwrschem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
fjohcyfe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##amsfil02#operations]
1\Command- .\RECYCLER\Lcass.exe
2\Command- .\RECYCLER\Lcass.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\Lcass.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##amsfil02.network.int#netapps]
1\Command- .\RECYCLER\Lcass.exe
2\Command- .\RECYCLER\Lcass.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\Lcass.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##amsfil02.network.int#operations]
1\Command- .\RECYCLER\Lcass.exe
2\Command- .\RECYCLER\Lcass.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\Lcass.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f295f5c-0892-11dc-a1cb-444553544200}]

*Newly Created Service* - RKPAVPROC
*Newly Created Service* - SDTHOOK



-- Hosts -----------------------------------------------------------------------

127.0.0.1 bin.errorprotector.com ## added by CiD
127.0.0.1 br.errorsafe.com ## added by CiD
127.0.0.1 br.winantivirus.com ## added by CiD
127.0.0.1 br.winfixer.com ## added by CiD
127.0.0.1 cdn.drivecleaner.com ## added by CiD
127.0.0.1 cdn.errorsafe.com ## added by CiD
127.0.0.1 cdn.winsoftware.com ## added by CiD
127.0.0.1 de.errorsafe.com ## added by CiD
127.0.0.1 de.winantivirus.com ## added by CiD
127.0.0.1 download.cdn.drivecleaner.com ## added by CiD

7841 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-01-16 19:47:44 ------------

=======================================================================================
extra.txt
=======================================================================================

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Genuine Intel® CPU T2400 @ 1.83GHz
CPU 1: Genuine Intel® CPU T2400 @ 1.83GHz
Percentage of Memory in Use: 53%
Physical Memory (total/avail): 1015.36 MiB / 468.24 MiB
Pagefile Memory (total/avail): 2441.47 MiB / 2066.95 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1938.07 MiB

C: is Fixed (NTFS) - 74.53 GiB total, 56.77 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
H: is Network (*NT5CSC)
K: is Network (Unformatted)
M: is Network (*NT5CSC)
N: is Network (Unformatted)
P: is Network (Unformatted)
T: is Network (*NT5CSC)

\\.\PHYSICALDRIVE0 - HTS541080G9SA00 - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.53 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

FW: Trend Micro OfficeScan Enterprise Client Firewall v7.3 (TrendFirewall)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Windows Explorer"
"C:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"="C:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe:*:Enabled:Microsoft Office Live Meeting 2007"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Windows Explorer"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"="C:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe:*:Enabled:Microsoft Office Live Meeting 2007"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\narshad\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=AMSLT02625
ComSpec=C:\WINDOWS\system32\cmd.exe
devmgr_show_nonpresent_devices=1
FP_NO_HOST_CHECK=NO
HOMEDRIVE=H:
HOMEPATH=\
HOMESHARE=\\amsfil01\narshad$
lib=C:\Program Files\SQLXML 4.0\bin\
LOGONSERVER=\\AMSADC01
MINITAB_LICENSE_FILE=27003@AMSAPP05
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Autodesk Shared;n:\orant\bin;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\Microsoft SQL Server\90\DTS\Binn\;C:\Program Files\Microsoft SQL Server\90\Tools\Binn\VSShell\Common7\IDE\;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e08
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\Temp
TMP=C:\Temp
USERDNSDOMAIN=NETWORK.INT
USERDOMAIN=NETWORK
USERNAME=narshad
USERPROFILE=C:\Documents and Settings\narshad
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

bpbuss (admin)
amcneeley (admin)
narshad (admin)
Administrator (admin)
ASauerAdmin (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Avanquest update --> C:\Program Files\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\Setup.exe -runfromtemp -l0x0009 -removeonly
Citrix Secure Access Client --> C:\Program Files\NET6\net6vpn.exe -U
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
HijackThis 2.0.2 --> "C:\Documents and Settings\narshad\Desktop\HijackThis.exe" /uninstall
HyperLoad - Golf Course --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3CDF4815-1334-4AF3-B780-1F6526011C5A}\setup.exe" -l0x9 -uninst -removeonly
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Lotus NotesSQL Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F6DB5258-547E-4DF4-B370-628739A3B4B9}\setup.exe" -l0x9 AnyText
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office 2003 Web Components --> MsiExec.exe /I{90A40409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Live Meeting 2005 --> MsiExec.exe /I{5E8858EC-6B09-4939-99F2-5678073A0327}
Microsoft Office Live Meeting 2007 --> MsiExec.exe /I{63BEF36D-1782-4506-ABA6-6672B54641E0}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 --> "C:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server 2005 Backward compatibility --> MsiExec.exe /I{96327C3C-96BE-4C7A-A6F7-A71635E5949A}
Microsoft SQL Server 2005 Books Online (English) --> MsiExec.exe /I{0B43A744-B1B8-4089-9BD1-9D41C7EC0AA3}
Microsoft SQL Server 2005 Tools --> MsiExec.exe /I{1DD463C0-A50A-4394-B7E4-5895C02F9E0D}
Microsoft SQL Server Setup Support Files (English) --> MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft Visual Studio 2005 Premier Partner Edition - ENU --> MsiExec.exe /I{C25EF637-BE7A-4761-9B45-9069989C319F}
Minitab 15 English --> MsiExec.exe /I{0FAED7DC-4206-4F84-9A46-0ED6D5B623B8}
Motorola Driver Installation --> MsiExec.exe /I{3324A5DC-C7F6-430A-ACC8-F251CD8F4FC7}
Motorola Phone Tools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD8CA9C-77C0-4663-B00B-A8D3B13C341B}\setup.exe" -l0x9 -removeonly
Mozilla Firefox (2.0.0.11) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser --> MsiExec.exe /I{AEB9948B-4FF2-47C9-990E-47014492A0FE}
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
RCA Pearl (Model TH11, TC11 Series) Firmware Update Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8D48DDA6-D5D4-4858-A4F1-4952293E0201}\setup.exe" -l0x9 -remove
SAP Interactive Excel --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Common Files\SAP\SAPActXl.isu"
SopCast 1.1.2 --> C:\Program Files\SopCast\uninst.exe
SopCore 1.1.2 --> C:\Program Files\SopCast\uninst.exe
SoundCapture --> C:\PROGRA~1\MAGICS~1\SC\UNWISE.EXE C:\PROGRA~1\MAGICS~1\SC\INSTALL.LOG
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SQLXML4 --> MsiExec.exe /I{8C62A94B-4AB6-485F-A111-93056684D340}
TVUPlayer 2.3.2.52 --> C:\Program Files\TVUPlayer\uninst.exe
UGS Teamcenter Visualization 2005 SR1 --> MsiExec.exe /I{F16C6F9E-5974-4759-87B5-D84B4DEED99B}
UnRAR for Windows --> C:\Program Files\UnRar for Windows\Uninstal.exe
VideoLAN VLC media player 0.8.6d --> C:\Program Files\VideoLAN\VLC\uninstall.exe
WeatherBug --> MsiExec.exe /X{70DECFBF-9119-4434-B2D3-A3C283D15E45}
WebEx --> C:\WINDOWS\DOWNLO~1\atcliun.exe
Windows Driver Package - Microsoft Corporation (usbvideo) Image (05/25/2007 1.0.3656.0) --> rundll32.exe C:\PROGRA~1\DIFX\7AA84A78695B31A503D9537A76801D74E0FD14BD\DIFxAppA.dll, DIFxARPUninstallDriverPackage C:\WINDOWS\system32\DRVSTORE\RoundTable_F29D632BDCC1844B9B7688A0A4B4DA9E716B76FF\RoundTable.inf
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT


-- Application Event Log -------------------------------------------------------

Event Record #/Type18879 / Error
Event Submitted/Written: 01/16/2008 06:13:48 PM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Event Record #/Type18878 / Error
Event Submitted/Written: 01/16/2008 06:13:06 PM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Event Record #/Type18876 / Error
Event Submitted/Written: 01/16/2008 06:12:47 PM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Event Record #/Type18875 / Warning
Event Submitted/Written: 01/16/2008 05:25:10 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type18871 / Warning
Event Submitted/Written: 01/16/2008 08:30:00 AM
Event ID/Source: 4356 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{6295DF2D-35EE-11D1-8707-00C04FD93327}. CoGetObject returned HRESULT 8000401A.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type4269 / Error
Event Submitted/Written: 01/16/2008 06:58:10 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 59 minutes.
NtpClient has no source of accurate time.

Event Record #/Type4268 / Warning
Event Submitted/Written: 01/16/2008 06:58:10 PM
Event ID/Source: 14 / W32Time
Event Description:
The time provider NtpClient was unable to find a domain controller to use as a time
source. NtpClient will try again in 60 minutes.

Event Record #/Type4267 / Warning
Event Submitted/Written: 01/16/2008 06:28:56 PM
Event ID/Source: 11195 / DnsApi
Event Description:
The system failed to update and remove host (A) resource records (RRs)
for network adapter
with settings:


Adapter Name : {00A4832E-1CBA-4ADE-B09F-870C189AD50A}

Host Name : AMSLT02625

Primary Domain Suffix : network.int

DNS server list :

10.10.10.3, 10.10.10.7

Sent update to server : <?>

IP Address(es) :

10.10.114.6


The request to remove these records failed because the DNS server refused
the update request. The cause of this might be that either (a) this
computer is not allowed to update the DNS domain name specified by these
settings, or (b) because the DNS server authorized to perform updates for
the zone that contains these RRs does not support the DNS dynamic update
protocol.

Event Record #/Type4266 / Warning
Event Submitted/Written: 01/16/2008 06:28:56 PM
Event ID/Source: 11165 / DnsApi
Event Description:
The system failed to register host (A) resource records (RRs) for
network adapter
with settings:


Adapter Name : {65CEB19A-FB90-408F-84DB-7A5AC44B1787}

Host Name : AMSLT02625

Primary Domain Suffix : network.int

DNS server list :

69.5.139.3, 69.5.136.253

Sent update to server : <?>

IP Address(es) :

192.168.1.101


The reason the system could not register these RRs was because the
DNS server contacted refused the update request. The reasons for this
might be (a) you are not allowed to update the specified DNS domain name,
or (b) because the DNS server authoritative for this name
  • 0

#7
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
=================================
This FIX was REVISED: Please refer to the last post.
=================================



Hello,

Sorry for the delay. :)
Based on the DSS log, I would say your system is badly infected.
Please stick with me until we get you cleaned up, ok.

Let's begin.

Safe Mode

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Once in Safe Mode.

  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
"C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
"C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"

  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.
  • Press 2, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for .bak folder
  • It may take a few minutes to complete so be patient.

---------------
Step 2.
---------------
Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.


Post back with:

- NEW DSS LOG.
- New FindAWF scan log

Edited by koko_crunch, 22 January 2008 - 03:44 PM.

  • 0

#8
awan111

awan111

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Hi My friend,
just a clarification needed
You want me to copy the file paths to the clipboard (CTRL + C) and then run the DSS scan. I don't have to paste these files anywhere, just copy them to the clipboard, right?
I want to make sure I understand right.

Secondly , I cannot log in the safe mode with my username and password.
This computer is part of a domain and is my work laptop. I am trying to clean it when I bring it home.

Can you tell me how to log in as administrator in the safe mode.
  • 0

#9
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts

You want me to copy the file paths to the clipboard (CTRL + C) and then run the DSS scan. I don't have to paste these files anywhere, just copy them to the clipboard, right?
I want to make sure I understand right.



Yes, you need not paste them to any location.

Secondly , I cannot log in the safe mode with my username and password.
This computer is part of a domain and is my work laptop. I am trying to clean it when I bring it home.

Can you tell me how to log in as administrator in the safe mode.


I don't see why you can't. Your account has admin rights. Try rebooting in Safe Mode using your own account. You need not use the default ADMINISTRATOR account.

Also, please note that this fix requires us to reset domains and protocols. It is a good idea to ask your IT department about the settings so we can restore them later.
  • 0

#10
koko_crunch

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Hey awan111.

I have revised the previous fix posted. Just so that you are aware, I'm going to post it again.

---------------
Step 1.
---------------
Boot in Safe Mode

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Once in Safe Mode.

  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
"C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
"C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"

  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.
  • Press 2, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for .bak folder
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

---------------
Step 2.
---------------
Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.


Post back with:

- NEW DSS LOG.
- New FindAWF scan log

Edited by koko_crunch, 22 January 2008 - 04:25 PM.

  • 0
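The FindAWF step above restores legitimate programs that the infection displaced into a `bak` subfolder next to their replacements. As an added example (not part of this thread and not FindAWF's own code), the Python below finds that pattern on a constructed sample tree, compares each `bak` copy with its sibling by hash, and lists the restore moves without applying them; every path, file name and file content it creates is made up, and the 8.3 name `YAHOOM~1.EXE` from the thread is spelled out as `YahooMessenger.exe`.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large executables need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_awf_pairs(root):
    """Walk root and report every bak\\NAME.exe that has a sibling NAME.exe.

    A pair whose two files differ is the hallmark the fix above targets: the
    copy in bak is the displaced legitimate program, the sibling is whatever
    replaced it. Pairs that match and bak copies with no sibling are reported
    too so the caller can see them, but they are not restore candidates.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        # Windows paths are case-insensitive, so match names case-insensitively.
        siblings = {n.lower(): n for n in os.listdir(parent)}
        for name in sorted(filenames):
            if not name.lower().endswith(".exe"):
                continue
            original = os.path.join(dirpath, name)
            entry = {"original": original, "current": None, "differs": None}
            sibling = siblings.get(name.lower())
            if sibling is not None:
                current = os.path.join(parent, sibling)
                if os.path.isfile(current):
                    entry["current"] = current
                    entry["differs"] = sha256_of(original) != sha256_of(current)
            findings.append(entry)
    return findings


def restore_plan(findings):
    """List (source, destination) moves that put each displaced original back.

    Only pairs whose current file differs from the bak copy are included.
    Nothing is moved here; a caller would apply the plan after review.
    """
    return [(f["original"], f["current"]) for f in findings if f["differs"]]


def build_sample_tree():
    """Create a constructed directory tree mimicking the paths in the thread.

    Contents are made-up byte strings, not real executables. Returns the
    temporary root directory.
    """
    root = tempfile.mkdtemp(prefix="awf_sample_")
    pairs = {
        "Program Files/Yahoo!/Messenger": "YahooMessenger.exe",
        "Program Files/Common Files/InstallShield/UpdateService": "ISUSPM.exe",
        "Program Files/Common Files/Real/Update_OB": "realsched.exe",
    }
    for rel, exe in pairs.items():
        d = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.join(d, "bak"))
        with open(os.path.join(d, "bak", exe), "wb") as f:
            f.write(b"MZ constructed legitimate " + exe.encode())
        with open(os.path.join(d, exe), "wb") as f:
            f.write(b"MZ constructed replacement " + exe.encode())
    # Control cases: a bak copy identical to its sibling, and one with no sibling.
    same = os.path.join(root, "Program Files", "Clean", "bak")
    os.makedirs(same)
    for p in (os.path.join(same, "tool.exe"), os.path.join(same, os.pardir, "tool.exe")):
        with open(p, "wb") as f:
            f.write(b"MZ identical on both sides")
    orphan = os.path.join(root, "Program Files", "Orphan", "bak")
    os.makedirs(orphan)
    with open(os.path.join(orphan, "lonely.exe"), "wb") as f:
        f.write(b"MZ no sibling")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    hits = find_awf_pairs(sample)
    for hit in hits:
        print(hit)
    for src, dst in restore_plan(hits):
        print("restore:", src, "->", dst)
```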