HijackThis Log Internet connection TOTALLY stalled! [RESOLVED]


  • This topic is locked

#1
tcwc

  • Member
  • 35 posts
HijackThis Log Internet connection TOTALLY stalled!!!

Please kindly help:
This is an old computer that has Windows 98 ... one day it STOPPED connecting to the internet. All other programs and files are working fine, just not the Internet connection.

The other computers that are connected to the same network/router/modem are working fine.

Please kindly advise.
Many Thanks.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:19:40 PM, on 8/3/08
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL PRO\KAVSVC.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\WINDOWS\DIT.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL PRO\KAV.EXE
C:\PROGRAM FILES\MICROSOFT BROADBAND NETWORKING\MSBNTRAY.EXE
C:\WINDOWS\DITEXP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT BROADBAND NETWORKING\IPHLPSVR.EXE
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.coolwwwse...b/x1.cgi?656387 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.coolwwwse...b/x1.cgi?656387 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.coolwwwse...b/x1.cgi?656387 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.coolwwwse...b/x1.cgi?656387 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.bellsouth.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.the-exit.com/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bellsouth.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.payfortra....net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.payfortra....net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.payfortra....net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.martfinder.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.the-exit.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.c...earch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.coolwwwse...a/x1.cgi?656387 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.the-exit.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://fau.proxy.fcla.edu:8888
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.mot.com
R3 - URLSearchHook: MailTo Class - {01A9EB7D-69BC-11D2-AB2F-204C4F4F5020} - C:\WINDOWS\SYSTEM\DNSRELAY.DLL
O1 - Hosts: 1123694712 auto.search.msn.com
O1 - Hosts: 64.135.204.60 www.0190-dialer.com
O1 - Hosts: 64.135.204.60 mtreexxx.net
O1 - Hosts: 64.135.204.60 www.mtreexxx.net
O1 - Hosts: 64.135.204.60 network.nocreditcard.com
O1 - Hosts: 64.135.204.60 www.online-dialer.com
O1 - Hosts: 64.135.204.60 www.sex-explorer.com
O1 - Hosts: 64.135.204.60 sex-explorer.com
O1 - Hosts: 64.135.204.60 www.worldsex.com
O1 - Hosts: 64.135.204.60 www.al4a.com
O1 - Hosts: 64.135.204.60 www.thumbnail-post.com
O1 - Hosts: 64.135.204.60 www.madthumbs.com
O1 - Hosts: 64.135.204.60 www.thumbzilla.com
O1 - Hosts: 64.135.204.60 www.sexocean
O1 - Hosts: 64.135.204.60 www.sublimedirectory
O1 - Hosts: 64.135.204.60 www.thehun.com
O1 - Hosts: 64.135.204.60 thehun.net
O1 - Hosts: 64.135.204.60 www.thehun.net
O1 - Hosts: 64.135.204.60 www.exitforcash.com
O1 - Hosts: 64.135.204.60 exit.xitcash.com
O1 - Hosts: 64.135.204.60 top.darkcollection.com
O1 - Hosts: 64.135.204.60 top.wild-nymphets.com
O1 - Hosts: 64.135.204.60 lol.to
O1 - Hosts: 64.135.204.60 www.cybernymphets.com
O1 - Hosts: 64.135.204.60 www21.smutserver.com
O1 - Hosts: 64.135.204.60 www13.smutserver.com
O1 - Hosts: 64.135.204.60 www.x-x-x-hosting.com
O1 - Hosts: 64.135.204.60 www22.smutserver.com
O1 - Hosts: 64.135.204.60 www2.smutserver.com
O1 - Hosts: 64.135.204.60 www9.kinghost.com
O1 - Hosts: 64.135.204.60 www.amateursgonebad.com
O1 - Hosts: 64.135.204.60 www6.kinghost.com
O1 - Hosts: 64.135.204.60 www8.kinghost.com
O1 - Hosts: 64.135.204.60 www7.kinghost.com
O1 - Hosts: 64.135.204.60 www.xfreehosting.com
O1 - Hosts: 64.135.204.60 www.kinghost.com
O1 - Hosts: 64.135.204.60 www.smuthosts.com
O1 - Hosts: 64.135.204.60 www.smutserver.com
O1 - Hosts: 64.135.204.60 www.xxxvideohost.com
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\KEN\READER\ACTIVEX\ACROIEHELPER.OCX (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\SYSTEM\pc32.exe bg
O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [Welcome] C:\WINDOWS\Welcome.exe /R
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [kavsvc] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe"
O4 - .DEFAULT Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe (User 'Default user')
O4 - Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
O8 - Extra context menu item: >>> HENTAI MOVIES <<< - java script:{document.location='http://www.archivehentai.com/ah/25/getpassword.html';}
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FLASHGET.EXE
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FLASHGET.EXE
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.bellsouth.net
O15 - Trusted Zone: *.coolwwwsearch.com
O15 - Trusted Zone: *.msn.com
O16 - DPF: {9F77A997-F0F3-11d1-9195-00C04FC990DC} -
O16 - DPF: {86ecb6a0-400a-11d5-b638-00c04faedb18} -
O19 - User stylesheet: C:\WINDOWS\default.css (file missing)
O19 - User stylesheet: C:\WINDOWS\default.css (file missing) (HKLM)

--
End of file - 9011 bytes


#2
Ltangelic

    Angel Annihilator of Malware

  • Retired Staff
  • 2,008 posts
Hey tcwc,

Welcome to GeekstoGo! I'm Ltangelic and I'll be helping you fix your computer problem.

Take note that I'm still in training, and my posts will have to be checked by an expert. This may cause delays between my responses, so I ask for your patience. Please stick with me until we get your computer cleaned up or it will be a wasted effort on both sides. :)

I'm looking at your log now, and I'll post back with a fix when I'm ready. Thanks for your patience.

PS. If I've not been responding, and you wonder why, feel free to PM me and I'll give an explanation.

LT

#3
Ltangelic

    Angel Annihilator of Malware

  • Retired Staff
  • 2,008 posts
Hey tcwc,

Sorry for taking so long to respond, I had some personal issues to handle and have been really busy.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Edited by Ltangelic, 06 August 2008 - 08:25 AM.


#4
tcwc

  • Topic Starter
  • Member
  • 35 posts
Hi LT,
Hope all is well with you now.

I recently removed Windows 98 and installed Windows XP with its IExplorer, and the internet connection is now working.

However, the computer seems to run weirdly. It does not seem that 98 has been removed completely .... all my old Program Files are still there, but are not shown in the XP Add/Remove command. When downloading from the Internet .... the Explorer STALLED sometimes (i.e. .... when installing McAfee ... it just could not be done).

Anyway, here are the logs you requested with the latest HijackThis.
Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:25:50 AM, on 8/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = ??
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe (file missing)

--
End of file - 2335 bytes

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

Deckard's System Scanner v20071014.68
Run by Terry on 2008-08-07 09:07:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
6: 2008-08-07 16:07:49 UTC - RP6 - Deckard's System Scanner Restore Point
5: 2008-08-07 03:56:06 UTC - RP5 - Software Distribution Service 3.0
4: 2008-08-07 00:54:04 UTC - RP4 - Software Distribution Service 3.0
3: 2008-08-06 06:00:42 UTC - RP3 - Software Distribution Service 3.0
2: 2008-08-06 05:52:47 UTC - RP2 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-08-06 03:38:27 UTC - RP1 - ?????


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 320 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-07 09:08:40
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Documents and Settings\Terry\Local Settings\Temporary Internet Files\Content.IE5\EWXXDNCO\dss[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = ??
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.ma...t/ultrashim.cab
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe


--
End of file - 2524 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 McNASvc (McAfee Network Agent) - "c:\progra~1\common~1\mcafee\mna\mcnasvc.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {D45B1C18-C8FA-11D1-9F77-0000F805F530}
Description: NT Apm/Legacy Interface Node
Device ID: ROOT\NTAPM\0000
Manufacturer: Microsoft
Name: NT Apm/Legacy Interface Node
PNP Device ID: ROOT\NTAPM\0000
Service: NtApm

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI ???????
Device ID: PCI\VEN_1057&DEV_5600&SUBSYS_03001436&REV_00\2&EBB567F&0&58
Manufacturer:
Name: PCI ???????
PNP Device ID: PCI\VEN_1057&DEV_5600&SUBSYS_03001436&REV_00\2&EBB567F&0&58
Service:


-- Files created between 2008-07-07 and 2008-08-07 -----------------------------

2008-08-07 09:03:10 0 dr-h----- C:\Documents and Settings\Terry\Recent
2008-08-06 23:29:12 0 d--hs---- C:\FOUND.002
2008-08-06 23:25:44 0 d-------- C:\Program Files\McAfee.com
2008-08-06 23:25:35 0 d-------- C:\Program Files\Common Files\McAfee
2008-08-06 23:25:16 0 d-------- C:\Program Files\McAfee
2008-08-06 22:56:13 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-08-06 22:24:06 0 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-06 18:14:05 0 d-------- C:\WINDOWS\system32\appmgmt
2008-08-06 17:55:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-08-06 17:47:40 0 d---s---- C:\Documents and Settings\Terry\UserData
2008-08-06 17:42:51 0 d---s---- C:\Documents and Settings\Ethan C\UserData
2008-08-05 22:53:01 0 d-------- C:\WINDOWS\system32\PreInstall
2008-08-05 22:52:58 0 d--h----- C:\WINDOWS\$hf_mig$
2008-08-05 22:48:14 0 d-------- C:\Documents and Settings\Ethan C\Application Data\Mozilla
2008-08-05 22:44:49 0 d-------- C:\Documents and Settings\Ethan C\Application Data\Macromedia
2008-08-05 22:44:49 0 d-------- C:\Documents and Settings\Ethan C\Application Data\Adobe
2008-08-05 21:26:53 0 d-------- C:\Documents and Settings\Terry\Application Data\Macromedia
2008-08-05 21:26:53 0 d-------- C:\Documents and Settings\Terry\Application Data\Adobe
2008-08-05 21:21:42 0 --a------ C:\WINDOWS\nsreg.dat
2008-08-05 21:21:36 0 d-------- C:\Documents and Settings\Terry\Application Data\Mozilla
2008-08-05 21:15:20 0 d-------- C:\Documents and Settings\Ethan C\Application Data\Identities
2008-08-05 21:15:12 0 d-------- C:\Documents and Settings\Ethan C\Desktop
2008-08-05 21:15:05 0 d-------- C:\Documents and Settings\Ethan C\??
2008-08-05 21:15:05 0 d--h----- C:\Documents and Settings\Ethan C\Templates
2008-08-05 21:15:05 0 dr-h----- C:\Documents and Settings\Ethan C\SendTo
2008-08-05 21:15:05 0 dr-h----- C:\Documents and Settings\Ethan C\Recent
2008-08-05 21:15:05 0 d--h----- C:\Documents and Settings\Ethan C\PrintHood
2008-08-05 21:15:05 0 d--h----- C:\Documents and Settings\Ethan C\NetHood
2008-08-05 21:15:05 0 dr------- C:\Documents and Settings\Ethan C\My Documents
2008-08-05 21:15:05 0 dr------- C:\Documents and Settings\Ethan C\Favorites
2008-08-05 21:15:05 0 d---s---- C:\Documents and Settings\Ethan C\Cookies
2008-08-05 21:15:05 0 dr-h----- C:\Documents and Settings\Ethan C\Application Data
2008-08-05 21:15:05 0 d---s---- C:\Documents and Settings\Ethan C\Application Data\Microsoft
2008-08-05 21:15:05 0 dr------- C:\Documents and Settings\Ethan C\???????
2008-08-05 21:15:04 786432 --ah----- C:\Documents and Settings\Ethan C\NTUSER.DAT
2008-08-05 21:15:04 0 d--h----- C:\Documents and Settings\Ethan C\Local Settings
2008-08-05 20:37:49 0 d-------- C:\Documents and Settings\Terry\Application Data\Identities
2008-08-05 20:37:28 0 d-------- C:\Documents and Settings\Terry\Desktop
2008-08-05 20:37:19 0 d-------- C:\Documents and Settings\Terry\??
2008-08-05 20:37:19 0 dr-h----- C:\Documents and Settings\Terry\SendTo
2008-08-05 20:37:19 0 d--h----- C:\Documents and Settings\Terry\PrintHood
2008-08-05 20:37:19 0 d--h----- C:\Documents and Settings\Terry\NetHood
2008-08-05 20:37:19 0 dr------- C:\Documents and Settings\Terry\My Documents
2008-08-05 20:37:19 0 dr------- C:\Documents and Settings\Terry\Favorites
2008-08-05 20:37:19 0 d---s---- C:\Documents and Settings\Terry\Cookies
2008-08-05 20:37:19 0 dr-h----- C:\Documents and Settings\Terry\Application Data
2008-08-05 20:37:19 0 dr------- C:\Documents and Settings\Terry\???????
2008-08-05 20:37:18 0 d--h----- C:\Documents and Settings\Terry\Templates
2008-08-05 20:37:17 0 d--h----- C:\Documents and Settings\Terry\Local Settings
2008-08-05 20:37:16 1048576 --ah----- C:\Documents and Settings\Terry\NTUSER.DAT
2008-08-05 20:35:52 0 d--hs---- C:\FOUND.001
2008-08-05 20:30:24 0 d--hs---- C:\FOUND.000
2008-08-05 20:24:03 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-08-05 20:10:57 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-08-05 20:10:56 0 d--hs---- C:\System Volume Information
2008-08-05 20:10:46 0 d-------- C:\WINDOWS\Prefetch
2008-08-05 20:10:45 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-08-05 20:10:43 229376 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-08-05 20:10:43 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-08-05 20:10:43 0 d---s---- C:\Documents and Settings\LocalService\Cookies
2008-08-05 20:10:43 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-08-05 20:10:43 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-08-05 20:10:26 229376 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-08-05 20:10:26 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-08-05 20:10:26 0 d---s---- C:\Documents and Settings\NetworkService\Cookies
2008-08-05 20:10:26 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-08-05 20:10:26 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-08-05 19:56:03 0 d-------- C:\WINDOWS\system32\xircom
2008-08-05 19:54:47 229376 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-08-05 19:51:24 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-08-05 19:49:28 0 d-------- C:\WINDOWS\system32\DirectX
2008-08-05 19:49:00 0 d-------- C:\Program Files\Common Files\MSSoap
2008-08-05 19:48:56 0 d-------- C:\WINDOWS\system32\Macromed
2008-08-05 19:48:56 0 d-------- C:\WINDOWS\srchasst
2008-08-05 19:48:48 0 d-------- C:\Program Files\Movie Maker
2008-08-05 19:48:42 0 d-------- C:\WINDOWS\system32\Restore
2008-08-05 19:46:18 21456 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-08-05 19:45:38 0 d-------- C:\WINDOWS\Registration
2008-08-05 19:45:07 0 d-------- C:\Program Files\Messenger
2008-08-05 19:45:03 0 d-------- C:\Program Files\MSN Gaming Zone
2008-08-05 19:44:38 0 d-------- C:\Program Files\Windows NT
2008-08-05 19:44:36 0 d-------- C:\WINDOWS\system32\MsDtc
2008-08-05 19:44:35 0 d-------- C:\WINDOWS\system32\Com
2008-08-05 19:26:03 0 d-------- C:\Program Files\Common Files\ODBC
2008-08-05 19:25:57 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-08-05 19:21:45 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-08-05 19:21:45 0 d-------- C:\Documents and Settings\All Users\??
2008-08-05 19:21:45 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-08-05 19:21:45 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-08-05 19:21:45 0 dr------- C:\Documents and Settings\All Users\Documents
2008-08-05 19:21:45 0 dr------- C:\Documents and Settings\All Users\???????
2008-08-05 19:21:44 0 d-------- C:\Documents and Settings\Default User\??
2008-08-05 19:21:44 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-08-05 19:21:44 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-08-05 19:21:44 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-08-05 19:21:44 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-08-05 19:21:44 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-08-05 19:21:44 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-08-05 19:21:44 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-08-05 19:21:44 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-08-05 19:21:44 0 dr------- C:\Documents and Settings\Default User\???????
2008-08-05 19:21:19 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-08-05 19:21:19 0 d-------- C:\WINDOWS\system32\CatRoot
2008-08-05 19:21:12 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-08-05 19:21:12 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-08-05 19:21:11 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-08-05 19:21:11 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-08-05 19:20:49 0 d-------- C:\Documents and Settings
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\WinSxS
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\system32\wins
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\system32\wbem
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\system32\usmt
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\system32\spool
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\system32\ShellExt
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\system32\Setup
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\system32\ras
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\system32\oobe
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\system32\npp
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\system32\mui
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\system32\inetsrv
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\system32\IME
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\system32\icsxml
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\system32\ias
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\system32\export
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-08-05 19:02:13 0 dr-hs---- C:\WINDOWS\system32\dllcache
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\system32\dhcp
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\system32\config
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\system32\3076
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\system32\2052
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\system32\1054
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\system32\1042
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\system32\1041
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\system32\1037
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\system32\1033
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\system32\1031
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\system32\1028
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\system32\1025
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\security
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\Resources
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\repair
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\Provisioning
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\PeerNet
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\pchealth
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\mui
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\ime
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\ehome
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\Driver Cache
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\Debug
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\Connection Wizard
2008-08-05 19:02:13 0 d-------- C:\WINDOWS\addins
2008-08-05 18:55:35 451 --a------ C:\AUTOEXEC.BAT
2008-08-05 18:51:25 127924 --a------ C:\WINDOWS\system32\prfh0404.dat
2008-08-05 18:51:25 39976 --a------ C:\WINDOWS\system32\prfc0404.dat
2008-08-05 18:41:53 0 d-------- C:\WINDOWS\setup
2008-08-05 18:40:25 0 d--h----- C:\WINDOWS\Recent
2008-08-05 15:21:14 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-08-04 18:14:26 5166 ---hs---- C:\SUHDLOG.DAT
2008-08-03 12:18:26 0 d-------- C:\Program Files\CCleaner
2008-08-03 12:11:00 0 d-------- C:\Program Files\Trend Micro


-- Find3M Report ---------------------------------------------------------------

2008-08-05 19:21:46 62 --ahs---- C:\Documents and Settings\Terry\Application Data\desktop.ini
2008-08-04 18:21:06 11079 ---h----- C:\Program Files\folder.htt
2008-08-04 18:21:06 266 ---hs---- C:\Program Files\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/12/2004 12:00 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/12/2004 12:00 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/12/2004 12:00 PM]
"Pop-Up Stopper"="C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe" []
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 07:12 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/12/2004 12:00 PM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""




-- End of Deckard's System Scanner: finished at 2008-08-07 09:22:01 ------------


&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: Chinese

CPU 0: Intel Pentium III ???
Percentage of Memory in Use: 47%
Physical Memory (total/avail): 319.49 MiB / 168.02 MiB
Pagefile Memory (total/avail): 774.8 MiB / 642.04 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1918.72 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 8.09 GiB total, 3.08 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 90871U2 - 8.1 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 8.1 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Terry\Application Data
BLASTER=A220 I7 D1 T2
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ETHAN
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Terry
LOGONSERVER=\\ETHAN
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 7 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0703
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SNDSCAPE=C:\WINDOWS
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Terry\LOCALS~1\Temp
TMP=C:\DOCUME~1\Terry\LOCALS~1\Temp
USERDOMAIN=ETHAN
USERNAME=Terry
USERPROFILE=C:\Documents and Settings\Terry
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Terry (admin)
Ethan C


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Windows XP wʧs (KB901190) --> "C:\WINDOWS\$NtUninstallKB901190$\spuninst\spuninst.exe"
Windows XP wʧs (KB950749) --> "C:\WINDOWS\$NtUninstallKB950749$\spuninst\spuninst.exe"
Windows XP wʧs (KB950759) --> "C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Windows XP wʧs (KB950760) --> "C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Windows XP wʧs (KB950762) --> "C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Windows XP wʧs (KB951376-v2) --> "C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Windows XP wʧs (KB951698) --> "C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Windows XP wʧs (KB951748) --> "C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Windows XP s (KB898461) --> "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Windows XP s (KB942763) --> "C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type62 / Error
Event Submitted/Written: 08/07/2008 08:54:28 AM
Event ID/Source: 1000 / Application Error
Event Description:
??????? install.exe,?? 2.1.106.0,????? compat.dll,?? 2.1.106.0,???? 0x0002cdf9?
??? [install.exe!ws!] ?????????

Event Record #/Type61 / Error
Event Submitted/Written: 08/07/2008 08:47:38 AM
Event ID/Source: 1000 / Application Error
Event Description:
??????? install.exe,?? 2.1.106.0,????? compat.dll,?? 2.1.106.0,???? 0x0002cdf9?
??? [install.exe!ws!] ?????????

Event Record #/Type40 / Error
Event Submitted/Written: 08/05/2008 08:31:55 PM
Event ID/Source: 1010 / Windows Product Activation
Event Description:
Windows ?????,???????????????????? Windows ???

Event Record #/Type20 / Warning
Event Submitted/Written: 08/05/2008 07:53:27 PM
Event ID/Source: 5603 / WinMgmt
Event Description:
??? Rsop Planning Mode Provider ?? WMI ???? root\RSOP ???,???? HostingModel ??,???? LocalSystem ???????????????????????????????????????,?????????????????????????,????????? HostingModel ?????????????????????

Event Record #/Type19 / Warning
Event Submitted/Written: 08/05/2008 07:53:27 PM
Event ID/Source: 5603 / WinMgmt
Event Description:
??? Rsop Planning Mode Provider ?? WMI ???? root\RSOP ???,???? HostingModel ??,???? LocalSystem ???????????????????????????????????????,?????????????????????????,????????? HostingModel ?????????????????????



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type193 / Error
Event Submitted/Written: 08/07/2008 08:24:54 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
McAfee Network Agent ??????,????????:
%%3

Event Record #/Type189 / Warning
Event Submitted/Written: 08/06/2008 11:41:34 PM
Event ID/Source: 20 / Print
Event Description:
?????? Windows NT x86 Version-3 ???????? Brother MFC-8220???:- UNIDRV.DLL, UNIDRVUI.DLL, BRMF8220.GPD, UNIDRV.HLP, UNIRES.DLL, STDNAMES.GPD, BRMZRD03.DLL, BRMZUI03.DLL, BRHBP03.GPD, BRMZ03.INI, BRMFCRES.DLL, BRMZ03.HLP?

Event Record #/Type186 / Error
Event Submitted/Written: 08/06/2008 11:31:32 PM
Event ID/Source: 1003 / System Error
Event Description:
??? 1000000a,parameter1 0000001c,parameter2 00000002,parameter3 00000001,parameter4 8053cee9?

Event Record #/Type176 / Error
Event Submitted/Written: 08/06/2008 11:31:27 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
McAfee Network Agent ??????,????????:
%%3

Event Record #/Type96 / Error
Event Submitted/Written: 08/05/2008 10:17:07 PM
Event ID/Source: 8032 / BROWSER
Event Description:
???????????? \Device\NetBT_Tcpip_{886B7B1C-9917-42CC-8801-350344180DDB} ??????????
??????????



-- End of Deckard's System Scanner: finished at 2008-08-07 09:22:01 ------------

#5
Ltangelic

    Angel Annihilator of Malware

  • Retired Staff
  • 2,008 posts
Hey tcwc,

I'm doing great. I'll be posting a fix for you tonight. :)

#6
Ltangelic

    Angel Annihilator of Malware

  • Retired Staff
  • 2,008 posts
Hey tcwc,

From your logs, you seem to be running DSS from a temporary location (C:\Documents and Settings\Terry\Local Settings\Temporary Internet Files\Content.IE5\EWXXDNCO\dss[1].exe), please move it to a permanent location (like desktop) as it creates important backups.

Seems like the installation of XP fixed lots of infections. But there are still infections we must deal with, let's run some tools to do just that. :)

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

1) Run OTMoveIt2

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\FOUND.002
    C:\FOUND.001
    C:\FOUND.000
    purity
    emptytemp
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

2) Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

3) Run Kaspersky Webscanner

Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Next reply (please include):

Fresh HijackThis log
OTMoveIt2 log
MBAM scan log
Kaspersky scan log


#7
tcwc

    Member

  • Topic Starter
  • 35 posts
All are done as per your advice, except the Kaspersky, because it said my lic. has expired when downloading. I may have an old version from when I had Windows 98, but it should be deleted. Please kindly advise how to run Kaspersky. Thks.

Anyway, here are the logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:07:18 PM, on 8/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = ??
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe (file missing)

--
End of file - 2458 bytes


Explorer killed successfully
C:\FOUND.002 moved successfully.
C:\FOUND.001 moved successfully.
C:\FOUND.000 moved successfully.
< purity >
< emptytemp >
File delete failed. C:\WINDOWS\temp\mcmsc_eqIUNqq1XSNbCN4 scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08102008_151525

Files moved on Reboot...
File C:\WINDOWS\temp\mcmsc_eqIUNqq1XSNbCN4 not found!

Malwarebytes' Anti-Malware 1.24
Database version: 1038
Windows 5.1.2600 Service Pack 2

4:57:03 PM 8/10/2008
mbam-log-8-10-2008 (16-57-03).txt

Scan type: Full Scan (C:\|)
Objects scanned: 58638
Time elapsed: 22 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8
Ltangelic

    Angel Annihilator of Malware

  • Retired Staff
  • 2,008 posts
Hey,

Please try scanning using this link: http://www.kaspersky...n=1218216395732

Edited by Ltangelic, 10 August 2008 - 09:33 PM.


#9
tcwc

    Member

  • Topic Starter
  • 35 posts
Here is the Kaspersky report. Thanks.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, August 12, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, August 12, 2008 19:34:02
Records in database: 1086664
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 31383
Threat name: 1
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 03:05:00


File name / Threat name / Threats count
C:\User Download\fg10.exe Infected: not-a-virus:AdWare.Win32.Aureate.a 5

The selected area was scanned.

#10
Ltangelic

    Angel Annihilator of Malware

  • Retired Staff
  • 2,008 posts
Hey tcwc,

A few more steps and we can close this. :)

1) Run OTMoveIt2
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\User Download\fg10.exe
    purity
    emptytemp
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

2) Run DirLook

Please download DirLook by jpshortstuff from here.
  • Double-click DirLook.exe to run it.
  • Ensure that Show Hidden Files/Folders and BBCode Output are both checked.
  • Copy the content of the following codebox into the main textfield:

    C:\User Download
  • Click the DirLook button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. (Note: The log can also be found at C:\dl_log.txt)
Note: Scanning may take longer for large folders.

Next reply (please include):

OTMoveit2 log
dl_log.txt


#11
tcwc

    Member

  • Topic Starter
  • 35 posts
Sorry, the computer crashed again.
When I go to IExplorer, the cursor was gone ... meaning I cannot copy/paste, enter text on any web pages.

Anyway, I reformatted the whole C drive (deleted everything), and installed Windows XP from scratch. I've been testing it, did MS Windows updates, and so far it is OK.

It boots up a little slow (seems like it has a lot of stuff to boot at start up + running in the background), and the Performance tab in Windows Task Manager always shows 100% CPU Usage. Otherwise, the Internet connection & Explorer are fine.

This computer should exceed the min requirements for XP because it is a Pentium3, 450MHz, 320MB RAM, 8GB (5+GB still available now).

Here is the latest HJT log, Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:14:35 AM, on 8/15/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.509.6972\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1218765607176
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.ado...obat/nos/gp.cab
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 3504 bytes

#12
Ltangelic

    Angel Annihilator of Malware

  • Retired Staff
  • 2,008 posts
Hey tcwc,

We are almost done!

From your log, you are using Windows XP SP1. The latest and most secure version is Windows XP SP2. It is CRUCIAL that you update to SP2 so as to patch the security vulnerabilities in SP1 as it is very likely that you will get infected again without it!

Please upgrade to SP2 NOW! You can download it here.

Please tell me how the update with SP2 went, as an unsuccessful update may indicate that there is other malware on the computer.

Your logs are clean! :)

Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest available security updates installed.

* To reduce the risk of re-infection by malware in the future, I strongly recommend installing these free programs:

SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.

It is critical to have only ONE firewall and anti virus to protect your system and to keep them updated.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein's article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.

Please post back telling me if your computer is still having problems.
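
The HOSTS-file blocking mentioned in the MVPS recommendation above, as an added example that is not part of the original post or any of the tools named in it: a small auditor that separates names sinkholed to the local machine from names pointed at some other address, which is the pattern to review after installing a blocklist. The sample content, host names and addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample HOSTS content (hypothetical names, documentation-range IP).
SAMPLE_HOSTS = """\
# blocklist-style entries
127.0.0.1  localhost
127.0.0.1  ads.example.net   # ad server
0.0.0.0    tracker.example.org
127.0.0.1  ads.example.net
203.0.113.7  update.example.com
not-an-ip  broken.example.com
::1 localhost
"""


def parse_hosts(text):
    """Return ([(lineno, ip, hostname)], [malformed line numbers])."""
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        # Everything after '#' is a comment in the HOSTS format.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append(lineno)
            continue
        if len(fields) < 2:  # address with no host name
            malformed.append(lineno)
            continue
        # One line may map several names to the same address.
        for name in fields[1:]:
            entries.append((lineno, ip, name.lower()))
    return entries, malformed


def audit_hosts(text):
    """Classify HOSTS entries.

    blocked    - names mapped to loopback or 0.0.0.0 (connection never leaves the PC)
    redirected - names mapped to any other address (review these by hand)
    duplicates - names listed more than once
    malformed  - line numbers that could not be parsed
    """
    entries, malformed = parse_hosts(text)
    blocked, redirected, duplicates, seen = set(), {}, set(), set()
    for _lineno, ip, name in entries:
        if name == "localhost":
            continue  # the standard self-mapping, not a blocklist entry
        if name in seen:
            duplicates.add(name)
        seen.add(name)
        if ip.is_loopback or ip.is_unspecified:
            blocked.add(name)
        else:
            redirected[name] = str(ip)
    return {
        "blocked": blocked,
        "redirected": redirected,
        "duplicates": duplicates,
        "malformed": malformed,
    }


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

To check a real machine, pass the text of the HOSTS file (on Windows XP, `C:\WINDOWS\system32\drivers\etc\hosts`) to `audit_hosts` instead of the sample.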

#13
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.





