Hijack log [RESOLVED]



#31 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
Uninstalling and reinstalling IE may be an idea, but let's also do a complete scan to see where we stand.

Firstly, just looking into his fr.bak folder: when booting up, have you previously been presented with a message to the effect of "your administrator profile was corrupt. A new profile has been created for you."?

Also, do you still have the folder C:\Documents and Settings\fr?


Secondly, there seem to be several DNS addresses that your machine connects through. Do you recognise any of them? Are they your ISP, or company?

1. Comcast Cable Communications Inc., CMCS, 1800 Bishops Gate Blvd, Mt Laurel, NJ, 08054, US

2. AT&T Internet Services, 2701 N. Central Expwy 2205.15, Richardson, TX, 75080, US

3. and there is one block reserved for special purposes, possibly private use?


And the complete scan:
click on Start, click on Run
copy and paste the following into the Open box and then click OK
"%userprofile%\desktop\dss.exe" /config
This will open up DSS configuration
click on Check All
click Scan
DSS will now run again. When it has finished, please post back both logs that open in Notepad, main.txt and extra.txt.

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
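The resolver check andrewuk asks about, written out as an added example (it is not part of the original post and not DSS's own code): DSS's extra.txt reports the configured DNS servers with a whois owner; offline, the same triage is to read the resolver list out of `ipconfig /all`, sort each address into LAN (RFC 1918, normally the router), special-use, or public, and compare the public ones against what the ISP is expected to hand out. A public resolver that belongs to neither the ISP nor the user is the classic sign of a DNS-changer infection. The ipconfig excerpt, the ISP prefix (198.51.100.0/24) and the foreign resolver (203.0.113.53) are constructed from RFC 5737 documentation ranges, not data from this thread.

```python
"""Classify the DNS resolvers a Windows host is configured to use.

Added example; not from the thread, DSS or HijackThis.  Reads the resolver
list from `ipconfig /all` output and flags public resolvers that are not the
ISP's (a DNS hijack indicator).  All addresses below are constructed.
"""
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: the resolvers the ISP's DHCP is expected to hand out.  Constructed
# from an RFC 5737 documentation range; replace with the real ISP prefix.
EXPECTED_PUBLIC = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed excerpt in the layout `ipconfig /all` prints on Windows 2000/XP.
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : hsd1.example.net
        IP Address. . . . . . . . . . . . : 192.168.1.104
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            198.51.100.10
                                            203.0.113.53
"""

IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_dns_servers(ipconfig_text):
    """Return every address listed under a 'DNS Servers' label.

    The first address shares the label's line; further addresses follow on
    their own indented lines until the next 'label : value' line.
    """
    servers, in_dns_block = [], False
    for raw in ipconfig_text.splitlines():
        line = raw.strip()
        if line.startswith("DNS Servers"):
            in_dns_block = True
            _, _, value = line.partition(":")
            m = IPV4_RE.search(value)
            if m:
                servers.append(m.group())
        elif in_dns_block and IPV4_RE.fullmatch(line):
            servers.append(line)
        else:
            in_dns_block = False
    return servers


def classify(server, expected_public=EXPECTED_PUBLIC):
    """lan = RFC 1918 (router/forwarder), special = not a routable resolver,
    isp = inside the expected public prefix, unexpected = anything else."""
    ip = ipaddress.ip_address(server)
    if any(ip in net for net in RFC1918):
        return "lan"
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_reserved:
        return "special"
    if any(ip in net for net in expected_public):
        return "isp"
    return "unexpected"


def audit(ipconfig_text, expected_public=EXPECTED_PUBLIC):
    return {s: classify(s, expected_public) for s in parse_dns_servers(ipconfig_text)}


def hijack_suspects(ipconfig_text, expected_public=EXPECTED_PUBLIC):
    """Public resolvers that are neither the ISP's nor on the LAN."""
    return [s for s, c in audit(ipconfig_text, expected_public).items() if c == "unexpected"]


if __name__ == "__main__":
    for server, verdict in audit(SAMPLE_IPCONFIG).items():
        print(f"{server:16} {verdict}")
    print("suspects:", hijack_suspects(SAMPLE_IPCONFIG))
```

Run it against the real output of `ipconfig /all` with the ISP's actual prefix substituted, once per adapter. If the only resolver is the router's LAN address, check the router's own upstream resolvers as well, since a changed router setting has the same effect as a changed host setting.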

#32 jerris2 (Topic Starter, Member, 35 posts)
> Uninstalling and reinstalling IE may be an idea, but let's also do a complete scan to see where we stand.
>
> Firstly, just looking into his fr.bak folder: when booting up, have you previously been presented with a message to the effect of "your administrator profile was corrupt. A new profile has been created for you."?

NO I do NOT remember seeing that message.

> Also, do you still have the folder C:\Documents and Settings\fr?

I have 2 different subdirectories: fr.bak and friend.bak


> Secondly, there seem to be several DNS addresses that your machine connects through. Do you recognise any of them? Are they your ISP, or company?
>
> 1. Comcast Cable Communications Inc., CMCS, 1800 Bishops Gate Blvd, Mt Laurel, NJ, 08054, US
>
> 2. AT&T Internet Services, 2701 N. Central Expwy 2205.15, Richardson, TX, 75080, US
>
> 3. and there is one block reserved for special purposes, possibly private use?

Currently I use Comcast cable as my primary connection. A few years ago I used AT&T. Not sure about the third one.

I will work on that scan and post when complete. Thanks again.

#33 jerris2 (Topic Starter, Member, 35 posts)
> copy and paste the following into the Open box and then click OK
> "%userprofile%\desktop\dss.exe" /config

The instruction above would not work, for the same reason that I posted about a day ago. The file dss.exe actually resides in the directory c:\Documents and Settings\fr.bak\desktop\dss.exe. Can you tell me the proper syntax with this info? Also, I assume I leave in the quote marks, exactly as you posted it, right?

Thanks
Jeff

#34 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)

> The instruction above would not work, for the same reason that I posted about a day ago. The file dss.exe actually resides in the directory c:\Documents and Settings\fr.bak\desktop\dss.exe. Can you tell me the proper syntax with this info? Also, I assume I leave in the quote marks, exactly as you posted it, right?

My mistake.

Also, do you have this folder C:\Documents and Settings\fr\?

OK, let's cut around this. Delete the current dss.exe you have and then:

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

If that does not produce the 2 logs, then try this again; it should work now:

click on Start, click on Run
copy and paste the following into the Open box and then click OK
"%userprofile%\desktop\dss.exe" /config
This will open up DSS configuration
click on Check All
click Scan
DSS will now run again. When it has finished, please post back both logs that open in Notepad, main.txt and extra.txt.

And yes, leave the quote marks in.

andrewuk

#35 jerris2 (Topic Starter, Member, 35 posts)
Andrew:

Here is scan # 1

Deckard's System Scanner v20071014.68
Run by friend on 2008-03-31 19:15:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Performed disk cleanup.



-- HijackThis (run as friend.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:15, on 2008-03-31
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINNT\system32\TpKmpSVC.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4serv.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINNT\system32\RaConfig2500.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Documents and Settings\friend\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\friend.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RaConfig2500.lnk = C:\WINNT\system32\RaConfig2500.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINNT\system32\TpKmpSVC.exe

--
End of file - 7660 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080327-175437-810 O3 - Toolbar: (no name) - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - (no file)
backup-20080327-175441-838 O21 - SSODL: buprestidae - {b59f3ba4-98da-4b5f-8a2d-7b56fb11140b} - (no file)
backup-20080327-175444-814 O22 - SharedTaskScheduler: buprestidae - {b59f3ba4-98da-4b5f-8a2d-7b56fb11140b} - (no file)

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 Smapint - c:\winnt\system32\drivers\smapint.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
R1 TDSMAPI - c:\winnt\system32\drivers\tdsmapi.sys
R1 TPHKDRV - c:\winnt\system32\drivers\tphkdrv.sys <Not Verified; IBM Corporation; ThinkPad OnScreenDisplay>
R1 TPPWR - c:\winnt\system32\drivers\tppwr.sys <Not Verified; IBM Corp.; IBM ThinkPad Utility>
R1 TSMAPIP - c:\winnt\system32\drivers\tsmapip.sys
R2 EGATHDRV (IBM Access Support) - c:\winnt\system32\egathdrv.sys
R2 LBeepKE - c:\winnt\system32\drivers\lbeepke.sys <Not Verified; Logitech Inc.; Logitech SetPoint>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 NAL (Nal Service ) - c:\winnt\system32\drivers\iqvw32.sys <Not Verified; Intel Corporation; Intel® iQVW32.SYS>
S3 sdthook - c:\winnt\system32\drivers\sdthook.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 TpKmpSVC (IBM KCU Service) - c:\winnt\system32\tpkmpsvc.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Device
Device ID: PCI\VEN_8086&DEV_2483&SUBSYS_02201014&REV_02\3&61AAA01&0&FB
Manufacturer:
Name: PCI Device
PNP Device ID: PCI\VEN_8086&DEV_2483&SUBSYS_02201014&REV_02\3&61AAA01&0&FB
Service:


-- Process Modules -------------------------------------------------------------

C:\WINNT\system32\WINLOGON.EXE (pid 160)
2007-04-19 12:41:36 294912 --a------ C:\Program Files\SUPERAntiSpyware\SASWINLO.dll <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware WinLogon Processor>
2005-06-16 22:23:08 24576 --a------ C:\WINNT\system32\tphklock.dll

C:\WINNT\explorer.exe (pid 1508)
2006-09-01 10:30:30 44544 --a------ C:\Program Files\Logitech\SetPoint\lgscroll.dll <Not Verified; Logitech Inc.; Logitech SetPoint>
2006-12-20 12:55:48 77824 --a------ C:\Program Files\SUPERAntiSpyware\SASSEH.DLL <Not Verified; SuperAdBlocker.com; SuperAntiSpyware>
2001-07-03 09:17:06 24576 --a------ C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnfps.dll


-- Scheduled Tasks -------------------------------------------------------------

2008-03-07 21:39:36 334 --a------ C:\WINNT\Tasks\McQcTask.job
2008-01-26 12:01:36 412 --a------ C:\WINNT\Tasks\Auto-scheduled task of Free Registry Fix.job
2005-11-29 00:43:58 300 --a------ C:\WINNT\Tasks\BMMTask.job


-- Files created between 2008-02-29 and 2008-03-31 -----------------------------

2008-03-31 19:09:14 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_4a8.dat
2008-03-30 20:01:51 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_4e8.dat
2008-03-30 20:01:29 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_608.dat
2008-03-30 16:42:06 0 d-------- C:\Documents and Settings\All Users\Application Data\pdf995
2008-03-30 16:42:05 249856 --a------ C:\WINNT\system32\pdfmona.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2008-03-30 16:42:05 51716 --a------ C:\WINNT\system32\pdf995mon.dll
2008-03-30 16:24:00 0 d-------- C:\Documents and Settings\friend\Application Data\TaxCut
2008-03-30 16:20:47 0 d-a------ C:\Program Files\TaxCut07
2008-03-30 16:20:47 0 d-a------ C:\Program Files\PDF995
2008-03-30 16:18:43 0 d-------- C:\Documents and Settings\All Users\Application Data\TaxCut
2008-03-28 21:45:55 0 d-------- C:\Documents and Settings\friend\Application Data\Logitech
2008-03-28 21:29:52 3712 --a------ C:\WINNT\system32\drivers\LBeepKE.sys <Not Verified; Logitech Inc.; Logitech SetPoint>
2008-03-28 21:29:51 69632 --a------ C:\WINNT\system32\KemXML.dll <Not Verified; Logitech Inc.; Logitech SetPoint>
2008-03-28 21:29:51 110592 --a------ C:\WINNT\system32\KemWnd.dll <Not Verified; Logitech Inc.; Logitech SetPoint>
2008-03-28 21:29:51 131072 --a------ C:\WINNT\system32\KemUtil.dll <Not Verified; Logitech Inc.; Logitech SetPoint>
2008-03-28 21:29:51 155648 --a------ C:\WINNT\system32\kemutb.dll <Not Verified; Logitech Inc.; Logitech SetPoint>
2008-03-28 21:29:47 0 d-a------ C:\Program Files\Common Files\Logitech
2008-03-28 21:29:30 0 d-a------ C:\Program Files\Logitech
2008-03-28 19:16:02 0 d-a------ C:\Program Files\Panda Security
2008-03-27 22:10:06 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-27 22:09:43 0 d-a------ C:\Program Files\SUPERAntiSpyware
2008-03-27 22:09:43 0 d-------- C:\Documents and Settings\friend\Application Data\SUPERAntiSpyware.com
2008-03-27 22:08:44 0 d-a------ C:\Program Files\Common Files\Wise Installation Wizard
2008-03-27 21:45:17 0 d---s---- C:\Documents and Settings\friend\UserData
2008-03-27 19:26:03 0 d-------- C:\Documents and Settings\friend\Application Data\Malwarebytes
2008-03-27 19:25:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-27 19:25:51 0 d-a------ C:\Program Files\Malwarebytes' Anti-Malware
2008-03-27 19:14:23 0 d-------- C:\Documents and Settings\friend\Application Data\Adobe
2008-03-27 19:11:42 0 d-------- C:\Documents and Settings\friend\Application Data\Mozilla
2008-03-27 17:56:44 0 d-------- C:\Documents and Settings\friend\Application Data\Google
2008-03-27 17:52:00 0 d-------- C:\Documents and Settings\friend\Application Data\Share-to-Web Upload Folder
2008-03-27 17:50:18 0 d-------- C:\Documents and Settings\friend\Application Data\Identities
2008-03-27 17:47:57 0 dr------- C:\Documents and Settings\friend\Favorites
2008-03-27 17:47:57 0 d-------- C:\Documents and Settings\friend\Desktop
2008-03-27 17:47:57 0 d---s---- C:\Documents and Settings\friend\Cookies
2008-03-27 17:47:57 0 d--h----- C:\Documents and Settings\friend\Application Data
2008-03-27 17:47:57 0 d-------- C:\Documents and Settings\friend\Application Data\Macromedia
2008-03-27 17:47:56 0 d--h----- C:\Documents and Settings\friend\Templates
2008-03-27 17:47:56 0 d-------- C:\Documents and Settings\friend\Start Menu
2008-03-27 17:47:56 0 d--h----- C:\Documents and Settings\friend\SendTo
2008-03-27 17:47:56 0 dr-h----- C:\Documents and Settings\friend\Recent
2008-03-27 17:47:56 0 d--h----- C:\Documents and Settings\friend\PrintHood
2008-03-27 17:47:56 0 d--h----- C:\Documents and Settings\friend\NetHood
2008-03-27 17:47:56 0 d-------- C:\Documents and Settings\friend\My Documents
2008-03-27 17:47:56 0 d--h----- C:\Documents and Settings\friend\Local Settings
2008-03-27 17:47:55 618496 --ah----- C:\Documents and Settings\friend\NTUSER.DAT
2008-03-27 17:46:17 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_5bc.dat
2008-03-26 22:41:28 25600 --a------ C:\WINNT\system32\WS2Fix.exe
2008-03-26 22:41:28 289144 --a------ C:\WINNT\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-03-26 22:41:28 86528 --a------ C:\WINNT\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-03-26 22:41:28 82432 --a------ C:\WINNT\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-03-26 22:41:28 51200 --a------ C:\WINNT\system32\dumphive.exe
2008-03-26 22:41:27 288417 --a------ C:\WINNT\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-03-26 22:41:27 53248 --a------ C:\WINNT\system32\Process.exe
2008-03-26 20:54:45 2396 --a------ C:\WINNT\system32\tmp.reg
2008-03-26 18:13:30 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_500.dat
2008-03-26 18:13:13 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_4b0.dat
2008-03-26 18:12:55 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_324.dat
2008-03-25 20:13:30 68096 --a------ C:\WINNT\system32\zip.exe
2008-03-25 20:13:30 98816 --a------ C:\WINNT\system32\sed.exe
2008-03-25 20:13:30 80412 --a------ C:\WINNT\system32\grep.exe
2008-03-25 20:13:30 73728 --a------ C:\WINNT\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-03-24 20:02:08 2359 --a------ C:\WINNT\mozver.dat
2008-03-23 21:20:22 0 d-------- C:\Documents and Settings\fr.bak\Application Data\Printer Info Cache
2008-03-23 11:55:17 0 d-a------ C:\Program Files\Hewlett-Packard
2008-03-23 10:00:05 0 d-a------ C:\Program Files\CCleaner
2008-03-22 16:38:42 3840 --a------ C:\WINNT\system32\drivers\BANTExt.sys
2008-03-22 16:38:42 0 d-a------ C:\Program Files\Belarc
2008-03-20 21:27:46 0 d-------- C:\Documents and Settings\fr.bak\Application Data\Image Zone Express
2008-03-17 22:20:46 0 d-a------ C:\Program Files\Trend Micro
2008-03-14 21:08:29 0 --a------ C:\WINNT\nsreg.dat
2008-03-14 21:08:25 0 d-------- C:\Documents and Settings\fr.bak\Application Data\Mozilla
2008-03-09 10:16:34 0 d-------- C:\WINNT\system32\Windows Media
2008-03-09 10:13:17 0 d--h---c- C:\WINNT\$NtUpdateRollupPackUninstall$
2008-03-09 10:13:04 0 d-------- C:\WINNT\msiinst.tmp
2008-03-09 09:46:20 0 d-------- C:\Documents and Settings\fr.bak\Application Data\Lavasoft
2008-03-08 13:17:01 0 d-------- C:\monitor
2008-03-08 13:11:00 0 d--h----- C:\WINNT\PIF
2008-03-08 09:14:53 0 d-------- C:\Documents and Settings\fr.bak\Application Data\McAfee
2008-03-08 08:52:19 0 d-------- C:\WINNT\system32\BITS
2008-03-07 22:00:15 0 d-------- C:\WINNT\system32\SoftwareDistribution
2008-03-07 21:42:30 143360 --a------ C:\WINNT\system32\dunzip32.dll <Not Verified; Inner Media, Inc.; DynaZIP-32 Multi-Threading UnZIP DLL>
2008-03-07 21:39:23 0 d-a------ C:\Program Files\McAfee.com
2008-03-07 21:39:22 0 d-a------ C:\Program Files\Common Files\McAfee
2008-03-07 21:39:16 0 d-a------ C:\Program Files\McAfee
2008-03-07 21:32:08 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-06 21:26:28 0 d-------- C:\WINNT\SoftwareDistribution
2008-03-06 18:55:08 0 d-------- C:\Documents and Settings\fr.bak\Application Data\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-03-28 21:29:30 0 d-ah----- C:\Program Files\InstallShield Installation Information
2008-03-27 22:08:44 0 d-a------ C:\Program Files\Common Files
2008-03-11 22:16:58 0 d-a------ C:\Program Files\RegistryFix
2008-03-11 22:16:19 0 d-a------ C:\Program Files\Free Registry Fix
2008-03-07 21:58:51 0 d-ah----- C:\Program Files\WindowsUpdate
2008-02-13 22:01:17 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_410.dat
2008-01-17 10:59:28 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_3d0.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4serv.exe" [05-07-13 03:55 C:\WINNT\system32\tp4serv.exe]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 C:\WINNT\system32\mobsync.exe]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [02-10-23 10:15 ]
"TPHOTKEY"="C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [05-08-29 14:15 ]
"TP4EX"="tp4ex.exe" [05-08-24 01:10 C:\WINNT\system32\TP4EX.exe]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [05-04-20 01:38 ]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [05-09-01 02:21 ]
"tgcmd"="C:\Program Files\support.com\bin\tgcmd.exe" [02-04-24 20:37 ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [08-01-11 22:16 ]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [01-07-03 09:11 ]
"Logitech Hardware Abstraction Layer"="C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [06-07-19 12:03 ]
"@"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [08-02-29 16:03 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-03-28 21:39:31]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 22:05:56]
RaConfig2500.lnk - C:\WINNT\system32\RaConfig2500.exe [2005-12-10 11:14:22]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2005-12-31 10:12:11]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [06-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 07-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
notifyf2.dll 05-07-05 23:45 28672 C:\WINNT\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 05-06-16 22:23 24576 C:\WINNT\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"




-- End of Deckard's System Scanner: finished at 2008-03-31 19:16:45 ------------
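As a worked example that is not part of the thread and not HijackThis or DSS code, the checks a helper applies by eye to the HijackThis section of the log above can be written down as rules: an entry whose target is reported "(no file)" or "(file missing)" is an orphan, usually left behind after a removal (the fixed buprestidae entries in the backups section were of that kind); an O16 DPF entry with no URL is an ActiveX control that cannot be attributed; an O23 service with "Unknown owner" carries no publisher name and should be verified before it is trusted; an O20 Winlogon Notify DLL loads into winlogon.exe at logon and deserves a look even when, as here, it belongs to SUPERAntiSpyware; and an O4 autorun that launches from a user-writable or temporary directory is suspect. The sample lines are copied from the log above, plus one constructed O4 line (the `[updater]` entry) so that the last rule fires.

```python
"""Triage the 'O' entries of a HijackThis log, as embedded in a DSS main.txt.

Added example; not HijackThis, DSS or thread code.  Encodes the eyeballing
rules a malware-removal helper applies: orphaned entries, unattributable
ActiveX downloads, services with no publisher, Winlogon Notify DLLs and
autoruns in user-writable locations.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Lines copied from the log posted in this thread, plus one constructed
# O4 line (the "[updater]" entry) that shows the user-writable check firing.
SAMPLE_LOG = r"""O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\svch0st.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# O16 body is "DPF: {CLSID} - <url>"; group 1 is the (possibly empty) URL.
DPF_RE = re.compile(r"DPF:\s*\{[^}]*\}\s*-\s*(\S*)")
# Autoruns should not live where an unprivileged user (or a drive-by) can write.
USER_WRITABLE = ("\\temp\\", "\\documents and settings\\", "\\local settings\\", "\\recycler\\")


@dataclass(frozen=True)
class Finding:
    section: str
    action: str   # "fix": remove the entry with HJT; "review": verify the binary first
    reason: str
    line: str


def triage_line(line):
    """Return a Finding for one HJT entry, or None if nothing is worth flagging."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    low = body.lower()
    if "(no file)" in low or "(file missing)" in low:
        return Finding(section, "fix", "registry entry points at a file that no longer exists", line)
    if section == "O16":
        dpf = DPF_RE.search(body)
        if dpf is None or not dpf.group(1):
            return Finding(section, "fix", "Downloaded Program Files (ActiveX) entry with no source URL", line)
    elif section == "O20":
        return Finding(section, "review", "Winlogon Notify DLL is loaded into winlogon.exe at logon; confirm its publisher", line)
    elif section == "O23" and "unknown owner" in low:
        return Finding(section, "review", "service binary carries no publisher name; check its signature or hash", line)
    elif section == "O4" and any(d in low for d in USER_WRITABLE):
        return Finding(section, "review", "autorun launches from a user-writable or temporary directory", line)
    return None


def triage(log_text):
    """All findings for a log, in log order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


def summarize(findings):
    """Count of findings per action, e.g. {'fix': 3, 'review': 3}."""
    return dict(Counter(f.action for f in findings))


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.action:6} {f.section:4} {f.reason}\n       {f.line}")
    print(summarize(found))
```

"fix" is a recommendation for a human, not an automatic removal: the Comcast O9 buttons point at URLs rather than files, which is why HijackThis reports them as missing, and removing them is harmless but they are ISP branding rather than malware. Likewise the rules flag SUPERAntiSpyware's own Winlogon DLL and the ThinkPad power service for review, which is the right outcome; the point is that nothing loading into winlogon.exe or running as a service should be trusted on its name alone.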

#36 jerris2 (Topic Starter, Member, 35 posts)
Andrew: Scan # 2



O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINNT\system32\TpKmpSVC.exe

--
End of file - 7660 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080327-175437-810 O3 - Toolbar: (no name) - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - (no file)
backup-20080327-175441-838 O21 - SSODL: buprestidae - {b59f3ba4-98da-4b5f-8a2d-7b56fb11140b} - (no file)
backup-20080327-175444-814 O22 - SharedTaskScheduler: buprestidae - {b59f3ba4-98da-4b5f-8a2d-7b56fb11140b} - (no file)

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 Smapint - c:\winnt\system32\drivers\smapint.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
R1 TDSMAPI - c:\winnt\system32\drivers\tdsmapi.sys
R1 TPHKDRV - c:\winnt\system32\drivers\tphkdrv.sys <Not Verified; IBM Corporation; ThinkPad OnScreenDisplay>
R1 TPPWR - c:\winnt\system32\drivers\tppwr.sys <Not Verified; IBM Corp.; IBM ThinkPad Utility>
R1 TSMAPIP - c:\winnt\system32\drivers\tsmapip.sys
R2 EGATHDRV (IBM Access Support) - c:\winnt\system32\egathdrv.sys
R2 LBeepKE - c:\winnt\system32\drivers\lbeepke.sys <Not Verified; Logitech Inc.; Logitech SetPoint>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 NAL (Nal Service ) - c:\winnt\system32\drivers\iqvw32.sys <Not Verified; Intel Corporation; Intel® iQVW32.SYS>
S3 sdthook - c:\winnt\system32\drivers\sdthook.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 TpKmpSVC (IBM KCU Service) - c:\winnt\system32\tpkmpsvc.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Device
Device ID: PCI\VEN_8086&DEV_2483&SUBSYS_02201014&REV_02\3&61AAA01&0&FB
Manufacturer:
Name: PCI Device
PNP Device ID: PCI\VEN_8086&DEV_2483&SUBSYS_02201014&REV_02\3&61AAA01&0&FB
Service:


-- Process Modules -------------------------------------------------------------

C:\WINNT\system32\WINLOGON.EXE (pid 160)
2007-04-19 12:41:36 294912 --a------ C:\Program Files\SUPERAntiSpyware\SASWINLO.dll <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware WinLogon Processor>
2005-06-16 22:23:08 24576 --a------ C:\WINNT\system32\tphklock.dll

C:\WINNT\explorer.exe (pid 1508)
2006-09-01 10:30:30 44544 --a------ C:\Program Files\Logitech\SetPoint\lgscroll.dll <Not Verified; Logitech Inc.; Logitech SetPoint>
2006-12-20 12:55:48 77824 --a------ C:\Program Files\SUPERAntiSpyware\SASSEH.DLL <Not Verified; SuperAdBlocker.com; SuperAntiSpyware>
2001-07-03 09:17:06 24576 --a------ C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnfps.dll


-- Scheduled Tasks -------------------------------------------------------------

2008-03-07 21:39:36 334 --a------ C:\WINNT\Tasks\McQcTask.job
2008-01-26 12:01:36 412 --a------ C:\WINNT\Tasks\Auto-scheduled task of Free Registry Fix.job
2005-11-29 00:43:58 300 --a------ C:\WINNT\Tasks\BMMTask.job


-- Files created between 2008-02-29 and 2008-03-31 -----------------------------

2008-03-31 19:09:14 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_4a8.dat
2008-03-30 20:01:51 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_4e8.dat
2008-03-30 20:01:29 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_608.dat
2008-03-30 16:42:06 0 d-------- C:\Documents and Settings\All Users\Application Data\pdf995
2008-03-30 16:42:05 249856 --a------ C:\WINNT\system32\pdfmona.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2008-03-30 16:42:05 51716 --a------ C:\WINNT\system32\pdf995mon.dll
2008-03-30 16:24:00 0 d-------- C:\Documents and Settings\friend\Application Data\TaxCut
2008-03-30 16:20:47 0 d-a------ C:\Program Files\TaxCut07
2008-03-30 16:20:47 0 d-a------ C:\Program Files\PDF995
2008-03-30 16:18:43 0 d-------- C:\Documents and Settings\All Users\Application Data\TaxCut
2008-03-28 21:45:55 0 d-------- C:\Documents and Settings\friend\Application Data\Logitech
2008-03-28 21:29:52 3712 --a------ C:\WINNT\system32\drivers\LBeepKE.sys <Not Verified; Logitech Inc.; Logitech SetPoint>
2008-03-28 21:29:51 69632 --a------ C:\WINNT\system32\KemXML.dll <Not Verified; Logitech Inc.; Logitech SetPoint>
2008-03-28 21:29:51 110592 --a------ C:\WINNT\system32\KemWnd.dll <Not Verified; Logitech Inc.; Logitech SetPoint>
2008-03-28 21:29:51 131072 --a------ C:\WINNT\system32\KemUtil.dll <Not Verified; Logitech Inc.; Logitech SetPoint>
2008-03-28 21:29:51 155648 --a------ C:\WINNT\system32\kemutb.dll <Not Verified; Logitech Inc.; Logitech SetPoint>
2008-03-28 21:29:47 0 d-a------ C:\Program Files\Common Files\Logitech
2008-03-28 21:29:30 0 d-a------ C:\Program Files\Logitech
2008-03-28 19:16:02 0 d-a------ C:\Program Files\Panda Security
2008-03-27 22:10:06 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-27 22:09:43 0 d-a------ C:\Program Files\SUPERAntiSpyware
2008-03-27 22:09:43 0 d-------- C:\Documents and Settings\friend\Application Data\SUPERAntiSpyware.com
2008-03-27 22:08:44 0 d-a------ C:\Program Files\Common Files\Wise Installation Wizard
2008-03-27 21:45:17 0 d---s---- C:\Documents and Settings\friend\UserData
2008-03-27 19:26:03 0 d-------- C:\Documents and Settings\friend\Application Data\Malwarebytes
2008-03-27 19:25:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-27 19:25:51 0 d-a------ C:\Program Files\Malwarebytes' Anti-Malware
2008-03-27 19:14:23 0 d-------- C:\Documents and Settings\friend\Application Data\Adobe
2008-03-27 19:11:42 0 d-------- C:\Documents and Settings\friend\Application Data\Mozilla
2008-03-27 17:56:44 0 d-------- C:\Documents and Settings\friend\Application Data\Google
2008-03-27 17:52:00 0 d-------- C:\Documents and Settings\friend\Application Data\Share-to-Web Upload Folder
2008-03-27 17:50:18 0 d-------- C:\Documents and Settings\friend\Application Data\Identities
2008-03-27 17:47:57 0 dr------- C:\Documents and Settings\friend\Favorites
2008-03-27 17:47:57 0 d-------- C:\Documents and Settings\friend\Desktop
2008-03-27 17:47:57 0 d---s---- C:\Documents and Settings\friend\Cookies
2008-03-27 17:47:57 0 d--h----- C:\Documents and Settings\friend\Application Data
2008-03-27 17:47:57 0 d-------- C:\Documents and Settings\friend\Application Data\Macromedia
2008-03-27 17:47:56 0 d--h----- C:\Documents and Settings\friend\Templates
2008-03-27 17:47:56 0 d-------- C:\Documents and Settings\friend\Start Menu
2008-03-27 17:47:56 0 d--h----- C:\Documents and Settings\friend\SendTo
2008-03-27 17:47:56 0 dr-h----- C:\Documents and Settings\friend\Recent
2008-03-27 17:47:56 0 d--h----- C:\Documents and Settings\friend\PrintHood
2008-03-27 17:47:56 0 d--h----- C:\Documents and Settings\friend\NetHood
2008-03-27 17:47:56 0 d-------- C:\Documents and Settings\friend\My Documents
2008-03-27 17:47:56 0 d--h----- C:\Documents and Settings\friend\Local Settings
2008-03-27 17:47:55 618496 --ah----- C:\Documents and Settings\friend\NTUSER.DAT
2008-03-27 17:46:17 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_5bc.dat
2008-03-26 22:41:28 25600 --a------ C:\WINNT\system32\WS2Fix.exe
2008-03-26 22:41:28 289144 --a------ C:\WINNT\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-03-26 22:41:28 86528 --a------ C:\WINNT\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-03-26 22:41:28 82432 --a------ C:\WINNT\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-03-26 22:41:28 51200 --a------ C:\WINNT\system32\dumphive.exe
2008-03-26 22:41:27 288417 --a------ C:\WINNT\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-03-26 22:41:27 53248 --a------ C:\WINNT\system32\Process.exe
2008-03-26 20:54:45 2396 --a------ C:\WINNT\system32\tmp.reg
2008-03-26 18:13:30 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_500.dat
2008-03-26 18:13:13 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_4b0.dat
2008-03-26 18:12:55 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_324.dat
2008-03-25 20:13:30 68096 --a------ C:\WINNT\system32\zip.exe
2008-03-25 20:13:30 98816 --a------ C:\WINNT\system32\sed.exe
2008-03-25 20:13:30 80412 --a------ C:\WINNT\system32\grep.exe
2008-03-25 20:13:30 73728 --a------ C:\WINNT\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-03-24 20:02:08 2359 --a------ C:\WINNT\mozver.dat
2008-03-23 21:20:22 0 d-------- C:\Documents and Settings\fr.bak\Application Data\Printer Info Cache
2008-03-23 11:55:17 0 d-a------ C:\Program Files\Hewlett-Packard
2008-03-23 10:00:05 0 d-a------ C:\Program Files\CCleaner
2008-03-22 16:38:42 3840 --a------ C:\WINNT\system32\drivers\BANTExt.sys
2008-03-22 16:38:42 0 d-a------ C:\Program Files\Belarc
2008-03-20 21:27:46 0 d-------- C:\Documents and Settings\fr.bak\Application Data\Image Zone Express
2008-03-17 22:20:46 0 d-a------ C:\Program Files\Trend Micro
2008-03-14 21:08:29 0 --a------ C:\WINNT\nsreg.dat
2008-03-14 21:08:25 0 d-------- C:\Documents and Settings\fr.bak\Application Data\Mozilla
2008-03-09 10:16:34 0 d-------- C:\WINNT\system32\Windows Media
2008-03-09 10:13:17 0 d--h---c- C:\WINNT\$NtUpdateRollupPackUninstall$
2008-03-09 10:13:04 0 d-------- C:\WINNT\msiinst.tmp
2008-03-09 09:46:20 0 d-------- C:\Documents and Settings\fr.bak\Application Data\Lavasoft
2008-03-08 13:17:01 0 d-------- C:\monitor
2008-03-08 13:11:00 0 d--h----- C:\WINNT\PIF
2008-03-08 09:14:53 0 d-------- C:\Documents and Settings\fr.bak\Application Data\McAfee
2008-03-08 08:52:19 0 d-------- C:\WINNT\system32\BITS
2008-03-07 22:00:15 0 d-------- C:\WINNT\system32\SoftwareDistribution
2008-03-07 21:42:30 143360 --a------ C:\WINNT\system32\dunzip32.dll <Not Verified; Inner Media, Inc.; DynaZIP-32 Multi-Threading UnZIP DLL>
2008-03-07 21:39:23 0 d-a------ C:\Program Files\McAfee.com
2008-03-07 21:39:22 0 d-a------ C:\Program Files\Common Files\McAfee
2008-03-07 21:39:16 0 d-a------ C:\Program Files\McAfee
2008-03-07 21:32:08 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-06 21:26:28 0 d-------- C:\WINNT\SoftwareDistribution
2008-03-06 18:55:08 0 d-------- C:\Documents and Settings\fr.bak\Application Data\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-03-28 21:29:30 0 d-ah----- C:\Program Files\InstallShield Installation Information
2008-03-27 22:08:44 0 d-a------ C:\Program Files\Common Files
2008-03-11 22:16:58 0 d-a------ C:\Program Files\RegistryFix
2008-03-11 22:16:19 0 d-a------ C:\Program Files\Free Registry Fix
2008-03-07 21:58:51 0 d-ah----- C:\Program Files\WindowsUpdate
2008-02-13 22:01:17 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_410.dat
2008-01-17 10:59:28 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_3d0.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4serv.exe" [05-07-13 03:55 C:\WINNT\system32\tp4serv.exe]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 C:\WINNT\system32\mobsync.exe]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [02-10-23 10:15 ]
"TPHOTKEY"="C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [05-08-29 14:15 ]
"TP4EX"="tp4ex.exe" [05-08-24 01:10 C:\WINNT\system32\TP4EX.exe]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [05-04-20 01:38 ]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [05-09-01 02:21 ]
"tgcmd"="C:\Program Files\support.com\bin\tgcmd.exe" [02-04-24 20:37 ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [08-01-11 22:16 ]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [01-07-03 09:11 ]
"Logitech Hardware Abstraction Layer"="C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [06-07-19 12:03 ]
"@"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [08-02-29 16:03 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-03-28 21:39:31]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 22:05:56]
RaConfig2500.lnk - C:\WINNT\system32\RaConfig2500.exe [2005-12-10 11:14:22]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2005-12-31 10:12:11]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [06-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 07-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
notifyf2.dll 05-07-05 23:45 28672 C:\WINNT\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 05-06-16 22:23 24576 C:\WINNT\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"




-- End of Deckard's System Scanner: finished at 2008-03-31 19:16:45 ------------



Will watch for further instructions. Thanks.
  • 0

#37
jerris2

    Member

  • Topic Starter
  • Member
  • 35 posts
Andrew:

What's happening? I am able to operate on a limited basis still, so that's a good thing, seems like there's a few issues still there - do you agree?

Thanks
jeff
  • 0

#38
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

What's happening? I am able to operate on a limited basis still, so that's a good thing, seems like there's a few issues still there - do you agree?

i was ill yesterday and my diary is a bit full today though i hope to be able to go through your logs this evening.

on the DSS scans, it was the extra.txt that i was also after, as well as the main.txt which you have posted. if you don't have the extra.txt on your desktop then could you rerun DSS using the following instructions.

click on Start, click on Run
copy and paste the following in bold in the open window and then click OK
"%userprofile%\desktop\dss.exe" /config
This will open up DSS configuration
click on Check All
click Scan
DSS will now run again when finished
Please post back only the extra txt

andrewuk
  • 0

#39
jerris2

    Member

  • Topic Starter
  • Member
  • 35 posts
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows 2000 Professional (build 2195) SP 4.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® III Mobile CPU 1133MHz
Percentage of Memory in Use: 44%
Physical Memory (total/avail): 510.92 MiB / 282.34 MiB
Pagefile Memory (total/avail): 861.53 MiB / 565.7 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1952.1 MiB

C: is Fixed (NTFS) - 27.95 GiB total, 20.07 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - IC25N030ATCS04-0 - 27.95 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 27.95 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\friend\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=FRIEND-C3TMSH2S
ComSpec=C:\WINNT\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\friend
LOGONSERVER=\\FRIEND-C3TMSH2S
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\WINNT\System32
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 11 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0b01
ProgramFiles=C:\Program Files
PROMPT=$P$G
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\DOCUME~1\friend\LOCALS~1\Temp
TMP=C:\DOCUME~1\friend\LOCALS~1\Temp
USERDOMAIN=FRIEND-C3TMSH2S
USERNAME=friend
USERPROFILE=C:\Documents and Settings\friend
windir=C:\WINNT


-- User Profiles ---------------------------------------------------------------

friend (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINNT\ST5UNST.EXE -n "C:\Program Files\LJ2006\ST5UNST.000"
--> C:\WINNT\ST5UNST.EXE -n "C:\Program Files\LJ2006\ST5UNST.001"
--> C:\WINNT\ST5UNST.EXE -n "C:\Program Files\LJ2006\ST5UNST.002"
7-Zip 4.42 --> "C:\Program Files\7-Zip\Uninstall.exe"
Access ThinkPad --> MsiExec.exe /X{B5599ECB-DA72-43EE-8A30-2C80396FF8BB}
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player ActiveX --> C:\WINNT\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Belarc Advisor 7.2 --> C:\PROGRA~1\Belarc\Advisor\Uninstall.exe C:\PROGRA~1\Belarc\Advisor\INSTALL.LOG
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Comcast High-Speed Internet Install Wizard --> C:\Program Files\support.com\uninstall\chsi_uninstaller.exe
ComcastSUPPORT --> "C:\Program Files\support.com\bin\tgfix.exe" /rm /nq
DirectX 9 Hotfix - KB839643 --> C:\WINNT\$NtUninstallKB839643-DirectX9$\spuninst\spuninst.exe
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar4.dll"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
hp officejet 7100 series --> MsiExec.exe /X{EE43210C-266E-4101-8FBC-04378D5E9D42}
HP Photosmart Essential --> MsiExec.exe /X{EB21A812-671B-4D08-B974-2A347F0D8F70}
HP Share-to-Web --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{748F4870-8350-11D3-B0BF-080009FB4A19}\setup.exe" --MAIN -l9
HVAC-Calc (Vista Compatible) --> C:\PROGRA~1\HVAC-C~1\UNWISE.EXE C:\PROGRA~1\HVAC-C~1\INSTALL.LOG
IBM ThinkPad Battery MaxiMiser and Power Management Features --> C:\WINNT\IsUninst.exe -f"C:\Program Files\ThinkPad\Utilities\Unbmm.isu" -c"C:\Program Files\ThinkPad\Utilities\Tpinsbmm.dll"
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
Intel® PROSet --> MsiExec.exe /I{EF4EF65F-4D62-44D7-82C9-1AECCBA74C50}
KhalSetup --> MsiExec.exe /I{EE7B9A8D-19F0-450D-8E94-3E391E6044CD}
LJ2006 --> C:\WINNT\ST5UNST.EXE -n "C:\Program Files\LJ2006\ST5UNST.LOG"
Logitech SetPoint --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}\setup.exe" -l0x9 -removeonly
Lucent Win Modem --> C:\WINNT\System32\ltremove.exe
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft Office 2000 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Mozilla Firefox (2.0.0.13) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Panda TotalScan --> C:\Program Files\Panda Security\TotalScan\ascuninst.exe
Pdf995 (installed by TaxCut) --> C:\Program Files\pdf995\setup.exe uninstall
PdfEdit995 (installed by TaxCut) --> C:\Program Files\pdf995\res\utilities\thinsetup.exe - uninstall
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
RT2500 Wireless LAN Card --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AAA66A0D-E610-40B8-9D51-C1854285773A}\Setup.exe" -l0x9
S3Display --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Display'
S3Gamma2 --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Gamma2'
S3Info2 --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Info2'
Security Update for DirectX 9 (KB941568) --> "C:\WINNT\$NtUninstallKB941568_DX9$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB941569) --> "C:\WINNT\$NtUninstallKB941569$\spuninst\spuninst.exe"
Software Installer --> _tpiu000.exe /U
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
SuperSavage and Utilities --> C:\PROGRA~1\S3\SupSavge\s3setvga.exe -s -fC:\PROGRA~1\S3\SupSavge\SupSavge.uns
TaxCut Deluxe 2005 --> C:\PROGRA~1\TaxCut05\Program\removetc.exe
TaxCut Michigan 2007 --> MsiExec.exe /X{80D8662E-1EAD-4036-844B-0374F39E4C81}
TaxCut Premium + State 2007 --> MsiExec.exe /X{663E217E-FC26-4249-9E8E-F190CD63E737}
TaxCut Premium 2006 --> C:\PROGRA~1\TaxCut06\Program\removetc.exe
ThinkPad Configuration --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FC081D4D-DF1B-4CF1-B530-027E4118D846}\setup.exe" -l0x9 -AddRemove
ThinkPad EasyEject Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1297C681-92D7-40EF-93BF-03F66EC5105C}\setup.exe" -l0x9 -AddRemove
ThinkPad Keyboard Customizer Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2111B23F-7FDA-4A41-8309-E5A1663CA296}\setup.exe" -l0x9 anything
ThinkPad Power Management Driver --> RunDll32.exe tpinspm.dll,Uninstall
ThinkPad Presentation Director --> C:\WINNT\IsUninst.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\UNNPDR.isu -c"C:\Program Files\ThinkPad\Utilities\Tpinsnpd.dll"
ThinkPad TrackPoint Driver --> C:\WINNT\System32\tp4unins.exe
TrackPoint Accessibility Features --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA664480-3844-11D5-8C25-444553540000}\setup.exe"
Windows 2000 Service Pack 4 --> C:\WINNT\$NtServicePackUninstall$\spuninst\spuninst.exe
Windows Media Player 7.1 --> C:\Program Files\Windows Media Player\setup_wm.exe /Uninstall
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Yahoo! Anti-Spy --> C:\PROGRA~1\Yahoo!\Common\unypsr.exe
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type6203 / Warning
Event Submitted/Written: 04/02/2008 09:12:19 PM
Event ID/Source: 4100 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber {6295DF2D-35EE-11D1-8707-00C04FD93327}. CoCreateInstanceEx returned HRESULT 8000401A.

Event Record #/Type6202 / Error
Event Submitted/Written: 04/02/2008 09:12:00 PM
Event ID/Source: 2002 / PerfNet
Event Description:
Unable to open the Redirector service. Redirector performance data
will not be returned. Error code returned is in data DWORD 0.

Event Record #/Type6201 / Error
Event Submitted/Written: 04/02/2008 09:12:00 PM
Event ID/Source: 2004 / PerfNet
Event Description:
Unable to open the Server service. Server performance data
will not be returned. Error code returned is in data DWORD 0.

Event Record #/Type6194 / Error
Event Submitted/Written: 04/01/2008 07:04:30 PM
Event ID/Source: 2002 / PerfNet
Event Description:
Unable to open the Redirector service. Redirector performance data
will not be returned. Error code returned is in data DWORD 0.

Event Record #/Type6193 / Error
Event Submitted/Written: 04/01/2008 07:04:30 PM
Event ID/Source: 2004 / PerfNet
Event Description:
Unable to open the Server service. Server performance data
will not be returned. Error code returned is in data DWORD 0.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2994 / Error
Event Submitted/Written: 04/02/2008 09:10:38 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Task Scheduler service failed to start due to the following error:
%%1083

Event Record #/Type2990 / Error
Event Submitted/Written: 04/02/2008 09:10:16 PM
Event ID/Source: 12291 / SAM
Event Description:
SAM failed to start the TCP/IP or SPX/IPX listening thread

Event Record #/Type2986 / Error
Event Submitted/Written: 04/01/2008 07:03:05 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Task Scheduler service failed to start due to the following error:
%%1083

Event Record #/Type2982 / Error
Event Submitted/Written: 04/01/2008 07:02:43 PM
Event ID/Source: 12291 / SAM
Event Description:
SAM failed to start the TCP/IP or SPX/IPX listening thread

Event Record #/Type2980 / Error
Event Submitted/Written: 04/01/2008 06:14:45 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {1BE1F766-5536-11D1-B726-00C04FB926AF} did not register with DCOM within the required timeout.



-- End of Deckard's System Scanner: finished at 2008-04-02 21:32:54 ------------
  • 0

#40
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
well, i don't see anything more malware related in those logs. let's just give it one more scan before we wrap up the malware part:

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.

andrewuk
  • 0

#41
jerris2

    Member

  • Topic Starter
  • Member
  • 35 posts
Andrew:

Will post that report tonight. This scan took probably 6 hrs, found 1 virus which was corrected but I had to start over (don't have that name). When I thought I was done, saved the log, but it kept running, so I let it go while I went to work. Anyways it should be done tonight; if it isn't, I'll stop it and send along that log you asked for. There were 5 to 7 issues and a couple related to combo fix it that you sent to me I believe. This one is a secondary issue, I have another drive thru USB connection that I use now and then. Some files were copied from C: - mostly data files in case it crashes. Anyways that one could be infected, wondered if I should scan that one and if so - what order of the tools that you sent me? I don't want to have a problem with both of them, so perhaps this should wait, or do you recommend I go forward now? Again I will follow up tonight and post that log which you have asked for in last post of C: drive.

Thanks
Jeff

#42
jerris2 (Topic Starter, Member, 35 posts)
Andrew:

Here's the result of the Dr.Web report. Before the system shutdown, there was another virus that was fixed, but I was unable to print out what that was. With regard to my external E: drive - please let me know if you want to address this now or later.

Thanks
Jeff


C.bat;C:\ComboFix;Probably BATCH.Virus;Incurable.Deleted.;
FIND3M.bat;C:\ComboFix;Probably SCRIPT.Virus;Incurable.Deleted.;
psexec.cfexe;C:\ComboFix;Program.PsExec.171;Incurable.Deleted.;
Process.exe;C:\Documents and Settings\fr.bak\Desktop\SmitfraudFix;Tool.Prockill;Incurable.Deleted.;
restart.exe;C:\Documents and Settings\fr.bak\Desktop\SmitfraudFix;Tool.ShutDown.11;Incurable.Deleted.;
tgupdate.exe;C:\Program Files\support.com\bin;Probably DLOADER.Trojan;Incurable.Deleted.;
Process.exe;C:\WINNT\system32;Tool.Prockill;Incurable.Deleted.;

#43
andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
Hi Jerris2

From a malware point of view, your logs are clean.

The last scan only found the fix tools we used (which are not viruses, but are often picked up by antivirus programs).

So, let's wrap up the malware part of the fix here.

I am assuming, though, that you are still having problems with your machine. Could you give me a full description of those problems once you have gone through the steps in this post?

As for your external drive, it depends what your current problems are.

In this post we will clear away the fix tools, reset your restore points (there will be infections lurking in there), and I will leave you with some ideas on how to enhance the protection of your machine against future infection.

====STEP 1====
Please download the OTMoveIt2 by OldTimer and Save it to your desktop.
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your firewall or real-time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

====STEP 2====
To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

Instructions with screenshots to help are here: http://www.f-secure..../sfc_dis1.shtml

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/kb/310405


====STEP 3====
====IDEAS TO SPEED UP YOUR MACHINE====
This page http://users.telenet...owcomputer.html gives some good ideas on how to improve the efficiency of your machine and has one or two useful links to help you further.


====AND FINALLY====
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber-powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein


andrewuk
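The judgement made in the post above (tool components picked up by the scanner versus anything that still needs a look) can be done mechanically over the DrWeb.csv lines posted in #42. The following Python script is an added example for this thread, not code from the original posts or from Dr.Web CureIt. It assumes the report's field order is name;folder;detection;action (read off the lines posted here, not taken from Dr.Web documentation), and KNOWN_TOOL_DIRS is an assumed list of the removal-tool folders used on this machine.

```python
"""Triage a Dr.Web CureIt report (DrWeb.csv) the way a malware-removal helper
does by hand: detections inside the folders of the removal tools we ran are
tool components, not infections; anything else gets flagged for a human look.

Example code for this thread, not part of Dr.Web CureIt. The field order
(name;folder;detection;action;) is an assumption read off the lines posted in
the thread, and KNOWN_TOOL_DIRS is an assumed list for this particular machine.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Report lines copied from post #42 of this thread.
REPORT_LINES = [
    r"C.bat;C:\ComboFix;Probably BATCH.Virus;Incurable.Deleted.;",
    r"FIND3M.bat;C:\ComboFix;Probably SCRIPT.Virus;Incurable.Deleted.;",
    r"psexec.cfexe;C:\ComboFix;Program.PsExec.171;Incurable.Deleted.;",
    r"Process.exe;C:\Documents and Settings\fr.bak\Desktop\SmitfraudFix;Tool.Prockill;Incurable.Deleted.;",
    r"restart.exe;C:\Documents and Settings\fr.bak\Desktop\SmitfraudFix;Tool.ShutDown.11;Incurable.Deleted.;",
    r"tgupdate.exe;C:\Program Files\support.com\bin;Probably DLOADER.Trojan;Incurable.Deleted.;",
    r"Process.exe;C:\WINNT\system32;Tool.Prockill;Incurable.Deleted.;",
]
REPORT = "\n".join(REPORT_LINES)

# Folders created by the removal tools run earlier in the thread (assumed list).
KNOWN_TOOL_DIRS = (
    r"C:\ComboFix",
    r"C:\Documents and Settings\fr.bak\Desktop\SmitfraudFix",
)

# Dr.Web name families that denote legitimate utilities (process killers,
# PsExec, shutdown helpers) rather than malware.
TOOL_FAMILIES = ("Tool.", "Program.")

TOOL_COMPONENT = "fix-tool component"
TOOL_OUT_OF_PLACE = "tool detection outside a tool folder: verify"
NEEDS_REVIEW = "not a known tool: review"
CATEGORIES = (TOOL_COMPONENT, TOOL_OUT_OF_PLACE, NEEDS_REVIEW)


@dataclass(frozen=True)
class Detection:
    name: str
    folder: str
    verdict: str
    action: str

    @property
    def path(self) -> str:
        return str(PureWindowsPath(self.folder, self.name))


def parse_report(text: str) -> list[Detection]:
    """Parse semicolon-separated report lines; blank lines are skipped."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected name;folder;detection;action, got {line!r}")
        rows.append(Detection(*fields[:4]))
    return rows


def is_under(folder: str, root: str) -> bool:
    """Case-insensitive 'folder is root or lies inside root' on Windows paths."""
    f = [p.lower() for p in PureWindowsPath(folder).parts]
    r = [p.lower() for p in PureWindowsPath(root).parts]
    return f[: len(r)] == r


def classify(d: Detection) -> str:
    if any(is_under(d.folder, root) for root in KNOWN_TOOL_DIRS):
        return TOOL_COMPONENT
    if d.verdict.startswith(TOOL_FAMILIES):
        # Same signature as a tool component, but not where the tool lives
        # (here: Process.exe under system32). Confirm how it got there.
        return TOOL_OUT_OF_PLACE
    return NEEDS_REVIEW


def triage(rows: list[Detection]) -> dict[str, list[str]]:
    out: dict[str, list[str]] = {c: [] for c in CATEGORIES}
    for d in rows:
        out[classify(d)].append(d.path)
    return out


if __name__ == "__main__":
    for category, paths in triage(parse_report(REPORT)).items():
        print(f"{category}:")
        for p in paths:
            print("   ", p)
```

The folder check runs before the detection-name check on purpose: a "Probably ...Virus" heuristic hit on a batch file inside C:\ComboFix is still a tool component, while a "Tool." hit outside any tool folder is only probably benign and is kept in its own bucket rather than silently cleared. The script decides nothing on its own; the helper's verdict in the thread stands, and the output is the list of what that verdict had to account for.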

#44
jerris2 (Topic Starter, Member, 35 posts)
Andrew:

I think an issue might be that I don't have XP and the restore functions; I am running 2000. Having those tools on my desktop - does that remain a problem? As far as the external drive, it is not having any problems currently, but I probably should at least run a virus scan, perhaps other tools? Hate to have an infection from that source reinfect my C: drive. Please advise. Will watch for further instructions.

Thanks
Jeff

#45
andrewuk (Trusted Helper, Malware Removal, 5,297 posts)

"Having those tools on my desktop - does that remain a problem?"

No, but it is best to clear them away.

"As far as the external drive, it is not having any problems currently"

Let's do a Malwarebytes full scan and a Kaspersky online scan on it:

====STEP 1====
Please download Malwarebytes' Anti-Malware from Here or Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", select the drives to scan and then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


====STEP 2====
Please do an online scan with Kaspersky WebScanner

Click on Accept.

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select Folders......
    • and select your external hard drive
    • and then click scan
  • This will start and scan your hard drive
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

andrewuk