Malware infected +_+;



#1 NadaSins (Member, 41 posts)
My computer started getting slow and I noticed a program installed called "Outerinfo", so I deleted it. The computer started running fine, then it started lagging again. Geekstogo.com has an Outerinfo removal guide, but I'm afraid I'll screw up a step and make it worse.

Please help. Thanks



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:01, on 2008-03-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\mrofinu572.exe
C:\Program Files\xInsIDE\xInsIDE.exe
C:\Program Files\JavaCore\JavaCore.exe
C:\Documents and Settings\Owner\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\wklqgxu.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NoDNS\NoDNS.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_3_12_0.dll
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [RegistrySmart] "C:\Program Files\RegistrySmart\RegistrySmart.exe" -boot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [niwoji] C:\Program Files\Kazaa Lite K++\niwoji77798.exe
O4 - HKLM\..\Run: [BM7bbb9987] Rundll32.exe "C:\WINDOWS\system32\wblqqdso.dll",s
O4 - HKLM\..\Run: [7888aa1b] rundll32.exe "C:\WINDOWS\system32\rlpqpxhr.dll",b
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [xInsIDE] C:\Program Files\xInsIDE\xInsIDE.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\JavaCore\JavaCore.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Owner\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\wklqgxu.exe
O4 - HKCU\..\Run: [NoDNS] C:\Program Files\\NoDNS\\NoDNS.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT User Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .aif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) -
O16 - DPF: {0AE0F5F9-8233-49A4-A3C8-004CE190787B} (BMSpeedCheck Control) -
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9BF607E0-4CC1-4099-9A07-362C9E4FB090} (WStarter Control) - http://live.pdbox.co...57/WStarter.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 8569 bytes
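A helper reads a log like the one above by eye. As an added example (it is not part of this thread and not HijackThis code), the script below parses the O4 Run-key and O15 Trusted Zone lines, resolves rundll32 entries to the DLL they are told to load, and flags the deterministic signals visible in this log: an image running out of the user profile, a file dropped straight into C:\WINDOWS rather than a subfolder, a long hex blob passed as a start-up argument, and any site an installer added to the Trusted Zone. The vowel-ratio check for random-looking names is my own weak heuristic and is labelled as such. The sample lines are copied from the log; the names `triage`, `Entry`, `split_command` and the regular expressions are mine.

```python
"""Triage HijackThis O4 (Run) and O15 (Trusted Zone) lines (added example, not HijackThis code)."""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the first HijackThis log in the thread,
# so the script runs offline without a real log file.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [BM7bbb9987] Rundll32.exe "C:\WINDOWS\system32\wblqqdso.dll",s
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Owner\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\wklqgxu.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] "
                    r"(?P<cmd>.+?)(?: \(User '[^']*'\))?$")
TRUSTED_RE = re.compile(r"^O15 - Trusted Zone: (?P<url>\S+)")
# image path (optionally quoted, may contain spaces) followed by optional arguments
IMAGE_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|scr|com|pif))"?(?:\s+(?P<args>.*))?$',
                      re.IGNORECASE)
DLL_ARG_RE = re.compile(r'"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)
HEX_BLOB_RE = re.compile(r"\b[0-9A-Fa-f]{32,}\b")
WINDOWS_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$")  # file directly under C:\WINDOWS

@dataclass
class Entry:
    kind: str      # "run" or "trusted-zone"
    hive: str
    name: str
    image: str     # the executable, or the DLL that rundll32 is told to load
    args: str = ""
    flags: List[str] = field(default_factory=list)

def split_command(cmd: str) -> Tuple[str, str]:
    """Separate the image path from its arguments."""
    m = IMAGE_RE.match(cmd.strip())
    if m:
        return m.group("path"), (m.group("args") or "").strip()
    head, _, tail = cmd.strip().partition(" ")  # no recognised extension: first token
    return head, tail.strip()

def resolve_image(path: str, args: str) -> str:
    """rundll32.exe is only a host; what matters is the module it loads."""
    if ntpath.basename(path).lower() == "rundll32.exe":
        m = DLL_ARG_RE.match(args)
        if m:
            return m.group("dll")
    return path

def vowel_ratio(stem: str) -> Optional[float]:
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 6:
        return None
    return sum(c in "aeiou" for c in letters) / len(letters)

def flag_image(image: str, args: str) -> List[str]:
    flags = []
    low = image.lower()
    if "\\documents and settings\\" in low or "\\temp\\" in low:
        flags.append("runs from a user-profile or temp path")
    if WINDOWS_ROOT_RE.match(low):
        flags.append("file dropped directly in the Windows root")
    if HEX_BLOB_RE.search(args):
        flags.append("long hex blob passed as argument")
    ratio = vowel_ratio(ntpath.splitext(ntpath.basename(image))[0])
    if ratio is not None and ratio <= 0.15:  # my own heuristic: weak signal, verify by hand
        flags.append("random-looking file name (weak signal)")
    return flags

def triage(log_text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            path, args = split_command(m.group("cmd"))
            image = resolve_image(path, args)
            entries.append(Entry("run", m.group("hive"), m.group("name"), image, args,
                                 flag_image(image, args)))
            continue
        m = TRUSTED_RE.match(line)
        if m:  # anything an installer put in the Trusted Zone deserves a look
            entries.append(Entry("trusted-zone", "HKLM", "", m.group("url"), "",
                                 ["site added to the IE Trusted Zone"]))
    return entries

if __name__ == "__main__":
    for e in [x for x in triage(SAMPLE_LOG) if x.flags]:
        print(f"[{e.kind}] {e.hive} [{e.name}] {e.image}")
        for f in e.flags:
            print("    -", f)
```

Run against the full first log, this leaves the HP, AVG, Adobe and Works entries unflagged and picks out mrofinu572.exe, the two Application Data executables, the rundll32-loaded system32 DLLs and the four Mirar Trusted Zone sites. A flag is a reason to look, not a verdict: confirm with a hash lookup or a signature check before removing anything.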
#2 Rorschach112 (Retired Staff, 47,710 posts)
Hello

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

#3 NadaSins (Topic Starter)
I tried to block AVG and Norton but didn't know how, so I carried on with ComboFix. Then this message showed up:

"roughly 1/100 machines failed to make it through the disinfection process!! Are you sure you want to do this??"

but I ignored it and continued. When my computer restarted, 3 programs auto-started while it said "don't run any programs". Well... here's the log report; I'll get the other one soon.

ComboFix 08-03-05.3 - Owner 2008-03-06 15:51:46.4 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\b103.exe
C:\WINDOWS\b104.exe
C:\WINDOWS\b111.exe
C:\WINDOWS\b116.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\b149.exe
C:\WINDOWS\b152.exe
C:\WINDOWS\b153.exe
C:\WINDOWS\b154.exe
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\hfzlnugm.dllbox

.
((((((((((((((((((((((((( Files Created from 2008-02-06 to 2008-03-06 )))))))))))))))))))))))))))))))
.

2008-03-06 12:57 . 2004-08-03 23:56 388,608 --a------ C:\CF4424.exe
2008-03-05 21:20 . 2008-03-05 21:20 136,627 --a------ C:\WINDOWS\POTA777444.exe
2008-03-05 17:11 . 2008-03-05 17:11 <DIR> d-------- C:\Program Files\nvcoi
2008-03-04 02:00 . 2008-03-04 02:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-22 21:09 . 2008-02-22 21:09 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-02-21 07:23 . 2008-02-21 07:23 <DIR> d-------- C:\WINDOWS\system32\dv6
2008-02-16 22:36 . 2008-02-16 22:36 60,396 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-02-16 03:52 . 2008-02-16 03:52 <DIR> d-------- C:\Program Files\Ventrilo
2008-02-16 03:52 . 2008-02-16 03:56 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Ventrilo
2008-02-14 22:53 . 2008-02-17 12:15 <DIR> d-------- C:\Program Files\mIRC
2008-02-14 22:53 . 2008-02-17 12:22 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\mIRC
2008-02-14 22:16 . 2008-02-14 22:51 <DIR> d-------- C:\Program Files\Miranda IM
2008-02-14 22:16 . 2008-02-14 22:42 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Miranda

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-06 23:44 --------- d-----w C:\Program Files\RegistrySmart
2008-03-06 23:01 --------- d-----w C:\Program Files\Spyware Terminator
2008-03-06 22:56 --------- d-----w C:\Documents and Settings\Owner\Application Data\Spyware Terminator
2008-03-06 22:50 138,752 ----a-w C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-03-06 22:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-03-06 21:26 --------- d-----w C:\Program Files\Kazaa Lite K++
2008-03-06 05:21 --------- d-----w C:\Program Files\InterActual
2008-03-04 22:45 --------- d-----w C:\Program Files\Starcraft
2008-03-04 00:12 --------- d-----w C:\Program Files\GRETECH
2008-02-22 15:37 10 ----a-w C:\Program Files\.autoreg
2008-02-21 06:58 --------- d-----w C:\Documents and Settings\Owner\Application Data\Hamachi
2008-02-16 11:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-01 02:25 --------- d-----w C:\Program Files\Winamp
2008-01-31 17:55 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2007-06-04 06:51 78,256 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2005-12-13 02:13 487 ---ha-w C:\Documents and Settings\Owner\hpothb07.dat
2005-12-13 02:13 168 ---ha-w C:\Documents and Settings\Administrator\hpothb07.dat
2005-12-13 02:12 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
2004-01-27 22:23 3,149 ----a-w C:\Program Files\Common Files\remove_tools.html
1758-04-10 21:37 4,263 --sh--w C:\WINDOWS\windllreg1c.sys
2002-04-05 04:27 32 --sha-w C:\WINDOWS\{2917D895-CC4F-4217-8724-D768C6368C6D}.dat
2002-04-05 06:38 32 --sha-w C:\WINDOWS\{A143BC4A-5820-4FE1-8526-2904338C9DE6}.dat
2004-05-06 17:23 32 --sha-w C:\WINDOWS\{F5550B61-EE77-4607-83A0-87E24799E0FC}.dat
2002-01-02 02:42 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2002-04-05 06:38 32 --sha-w C:\WINDOWS\system32\{280DAFF3-8139-4160-BF20-B5FAB6439F01}.dat
2004-05-06 17:23 32 --sha-w C:\WINDOWS\system32\{60F32918-14D9-4729-9932-2498623DB729}.dat
2002-04-05 04:27 32 --sha-w C:\WINDOWS\system32\{C23D5591-7643-42BA-BB4B-2C1D59900812}.dat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}
{EF99BD32-C1FB-11D2-892F-0090271D4F88}
{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}

[HKEY_CLASSES_ROOT\clsid\{9a9c9b68-f908-4aab-8d0c-10ea8997f37e}]
[HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"= C:\WINDOWS\system32\WinNB58.dll [ ]

[HKEY_CLASSES_ROOT\clsid\{9a9c9b68-f908-4aab-8d0c-10ea8997f37e}]
[HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
"Uniblue SpeedUpMyPC"="C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2007-10-22 10:13 9438488]
"nvcoi"="C:\Program Files\nvcoi\nvcoi.exe" [2008-03-05 17:11 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-03-06 14:50 2957824]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-24 18:20 28672]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-13 14:36 185896]
"niwoji"="C:\Program Files\Kazaa Lite K++\niwoji77798.exe" [2007-08-07 12:30 163840]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-05-20 16:54 145920]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2004-03-02 18:39:22 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2004-11-04 18:28:24 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe [2004-11-04 18:50:52 53248]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
officejet 6100.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2002-06-27 01:21:30 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 02:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Mercora IMRadio.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Mercora IMRadio.lnk
backup=C:\WINDOWS\pss\Mercora IMRadio.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a------ 2003-12-10 03:52 380928 C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"Macromedia Licensing Service"=3 (0x3)
"wuauserv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-03-06 14:50]
S3 vgadrv;vgadrv;C:\WINDOWS\system32\DRIVERS\vgadrv.sys [2006-06-10 01:41]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2002-04-03 03:12:49 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1010026048.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
"2008-03-07 00:00:01 C:\WINDOWS\Tasks\PCHealth Scheduler for Upload Library.job"
- C:\WINDOWS\PCHealth\UploadLB\Binaries\UploadM.exe
"2008-03-06 23:04:34 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-11-15 01:41:41 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-06 16:02:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
.
Completion time: 2008-03-06 16:08:02
ComboFix-quarantined-files.txt 2008-03-07 00:07:49
ComboFix2.txt 2008-03-06 21:50:10
.
2008-02-14 12:09:46 --- E O F ---

#4 NadaSins (Topic Starter)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:17:44 PM, on 3/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\nvcoi\nvcoi.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_3_12_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_3_12_0.dll
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [niwoji] C:\Program Files\Kazaa Lite K++\niwoji77798.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT User Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .aif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) -
O16 - DPF: {0AE0F5F9-8233-49A4-A3C8-004CE190787B} (BMSpeedCheck Control) -
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9BF607E0-4CC1-4099-9A07-362C9E4FB090} (WStarter Control) - http://live.pdbox.co...57/WStarter.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 8020 bytes

#5 Rorschach112 (Retired Staff, 47,710 posts)
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\CF4424.exe
C:\WINDOWS\POTA777444.exe
C:\Program Files\Kazaa Lite K++\niwoji77798.exe
D:\Info.exe

Folder::
C:\Program Files\nvcoi
C:\WINDOWS\system32\dv6

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]


Save this as CFScript.txt, in the same location as ComboFix.exe


[screenshot: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Download FindAWF.exe from here or here, and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 1, then press Enter
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

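FindAWF's menu options 1 to 3 deal with a downloader that moves a program's start-up executable into a `bak` subfolder next to it and puts its own copy in the original's place, so the infection runs every time the legitimate program is supposed to. As an added example that is not FindAWF and not code from any post in this thread, the script below does the same scan over a directory tree: it lists executables inside any folder named `bak`, compares each parked file with the live one a level up by SHA-256, and can quarantine the stub and move the original back. The directory layout is a constructed fixture in a temp directory, and the function names (`find_bak_hits`, `restore`, `make_sample_root`) are mine.

```python
"""Find and undo 'bak' folder swaps (added example; not FindAWF, not code from the thread)."""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass
from typing import List, Optional

EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}

@dataclass
class BakHit:
    bak_path: str              # parked original inside <dir>\bak\
    live_path: str             # same file name in <dir>, which is what actually runs
    live_exists: bool
    identical: Optional[bool]  # None when there is no live file to compare against

def sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_bak_hits(root: str) -> List[BakHit]:
    """Like FindAWF option 1: executables sitting in any folder named 'bak',
    with a note on whether the file one level up differs from the parked copy."""
    hits: List[BakHit] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        for name in sorted(filenames):
            if os.path.splitext(name)[1].lower() not in EXEC_EXT:
                continue
            bak = os.path.join(dirpath, name)
            live = os.path.join(parent, name)
            exists = os.path.isfile(live)
            same = (sha256(bak) == sha256(live)) if exists else None
            hits.append(BakHit(bak, live, exists, same))
    return hits

def restore(hit: BakHit, quarantine: Optional[str] = None) -> str:
    """Like FindAWF option 2 for one hit: park the stub that replaced the program
    in a quarantine folder (named by its hash, so it can be submitted to an AV
    vendor) and move the original back. Only call this for hits you have judged
    to be swaps, not for every folder that happens to be called 'bak'."""
    quarantine = quarantine or os.path.join(os.path.dirname(hit.live_path), "quarantine")
    os.makedirs(quarantine, exist_ok=True)
    if hit.live_exists:
        shutil.move(hit.live_path, os.path.join(quarantine, sha256(hit.live_path) + ".quarantined"))
    shutil.move(hit.bak_path, hit.live_path)
    return hit.live_path

def make_sample_root() -> str:
    """Constructed fixture: QuickTime's qttask.exe swapped for a stub, mIRC untouched."""
    root = tempfile.mkdtemp(prefix="awfscan-")
    qt = os.path.join(root, "Program Files", "QuickTime")
    os.makedirs(os.path.join(qt, "bak"))
    with open(os.path.join(qt, "bak", "qttask.exe"), "wb") as f:
        f.write(b"MZ original qttask (constructed)")
    with open(os.path.join(qt, "qttask.exe"), "wb") as f:
        f.write(b"MZ downloader stub (constructed)")
    mirc = os.path.join(root, "Program Files", "mIRC")
    os.makedirs(mirc)
    with open(os.path.join(mirc, "mirc.exe"), "wb") as f:
        f.write(b"MZ mirc (constructed)")
    return root

def read_bytes(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read()

if __name__ == "__main__":
    root = make_sample_root()
    for hit in find_bak_hits(root):
        state = "no live file" if not hit.live_exists else ("identical" if hit.identical else "DIFFERS")
        print(f"{hit.bak_path}\n    live copy: {state}")
        if hit.identical is False:
            print("    restored to", restore(hit))
    shutil.rmtree(root)
```

Point it at `C:\Program Files` and `C:\WINDOWS` on a live system and you get the same list FindAWF prints in the report below, plus a hash comparison the tool's listing does not show. A `bak` folder by itself proves nothing (some installers keep genuine backups there); the telling case is a parked executable whose live twin differs from it and was modified at the time the infection appeared.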

#6 NadaSins (Topic Starter)
Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Thu 03/06/2008
The current time is: 22:04:20.57


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\BITTOR~1\BAK

10/31/2006 04:34 PM 43,008 bittorrent.exe
1 File(s) 43,008 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

11/26/2005 05:01 PM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\WINDOWS\SMINST\BAK

09/13/2002 08:42 PM 212,992 RECGUARD.EXE
1 File(s) 212,992 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

05/07/1998 03:04 PM 52,736 hpsysdrv.exe
1 File(s) 52,736 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/20/2004 03:51 PM 118,784 hkcmd.exe
08/20/2004 03:55 PM 155,648 igfxtray.exe
10/16/2002 02:57 PM 81,920 ps2.exe
3 File(s) 356,352 bytes

Directory of C:\PROGRA~1\BROADJ~1\CLIENT~1\BAK

09/10/2002 08:26 PM 368,706 CFD.exe
1 File(s) 368,706 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

12/02/2003 03:11 PM 54,296 ccApp.exe
12/02/2003 03:11 PM 58,392 ccRegVfy.exe
2 File(s) 112,688 bytes

Directory of C:\PROGRA~1\GRISOFT\AVGFRE~1\BAK

10/24/2006 11:36 AM 406,016 avgcc.exe
1 File(s) 406,016 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPSHAR~1\BAK

04/17/2002 04:42 PM 69,632 hpgs2wnd.exe
1 File(s) 69,632 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPSOFT~1\BAK

09/13/2004 02:49 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\SOFTEX\WEBLINK\BAK

02/21/2003 03:09 AM 524,288 WebLink.exe
1 File(s) 524,288 bytes

Directory of C:\PROGRA~1\YAHOO!\BROWSER\BAK

07/11/2003 02:51 PM 57,344 ybrwicon.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

08/03/2006 12:33 AM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

08/19/2003 12:01 AM 110,592 sgtray.exe
1 File(s) 110,592 bytes

Directory of C:\PROGRA~1\HEWLET~1\DIGITA~1\UNLOAD\BAK

10/06/2002 11:23 PM 90,112 hpqcmon.exe
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

06/03/2004 09:05 PM 32,881 jusched.exe
1 File(s) 32,881 bytes

Directory of C:\PROGRA~1\VISUAL~1\VISUAL~1\SBC\BAK

06/11/2003 12:52 AM 380,928 IPClient.exe
06/11/2003 12:52 AM 122,880 IPMon32.exe
2 File(s) 503,808 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

43008 Oct 31 2006 "C:\Program Files\BitTorrent\bak\bittorrent.exe"
77824 Nov 26 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
212992 Sep 13 2002 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
118784 Aug 20 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 Mar 11 2003 "C:\hp\drivers\video\865\hkcmd.exe"
114688 Mar 11 2003 "C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\hkcmd.exe"
114688 Mar 11 2003 "C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\hkcmd.exe"
155648 Aug 20 2004 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 Mar 11 2003 "C:\hp\drivers\video\865\igfxtray.exe"
155648 Mar 11 2003 "C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\igfxtray.exe"
155648 Mar 11 2003 "C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\igfxtray.exe"
81920 Oct 16 2002 "C:\hp\drivers\keyboard\PS2.EXE"
81920 Oct 16 2002 "C:\WINDOWS\system32\bak\ps2.exe"
368706 Sep 10 2002 "C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe"
54296 Dec 2 2003 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
58392 Dec 2 2003 "C:\Program Files\Common Files\Symantec Shared\bak\ccRegVfy.exe"
416256 May 20 2007 "C:\Program Files\Grisoft\AVG Free\avgcc.exe"
406016 Oct 24 2006 "C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe"
69632 Apr 17 2002 "C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe"
49152 Sep 13 2004 "C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe"
49152 Sep 13 2004 "C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe"
524288 Feb 21 2003 "C:\Program Files\Softex\Weblink\bak\WebLink.exe"
57344 Jul 11 2003 "C:\Program Files\Yahoo!\browser\bak\ybrwicon.exe"
185896 Jan 13 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Aug 3 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
90112 Oct 6 2002 "C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\bak\hpqcmon.exe"
32881 Jun 3 2004 "C:\Program Files\Java\j2re1.4.2_05\bin\bak\jusched.exe"
360448 Jul 14 2003 "C:\Program Files\SBC Yahoo!\Connection Manager\IP Insight\IPClient.exe"
380928 Jun 11 2003 "C:\Program Files\Visual Networks\Visual IP InSight\SBC\bak\IPClient.exe"
98304 Jul 14 2003 "C:\Program Files\SBC Yahoo!\Connection Manager\IP Insight\ipmon32.exe"
122880 Jun 11 2003 "C:\Program Files\Visual Networks\Visual IP InSight\SBC\bak\IPMon32.exe"


end of report







ComboFix 08-03-05.3 - Owner 2008-03-06 15:51:46.4 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\b103.exe
C:\WINDOWS\b104.exe
C:\WINDOWS\b111.exe
C:\WINDOWS\b116.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\b149.exe
C:\WINDOWS\b152.exe
C:\WINDOWS\b153.exe
C:\WINDOWS\b154.exe
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\hfzlnugm.dllbox

.
((((((((((((((((((((((((( Files Created from 2008-02-06 to 2008-03-06 )))))))))))))))))))))))))))))))
.

2008-03-06 12:57 . 2004-08-03 23:56 388,608 --a------ C:\CF4424.exe
2008-03-05 21:20 . 2008-03-05 21:20 136,627 --a------ C:\WINDOWS\POTA777444.exe
2008-03-05 17:11 . 2008-03-05 17:11 <DIR> d-------- C:\Program Files\nvcoi
2008-03-04 02:00 . 2008-03-04 02:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-22 21:09 . 2008-02-22 21:09 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-02-21 07:23 . 2008-02-21 07:23 <DIR> d-------- C:\WINDOWS\system32\dv6
2008-02-16 22:36 . 2008-02-16 22:36 60,396 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-02-16 03:52 . 2008-02-16 03:52 <DIR> d-------- C:\Program Files\Ventrilo
2008-02-16 03:52 . 2008-02-16 03:56 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Ventrilo
2008-02-14 22:53 . 2008-02-17 12:15 <DIR> d-------- C:\Program Files\mIRC
2008-02-14 22:53 . 2008-02-17 12:22 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\mIRC
2008-02-14 22:16 . 2008-02-14 22:51 <DIR> d-------- C:\Program Files\Miranda IM
2008-02-14 22:16 . 2008-02-14 22:42 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Miranda

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-06 23:44 --------- d-----w C:\Program Files\RegistrySmart
2008-03-06 23:01 --------- d-----w C:\Program Files\Spyware Terminator
2008-03-06 22:56 --------- d-----w C:\Documents and Settings\Owner\Application Data\Spyware Terminator
2008-03-06 22:50 138,752 ----a-w C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-03-06 22:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-03-06 21:26 --------- d-----w C:\Program Files\Kazaa Lite K++
2008-03-06 05:21 --------- d-----w C:\Program Files\InterActual
2008-03-04 22:45 --------- d-----w C:\Program Files\Starcraft
2008-03-04 00:12 --------- d-----w C:\Program Files\GRETECH
2008-02-22 15:37 10 ----a-w C:\Program Files\.autoreg
2008-02-21 06:58 --------- d-----w C:\Documents and Settings\Owner\Application Data\Hamachi
2008-02-16 11:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-01 02:25 --------- d-----w C:\Program Files\Winamp
2008-01-31 17:55 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2007-06-04 06:51 78,256 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2005-12-13 02:13 487 ---ha-w C:\Documents and Settings\Owner\hpothb07.dat
2005-12-13 02:13 168 ---ha-w C:\Documents and Settings\Administrator\hpothb07.dat
2005-12-13 02:12 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
2004-01-27 22:23 3,149 ----a-w C:\Program Files\Common Files\remove_tools.html
1758-04-10 21:37 4,263 --sh--w C:\WINDOWS\windllreg1c.sys
2002-04-05 04:27 32 --sha-w C:\WINDOWS\{2917D895-CC4F-4217-8724-D768C6368C6D}.dat
2002-04-05 06:38 32 --sha-w C:\WINDOWS\{A143BC4A-5820-4FE1-8526-2904338C9DE6}.dat
2004-05-06 17:23 32 --sha-w C:\WINDOWS\{F5550B61-EE77-4607-83A0-87E24799E0FC}.dat
2002-01-02 02:42 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2002-04-05 06:38 32 --sha-w C:\WINDOWS\system32\{280DAFF3-8139-4160-BF20-B5FAB6439F01}.dat
2004-05-06 17:23 32 --sha-w C:\WINDOWS\system32\{60F32918-14D9-4729-9932-2498623DB729}.dat
2002-04-05 04:27 32 --sha-w C:\WINDOWS\system32\{C23D5591-7643-42BA-BB4B-2C1D59900812}.dat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}
{EF99BD32-C1FB-11D2-892F-0090271D4F88}
{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}

[HKEY_CLASSES_ROOT\clsid\{9a9c9b68-f908-4aab-8d0c-10ea8997f37e}]
[HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"= C:\WINDOWS\system32\WinNB58.dll [ ]

[HKEY_CLASSES_ROOT\clsid\{9a9c9b68-f908-4aab-8d0c-10ea8997f37e}]
[HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
"Uniblue SpeedUpMyPC"="C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2007-10-22 10:13 9438488]
"nvcoi"="C:\Program Files\nvcoi\nvcoi.exe" [2008-03-05 17:11 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-03-06 14:50 2957824]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-24 18:20 28672]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-13 14:36 185896]
"niwoji"="C:\Program Files\Kazaa Lite K++\niwoji77798.exe" [2007-08-07 12:30 163840]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-05-20 16:54 145920]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2004-03-02 18:39:22 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2004-11-04 18:28:24 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe [2004-11-04 18:50:52 53248]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
officejet 6100.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2002-06-27 01:21:30 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 02:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Mercora IMRadio.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Mercora IMRadio.lnk
backup=C:\WINDOWS\pss\Mercora IMRadio.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a------ 2003-12-10 03:52 380928 C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"Macromedia Licensing Service"=3 (0x3)
"wuauserv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-03-06 14:50]
S3 vgadrv;vgadrv;C:\WINDOWS\system32\DRIVERS\vgadrv.sys [2006-06-10 01:41]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2002-04-03 03:12:49 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1010026048.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
"2008-03-07 00:00:01 C:\WINDOWS\Tasks\PCHealth Scheduler for Upload Library.job"
- C:\WINDOWS\PCHealth\UploadLB\Binaries\UploadM.exe
"2008-03-06 23:04:34 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-11-15 01:41:41 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-06 16:02:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
.
Completion time: 2008-03-06 16:08:02
ComboFix-quarantined-files.txt 2008-03-07 00:07:49
ComboFix2.txt 2008-03-06 21:50:10
.
2008-02-14 12:09:46 --- E O F ---
  • 0

#7
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    "C:\PROGRA~1\BITTOR~1\BAK\bittorrent.exe"
    "C:\PROGRA~1\QUICKT~1\BAK\qttask.exe"
    "C:\WINDOWS\SMINST\BAK\RECGUARD.EXE"
    "C:\WINDOWS\SYSTEM\BAK\hpsysdrv.exe"
    "C:\WINDOWS\SYSTEM32\BAK\hkcmd.exe"
    "C:\WINDOWS\SYSTEM32\BAK\igfxtray.exe"
    "C:\WINDOWS\SYSTEM32\BAK\ps2.exe"
    "C:\PROGRA~1\BROADJ~1\CLIENT~1\BAK\CFD.exe"
    "C:\PROGRA~1\COMMON~1\SYMANT~1\BAK\ccApp.exe"
    "C:\PROGRA~1\COMMON~1\SYMANT~1\BAK\ccRegVfy.exe"
    "C:\PROGRA~1\GRISOFT\AVGFRE~1\BAK\avgcc.exe"
    "C:\PROGRA~1\HEWLET~1\HPSHAR~1\BAK\hpgs2wnd.exe"
    "C:\PROGRA~1\HEWLET~1\HPSOFT~1\BAK\HPWuSchd2.exe"
    "C:\PROGRA~1\SOFTEX\WEBLINK\BAK\WebLink.exe"
    "C:\PROGRA~1\YAHOO!\BROWSER\BAK\ybrwicon.exe"
    "C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK\realsched.exe"
    "C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK\sgtray.exe"
    "C:\PROGRA~1\HEWLET~1\DIGITA~1\UNLOAD\BAK\hpqcmon.exe"
    "C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK\jusched.exe"
    "C:\PROGRA~1\VISUAL~1\VISUAL~1\SBC\BAK\IPClient.exe"
    "C:\PROGRA~1\VISUAL~1\VISUAL~1\SBC\BAK\IPMon32.exe"



  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 2, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\CF4424.exe
C:\WINDOWS\POTA777444.exe
D:\Info.exe

Folder::
C:\Program Files\nvcoi
C:\WINDOWS\system32\dv6

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

  • 0
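As an added example (not part of FindAWF, ComboFix or this thread), the Python below parses the AWF.txt layout posted above: it pairs each file in a bak folder with its live copy from the "Duplicate files" section, reports whether that live copy is missing, replaced (size differs from the bak copy, as avgcc.exe and realsched.exe were in the first report) or intact, and prints the quoted 8.3 bak paths in the form the restore step expects. The report text is a constructed excerpt and the function names are my own.

```python
"""Parse a FindAWF AWF.txt report and work out which bak-folder originals
still need restoring.  Added example; not part of FindAWF or this thread."""
import re
from dataclasses import dataclass

# Constructed excerpt in the AWF.txt layout shown in the thread (three entries).
SAMPLE_REPORT = r"""
bak folders found
~~~~~~~~~~~

Directory of C:\PROGRA~1\GRISOFT\AVGFRE~1\BAK

10/24/2006 11:36 AM 406,016 avgcc.exe
1 File(s) 406,016 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

11/26/2005 05:01 PM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/20/2004 03:51 PM 118,784 hkcmd.exe
1 File(s) 118,784 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

416256 May 20 2007 "C:\Program Files\Grisoft\AVG Free\avgcc.exe"
406016 Oct 24 2006 "C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe"
77824 Nov 26 2005 "C:\Program Files\QuickTime\qttask.exe"
77824 Nov 26 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
118784 Aug 20 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 Mar 11 2003 "C:\hp\drivers\video\865\hkcmd.exe"

end of report
"""


@dataclass(frozen=True)
class BakFile:
    bak_dir: str   # 8.3 short path of the BAK folder, exactly as FindAWF prints it
    name: str
    size: int


@dataclass(frozen=True)
class Dup:
    size: int
    path: str      # long path from the "Duplicate files" section


DIR_RE = re.compile(r"^Directory of (?P<dir>.+)$")
FILE_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2} [AP]M (?P<size>[\d,]+) (?P<name>\S.*)$")
DUP_RE = re.compile(r'^(?P<size>\d+) \w{3} \d{1,2} \d{4} "(?P<path>[^"]+)"$')


def parse_report(text):
    """Return (bak files, duplicate entries) from an AWF.txt report."""
    baks, dups, current_dir = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := DIR_RE.match(line):
            current_dir = m.group("dir")
        elif (m := FILE_RE.match(line)) and current_dir:
            baks.append(BakFile(current_dir, m.group("name"),
                                int(m.group("size").replace(",", ""))))
        elif m := DUP_RE.match(line):
            dups.append(Dup(int(m.group("size")), m.group("path")))
    return baks, dups


def classify(baks, dups):
    """Map each bak-folder file to 'replaced', 'missing', 'intact' or 'unknown'."""
    by_path = {d.path.lower(): d for d in dups}
    status = {}
    for b in baks:
        key = "\\bak\\" + b.name.lower()
        bak_dup = next((d for d in dups if d.path.lower().endswith(key)), None)
        if bak_dup is None:
            status[b.name] = "unknown"        # bak copy not listed as a duplicate
            continue
        # Live location = bak path with the "\bak" component removed.
        idx = bak_dup.path.lower().rfind("\\bak\\")
        live_path = bak_dup.path[:idx] + bak_dup.path[idx + 4:]
        live = by_path.get(live_path.lower())
        if live is None:
            status[b.name] = "missing"        # live copy gone (e.g. deleted by cleanup)
        elif live.size == bak_dup.size:
            status[b.name] = "intact"         # original already back in place
        else:
            status[b.name] = "replaced"       # different file sits under the real name
    return status


def restore_list(baks, status):
    """Quoted 8.3 bak paths to paste into FindAWF.txt for option 2."""
    return [f'"{b.bak_dir}\\{b.name}"' for b in baks
            if status.get(b.name) in ("replaced", "missing")]


if __name__ == "__main__":
    baks, dups = parse_report(SAMPLE_REPORT)
    status = classify(baks, dups)
    for b in baks:
        print(f"{b.name:<14} {status[b.name]}")
    print("\nPaste into FindAWF.txt for option 2:")
    print("\n".join(restore_list(baks, status)))
```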

#8
NadaSins

NadaSins

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Sat 03/08/2008
The current time is: 15:01:46.78


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\BITTOR~1\BAK

10/31/2006 04:34 PM 43,008 bittorrent.exe
1 File(s) 43,008 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

11/26/2005 05:01 PM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\WINDOWS\SMINST\BAK

09/13/2002 08:42 PM 212,992 RECGUARD.EXE
1 File(s) 212,992 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

05/07/1998 03:04 PM 52,736 hpsysdrv.exe
1 File(s) 52,736 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/20/2004 03:51 PM 118,784 hkcmd.exe
08/20/2004 03:55 PM 155,648 igfxtray.exe
10/16/2002 02:57 PM 81,920 ps2.exe
3 File(s) 356,352 bytes

Directory of C:\PROGRA~1\BROADJ~1\CLIENT~1\BAK

09/10/2002 08:26 PM 368,706 CFD.exe
1 File(s) 368,706 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

12/02/2003 03:11 PM 54,296 ccApp.exe
12/02/2003 03:11 PM 58,392 ccRegVfy.exe
2 File(s) 112,688 bytes

Directory of C:\PROGRA~1\GRISOFT\AVGFRE~1\BAK

10/24/2006 11:36 AM 406,016 avgcc.exe
1 File(s) 406,016 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPSHAR~1\BAK

04/17/2002 04:42 PM 69,632 hpgs2wnd.exe
1 File(s) 69,632 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPSOFT~1\BAK

09/13/2004 02:49 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\SOFTEX\WEBLINK\BAK

02/21/2003 03:09 AM 524,288 WebLink.exe
1 File(s) 524,288 bytes

Directory of C:\PROGRA~1\YAHOO!\BROWSER\BAK

07/11/2003 02:51 PM 57,344 ybrwicon.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

08/03/2006 12:33 AM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

08/19/2003 12:01 AM 110,592 sgtray.exe
1 File(s) 110,592 bytes

Directory of C:\PROGRA~1\HEWLET~1\DIGITA~1\UNLOAD\BAK

10/06/2002 11:23 PM 90,112 hpqcmon.exe
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

06/03/2004 09:05 PM 32,881 jusched.exe
1 File(s) 32,881 bytes

Directory of C:\PROGRA~1\VISUAL~1\VISUAL~1\SBC\BAK

06/11/2003 12:52 AM 380,928 IPClient.exe
06/11/2003 12:52 AM 122,880 IPMon32.exe
2 File(s) 503,808 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

43008 Oct 31 2006 "C:\Program Files\BitTorrent\bittorrent.exe"
43008 Oct 31 2006 "C:\Program Files\BitTorrent\bak\bittorrent.exe"
77824 Nov 26 2005 "C:\Program Files\QuickTime\qttask.exe"
77824 Nov 26 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
212992 Sep 13 2002 "C:\WINDOWS\SMINST\RECGUARD.EXE"
212992 Sep 13 2002 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
52736 May 7 1998 "C:\WINDOWS\system\hpsysdrv.exe"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
118784 Aug 20 2004 "C:\WINDOWS\system32\hkcmd.exe"
118784 Aug 20 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 Mar 11 2003 "C:\hp\drivers\video\865\hkcmd.exe"
114688 Mar 11 2003 "C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\hkcmd.exe"
114688 Mar 11 2003 "C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\hkcmd.exe"
155648 Aug 20 2004 "C:\WINDOWS\system32\igfxtray.exe"
155648 Aug 20 2004 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 Mar 11 2003 "C:\hp\drivers\video\865\igfxtray.exe"
155648 Mar 11 2003 "C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\igfxtray.exe"
155648 Mar 11 2003 "C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\igfxtray.exe"
81920 Oct 16 2002 "C:\WINDOWS\system32\ps2.exe"
81920 Oct 16 2002 "C:\hp\drivers\keyboard\PS2.EXE"
81920 Oct 16 2002 "C:\WINDOWS\system32\bak\ps2.exe"
368706 Sep 10 2002 "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
368706 Sep 10 2002 "C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe"
54296 Dec 2 2003 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
54296 Dec 2 2003 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
58392 Dec 2 2003 "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
58392 Dec 2 2003 "C:\Program Files\Common Files\Symantec Shared\bak\ccRegVfy.exe"
406016 Oct 24 2006 "C:\Program Files\Grisoft\AVG Free\avgcc.exe"
406016 Oct 24 2006 "C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe"
69632 Apr 17 2002 "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
69632 Apr 17 2002 "C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe"
49152 Sep 13 2004 "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
49152 Sep 13 2004 "C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe"
524288 Feb 21 2003 "C:\Program Files\Softex\Weblink\WebLink.exe"
524288 Feb 21 2003 "C:\Program Files\Softex\Weblink\bak\WebLink.exe"
57344 Jul 11 2003 "C:\Program Files\Yahoo!\browser\ybrwicon.exe"
57344 Jul 11 2003 "C:\Program Files\Yahoo!\browser\bak\ybrwicon.exe"
180269 Aug 3 2006 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Aug 3 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"
110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
90112 Oct 6 2002 "C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe"
90112 Oct 6 2002 "C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\bak\hpqcmon.exe"
32881 Jun 3 2004 "C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe"
32881 Jun 3 2004 "C:\Program Files\Java\j2re1.4.2_05\bin\bak\jusched.exe"
360448 Jul 14 2003 "C:\Program Files\SBC Yahoo!\Connection Manager\IP Insight\IPClient.exe"
380928 Jun 11 2003 "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe"
380928 Jun 11 2003 "C:\Program Files\Visual Networks\Visual IP InSight\SBC\bak\IPClient.exe"
98304 Jul 14 2003 "C:\Program Files\SBC Yahoo!\Connection Manager\IP Insight\ipmon32.exe"
122880 Jun 11 2003 "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
122880 Jun 11 2003 "C:\Program Files\Visual Networks\Visual IP InSight\SBC\bak\IPMon32.exe"


end of report
  • 0

#9
NadaSins

NadaSins

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
ComboFix 08-03-05.3 - Owner 2008-03-06 15:51:46.4 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\b103.exe
C:\WINDOWS\b104.exe
C:\WINDOWS\b111.exe
C:\WINDOWS\b116.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\b149.exe
C:\WINDOWS\b152.exe
C:\WINDOWS\b153.exe
C:\WINDOWS\b154.exe
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\hfzlnugm.dllbox

.
((((((((((((((((((((((((( Files Created from 2008-02-06 to 2008-03-06 )))))))))))))))))))))))))))))))
.

2008-03-06 12:57 . 2004-08-03 23:56 388,608 --a------ C:\CF4424.exe
2008-03-05 21:20 . 2008-03-05 21:20 136,627 --a------ C:\WINDOWS\POTA777444.exe
2008-03-05 17:11 . 2008-03-05 17:11 <DIR> d-------- C:\Program Files\nvcoi
2008-03-04 02:00 . 2008-03-04 02:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-22 21:09 . 2008-02-22 21:09 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-02-21 07:23 . 2008-02-21 07:23 <DIR> d-------- C:\WINDOWS\system32\dv6
2008-02-16 22:36 . 2008-02-16 22:36 60,396 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-02-16 03:52 . 2008-02-16 03:52 <DIR> d-------- C:\Program Files\Ventrilo
2008-02-16 03:52 . 2008-02-16 03:56 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Ventrilo
2008-02-14 22:53 . 2008-02-17 12:15 <DIR> d-------- C:\Program Files\mIRC
2008-02-14 22:53 . 2008-02-17 12:22 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\mIRC
2008-02-14 22:16 . 2008-02-14 22:51 <DIR> d-------- C:\Program Files\Miranda IM
2008-02-14 22:16 . 2008-02-14 22:42 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Miranda

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-06 23:44 --------- d-----w C:\Program Files\RegistrySmart
2008-03-06 23:01 --------- d-----w C:\Program Files\Spyware Terminator
2008-03-06 22:56 --------- d-----w C:\Documents and Settings\Owner\Application Data\Spyware Terminator
2008-03-06 22:50 138,752 ----a-w C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-03-06 22:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-03-06 21:26 --------- d-----w C:\Program Files\Kazaa Lite K++
2008-03-06 05:21 --------- d-----w C:\Program Files\InterActual
2008-03-04 22:45 --------- d-----w C:\Program Files\Starcraft
2008-03-04 00:12 --------- d-----w C:\Program Files\GRETECH
2008-02-22 15:37 10 ----a-w C:\Program Files\.autoreg
2008-02-21 06:58 --------- d-----w C:\Documents and Settings\Owner\Application Data\Hamachi
2008-02-16 11:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-01 02:25 --------- d-----w C:\Program Files\Winamp
2008-01-31 17:55 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2007-06-04 06:51 78,256 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2005-12-13 02:13 487 ---ha-w C:\Documents and Settings\Owner\hpothb07.dat
2005-12-13 02:13 168 ---ha-w C:\Documents and Settings\Administrator\hpothb07.dat
2005-12-13 02:12 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
2004-01-27 22:23 3,149 ----a-w C:\Program Files\Common Files\remove_tools.html
1758-04-10 21:37 4,263 --sh--w C:\WINDOWS\windllreg1c.sys
2002-04-05 04:27 32 --sha-w C:\WINDOWS\{2917D895-CC4F-4217-8724-D768C6368C6D}.dat
2002-04-05 06:38 32 --sha-w C:\WINDOWS\{A143BC4A-5820-4FE1-8526-2904338C9DE6}.dat
2004-05-06 17:23 32 --sha-w C:\WINDOWS\{F5550B61-EE77-4607-83A0-87E24799E0FC}.dat
2002-01-02 02:42 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2002-04-05 06:38 32 --sha-w C:\WINDOWS\system32\{280DAFF3-8139-4160-BF20-B5FAB6439F01}.dat
2004-05-06 17:23 32 --sha-w C:\WINDOWS\system32\{60F32918-14D9-4729-9932-2498623DB729}.dat
2002-04-05 04:27 32 --sha-w C:\WINDOWS\system32\{C23D5591-7643-42BA-BB4B-2C1D59900812}.dat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}
{EF99BD32-C1FB-11D2-892F-0090271D4F88}
{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}

[HKEY_CLASSES_ROOT\clsid\{9a9c9b68-f908-4aab-8d0c-10ea8997f37e}]
[HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"= C:\WINDOWS\system32\WinNB58.dll [ ]

[HKEY_CLASSES_ROOT\clsid\{9a9c9b68-f908-4aab-8d0c-10ea8997f37e}]
[HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
"Uniblue SpeedUpMyPC"="C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2007-10-22 10:13 9438488]
"nvcoi"="C:\Program Files\nvcoi\nvcoi.exe" [2008-03-05 17:11 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-03-06 14:50 2957824]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-24 18:20 28672]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-13 14:36 185896]
"niwoji"="C:\Program Files\Kazaa Lite K++\niwoji77798.exe" [2007-08-07 12:30 163840]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-05-20 16:54 145920]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2004-03-02 18:39:22 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2004-11-04 18:28:24 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe [2004-11-04 18:50:52 53248]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
officejet 6100.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2002-06-27 01:21:30 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 02:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Mercora IMRadio.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Mercora IMRadio.lnk
backup=C:\WINDOWS\pss\Mercora IMRadio.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a------ 2003-12-10 03:52 380928 C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"Macromedia Licensing Service"=3 (0x3)
"wuauserv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-03-06 14:50]
S3 vgadrv;vgadrv;C:\WINDOWS\system32\DRIVERS\vgadrv.sys [2006-06-10 01:41]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2002-04-03 03:12:49 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1010026048.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
"2008-03-07 00:00:01 C:\WINDOWS\Tasks\PCHealth Scheduler for Upload Library.job"
- C:\WINDOWS\PCHealth\UploadLB\Binaries\UploadM.exe
"2008-03-06 23:04:34 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-11-15 01:41:41 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-06 16:02:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
.
Completion time: 2008-03-06 16:08:02
ComboFix-quarantined-files.txt 2008-03-07 00:07:49
ComboFix2.txt 2008-03-06 21:50:10
.
2008-02-14 12:09:46 --- E O F ---
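An added example, not part of this thread and not code from ComboFix or DSS: a Python script that reads the registry-dump part of a log like the one above and flags what a responder should act on in it, namely the Security Center override and disable-notify flags, the firewall turned off, services unchecked in msconfig, and an AutoRun command cached for a mounted drive. The dump it parses is constructed from the lines above. Two readings are the editor's rather than anything the tools print: the value stored under msconfig\services is the service's original start type, and the MountPoints2 entry is Windows' cached copy of what D:\autorun.inf told it to run.

```python
"""Flag security-posture tampering in a ComboFix/DSS-style registry dump.

Added example for this thread; not ComboFix, DSS or the poster's code.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the same keys and values as the ComboFix log above.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"wuauserv"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480
"""

KEY_RE = re.compile(r"^\[-?([^\]]+)\]$")
# "Name"=dword:00000001   or   "Name"=3 (0x3)   or   "Name"= 0 (0x0)
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(dword:)?([0-9A-Fa-f]+)')
AUTORUN_RE = re.compile(r"AutoRun\\command\s*-\s*(.+)$", re.IGNORECASE)


def parse_dump(text: str) -> Dict[str, List[str]]:
    """Group the non-empty lines of the dump under the [key] they follow."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line)
    return blocks


def parse_value(line: str) -> Optional[Tuple[str, int]]:
    """Return (name, integer) for a "name"=value line; dword: values are hex."""
    m = VALUE_RE.match(line)
    if not m:
        return None
    name, is_dword, digits = m.groups()
    return name, int(digits, 16 if is_dword else 10)


def audit_dump(text: str) -> List[str]:
    """Return one finding per tampered setting, in log order."""
    findings: List[str] = []
    for key, lines in parse_dump(text).items():
        k = key.lower()
        pairs = [p for p in map(parse_value, lines) if p is not None]
        values = {name.lower(): val for name, val in pairs}
        if k.endswith("\\security center"):
            # Override/DisableNotify = 1 silences the AV and firewall status alerts.
            for flag in ("antivirusdisablenotify", "antivirusoverride",
                         "firewalldisablenotify", "firewalloverride"):
                if values.get(flag) == 1:
                    findings.append(f"Security Center: {flag} set (status alerts suppressed)")
        elif "\\security center\\monitoring\\" in k and values.get("disablemonitoring") == 1:
            product = key.rsplit("\\", 1)[-1]
            findings.append(f"Security Center: monitoring of {product} disabled")
        elif "firewallpolicy\\standardprofile" in k and values.get("enablefirewall") == 0:
            findings.append("Windows Firewall: disabled in the standard profile")
        elif k.endswith("msconfig\\services"):
            # Editor's reading: MSConfig stores the original start type of a service here
            # when the service is unchecked on its Services tab.
            for name, start in pairs:
                findings.append(f"msconfig: service {name} unchecked (original start type {start})")
        elif "\\mountpoints2\\" in k:
            # Editor's reading: Windows caches the autorun.inf of a mounted volume here.
            drive = key.rsplit("\\", 1)[-1].upper()
            for line in lines:
                m = AUTORUN_RE.search(line)
                if m:
                    findings.append(f"AutoRun: drive {drive} cached command -> {m.group(1).strip()}")
    return findings


if __name__ == "__main__":
    for finding in audit_dump(SAMPLE_DUMP):
        print(finding)
```

The D: entry is the one to look at first: D: is the 4.43 GiB FAT32 partition listed in the DSS extra log later in the thread, and an autorun.inf there would make Explorer run D:\Info.exe when the drive is double-clicked, which is why the cleanup instructions that follow begin with a tool for autorun infections.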

#10 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Hello

  • 1 - Flash Drive Disinfector
    Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.



  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\BitTorrent\bak
    C:\Program Files\QuickTime\bak
    C:\WINDOWS\SMINST\bak
    C:\WINDOWS\system\bak
    C:\WINDOWS\system32\bak
    C:\Program Files\Common Files\Symantec Shared\bak
    C:\Program Files\Grisoft\AVG Free\bak
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak
    C:\Program Files\Hewlett-Packard\HP Software Update\bak
    C:\Program Files\Softex\Weblink\bak
    C:\Program Files\Yahoo!\browser\bak
    C:\Program Files\Common Files\Real\Update_OB\bak
    C:\Program Files\Common Files\Sonic\Update Manager\bak
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\bak
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\bak



  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 3, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
  • Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
  • The program will proceed to remove the bad folders and will perform another scan for bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.



Reboot and do this

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

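An added example illustrating the note above about the autorun.inf folder; this is not Flash_Disinfector's code and not from the post. It parses the launch entries of an autorun.inf (the cached "\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480" line in the ComboFix log earlier in the thread is Windows' copy of such an "open=" entry) and then builds the guard itself: a directory named autorun.inf at the volume root, which makes a worm's attempt to write a file of that name fail. The sample autorun.inf is constructed; only its command line comes from the log. The attrib call that hides the folder runs only on Windows.

```python
"""Read an autorun.inf and show why a same-named folder blocks a new one.

Added example for this thread; not Flash_Disinfector's code, not from the post.
"""
import os
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed sample: its open= line is the command Windows cached for D:
# in the logs above (\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480).
SAMPLE_AUTORUN_INF = """\
[autorun]
; constructed sample, not recovered from the machine
open=Info.exe folder.htt 480 480
icon=Info.exe,0
shell\\open\\command=Info.exe folder.htt 480 480
shell\\explore\\command=Info.exe folder.htt 480 480
shell=open
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Key/value pairs of the first [autorun] section, keys lower-cased.
    Per-architecture [autorun.*] sections and ';' comments are skipped."""
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries.setdefault(key.strip().lower(), value.strip())
    return entries


def launch_commands(entries: Dict[str, str]) -> List[Tuple[str, str]]:
    """Every entry that makes Explorer run a program: open= / shellexecute=
    (the AutoRun action) and each shell\\<verb>\\command (context-menu verbs;
    a shell= line makes one of them the double-click default)."""
    commands = []
    for key, value in entries.items():
        if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")):
            commands.append((key, value))
    return commands


def protect_volume_root(root: Path) -> Path:
    """Create the 'autorun.inf' directory Flash_Disinfector leaves on each drive.
    While a directory owns that name, no file autorun.inf can be written there.
    On Windows the tool also hides it; attrib does that only when run there."""
    guard = root / "autorun.inf"
    if guard.is_file():
        raise RuntimeError(f"{guard} is a file: inspect it before replacing it")
    guard.mkdir(exist_ok=True)
    if os.name == "nt":
        subprocess.run(["attrib", "+s", "+h", "+r", str(guard)], check=False)
    return guard


def worm_can_drop_autorun(root: Path) -> bool:
    """Simulate a worm writing autorun.inf at a volume root."""
    try:
        (root / "autorun.inf").write_text(SAMPLE_AUTORUN_INF)
        return True
    except OSError:   # IsADirectoryError on POSIX, PermissionError on Windows
        return False


def demo() -> Tuple[List[Tuple[str, str]], bool, bool]:
    """Return (launch commands found, drop succeeded before guard, after guard)."""
    cmds = launch_commands(parse_autorun(SAMPLE_AUTORUN_INF))
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        before = worm_can_drop_autorun(root)
        (root / "autorun.inf").unlink()
        protect_volume_root(root)
        after = worm_can_drop_autorun(root)
    return cmds, before, after


if __name__ == "__main__":
    cmds, before, after = demo()
    for key, value in cmds:
        print(f"{key} -> {value}")
    print(f"drop before guard: {before}, after guard: {after}")
```

The guard is a speed bump, not a cure: malware running with write access to the root can still delete the directory first, and nothing here stops the infected executable the autorun.inf points at from being started another way. That is why the reply pairs it with the other two steps.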

#11 NadaSins (Topic Starter, Member, 41 posts)
Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Mon 03/10/2008
The current time is: 0:42:45.93


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\BITTOR~1\BAK

10/31/2006 05:34 PM 43,008 bittorrent.exe
1 File(s) 43,008 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

11/26/2005 06:01 PM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\WINDOWS\SMINST\BAK

09/13/2002 09:42 PM 212,992 RECGUARD.EXE
1 File(s) 212,992 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

05/07/1998 04:04 PM 52,736 hpsysdrv.exe
1 File(s) 52,736 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/20/2004 04:51 PM 118,784 hkcmd.exe
08/20/2004 04:55 PM 155,648 igfxtray.exe
10/16/2002 03:57 PM 81,920 ps2.exe
3 File(s) 356,352 bytes

Directory of C:\PROGRA~1\BROADJ~1\CLIENT~1\BAK

09/10/2002 09:26 PM 368,706 CFD.exe
1 File(s) 368,706 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

12/02/2003 04:11 PM 54,296 ccApp.exe
12/02/2003 04:11 PM 58,392 ccRegVfy.exe
2 File(s) 112,688 bytes

Directory of C:\PROGRA~1\GRISOFT\AVGFRE~1\BAK

10/24/2006 12:36 PM 406,016 avgcc.exe
1 File(s) 406,016 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPSHAR~1\BAK

04/17/2002 05:42 PM 69,632 hpgs2wnd.exe
1 File(s) 69,632 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPSOFT~1\BAK

09/13/2004 03:49 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\SOFTEX\WEBLINK\BAK

02/21/2003 04:09 AM 524,288 WebLink.exe
1 File(s) 524,288 bytes

Directory of C:\PROGRA~1\YAHOO!\BROWSER\BAK

07/11/2003 03:51 PM 57,344 ybrwicon.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

08/03/2006 01:33 AM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

08/19/2003 01:01 AM 110,592 sgtray.exe
1 File(s) 110,592 bytes

Directory of C:\PROGRA~1\HEWLET~1\DIGITA~1\UNLOAD\BAK

10/07/2002 12:23 AM 90,112 hpqcmon.exe
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

06/03/2004 10:05 PM 32,881 jusched.exe
1 File(s) 32,881 bytes

Directory of C:\PROGRA~1\VISUAL~1\VISUAL~1\SBC\BAK

06/11/2003 01:52 AM 380,928 IPClient.exe
06/11/2003 01:52 AM 122,880 IPMon32.exe
2 File(s) 503,808 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

43008 Oct 31 2006 "C:\Program Files\BitTorrent\bittorrent.exe"
43008 Oct 31 2006 "C:\Program Files\BitTorrent\bak\bittorrent.exe"
77824 Nov 26 2005 "C:\Program Files\QuickTime\qttask.exe"
77824 Nov 26 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
212992 Sep 13 2002 "C:\WINDOWS\SMINST\RECGUARD.EXE"
212992 Sep 13 2002 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
52736 May 7 1998 "C:\WINDOWS\system\hpsysdrv.exe"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
118784 Aug 20 2004 "C:\WINDOWS\system32\hkcmd.exe"
118784 Aug 20 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 Mar 11 2003 "C:\hp\drivers\video\865\hkcmd.exe"
114688 Mar 11 2003 "C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\hkcmd.exe"
114688 Mar 11 2003 "C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\hkcmd.exe"
155648 Aug 20 2004 "C:\WINDOWS\system32\igfxtray.exe"
155648 Aug 20 2004 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 Mar 11 2003 "C:\hp\drivers\video\865\igfxtray.exe"
155648 Mar 11 2003 "C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\igfxtray.exe"
155648 Mar 11 2003 "C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\igfxtray.exe"
81920 Oct 16 2002 "C:\WINDOWS\system32\ps2.exe"
81920 Oct 16 2002 "C:\hp\drivers\keyboard\PS2.EXE"
81920 Oct 16 2002 "C:\WINDOWS\system32\bak\ps2.exe"
368706 Sep 10 2002 "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
368706 Sep 10 2002 "C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe"
54296 Dec 2 2003 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
54296 Dec 2 2003 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
58392 Dec 2 2003 "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
58392 Dec 2 2003 "C:\Program Files\Common Files\Symantec Shared\bak\ccRegVfy.exe"
406016 Oct 24 2006 "C:\Program Files\Grisoft\AVG Free\avgcc.exe"
406016 Oct 24 2006 "C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe"
69632 Apr 17 2002 "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
69632 Apr 17 2002 "C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe"
49152 Sep 13 2004 "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
49152 Sep 13 2004 "C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe"
524288 Feb 21 2003 "C:\Program Files\Softex\Weblink\WebLink.exe"
524288 Feb 21 2003 "C:\Program Files\Softex\Weblink\bak\WebLink.exe"
57344 Jul 11 2003 "C:\Program Files\Yahoo!\browser\ybrwicon.exe"
57344 Jul 11 2003 "C:\Program Files\Yahoo!\browser\bak\ybrwicon.exe"
180269 Aug 3 2006 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Aug 3 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"
110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
90112 Oct 7 2002 "C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe"
90112 Oct 7 2002 "C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\bak\hpqcmon.exe"
32881 Jun 3 2004 "C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe"
32881 Jun 3 2004 "C:\Program Files\Java\j2re1.4.2_05\bin\bak\jusched.exe"
360448 Jul 14 2003 "C:\Program Files\SBC Yahoo!\Connection Manager\IP Insight\IPClient.exe"
380928 Jun 11 2003 "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe"
380928 Jun 11 2003 "C:\Program Files\Visual Networks\Visual IP InSight\SBC\bak\IPClient.exe"
98304 Jul 14 2003 "C:\Program Files\SBC Yahoo!\Connection Manager\IP Insight\ipmon32.exe"
122880 Jun 11 2003 "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
122880 Jun 11 2003 "C:\Program Files\Visual Networks\Visual IP InSight\SBC\bak\IPMon32.exe"


end of report
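An added example, not FindAWF's own code (noahdfear's tool) and not from the post: the same three menu options in Python, run against a constructed directory tree. The folder and file names in the tree are taken from the report above; the file contents are placeholders. What a reader should notice in the report is that every file in a bak folder has a same-size, same-date twin one level up, which is what a restored pair looks like. This script decides by SHA-256 instead of size and date, because a substitute padded to the original's length would pass a size check.

```python
"""Audit, restore and remove 'bak' folders the way FindAWF's options 1-3 do.

Added example for this thread; not FindAWF's code and not from the post.
"""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Iterator, List

BAK_NAME = "bak"


@dataclass
class BakFinding:
    bak_file: Path    # copy kept inside the bak folder (the moved-aside original)
    live_file: Path   # same-named file one level up (what actually gets run)
    status: str       # "replaced", "identical" or "missing"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_folders(root: Path) -> Iterator[Path]:
    """Yield every directory literally named 'bak' under root (option 1)."""
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            if name.lower() == BAK_NAME:
                yield Path(dirpath) / name


def audit_bak_folder(bak_dir: Path) -> List[BakFinding]:
    """Compare each bak file with its live twin by hash, not by size/date:
    a replacement padded to the original's size would pass a size check."""
    findings = []
    for bak_file in sorted(p for p in bak_dir.iterdir() if p.is_file()):
        live_file = bak_dir.parent / bak_file.name
        if not live_file.exists():
            status = "missing"      # original never put back
        elif sha256_of(live_file) == sha256_of(bak_file):
            status = "identical"    # already restored; bak copy is redundant
        else:
            status = "replaced"     # live file is still the substitute
        findings.append(BakFinding(bak_file, live_file, status))
    return findings


def restore_from_bak(findings: List[BakFinding]) -> List[Path]:
    """Option 2: copy the bak original over 'replaced' and 'missing' twins."""
    written = []
    for f in findings:
        if f.status in ("replaced", "missing"):
            shutil.copy2(f.bak_file, f.live_file)
            written.append(f.live_file)
    return written


def remove_bak_folders(root: Path) -> List[Path]:
    """Option 3: delete the bak folders once their contents are back in place."""
    removed = []
    for bak_dir in list(find_bak_folders(root)):
        shutil.rmtree(bak_dir)
        removed.append(bak_dir)
    return removed


def build_sample_tree(root: Path) -> None:
    """Constructed data: names from the report above, placeholder contents."""
    qt = root / "Program Files" / "QuickTime"
    sys32 = root / "WINDOWS" / "system32"
    (qt / BAK_NAME).mkdir(parents=True)
    (sys32 / BAK_NAME).mkdir(parents=True)
    (qt / "qttask.exe").write_bytes(b"MZ-substitute")           # still the substitute
    (qt / BAK_NAME / "qttask.exe").write_bytes(b"MZ-qttask")
    (sys32 / "hkcmd.exe").write_bytes(b"MZ-hkcmd")              # already restored
    (sys32 / BAK_NAME / "hkcmd.exe").write_bytes(b"MZ-hkcmd")
    (sys32 / BAK_NAME / "igfxtray.exe").write_bytes(b"MZ-igfxtray")  # live copy gone


def run_demo() -> Dict[str, str]:
    """Run options 1-3 over the constructed tree; return {file name: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        findings = [f for d in find_bak_folders(root) for f in audit_bak_folder(d)]
        statuses = {f.bak_file.name: f.status for f in findings}
        restore_from_bak(findings)
        assert all(sha256_of(f.live_file) == sha256_of(f.bak_file) for f in findings)
        remove_bak_folders(root)
        assert not list(find_bak_folders(root))
        return statuses


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name}: {status}")
```

Run the audit before option 3, as the instructions above do: removing a bak folder whose twin still reads "replaced" throws away the only clean copy of that program.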

#12 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Can you do the DSS step?

#13 NadaSins (Topic Starter, Member, 41 posts)

Quoting Rorschach112: "Can you do the DSS step?"

Don't think I installed Deckard? Install?

#14 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Yes, install it and run it.

#15 NadaSins (Topic Starter, Member, 41 posts)
Sorry for the long delay, I had to do many errands. I believe I received 2 log sheets; well, I posted them both. Thanks.

Deckard's System Scanner v20071014.68
Run by Owner on 2008-03-14 20:24:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
89: 2008-03-15 03:25:15 UTC - RP182 - Deckard's System Scanner Restore Point
88: 2008-03-14 11:28:08 UTC - RP181 - System Checkpoint
87: 2008-03-12 10:02:22 UTC - RP180 - Software Distribution Service 3.0
86: 2008-03-11 11:51:16 UTC - RP179 - System Checkpoint
85: 2008-03-10 08:34:13 UTC - RP178 - System Checkpoint


-- First Restore Point --
1: 2008-02-21 15:28:52 UTC - RP94 - System Checkpoint


Performed disk cleanup.

Total Physical Memory: 255 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:26:17 PM, on 3/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\nvcoi\nvcoi.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_3_12_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_3_12_0.dll
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [niwoji] C:\Program Files\Kazaa Lite K++\niwoji77798.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT User Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .aif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) -
O16 - DPF: {0AE0F5F9-8233-49A4-A3C8-004CE190787B} (BMSpeedCheck Control) -
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9BF607E0-4CC1-4099-9A07-362C9E4FB090} (WStarter Control) - http://live.pdbox.co...57/WStarter.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 8055 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - unable to read value
.js - JSFile - shell\open\command - unable to read value


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 drvmcdb - c:\windows\system32\drivers\drvmcdb.sys <Not Verified; VERITAS Software, Inc.; >
R0 fasttx2k - c:\windows\system32\drivers\fasttx2k.sys <Not Verified; Promise Technology, Inc.; Promise FastTrak Series Driver>
R1 sp_rsdrv2 (Spyware Terminator Driver 2) - c:\windows\system32\drivers\sp_rsdrv2.sys

S3 catchme - c:\docume~1\owner\locals~1\temp\catchme.sys (file missing)
S3 vgadrv - c:\windows\system32\drivers\vgadrv.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 sp_rssrv (Spyware Terminator Realtime Shield Service) - "c:\program files\spyware terminator\sp_rsser.exe" <Not Verified; Crawler.com; Crawler Spyware Terminator>

S3 YPCService - c:\windows\system32\ypcser~1.exe <Not Verified; Yahoo! Inc.; YPCService Module>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Hamachi Network Interface
Device ID: ROOT\NET\0000
Manufacturer: LogMeIn, Inc.
Name: Hamachi Network Interface
PNP Device ID: ROOT\NET\0000
Service: hamachi


-- Scheduled Tasks -------------------------------------------------------------

2008-03-14 20:15:00 340 --a------ C:\WINDOWS\Tasks\PCHealth Scheduler for Upload Library.job
2008-03-10 15:49:44 270 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
2007-11-14 18:41:41 392 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job
2002-04-02 20:12:49 354 --a------ C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1010026048.job


-- Files created between 2008-02-14 and 2008-03-14 -----------------------------

2008-03-10 00:33:28 0 drahs---- C:\autorun.inf
2008-03-08 16:01:41 52736 --a------ C:\WINDOWS\system\hpsysdrv.exe <Not Verified; Hewlett-Packard Company; hpsysdrv>
2008-03-06 22:18:50 3491 --a------ C:\Start_.cmd
2008-03-06 22:18:49 0 d-------- C:\327882R2FWJFW
2008-03-06 14:03:53 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-03-06 14:03:53 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-03-06 14:03:53 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-03-06 14:03:53 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-03-05 22:20:06 136627 --a------ C:\WINDOWS\POTA777444.exe
2008-03-05 18:11:25 0 d-------- C:\Program Files\nvcoi
2008-03-04 03:00:21 0 d-------- C:\Program Files\Trend Micro
2008-02-21 08:23:16 0 d-------- C:\WINDOWS\system32\dv6
2008-02-16 23:36:25 60396 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-02-16 04:52:45 0 d-------- C:\Documents and Settings\Owner\Application Data\Ventrilo
2008-02-16 04:52:11 0 d-------- C:\Program Files\Ventrilo
2008-02-14 23:53:54 0 d-------- C:\Program Files\mIRC
2008-02-14 23:53:54 0 d-------- C:\Documents and Settings\Owner\Application Data\mIRC
2008-02-14 23:16:12 0 d-------- C:\Documents and Settings\Owner\Application Data\Miranda
2008-02-14 23:16:06 0 d-------- C:\Program Files\Miranda IM


-- Find3M Report ---------------------------------------------------------------

2008-03-14 20:22:58 0 d-------- C:\Program Files\Starcraft
2008-03-10 15:54:41 0 d-------- C:\Program Files\Spyware Terminator
2008-03-10 15:54:23 0 d-------- C:\Documents and Settings\Owner\Application Data\Spyware Terminator
2008-03-08 16:01:42 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-08 16:01:40 0 d-------- C:\Program Files\QuickTime
2008-03-08 16:01:40 0 d-------- C:\Program Files\BitTorrent
2008-03-06 16:44:28 0 d-------- C:\Program Files\RegistrySmart
2008-03-06 14:26:07 0 d-------- C:\Program Files\Kazaa Lite K++
2008-03-06 14:13:57 0 d-------- C:\Program Files\Common Files
2008-03-05 22:21:21 0 d-------- C:\Program Files\InterActual
2008-03-03 17:12:28 0 d-------- C:\Program Files\GRETECH
2008-02-22 08:37:52 10 --a------ C:\Program Files\.autoreg
2008-02-20 23:58:29 0 d-------- C:\Documents and Settings\Owner\Application Data\Hamachi
2008-02-16 04:49:11 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-31 19:25:24 0 d-------- C:\Program Files\Winamp
2008-01-31 10:55:45 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-01-21 21:04:04 0 d-------- C:\Documents and Settings\Owner\Application Data\WinRAR
2007-12-28 21:13:02 32463 --a------ C:\WINDOWS\system32\ForceBindIP-Uninstaller.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"= C:\WINDOWS\system32\WinNB58.dll [ ]

[-HKEY_CLASSES_ROOT\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}]
[HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [03/06/2008 03:50 PM]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [07/24/2002 07:20 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [08/03/2006 01:33 AM]
"niwoji"="C:\Program Files\Kazaa Lite K++\niwoji77798.exe" [08/07/2007 01:30 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 04:45 PM]
"Uniblue SpeedUpMyPC"="C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [10/22/2007 11:13 AM]
"nvcoi"="C:\Program Files\nvcoi\nvcoi.exe" [03/05/2008 06:11 PM]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [3/2/2004 7:39:22 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [11/4/2004 7:28:24 PM]
HP Image Zone Fast Start.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe [11/4/2004 7:50:52 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]
officejet 6100.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [6/27/2002 2:21:30 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 02/21/2003 03:50 AM 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Mercora IMRadio.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Mercora IMRadio.lnk
backup=C:\WINDOWS\pss\Mercora IMRadio.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"Macromedia Licensing Service"=3 (0x3)
"wuauserv"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Info.exe folder.htt 480 480




-- Hosts -----------------------------------------------------------------------

192.168.1.2 HP0018715EC046


-- End of Deckard's System Scanner: finished at 2008-03-14 20:28:18 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 1.80GHz
Percentage of Memory in Use: 77%
Physical Memory (total/avail): 254.52 MiB / 56.48 MiB
Pagefile Memory (total/avail): 625.18 MiB / 367.14 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1936.81 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 51.45 GiB total, 10.86 GiB free.
D: is Fixed (FAT32) - 4.43 GiB total, 0.67 GiB free.
E: is CDROM (CDFS)
Y: is Network (No Media)

\\.\PHYSICALDRIVE0 - WDC WD600BB-00CAA1 - 55.9 GiB - 2 partitions
\PARTITION0 - Unknown - 4.44 GiB - D:
\PARTITION1 (bootable) - Installable File System - 51.45 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
AntivirusOverride is set.

AV: AVG 7.5.476 v7.5.476 (GRISOFT) Outdated
AV: Norton AntiVirus v2003 (Symantec Corporation) Disabled Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=TONY
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\TONY
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows\services
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PCToolsDir=C:\Documents and Settings\All Users\Start Menu\Programs\Hewlett-Packard\HP Pavilion PC Tools
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 1 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0103
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=TONY
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\SBC Yahoo!\umuninst.exe" /S
--> "C:\WINDOWS\..\Program Files\SBC Yahoo!\Connection Manager\uninst.exe"
--> C:\PROGRA~1\SBCSEL~1\CustomUninstall.exe SBC
--> C:\PROGRA~1\Yahoo!\browser\unyb.exe
--> C:\PROGRA~1\Yahoo!\Common\unwise.exe /S C:\PROGRA~1\Yahoo!\Common\install.log
--> C:\PROGRA~1\Yahoo!\Common\unybase.exe
--> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
--> C:\PROGRA~1\Yahoo!\PARENT~1\unypc.exe /S
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\System32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {60E971B7-51A0-48CA-8687-C6B8F094A409}
--> c:\WINDOWS\System32\\MSIEXEC.EXE /x {8214CC02-6271-4DC8-B8DD-779933450264}
--> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\yaddbook.dll
--> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\ylogin.dll
--> C:\WINDOWS\System32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
--> C:\WINDOWS\System32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\MESSEN~1\YHEXBM~1.DLL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{39DA87A1-0B26-4562-A70C-2A6147366E47}\setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F765BD0-B900-4EDE-A90B-61C8A9E95C42}\Setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD59025-5B73-4E12-B789-0028C5A573C2}\Setup.exe"
--> rundll32.exe C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\YCOMP5~1.DLL,DllCommand ui
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~2\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~2\INSTALL.LOG
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Download Manager 2.0 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe -q
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
AVG Free Edition --> C:\Program Files\Grisoft\AVG Free\setup.exe /UNINSTALL
BroadJump Client Foundation --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\BroadJump\Client Foundation\Uninst.isu" -c"C:\Program Files\BroadJump\Client Foundation\RmvBJCFD.dll" -b"CFD" -h"CFD" -a
C-StoreWatch RX Software --> MsiExec.exe /I{EBCF93CB-8037-4AB2-8742-533FB71413C4}
DAO 3.5 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Your Company\DAO 3.5\Uninst.isu"
DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
EWB Support and Upgrade Utility --> MsiExec.exe /I{81FF9BF7-60D9-4538-8C2B-9F0EC8DDC507}
ForceBindIP --> C:\WINDOWS\system32\ForceBindIP-Uninstaller.exe
Greetings Workshop --> C:\Program Files\Greetings Workshop\SETUP\setup.exe
Hamachi 1.0.1.5 --> C:\Program Files\Hamachi\uninstall.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Deskjet printer preloaded drivers --> MsiExec.exe /X{48BD24F5-13DE-493A-A7CE-28A85113FF0C}
HP Digital Imaging Album Printing 1.0 --> MsiExec.exe /X{47D4AF7B-EDE6-4ADB-8D2F-0BDA25C7321F}
HP Extended Capabilities 4.7 --> C:\Program Files\Hewlett-Packard\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Image Zone 4.7 --> C:\Program Files\Hewlett-Packard\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Instant Support --> C:\PROGRA~1\HPINST~1\UNWISE.EXE C:\PROGRA~1\HPINST~1\INSTALL.LOG
HP Memories Disc --> MsiExec.exe /X{35E90FA5-2CB4-4039-A8BB-BE1B9DB94E21}
HP Photo and Imaging 1.2 - Photosmart Cameras --> MsiExec.exe /X{4F5FC172-F0E7-4EA5-902F-8D005DF9F000}
HP Photosmart printers preloaded drivers --> MsiExec.exe /X{9E88DAA4-1352-4272-BA3A-897668408400}
HP PSC & OfficeJet 4.7 --> "C:\Program Files\Hewlett-Packard\Digital Imaging\{342C7C88-D335-4bc2-8CF1-281857629CE2}\setup\hpzscr01.exe" -datfile hposcr05.dat
HP Software Update --> MsiExec.exe /X{64FC0C98-B035-4530-B15D-3D30610B6DF1}
ICCup Launcher --> "C:\Program Files\Starcraft\Launcher\unins000.exe"
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
IntelliMover Data Transfer Demo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14589F05-C658-4594-9429-D437BA688686}\Setup.exe" -l0x9
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
InterVideo WinDVD Player --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
Java 2 Runtime Environment, SE v1.4.2_05 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142050}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Learning and Research Plus Support Files --> MsiExec.exe /I{00000000-3976-4267-9F39-1DC4745090B7}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Picture It! Express 7.0 --> MsiExec.exe /I{369B36BE-3D64-4641-9AEA-808D436FE130}
Microsoft Text-to-Speech Engine 4.0 (English) --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msTTSa22.inf, Uninstall
Mirar --> mshta.exe http://remove.getmirar.com/
mIRC --> C:\Program Files\mIRC\uninstall.exe _?=C:\Program Files\mIRC
Mozilla Firefox (2.0.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN Internet Software --> C:\Program Files\MSN\MSNCoreFiles\Setup\msnunin.exe
MSXML4 Parser --> MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
Nimo Codecs Pack v5.0 (Remove Only) --> "C:\Program Files\NimoCodec Pack\uninstall.exe"
NoDNS --> C:\Program Files\\NoDNS\\UnInstall.exe
nvcoi --> "C:\Program Files\nvcoi\nvcoi.exe" -uninstall
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvhp.inf
OLYMPUS CAMEDIA Master 4.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{30BB4D60-81DB-11D5-BB77-00400536ABAC}\setup.exe" CAMEDIA Master 4.1
OmniPass --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F4E57F49-84B4-4CF2-B0A1-8CA1752BDF7E}\Setup.exe" -l0x9
PC-Doctor for Windows --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F7CCFA3-D926-4882-B2A5-A0217ED25597}\Setup.exe"
PS2 --> C:\WINDOWS\system32\ps2.exe uninstall
Python 2.2 combined Win32 extensions --> C:\Python22\Lib\SITE-P~1\UNWISE~1.EXE C:\Python22\Lib\SITE-P~1\w32inst.log
Python 2.2.1 --> C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
RecordNow --> MsiExec.exe /I{8214CC02-6271-4DC8-B8DD-779933450264}
Registrar Lite 2.00 --> "C:\Program Files\Registrar Lite\unwise.exe" C:\PROGRA~1\REGIST~2\INSTALL.LOG
S3Display --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Display'
S3Gamma2 --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Gamma2'
S3Info2 --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Info2'
S3Overlay --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Overlay'
SBC Self Support Tool --> C:\WINDOWS\Motive\SBC\MCCUninst.exe
SBC Yahoo! Applications --> C:\Program Files\SBC Yahoo!\UninstallManager.exe
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Simple Backup for My Pictures --> MsiExec.exe /I{60E971B7-51A0-48CA-8687-C6B8F094A409}
Simple Installer - Multilanguage Version --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EEF397AC-DAEF-4C04-90A9-5B2BD31875DC}\setup.exe"
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
Spyware Terminator --> "C:\Program Files\Spyware Terminator\unins000.exe"
Starcraft --> C:\WINDOWS\SCunin.exe C:\WINDOWS\SCunin.dat
Theorica Divx ;-) Codecs (remove only) --> C:\Program Files\Theorica Divx ;-) Codecs\Uninstall.exe
toolkit --> c:\Windows\HPTK\unhptkit.exe
Uniblue SpeedUpMyPC 3 --> "C:\Program Files\Uniblue\SpeedUpMyPC 3\unins000.exe"
Updates from HP --> C:\WINDOWS\BWUnin-6.2.3.66.exe -AppId 137903
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Visual IP InSight(SBC) --> C:\Program Files\InstallShield Installation Information\{097346E0-6A51-11D1-AD16-00A0C95E0503}SBC\setup.exe SBC
Weblink --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4FCC384C-18EA-4E25-9281-A06AE006D219}\setup.exe" -l0x9
WildTangent Web Driver --> C:\Program Files\WildTangent\Apps\CDA\CDAUninstall.exe
Win-Touch.com --> C:\Documents and Settings\Owner\Application Data\WinTouch\WTUninstaller.exe
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
xInsIDE --> "C:\Program Files\xInsIDE\xInsIDE.exe" -uninstall
XviD MPEG-4 Video Codec --> "C:\Program Files\XviD\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type291 / Error
Event Submitted/Written: 03/10/2008 09:31:09 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application starcraft.exe, version 1.15.2.1, faulting module , version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [starcraft.exe!ws!]

Event Record #/Type290 / Error
Event Submitted/Written: 03/10/2008 07:32:39 PM
Event ID/Source: 1001 / Application Error
Event Description:
Fault bucket 306249469.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Event Record #/Type289 / Error
Event Submitted/Written: 03/10/2008 07:32:30 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module flash9.ocx, version 9.0.16.0, fault address 0x000624d7.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type267 / Error
Event Submitted/Written: 03/05/2008 10:43:30 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module vawo777444.dll, version 0.0.0.0, fault address 0x000012ff.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type259 / Error
Event Submitted/Written: 02/29/2008 03:28:23 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.20121, faulting module sstqo.dll, version 0.0.0.0, fault address 0x00058ca7.
Processing media-specific event for [firefox.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type157066 / Error
Event Submitted/Written: 03/12/2008 09:56:09 AM
Event ID/Source: 8003 / MRxSmb
Event Description:
The master browser has received a server announcement from the computer ALBERTO
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{36E26930-128C-4F45-A.
The master browser is stopping or an election is being forced.

Event Record #/Type157065 / Warning
Event Submitted/Written: 03/12/2008 09:55:53 AM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\ALBERTO on the network \Device\NetBT_Tcpip_{36E26930-128C-4F45-A6BB-3BDD6AAD2421}.
The data is the error code.

Event Record #/Type157060 / Warning
Event Submitted/Written: 03/11/2008 01:09:49 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type157050 / Error
Event Submitted/Written: 03/10/2008 11:30:25 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.1.3 for the Network Card with network address 00E018B4B2CD has been
denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type157042 / Error
Event Submitted/Written: 03/10/2008 06:38:35 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 119 minutes.
NtpClient has no source of accurate time.



-- End of Deckard's System Scanner: finished at 2008-03-14 20:28:18 ------------

Edited by NadaSins, 14 March 2008 - 09:33 PM.
