Help Please!


12 replies to this topic

#1 guptadogg
  • Members
  • 7 posts

Posted 26 July 2007 - 12:32 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:32:24 PM, on 7/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\DesktopEarth\DesktopEarth.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\AOL\1169790124\ee\aolsoftware.exe
c:\program files\common files\aol\1169790124\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1169790124\ee\aolsoftware.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O1 - Hosts: HPE8A03A HP0019BBE8A03A
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Hide-The-IP] "C:\Program Files\Hide The IP\HideTheIP.exe" /startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - Startup: DesktopEarth AutoStart.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1170636113875
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8286 bytes

#2 Rorschach
  • Members
  • 523 posts

Posted 01 August 2007 - 07:01 AM

Hello guptadogg, sorry for the delay. I'm just looking over your log and will get back to you soon.

#3 Rorschach
  • Members
  • 523 posts

Posted 03 August 2007 - 09:21 AM

Hi guptadogg, my name is Rorschach and I'll be helping you with your problems.


Does this entry look familiar to you?
O1 - Hosts: HPE8A03A HP0019BBE8A03A
Can you tell me any information about it? Did you do this yourself?

Did you also install the program Hide The IP yourself?



Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
Extra Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags DSS as suspicious. Please allow Deckard's System Scanner to run and don't let your Antivirus delete it. (In this case, it may be better to temporarily disable your Antivirus.)

Download and Save Blacklight to your desktop (choose "I ACCEPT" then click "DOWNLOAD" on the website).

Double-click fsbl.exe then accept the agreement, click > "Scan" then > "Next".

You'll see a list of all items found. There will also be a log on your desktop with the name "fsbl.xxxxxxxxxxxxxx.log" (the xxxxxxxxxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe".

Please do an online scan with Kaspersky WebScanner.

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, it will display if your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
So in your next reply please post the following: the two DSS texts in full, the Blacklight log, the Kaspersky Webscanner report, and answer the questions.

#4 guptadogg
  • Topic Starter
  • Members
  • 7 posts

Posted 08 August 2007 - 11:10 AM

Question 1 - No I do not know what this is - O1 - Hosts: HPE8A03A HP0019BBE8A03A

Question 2 - Yes I installed Hide the IP (Proxy Program), but I didn't like it, because it slowed down my internet, so I uninstalled it.

DSS Scan - in the middle of the scan (after backing up the registry hives), the program closes and it says "WINDOWS HAS ENCOUNTERED A PROBLEM AND DSS.EXE NEEDS TO CLOSE".

Blacklight Scan

08/06/07 18:11:34 [Info]: BlackLight Engine 1.0.64 initialized
08/06/07 18:11:34 [Info]: OS: 5.1 build 2600 (Service Pack 2)
08/06/07 18:11:34 [Note]: 7019 4
08/06/07 18:11:34 [Note]: 7005 0
08/06/07 18:11:47 [Note]: 7006 0
08/06/07 18:11:47 [Note]: 7011 1556
08/06/07 18:11:47 [Note]: 7026 0
08/06/07 18:11:47 [Note]: 7026 0
08/06/07 18:11:52 [Note]: FSRAW library version 1.7.1022
08/06/07 18:17:42 [Note]: 2000 1012
08/06/07 18:27:03 [Note]: 7007 0
_______________________________________________________________________________

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, August 08, 2007 9:04:30 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 7/08/2007
Kaspersky Anti-Virus database records: 353006
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 88483
Number of viruses found: 1
Number of infected objects: 1 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:48:54

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\APP10708.LST Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\simikgupta\MyDB.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\simikgupta\toolbar.lst Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\SNMaster.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\organize\CACHE\simikgup00 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\organize\simikgupta Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\organize\simikgupta.abi Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\organize\simikgupta.aby Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstderr.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstdout.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aoltsmon.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\cache.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\server.lock Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\AOL\C_America Online 9.0\IDB\Apps.Lst Object is locked skipped
C:\Documents and Settings\Owner\Application Data\AOL\C_America Online 9.0\IDB\art.idx Object is locked skipped
C:\Documents and Settings\Owner\Application Data\AOL\C_America Online 9.0\IDB\sap.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\AOL\C_America Online 9.0\IDB\spool.lst Object is locked skipped
C:\Documents and Settings\Owner\Application Data\AOL\C_America Online 9.0\IDB\sysnews.lst Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\c4i1bz0y.default\cert8.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\c4i1bz0y.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\c4i1bz0y.default\history.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\c4i1bz0y.default\key3.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\c4i1bz0y.default\parent.lock Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\c4i1bz0y.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\c4i1bz0y.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini.inuse Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\c4i1bz0y.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\c4i1bz0y.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\c4i1bz0y.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\c4i1bz0y.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012007080620070807\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF9460.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF9B59.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT.LOG Object is locked skipped
C:\Program Files\CA\eTrust Antivirus\DB\rtmaster.dbf Object is locked skipped
C:\Program Files\CA\eTrust Antivirus\DB\rtmaster.ntx Object is locked skipped
C:\RECYCLER\S-1-5-21-3924285413-4260955887-1501758719-1003\Dc130.exe Infected: IM-Worm.Win32.Sohanad.aw skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{C88BD2E3-2953-4D06-99B5-0B5FA83474AC}\RP221\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#5 Rorschach
  • Members
  • 523 posts

Posted 08 August 2007 - 03:56 PM

Hello Guptadogg

We need to put HijackThis in a permanent folder, please do the following:

Click "My Computer", then "C:\" and then on "Program Files".
In the menu bar, "File" -> "New" -> "Folder".
That will create a folder named "New Folder", which you can rename to "HJT" or "HijackThis".
Now you have "C:\Program Files\HijackThis". Put your HijackThis.exe there.
Exit this folder now and do not run HijackThis; we will be using it later.

It seems Hide the IP is still on your PC, so we need to properly get rid of that. Please go to Start > Control Panel > Add or Remove Programs > Remove Hide The IP.



1. Download this file - combofix.exe
2. Double-click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Next:


1. Please re-open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O1 - Hosts: HPE8A03A HP0019BBE8A03A
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Hide-The-IP] "C:\Program Files\Hide The IP\HideTheIP.exe" /startup
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)


2. Now close all windows other than HijackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

Please empty your recycle bin as there is an infection in it. So double-click the recycle bin on your desktop and click Empty the Recycle Bin.

Then delete this folder if present:

C:\Program Files\Hide The IP

So in your next reply please post the following: the ComboFix log, a new HijackThis log, and tell me how your PC is running now and if you had any problems.
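The fix list in #5 applies a few recognisable triage rules to the HijackThis log from #1: an IE start page reset to about:blank, a hosts-file entry the user does not recognise, BHO/button entries whose CLSID points at "(no file)", and an autostart for a program the user says was uninstalled. The Python below is an added example (not from this thread and not HijackThis code) that parses the log format and applies those rules; the sample log is a constructed excerpt of the log posted above, and the list of uninstalled program names is supplied by the analyst rather than detected.

```python
import re
from typing import Dict, Iterable, List

# One HijackThis entry: a section code (R0, O2, O23, ...) then " - " and the body.
_ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Constructed sample: an excerpt of the HijackThis log posted in #1, trimmed to
# a mix of benign entries and the entries the helper asked to have fixed.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O1 - Hosts: HPE8A03A HP0019BBE8A03A
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Hide-The-IP] "C:\Program Files\Hide The IP\HideTheIP.exe" /startup
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
"""


def parse_hjt(log_text: str) -> List[Dict[str, str]]:
    """Return one dict per 'Rx - ...' / 'Oxx - ...' entry; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = _ENTRY_RE.match(line)
        if m:
            entries.append({"code": m.group("code"), "body": m.group("body"), "raw": line})
    return entries


def _o4_path(body: str) -> str:
    """Command line that follows the [Name] tag of an O4 autostart entry."""
    _, _, cmd = body.partition("] ")
    return cmd.strip().strip('"')


def triage(log_text: str, uninstalled: Iterable[str] = ()) -> List[Dict[str, str]]:
    """Flag entries an analyst should review; each hit carries the rule that fired."""
    names = [n.lower() for n in uninstalled]
    hits = []
    for e in parse_hjt(log_text):
        code, body, raw = e["code"], e["body"], e["raw"]
        reason = None
        if code in ("R0", "R1"):
            # A start page reset to about:blank is harmless by itself but is a
            # common hijacker leftover; an empty proxy value (":") is left alone.
            value = body.split("=", 1)[1].strip() if "=" in body else ""
            if value == "about:blank":
                reason = "IE start page reset to about:blank"
        elif code == "O1":
            # Hosts overrides are flagged for review only: the helper asks the
            # user whether they recognise the entry before it is removed.
            reason = "hosts-file override (confirm with user before removal)"
        elif code in ("O2", "O3", "O9") and body.endswith("(no file)"):
            reason = "orphaned CLSID reference (no file on disk)"
        elif code == "O4":
            path = _o4_path(body).lower()
            if any(n in path for n in names):
                reason = "autostart for a program the user reports uninstalled"
        if reason:
            hits.append({"code": code, "raw": raw, "reason": reason})
    return hits


def fix_list(log_text: str, uninstalled: Iterable[str] = ()) -> List[str]:
    """The raw log lines to tick under 'Fix Checked', in log order."""
    return [h["raw"] for h in triage(log_text, uninstalled)]


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG, uninstalled=("Hide The IP",)):
        print(f"{hit['code']:<4}{hit['reason']:<58}{hit['raw']}")
```

Run against the sample, the output is exactly the five lines the helper listed; run against a full log, every hit is a candidate to review, not an automatic removal.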

#6 guptadogg
  • Topic Starter
  • Members
  • 7 posts

Posted 08 August 2007 - 10:52 PM

ComboFix 07-08-09.3 - "Owner" 2007-08-08 19:26:00.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.183 [GMT -7:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\nm


((((((((((((((((((((((((( Files Created from 2007-07-09 to 2007-08-09 )))))))))))))))))))))))))))))))


2007-08-08 19:25 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-08 12:03 <DIR> d--h----- C:\WINDOWS\PIF
2007-08-08 12:02 <DIR> d-------- C:\Program Files\WinDirStat
2007-08-08 12:01 39,424 --a------ C:\WINDOWS\zipinst.exe
2007-08-08 12:01 <DIR> d-------- C:\Program Files\Volumouse
2007-08-08 11:55 <DIR> d-------- C:\Program Files\Rainlendar2
2007-08-08 11:55 <DIR> d-------- C:\DOCUME~1\Owner\.rainlendar2
2007-08-08 11:51 618,496 --a------ C:\WINDOWS\system32\Eraser.dll
2007-08-08 11:51 286,720 --a------ C:\WINDOWS\system32\erasext.dll
2007-08-08 11:51 241,664 --a------ C:\WINDOWS\system32\eraserl.exe
2007-08-08 11:50 <DIR> d-------- C:\Program Files\Eraser
2007-08-08 11:45 <DIR> d-------- C:\WINDOWS\system32\skins
2007-08-06 18:30 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-02 20:03 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Uniblue
2007-08-01 23:09 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\EbkReader
2007-07-31 12:35 <DIR> d-------- C:\Program Files\TomTom DesktopSuite
2007-07-30 16:51 <DIR> d-------- C:\Program Files\PDF Password Cracker Pro v3.0
2007-07-27 16:26 <DIR> d-------- C:\Program Files\FriendBlasterPro
2007-07-27 15:58 <DIR> d-------- C:\Program Files\PeerGuardian2
2007-07-27 14:12 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2007-07-27 14:12 <DIR> d-------- C:\Program Files\Badder Adder
2007-07-25 21:06 <DIR> d-------- C:\Deckard
2007-07-25 21:05 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-07-25 20:59 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-07-25 19:59 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-25 15:34 <DIR> d-------- C:\Program Files\Lavasoft(2)
2007-07-24 16:27 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Vidalia(2)
2007-07-22 20:20 6,029,312 --a------ C:\DOCUME~1\Owner\ntuser.dat
2007-07-21 22:22 <DIR> d-------- C:\Program Files\A4Proxy
2007-07-21 18:08 <DIR> d-------- C:\Program Files\HarvEX
2007-07-20 22:45 <DIR> d-------- C:\New Folder
2007-07-19 16:43 <DIR> d-------- C:\Program Files\Hide The IP
2007-07-19 16:43 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-07-18 19:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
2007-07-18 19:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-07-16 22:46 <DIR> d-------- C:\Program Files\DesktopEarth
2007-07-16 18:08 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Ahead
2007-07-16 18:05 <DIR> d-------- C:\Program Files\Nero
2007-07-16 17:41 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\CyberLink
2007-07-13 17:56 126,264 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\firstlsp.reg.dat
2007-07-13 17:18 <DIR> d-------- C:\Program Files\Prison Tycoon 2
2007-07-12 13:35 796,672 --a------ C:\WINDOWS\GPInstall.exe
2007-07-12 13:35 <DIR> d-------- C:\Program Files\Sweep
2007-07-12 13:35 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Help
2007-07-12 13:32 11,776 --a------ C:\WINDOWS\system32\TypeItIn28.dll
2007-07-12 13:32 <DIR> d-------- C:\Program Files\TypeItIn
2007-07-11 13:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\4p-r9-68-55-p3-26
2007-07-11 13:50 <DIR> d-------- C:\WINDOWS\Monopoly Here & Now Edition
2007-07-11 13:50 <DIR> C:\Program Files\KaPi_Monopoly
2007-07-10 18:28 164 --a------ C:\install.dat
2007-07-10 17:20 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2007-07-10 17:20 <DIR> d-------- C:\Program Files\Hitman Pro


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-02 10:11 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\uTorrent
2007-07-31 22:42 --------- d-------- C:\Program Files\AviSynth 2.5
2007-07-31 22:26 --------- d-------- C:\Program Files\VSO
2007-07-31 22:26 --------- d-------- C:\Program Files\GameSpy Arcade
2007-07-31 22:25 87608 --a------ C:\DOCUME~1\Owner\APPLIC~1\inst.exe
2007-07-31 22:25 47360 --a------ C:\DOCUME~1\Owner\APPLIC~1\pcouffin.sys
2007-07-31 22:25 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Vso
2007-07-31 13:04 --------- d-------- C:\Program Files\TomTom HOME
2007-07-25 15:34 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-07-25 15:33 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-25 15:21 3854 --a------ C:\WINDOWS\mozver.dat
2007-07-20 17:06 --------- d-------- C:\Program Files\dvdSanta
2007-07-18 19:49 --------- d-------- C:\Program Files\Common Files\Ahead
2007-07-18 19:04 9669120 --a------ C:\WINDOWS\system32\logonuiX.exe
2007-07-16 18:19 --------- d-------- C:\Program Files\DVD2SVCD
2007-07-16 18:02 --------- d-------- C:\Program Files\Ahead
2007-07-09 16:11 --------- d-------- C:\Program Files\XLink Kai Evolution VII
2007-07-05 20:33 --------- d-------- C:\Program Files\DAEMON Tools
2007-07-03 17:41 132904 --a------ C:\WINDOWS\system32\drivers\imagesrv.sys
2007-07-03 17:40 11304 --a------ C:\WINDOWS\system32\drivers\imagedrv.sys
2007-07-02 20:44 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-07-02 20:33 --------- d-------- C:\Program Files\Total Video Converter
2007-06-28 21:59 --------- d-------- C:\Program Files\Common Files\PocketSoft
2007-06-28 21:59 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Leadertech
2007-06-28 21:56 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-28 21:56 --------- d-------- C:\Program Files\Atari
2007-06-28 21:51 --------- d-------- C:\Program Files\Smart Projects
2007-06-28 21:38 682232 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-06-28 21:30 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Atari
2007-06-27 19:05 972072 --a------ C:\WINDOWS\UNNeroMediaHome.exe
2007-06-27 17:07 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\SUPERAntiSpyware.com
2007-06-27 17:06 --------- d-------- C:\Program Files\SUPERAntiSpyware
2007-06-27 13:17 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\DVD Flick
2007-06-27 13:05 --------- d-------- C:\Program Files\uTorrent
2007-06-26 16:55 359808 --a--c--- C:\WINDOWS\system32\dllcache\TCPIP.SYS
2007-06-26 16:55 359808 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2007-06-26 16:55 359808 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS
2007-06-26 14:12 972072 --a------ C:\WINDOWS\UNNeroVision.exe
2007-06-24 12:47 --------- d-------- C:\Program Files\Stardock
2007-06-24 11:57 --------- d-------- C:\Program Files\CursorXP
2007-06-23 16:03 3765 --a------ C:\Program Files\dvd2svcd_log.txt
2007-06-23 16:01 --------- d-------- C:\Program Files\Subs
2007-06-23 16:01 --------- d-------- C:\Program Files\Movies
2007-06-23 16:00 --------- d-------- C:\Program Files\QuEnc
2007-06-18 20:47 --------- d-------- C:\Program Files\AusLogics Disk Defrag
2007-06-18 20:30 --------- d-------- C:\Program Files\Microsoft Calculator Plus
2007-06-13 16:57 --------- d-------- C:\Program Files\FileZilla
2007-06-11 17:13 --------- d-------- C:\Program Files\Full Tilt Poker.Net
2007-06-09 12:38 --------- d-------- C:\Program Files\Siber Systems
2007-06-04 18:30 117092 --a------ C:\WINDOWS\hpoins11.dat
2007-05-17 21:05 520192 --------- C:\WINDOWS\system32\ati2sgag.exe
2007-05-17 18:58 339968 --a------ C:\WINDOWS\system32\ATIDEMGX.dll
2007-05-17 18:58 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2007-05-17 18:57 268288 --a------ C:\WINDOWS\system32\ati2dvag.dll
2007-05-17 18:57 2164736 --a--c--- C:\WINDOWS\system32\dllcache\ati2mtag.sys
2007-05-17 18:51 139264 --a------ C:\WINDOWS\system32\atipdlxx.dll
2007-05-17 18:50 42496 --a------ C:\WINDOWS\system32\ati2edxx.dll
2007-05-17 18:50 26112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe
2007-05-17 18:50 118784 --a------ C:\WINDOWS\system32\ati2evxx.dll
2007-05-17 18:49 479232 --a------ C:\WINDOWS\system32\ati2evxx.exe
2007-05-17 18:48 53248 --a------ C:\WINDOWS\system32\ATIDDC.DLL
2007-05-17 18:41 2922144 --a------ C:\WINDOWS\system32\ati3duag.dll
2007-05-17 18:39 7610368 --a------ C:\WINDOWS\system32\atioglx2.dll
2007-05-17 18:30 972072 --a------ C:\WINDOWS\system32\ativva6x.dat
2007-05-17 18:30 3107788 --a------ C:\WINDOWS\system32\ativvaxx.dat
2007-05-17 18:30 3107788 --a------ C:\WINDOWS\system32\ativva5x.dat
2007-05-17 18:30 1512960 --a------ C:\WINDOWS\system32\ativvaxx.dll
2007-05-17 18:19 5431296 --a------ C:\WINDOWS\system32\atioglxx.dll
2007-05-17 18:17 262144 --a------ C:\WINDOWS\system32\atikvmag.dll
2007-05-17 18:16 17408 --a------ C:\WINDOWS\system32\atitvo32.dll
2007-05-17 18:14 46592 --a------ C:\WINDOWS\system32\atiok3x2.dll
2007-05-17 18:10 368640 --a------ C:\WINDOWS\system32\ati2cqag.dll
2007-05-16 09:18 95864 --a------ C:\WINDOWS\system32\NeroCo.dll
2007-05-16 08:12 86528 --a--c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 08:12 85504 --a--c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 08:12 683520 --a--c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 08:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 08:12 510976 --a--c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 08:12 1314816 --a--c--- C:\WINDOWS\system32\dllcache\msoe.dll
2006-02-19 03:28 12288 --a------ C:\WINDOWS\Fonts.\RandFont.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"CursorXP"="C:\Program Files\CursorXP\CursorXP.exe" [2005-01-19 17:34]
"AOL Fast Start"="C:\Program Files\America Online 9.0\AOL.exe" [2005-07-12 07:17]
"Eraser"="C:\Program Files\Eraser\eraser.exe" [2006-12-25 17:23]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-07-24 00:12]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
DesktopEarth AutoStart.lnk - C:\DOCUME~1\Owner\APPLIC~1\Microsoft\Installer\{DBA5E973-660D-4CBE-A469-F5C37FBF0CE4}\_C1A9BF9D98647632ED5172.exe [2007-07-16 22:46:49]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 07:56:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2007-06-26 14:34 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

R0 INO_FLPY;INO_FLPY;C:\WINDOWS\system32\Drivers\ino_flpy.sys
R2 INO_FLTR;INO_FLTR;\??\C:\WINDOWS\system32\Drivers\ino_fltr.sys
R2 InoRPC;eTrust Antivirus RPC Server;"C:\Program Files\CA\eTrust Antivirus\InoRpc.exe"
R2 InoRT;eTrust Antivirus Realtime Server;"C:\Program Files\CA\eTrust Antivirus\InoRT.exe"
R2 InoTask;eTrust Antivirus Job Server;"C:\Program Files\CA\eTrust Antivirus\InoTask.exe"
R3 HidBth;Microsoft Bluetooth HID Miniport;C:\WINDOWS\system32\DRIVERS\hidbth.sys
R3 Point32;Microsoft IntelliPoint Filter Driver;C:\WINDOWS\system32\DRIVERS\point32.sys
R3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI);C:\WINDOWS\system32\DRIVERS\rfcomm.sys
R3 StillCam;Still Serial Digital Camera Driver;C:\WINDOWS\system32\DRIVERS\serscan.sys
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
S3 idsvc;Windows CardSpace;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
S3 PsSdk30;PsSdk30;\??\C:\WINDOWS\system32\Drivers\PsSdk30.drv
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c60efe9e-ab57-11db-8a90-001676781861}]
AutoRun\command- autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7b5551e-822c-11db-9996-806d6172696f}]
AutoRun\command- D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd01a85d-d5be-11db-8ad4-000d3aa6b99a}]
AutoRun\command- J:\InstallTomTomHOME.exe


Contents of the 'Scheduled Tasks' folder
2007-07-28 01:48:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-03 03:06:53 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job
2007-08-03 03:06:52 C:\WINDOWS\Tasks\Uniblue SpyEraser.job - C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-08 19:31:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{16DD82C9-DABD-3BFB-3413-A0625FBA2B14}]
"bbghfkmmpjfeombklmffghipacjggfcfbjbg"=hex:6a,61,63,6f,6d,63,68,6a,6c,6f,6f,68,6f,69,6b,66,6b,64,65,6f,00,..
"abmhlipmfkapfmfnjinmafhioaceiaapbl"=hex:6a,61,63,6f,6d,63,68,6a,6c,6f,6f,68,6f,69,6b,66,6b,64,65,6f,00,..
"iaghfkmmpjfeombklm"=hex:61,61,00,00
"hamhlipmfkapfmfn"=hex:61,61,00,00
"iacipcepmjbhjmacff"=hex:61,61,00,00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2C221DE3-2542-81C4-49D7-69562BC54DFD}]
"dbkpbnhaignbalgoohabjkedilbpkacpdamhdeed"=hex:6a,61,6f,6b,6b,66,67,66,6a,69,65,6a,65,67,70,6d,67,62,64,63,00,..
"cbaplemgglplcggoaoddlcgglkmgdbljcgchif"=hex:6a,61,6f,6b,6b,66,67,66,6a,69,65,6a,65,67,70,6d,67,62,64,63,00,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{ACE6A9CB-9266-A287-A492-1896EF8D633E}]
"dbhgkohfnckanhjokbnhkjaoicgekfcdcpghnelm"=hex:6a,61,64,64,6e,6a,62,66,65,61,63,6b,6e,65,6c,6b,61,67,67,6a,00,..
"cbngmdfijkhiekikfkmbolcjkbalppdmioknck"=hex:6a,61,64,64,6e,6a,62,66,65,61,63,6b,6e,65,6c,6b,61,67,67,6a,00,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CAB7D3C6-57A9-FB13-2657-ADA44653233E}]
"cbgmegemnjmgacmokndebeadgabpjhomkjipha"=hex:6a,61,6b,6a,6a,6f,6a,69,6e,6f,6f,6f,70,67,6d,6a,6a,62,69,6d,00,..
"bbmhcbhfcmlmhpmccjocjbfboeafojjmcehd"=hex:6a,61,6b,6a,6a,6f,6a,69,6e,6f,6f,6f,70,67,6d,6a,6a,62,69,6d,00,..
"iagmegemnjmgacmokn"=hex:61,61,00,7f
"hamhcbhfcmlmhpmc"=hex:61,61,00,7f
"iakhiackjdcpgnkjld"=hex:61,61,00,7f

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-08 19:33:26 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-08 19:33

--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:43:26 PM, on 8/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\DesktopEarth\DesktopEarth.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.netpede.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - Startup: DesktopEarth AutoStart.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1170636113875
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5802 bytes

#7 Rorschach

  • Members
  • 523 posts

Posted 11 August 2007 - 10:32 AM

Hello Guptadogg


Run HijackThis, click "Do a system scan only" and check these entries in bold

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll (file missing)

Close all windows except for HijackThis and click "Fix checked".



Please run DSS.exe again, and if it works post the two texts it gives. Tell me if it crashes again.




Could you please tell me if you recognise this folder, and if so tell me what it's for.

C:\Documents and Settings\Owner\Application Data\4p-r9-68-55-p3-26



Next:

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe


Now we need to fix your problems by making a .reg file. Copy the code below into a Notepad file. Name the file as fix.reg, change the "Save as Type" to "All files" and save it on the desktop.

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c60efe9e-ab57-11db-8a90-001676781861}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7b5551e-822c-11db-9996-806d6172696f}]

[-HKEY_CLASSES_ROOT\CLSID\{c60efe9e-ab57-11db-8a90-001676781861}]

[-HKEY_CLASSES_ROOT\CLSID\{d7b5551e-822c-11db-9996-806d6172696f}]

Then double click on the fix.reg file, when it prompts to merge click "Yes".



Please delete these folders and files in bold if present

C:\Program Files\Hide The IP
C:\WINDOWS\GPInstall.exe
C:\Documents and Settings\Owner\Application Data\inst.exe
D:\setup.exe



Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available, otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

So in your next reply please post the following : the two DSS logs in full if it works, the Kaspersky Webscanner report, and tell me how your PC is running now and if you had any problems.
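Added example, not part of Rorschach's instructions and not code from ComboFix, HijackThis or any other tool named in this thread: a PowerShell script that audits the per-user MountPoints2 keys the ComboFix log above reported (the `AutoRun\command- autorun.exe` and `AutoRun\command- D:\setup.exe` entries), reports what each one would launch and whether that program is actually on disk, and only with the `-Remove` switch exports each key with reg.exe before deleting it, the same keys the fix.reg above removes. It assumes PowerShell 3 or later; the `$BackupDir` location is an assumed default.

```powershell
# Added example (not from this thread): audit HKCU MountPoints2 AutoRun commands
# and, only when -Remove is given, back each key up with reg.exe before deleting it.
# Run as the affected user.  $BackupDir is an assumed location; change it to suit.
param(
    [switch]$Remove,
    [string]$BackupDir = (Join-Path $env:USERPROFILE 'Desktop\MountPoints2-backup')
)

$base    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
$regBase = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'  # reg.exe form

$findings = foreach ($volume in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
    $guid   = $volume.PSChildName
    $cmdKey = "$base\$guid\Shell\AutoRun\command"
    if (-not (Test-Path -Path $cmdKey)) { continue }

    # The unnamed "(default)" value holds the command Explorer would run for the
    # volume's AutoRun action; this is what ComboFix prints after "AutoRun\command-".
    $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    if ([string]::IsNullOrEmpty($command)) { continue }

    # First token of the command is the program; strip surrounding quotes if present.
    $exe = if ($command -match '^"([^"]+)"') { $Matches[1] } else { ($command -split '\s+')[0] }

    # A bare name such as "autorun.exe" refers to the removable volume itself and
    # cannot be checked unless that volume is attached; a rooted path can be.
    if (-not [System.IO.Path]::IsPathRooted($exe)) {
        $status = 'volume-relative (unverifiable)'
    } elseif (Test-Path -LiteralPath $exe -PathType Leaf) {
        $status = 'program present'
    } else {
        $status = 'program missing'
    }

    [pscustomobject]@{
        Volume  = $guid
        Command = $command
        Program = $exe
        Status  = $status
    }
}

$findings | Format-Table -AutoSize

if ($Remove -and $findings) {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($f in $findings) {
        # Export the whole {GUID} key first so the change can be undone with
        # "reg import", then remove the key, as the fix.reg in the post above does.
        $out = Join-Path $BackupDir ($f.Volume + '.reg')
        & reg.exe export "$regBase\$($f.Volume)" $out /y | Out-Null
        Remove-Item -Path "$base\$($f.Volume)" -Recurse -Force
        Write-Host "Backed up to $out and removed $($f.Volume)"
    }
}
```

Save it as, for example, Audit-MountPoints2.ps1 and run it once without arguments to see the report; run it with `-Remove` only after checking the listed commands. The report-first design matters because MountPoints2 entries are also created by legitimate CDs and USB devices (the J:\InstallTomTomHOME.exe entry in the log is an example), so a listing plus a reg.exe backup is safer than deleting on sight.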

#8 guptadogg

  • Topic Starter

  • Members
  • 7 posts

Posted 13 August 2007 - 01:37 PM

Deckard's System Scanner v20070809.63
Run by Owner on 2007-08-13 at 02:01:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
19: 2007-08-13 09:01:42 UTC - RP229 - Deckard's System Scanner Restore Point
18: 2007-08-10 19:44:10 UTC - RP228 - System Checkpoint
17: 2007-08-09 18:35:53 UTC - RP227 - Removed DesktopEarth
16: 2007-08-09 17:38:47 UTC - RP226 - Removed RollerCoaster Tycoon® 3
15: 2007-08-09 17:36:37 UTC - RP225 - Removed Ad-Aware 2007


-- First Restore Point --
1: 2007-08-01 18:50:36 UTC - RP211 - Shockwave Player


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:03:51 AM, on 8/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\HarvEX\HarvEX.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Owner.exe
C:\WINDOWS\system32\HPZinw12.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.netpede.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP.exe"
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1170636113875
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 4993 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20070808-204258-107 O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
backup-20070808-204258-712 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20070808-204258-932 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
backup-20070813-015728-566 O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
backup-20070813-015728-649 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BootScreen - c:\windows\\systemroot\system32\drivers\vidstub.sys (file missing)
R0 INO_FLPY - c:\windows\system32\drivers\ino_flpy.sys <Not Verified; Computer Associates; CA eTrust eTrust Antivirus/InoculateIT version 7.X/6.X/4.X>
R2 INO_FLTR - c:\windows\system32\drivers\ino_fltr.sys <Not Verified; Computer Associates; CA eTrust Antivirus/InoculateIT version 7.X/6.X>
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

S3 BVRPMPR5 (BVRPMPR5 NDIS Protocol Driver) - c:\windows\system32\drivers\bvrpmpr5.sys <Not Verified; BVRP Software; BVRPNDIS Rawether for Windows>
S3 catchme - c:\docume~1\owner\locals~1\temp\catchme.sys (file missing)
S3 PsSdk30 - c:\windows\system32\drivers\pssdk30.drv (file missing)
S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 InoRPC (eTrust Antivirus RPC Server) - "c:\program files\ca\etrust antivirus\inorpc.exe" <Not Verified; Computer Associates International, Inc.; eTrust Antivirus>
R2 InoRT (eTrust Antivirus Realtime Server) - "c:\program files\ca\etrust antivirus\inort.exe" <Not Verified; Computer Associates International, Inc.; eTrust Antivirus>
R2 InoTask (eTrust Antivirus Job Server) - "c:\program files\ca\etrust antivirus\inotask.exe" <Not Verified; Computer Associates International, Inc.; eTrust Antivirus>

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Device ID: ACPI\PNP0303\4&29C049B9&0
Manufacturer: (Standard keyboards)
Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\4&29C049B9&0
Service: i8042prt

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: Microsoft PS/2 Port Mouse (IntelliPoint)
Device ID: ACPI\PNP0F13\4&29C049B9&0
Manufacturer: Microsoft
Name: Microsoft PS/2 Port Mouse (IntelliPoint)
PNP Device ID: ACPI\PNP0F13\4&29C049B9&0
Service: i8042prt


-- Scheduled Tasks -------------------------------------------------------------

2007-08-10 18:48:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-08-10 17:16:16 390 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job


-- Files created between 2007-07-13 and 2007-08-13 -----------------------------

2007-08-09 11:39:42 299520 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2007-08-09 10:20:55 0 d-------- C:\Program Files\TuneUp Utilities 2007
2007-08-09 10:20:55 0 d-------- C:\Documents and Settings\Owner\Application Data\TuneUp Software
2007-08-09 10:20:20 0 d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2007-08-08 12:03:19 0 d--h----- C:\WINDOWS\PIF
2007-08-08 12:02:09 0 d-------- C:\Program Files\WinDirStat
2007-08-08 12:01:04 39424 --a------ C:\WINDOWS\zipinst.exe <Not Verified; NirSoft; ZipInstaller>
2007-08-08 12:01:04 0 d-------- C:\Program Files\Volumouse
2007-08-08 11:55:23 0 d-------- C:\Documents and Settings\Owner\.rainlendar2
2007-08-08 11:55:17 0 d-------- C:\Program Files\Rainlendar2
2007-08-08 11:51:00 286720 --a------ C:\WINDOWS\system32\erasext.dll <Not Verified; -; Eraser>
2007-08-08 11:51:00 241664 --a------ C:\WINDOWS\system32\eraserl.exe <Not Verified; -; Eraser>
2007-08-08 11:51:00 618496 --a------ C:\WINDOWS\system32\Eraser.dll <Not Verified; -; Eraser>
2007-08-08 11:50:58 0 d-------- C:\Program Files\Eraser
2007-08-08 11:45:31 0 d-------- C:\WINDOWS\system32\skins
2007-08-06 18:30:50 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-02 20:03:55 0 d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2007-08-01 23:09:32 0 d-------- C:\Documents and Settings\Owner\Application Data\EbkReader
2007-07-31 12:35:53 0 d-------- C:\Program Files\TomTom DesktopSuite
2007-07-30 16:51:03 0 d-------- C:\Program Files\PDF Password Cracker Pro v3.0
2007-07-27 16:26:02 0 d-------- C:\Program Files\FriendBlasterPro
2007-07-27 15:58:59 0 d-------- C:\Program Files\PeerGuardian2
2007-07-27 14:12:23 101888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-07-27 14:12:23 0 d-------- C:\Program Files\Badder Adder
2007-07-25 21:05:23 0 d-------- C:\Program Files\SpywareBlaster
2007-07-25 20:59:35 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-07-25 19:59:39 0 d-------- C:\Program Files\Lavasoft
2007-07-25 15:34:33 0 d-------- C:\Program Files\Lavasoft(2)
2007-07-24 16:27:31 0 d-------- C:\Documents and Settings\Owner\Application Data\Vidalia(2)
2007-07-22 20:20:55 6029312 --a------ C:\Documents and Settings\Owner\ntuser.dat
2007-07-21 22:22:17 0 d-------- C:\Program Files\A4Proxy
2007-07-21 18:08:20 0 d-------- C:\Program Files\HarvEX
2007-07-20 22:45:47 0 d-------- C:\New Folder
2007-07-19 16:43:34 0 d-------- C:\Program Files\Common Files\Download Manager
2007-07-18 19:51:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2007-07-18 19:45:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-07-16 22:38:04 0 dr-h----- C:\Documents and Settings\Owner\Recent
2007-07-16 18:08:17 0 d-------- C:\Documents and Settings\Owner\Application Data\Ahead
2007-07-16 18:05:07 0 d-------- C:\Program Files\Nero
2007-07-16 17:41:56 0 d-------- C:\Documents and Settings\Owner\Application Data\CyberLink
2007-07-13 17:18:33 0 d-------- C:\Program Files\Prison Tycoon 2


-- Find3M Report ---------------------------------------------------------------

2007-08-13 01:58:09 0 d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2007-08-09 11:00:26 0 d-------- C:\Program Files\Common Files
2007-08-09 11:00:26 0 d-------- C:\Program Files\Common Files\AOL
2007-08-09 10:43:31 0 d-------- C:\Program Files\KeyWallet
2007-08-09 10:43:12 0 d-------- C:\Program Files\Sweep
2007-08-09 10:39:37 0 d-------- C:\Program Files\Atari
2007-08-09 10:38:27 0 d-------- C:\Documents and Settings\Owner\Application Data\Atari
2007-08-09 10:36:48 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-09 10:35:49 0 d-------- C:\Documents and Settings\Owner\Application Data\AOL
2007-07-31 22:42:15 0 d-------- C:\Program Files\AviSynth 2.5
2007-07-31 22:26:26 0 d-------- C:\Program Files\GameSpy Arcade
2007-07-31 22:26:00 0 d-------- C:\Program Files\VSO
2007-07-31 22:25:57 0 d-------- C:\Documents and Settings\Owner\Application Data\Vso
2007-07-31 22:25:57 47360 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2007-07-31 22:25:57 55 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.log
2007-07-31 22:25:57 1144 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.inf
2007-07-31 22:25:57 7887 --a------ C:\Documents and Settings\Owner\Application Data\pcouffin.cat
2007-07-31 13:04:18 0 d-------- C:\Program Files\TomTom HOME
2007-07-25 15:34:30 0 d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2007-07-25 15:21:02 3854 --a------ C:\WINDOWS\mozver.dat
2007-07-20 17:06:10 0 d-------- C:\Program Files\dvdSanta
2007-07-18 19:49:54 0 d-------- C:\Program Files\Common Files\Ahead
2007-07-18 19:04:57 9669120 --a------ C:\WINDOWS\system32\logonuiX.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-07-16 18:19:13 0 d-------- C:\Program Files\DVD2SVCD
2007-07-16 18:02:58 0 d-------- C:\Program Files\Ahead
2007-07-13 20:33:59 0 d-------- C:\Program Files\Hitman Pro
2007-07-12 23:16:43 0 d-------- C:\Program Files\TypeItIn
2007-07-12 13:35:23 0 d-------- C:\Documents and Settings\Owner\Application Data\Help
2007-07-12 13:35:17 796672 --a------ C:\WINDOWS\GPInstall.exe <Not Verified; Qsc; GP-Install>
2007-07-10 18:28:37 164 --a------ C:\install.dat
2007-07-09 16:11:02 0 d-------- C:\Program Files\XLink Kai Evolution VII
2007-07-05 20:33:04 0 d-------- C:\Program Files\DAEMON Tools
2007-07-02 20:33:39 0 d-------- C:\Program Files\Total Video Converter
2007-06-28 21:59:15 0 d-------- C:\Documents and Settings\Owner\Application Data\Leadertech
2007-06-28 21:56:17 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-06-28 21:51:01 0 d-------- C:\Program Files\Smart Projects
2007-06-27 17:07:05 0 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2007-06-27 17:06:16 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-06-27 13:17:47 0 d-------- C:\Documents and Settings\Owner\Application Data\DVD Flick
2007-06-27 13:05:03 0 d-------- C:\Program Files\uTorrent
2007-06-24 12:47:42 0 d-------- C:\Program Files\Stardock
2007-06-24 11:57:20 0 d-------- C:\Program Files\CursorXP
2007-06-23 16:03:05 3765 --a------ C:\Program Files\dvd2svcd_log.txt
2007-06-23 16:01:30 0 d-------- C:\Program Files\Subs
2007-06-23 16:01:10 0 d-------- C:\Program Files\Movies
2007-06-23 16:00:59 0 d-------- C:\Program Files\QuEnc
2007-06-18 20:47:38 0 d-------- C:\Program Files\AusLogics Disk Defrag
2007-06-18 20:30:07 0 d-------- C:\Program Files\Microsoft Calculator Plus
2007-06-13 16:57:33 0 d-------- C:\Program Files\FileZilla
2007-06-04 18:30:06 117092 --a------ C:\WINDOWS\hpoins11.dat
2007-05-17 21:05:00 520192 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]
"CursorXP"="C:\Program Files\CursorXP\CursorXP.exe" [01/19/2005 05:34 PM]
"Eraser"="C:\Program Files\Eraser\eraser.exe" [12/25/2006 05:23 PM]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [07/24/2007 12:12 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2/19/2006 4:21:22 AM]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2/10/2006 7:56:20 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 06/26/2007 02:34 PM 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c60efe9e-ab57-11db-8a90-001676781861}]
AutoRun\command- autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7b5551e-822c-11db-9996-806d6172696f}]
AutoRun\command- D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd01a85d-d5be-11db-8ad4-000d3aa6b99a}]
AutoRun\command- J:\InstallTomTomHOME.exe




-- End of Deckard's System Scanner: finished at 2007-08-13 at 02:06:37 ---------

Deckard's System Scanner v20070809.63
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® D CPU 2.66GHz
CPU 1: Intel® Pentium® D CPU 2.66GHz
Percentage of Memory in Use: 50%
Physical Memory (total/avail): 893.8 MiB / 442.05 MiB
Pagefile Memory (total/avail): 2165.63 MiB / 1825.34 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1963.18 MiB

C: is Fixed (NTFS) - 149.05 GiB total, 115.6 GiB free.
D: is CDROM (Unformatted)
E: is CDROM (No Media)
F: is Removable (FAT32)


-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.


[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\wzdaa1\\MySpaceMp3Gopher.exe"="C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\wzdaa1\\MySpaceMp3Gopher.exe:*:Enabled:MySpace Mp3 Gopher Application"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
AVENGINE=C:\PROGRA~1\CA\SHARED~1\SCANEN~1
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_11\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=AKHIL2
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
INOCULAN=C:\PROGRA~1\CA\ETRUST~1
LOGONSERVER=\\AKHIL2
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\PROGRA~1\CA\SHARED~1\SCANEN~1;C:\PROGRA~1\CA\ETRUST~1;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\Common Files\Ahead\Lib\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0407
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_11\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=AKHIL2
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Owner (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AIM 6 --> C:\Program Files\AIM6\uninst.exe
Apple Software Update --> MsiExec.exe /I{A260B422-70E1-41E2-957D-F76FA21266D5}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x0
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AusLogics Disk Defrag --> "C:\Program Files\AusLogics Disk Defrag\unins000.exe"
BuddyList Ops 1.0.0.1 --> C:\PROGRA~1\BUDDYL~1\UNWISE.EXE C:\PROGRA~1\BUDDYL~1\INSTALL.LOG
CA eTrust Antivirus --> MsiExec.exe /X{99747F0D-D4F8-4877-9CA0-4AE96D963633}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
ClearType Tuning Control Panel Applet --> MsiExec.exe /I{C9E4932C-8417-4E4C-A0E3-EE534810AB4D}
CursorXP --> C:\Program Files\CursorXP\CurXPUtil.exe -u
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
eBay Spy Tools --> C:\Program Files\eBay Spy Tools\uninstall.exe
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
Eraser 5.82 --> "C:\Program Files\Eraser\unins000.exe"
ESPN Java Check --> C:\WINDOWS\system32\javaws.exe -uninstall -prompt "http://games.espn.go.com/s/flblm/07/livedraft/jws-check.jarjnlp"
EULAlyzer v1.2 --> "C:\Program Files\EULAlyzer\unins000.exe"
FireTune --> C:\WINDOWS\iun6002.exe "C:\Program Files\FireTune\irunin.ini"
FriendBlasterPro --> "C:\Program Files\FriendBlasterPro\unins000.exe"
Full Tilt Poker.Net --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E07B7A31-E160-466D-A003-3BB7B8989D52}\setup.exe" -l0x9 -removeonly
Google Updater --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
HarvEX --> C:\Program Files\HarvEX\uninstall.exe
HijackThis 2.0.2 --> "C:\Program Files\HijackThis\HijackThis.exe" /uninstall
HP Customer Participation Program 7.0 --> C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Document Viewer 7.0 --> C:\Program Files\HP\Digital Imaging\DocumentViewer\hpzscr01.exe -datfile hpqbud04.dat
HP Imaging Device Functions 7.0 --> C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Premier Software 6.5 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Photosmart, Officejet and Deskjet 7.0.A --> C:\Program Files\HP\Digital Imaging\{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}\setup\hpzscr01.exe -datfile hposcr11.dat
HP Solution Center 7.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Update --> MsiExec.exe /X{8C6027FD-53DC-446D-BB75-CACD7028A134}
IsoBuster 2.1 --> "C:\Program Files\Smart Projects\IsoBuster\Uninst\unins000.exe"
iTunes --> MsiExec.exe /I{6E93572D-F31E-496F-8B2F-F400B3A2BC4E}
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Kaspersky Online Scanner --> C:\WINDOWS\system32\KASPER~1\KASPER~1\kavuninstall.exe
LogonStudio --> C:\PROGRA~1\WINCUS~1\LOGONS~1\UNWISE.EXE C:\PROGRA~1\WINCUS~1\LOGONS~1\INSTALL.LOG
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Calculator Plus --> MsiExec.exe /I{83073C45-3003-4671-9A86-243AAADD915A}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROR /dll OSETUP.DLL
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Monopoly --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{20FA8AEE-E785-4F79-98EB-2067A8F395F4}\setup.exe" -l0x9
Monopoly Here & Now --> "C:\WINDOWS\Monopoly Here & Now Edition\uninstall.exe" "/U:C:\Program Files\KaPi_Monopoly \Uninstall\uninstall.xml"
Mozilla Firefox (2.0.0.3) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Firefox (2.0.0.6) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB927977) --> MsiExec.exe /I{5A710547-B58E-488B-828D-CA9A25A0533C}
Nero 7 Ultra Edition --> MsiExec.exe /X{DB4C031D-B2F8-47F1-A274-59A8F3B61033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Netflix Movie Viewer --> MsiExec.exe /X{178FDCAC-0CC9-433B-8E1C-96251615DCBE}
OCR Software by I.R.I.S 7.0 --> C:\Program Files\HP\Digital Imaging\OCR\hpzscr01.exe -datfile hpqbud11.dat
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PDF Password Cracker Pro v3.0 --> "C:\Program Files\PDF Password Cracker Pro v3.0\unins000.exe"
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328}
Rainlendar2 (remove only) --> "C:\Program Files\Rainlendar2\uninst.exe"
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\setup.exe" -l0x9 REMOVE
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
TomTom HOME --> C:\Program Files\InstallShield Installation Information\{CE325D55-FCAF-4273-BB79-069BB8747270}\setup.exe -runfromtemp -l0x0009 -removeonly -removeonly
TuneUp Utilities 2007 --> MsiExec.exe /I{C8BB4912-12D9-42AE-B571-E580D8CD1B5B}
Turbo Lister 2 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{69640730-B830-4C24-BB5C-222DA1260548}
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Virtual Globe. --> C:\WINDOWS\system32\javaws.exe -uninstall "http://www.virtual-globe.info/webstart/lib/VirtualGlobe.jar"
Volumouse --> C:\WINDOWS\zipinst.exe /uninst "C:\Program Files\Volumouse\uninst1~.nsu"
Who Wants To Be A Millionaire Sports Edition --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\BUENAV~1\WHOWAN~1\DeIsL1.isu
WinDirStat 1.1.2 --> "C:\Program Files\WinDirStat\Uninstall.exe"
WindowBlinds --> C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\UNWISE.EXE C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\INSTALL.LOG
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
WinZip 11.1 --> MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}
XLink Kai Evolution 7 --> MsiExec.exe /X{F90592EC-5E58-4EE6-A333-EC05ED57ACF4}
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event ID #3403: Warning
Event Submitted/Written: 08/10/2007 10:28:57 PM
Event Source: Userenv
Event Description:
Windows saved user AKHIL2\Owner registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Event ID #3369: Warning
Event Submitted/Written: 08/08/2007 07:28:57 PM
Event Source: Userenv
Event Description:
Windows saved user AKHIL2\Owner registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Event ID #3361: Error
Event Submitted/Written: 08/06/2007 05:58:11 PM
Event Source: Application Error
Event Description:
Faulting application dss(2).exe, version 3.2.4.9, faulting module dss.dll, version 0.0.0.0, fault address 0x000020c8.
Processing media-specific event for [dss(2).exe!ws!]

Event ID #3357: Warning
Event Submitted/Written: 08/06/2007 05:35:47 PM
Event Source: Userenv
Event Description:
Windows saved user AKHIL2\Owner registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Event ID #3356: Error
Event Submitted/Written: 08/06/2007 05:35:02 PM
Event Source: Application Error
Event Description:
Faulting application dss(2).exe, version 3.2.4.9, faulting module dss.dll, version 0.0.0.0, fault address 0x000020c8.
Processing media-specific event for [dss(2).exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event ID #360521: Error
Event Submitted/Written: 08/13/2007 01:37:24 AM
Event Source: DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service upnphost with arguments ""
in order to run the server:
{204810B9-73B2-11D4-BF42-00B0D0118B56}

Event ID #359512: Error
Event Submitted/Written: 08/13/2007 00:18:00 AM
Event Source: Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
i8042prt

Event ID #359412: Error
Event Submitted/Written: 08/11/2007 09:07:38 AM
Event Source: Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
i8042prt

Event ID #359411: Error
Event Submitted/Written: 08/11/2007 09:07:38 AM
Event Source: Print
Event Description:
Sharing printer failed + 1722, Printer Microsoft XPS Document Writer share name Printer.

Event ID #358660: Error
Event Submitted/Written: 08/11/2007 01:10:01 AM
Event Source: Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
i8042prt



-- End of Deckard's System Scanner: finished at 2007-08-13 at 02:06:37 ---------

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, August 13, 2007 11:36:10 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 13/08/2007
Kaspersky Anti-Virus database records: 379265
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 72638
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 02:22:42

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\.rainlendar2\rainlendar2.log Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Ahead\NeroVision\NeroVisionLog.txt Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\c4i1bz0y.default\cert8.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\c4i1bz0y.default\history.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\c4i1bz0y.default\key3.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\c4i1bz0y.default\parent.lock Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\c4i1bz0y.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\c4i1bz0y.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini.inuse Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\c4i1bz0y.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\c4i1bz0y.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\c4i1bz0y.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\c4i1bz0y.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012007080620070813\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012007081320070814\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\hsperfdata_Owner\596 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\NVE122.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\NVE123.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\NVE124.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\NVE125.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\NVE126.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\NVE127.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFD42A.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT.LOG Object is locked skipped
C:\Program Files\CA\eTrust Antivirus\DB\rtmaster.dbf Object is locked skipped
C:\Program Files\CA\eTrust Antivirus\DB\rtmaster.ntx Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{C88BD2E3-2953-4D06-99B5-0B5FA83474AC}\RP223\A0075334.exe Infected: IM-Worm.Win32.Sohanad.aw skipped
C:\System Volume Information\_restore{C88BD2E3-2953-4D06-99B5-0B5FA83474AC}\RP229\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

____________________________________________

Overall the system hasn't crashed yet since you started helping me.

*Kaspersky found a virus in my system restore info*
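As an added illustration (not part of the poster's report or of Kaspersky's tooling): a small Python triage helper that reads report lines in the format shown above, separates locked files from infected ones, and checks whether every detection sits inside a System Restore point. The sample lines are constructed and the restore GUID is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the "path verdict action" layout of the report above.
SAMPLE_REPORT = """\
C:\\WINDOWS\\system32\\config\\SAM Object is locked skipped
C:\\System Volume Information\\_restore{GUID-PLACEHOLDER}\\RP223\\A0075334.exe Infected: IM-Worm.Win32.Sohanad.aw skipped
C:\\Documents and Settings\\Owner\\ntuser.dat Object is locked skipped
Scan process completed.
"""

# Lazy path match, then one of the verdict phrases, then the action word.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Object is locked|Infected: (?P<threat>\S+)) (?P<action>\S+)$"
)


@dataclass
class Entry:
    path: str
    threat: Optional[str]  # None for "Object is locked" entries
    action: str


def parse_report(text: str) -> List[Entry]:
    """Parse report lines; status lines that do not match are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["path"], m["threat"], m["action"]))
    return entries


def in_system_restore(path: str) -> bool:
    # Restore-point copies live under <drive>:\System Volume Information\_restore{...}\RPnnn\
    return "\\system volume information\\_restore" in path.lower()


def triage(text: str) -> dict:
    """Summarise the report: locked count, detections, and whether all detections are restore-point copies."""
    entries = parse_report(text)
    infected = [e for e in entries if e.threat]
    return {
        "locked": sum(1 for e in entries if e.threat is None),
        "infected": infected,
        "restore_point_only": bool(infected) and all(in_system_restore(e.path) for e in infected),
    }
```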

#9 Rorschach

Posted 15 August 2007 - 09:37 AM

Hello Guptadogg

Go to this site:
http://www.virustotal.com/
On top you'll find 'Browse'
Click the browse button and browse to the file:

D:\setup.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.

#10 guptadogg

  • Topic Starter

Posted 15 August 2007 - 04:45 PM

I can't seem to find

D:\setup.exe

#11 Rorschach

Posted 16 August 2007 - 06:59 AM

Hello Guptadogg

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Please download OTMoveIt by OldTimer.
  • Save it to your desktop.
Do not run it yet!


Reboot into Safe Mode by continuously tapping the F8 key as soon as the computer begins to boot. A menu should come up where you will be given the option to enter Safe Mode.


Now we need to fix your problems by making a .reg file. Copy the code below into a Notepad file. Name the file as fix.reg, change the "Save as Type" to "All files" and save it on the desktop.

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c60efe9e-ab57-11db-8a90-001676781861}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7b5551e-822c-11db-9996-806d6172696f}]

[-HKEY_CLASSES_ROOT\CLSID\{c60efe9e-ab57-11db-8a90-001676781861}]

[-HKEY_CLASSES_ROOT\CLSID\{d7b5551e-822c-11db-9996-806d6172696f}]

Then double click on the fix.reg file, when it prompts to merge click "Yes".



Now let's run OTMoveIt
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    D:\setup.exe

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.

Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")

Click "Exit" to close OTMoveIt.


So please post the OTMoveIt results in your next reply and tell me how your PC is running now.
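As an added illustration (not part of Rorschach's instructions, and not Regedit or OTMoveIt code): a small Python script that reads a .reg file like the fix.reg above and lists what merging it would do, so the `[-KEY]` deletion entries can be checked against the intended key list before clicking "Yes". The four deletion keys in the sample are the ones from the thread; the HKEY_CURRENT_USER\Software\Example key and its value are constructed placeholders added to show the other entry types.

```python
import re
from typing import List, Tuple

# Thread's fix.reg keys plus one constructed key/value pair for illustration.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{c60efe9e-ab57-11db-8a90-001676781861}]

[-HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{d7b5551e-822c-11db-9996-806d6172696f}]

[-HKEY_CLASSES_ROOT\\CLSID\\{c60efe9e-ab57-11db-8a90-001676781861}]

[-HKEY_CLASSES_ROOT\\CLSID\\{d7b5551e-822c-11db-9996-806d6172696f}]

[HKEY_CURRENT_USER\\Software\\Example]
"Placeholder"=-
"""

KEY_RE = re.compile(r"^\[(?P<minus>-?)(?P<key>[^\]]+)\]$")       # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^(?P<name>"[^"]*"|@)=(?P<data>.*)$')     # "name"=data or @=data


def audit_reg(text: str) -> List[Tuple[str, str]]:
    """Return (action, target) pairs: create_key, delete_key, set_value, delete_value."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in ("Windows Registry Editor Version 5.00", "REGEDIT4"):
        raise ValueError("missing .reg header; Regedit would refuse this file")
    actions, current = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):          # blank or comment
            continue
        km = KEY_RE.match(line)
        if km:
            current = km["key"]
            actions.append(("delete_key" if km["minus"] else "create_key", current))
            continue
        vm = VALUE_RE.match(line)
        if vm and current:
            name = "(Default)" if vm["name"] == "@" else vm["name"].strip('"')
            kind = "delete_value" if vm["data"].strip() == "-" else "set_value"
            actions.append((kind, current + "\\" + name))
    return actions


def deleted_keys(text: str) -> List[str]:
    """Just the keys a merge would remove, for checking against the expected list."""
    return [t for a, t in audit_reg(text) if a == "delete_key"]
```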

#12 guptadogg

  • Topic Starter

Posted 17 August 2007 - 07:21 AM

Sorry Rorschach, but I won't be able to post a reply until Thursday the 23rd of August, as I am on vacation.

Guptadogg

#13 Rorschach

Posted 17 August 2007 - 08:29 AM

No problem Guptadogg, post here when you get back and we can finish this up. Have a great vacation!

