Site 82.98.235.70/433?sid= Trying To Open


  • This topic is locked
12 replies to this topic

#1 aznative77

  • Members
  • 6 posts

Posted 12 April 2008 - 12:37 PM

Hello and thank you in advance for any assistance you can provide.

My friend's computer keeps trying to open site 82.98.235.70/443?sid=. He has PC-cillin installed, but running it does not seem to fix his problem. Below you will find his Deckard, HJT, and Kaspersky logs. Please advise, and thank you again.

Mike

----------------Deckard Main ----------------------------------
Deckard's System Scanner v20071014.68
Run by Ray on 2008-04-12 10:19:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Ray.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:06 AM, on 4/12/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\Ray\Local Settings\Temporary Internet Files\Content.IE5\85MBS9YR\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Ray.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {63AB48C9-01A8-495C-8194-A715DB8A37A2} - C:\WINNT\system32\urqNHWqr.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [l6a9siGCaw] C:\Documents and Settings\All Users\Application Data\bovmhcny\lqhaxynq.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Convert for CLIÉ - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: View All Originals On Page - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O8 - Extra context menu item: View Original Image - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1205458564060
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1187931161401
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp...psi/Coupons.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com/components/ocx/autopr.../autopricer.cab
O20 - Winlogon Notify: urqNHWqr - C:\WINNT\SYSTEM32\urqNHWqr.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7669 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080313-183508-487 O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
backup-20080313-183508-713 O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
backup-20080313-183509-546 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
backup-20080313-183509-655 O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
backup-20080313-183509-714 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1187931197994

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 BCMNTIO - c:\program files\checkit\diagnostics\bcmntio.sys
R2 MAPMEM - c:\program files\checkit\diagnostics\mapmem.sys
R2 ousbehci (NEC PCI to USB Enhanced Host Controller) - c:\winnt\system32\drivers\ousbehci.sys <Not Verified; OrangeWare Corporation; USB 2.0 Enhanced Host Controller Driver>
R3 ousb2hub (OrangeWare USB 2.0 Root Hub Support) - c:\winnt\system32\drivers\ousb2hub.sys <Not Verified; OrangeWare Corporation; USB 2.0 Hub Driver>

S3 catchme - c:\docume~1\ray\locals~1\temp\catchme.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Parallel Device
Device ID: ROOT\LEGACY_HPFECP12\0000
Manufacturer:
Name: Parallel Device
PNP Device ID: ROOT\LEGACY_HPFECP12\0000
Service: HPFECP12

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ROOT\LEGACY_NPF\0000
Manufacturer:
Name:
PNP Device ID: ROOT\LEGACY_NPF\0000
Service:


-- Files created between 2008-03-12 and 2008-04-12 -----------------------------

2008-04-12 09:13:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-12 09:12:53 0 d-------- C:\WINNT\system32\Kaspersky Lab
2008-04-12 08:05:40 642122 ---h----- C:\WINNT\ShellIconCache
2008-04-11 16:55:25 0 d-------- C:\WINNT\ERUNT
2008-04-11 09:14:47 0 d-------- C:\Documents and Settings\Ray\Application Data\TmpRecentIcons
2008-04-09 23:57:44 0 d-------- C:\Documents and Settings\All Users\Application Data\bovmhcny
2008-04-09 23:56:50 155648 --a------ C:\WINNT\vnbptxlf.dll
2008-04-09 23:56:50 81920 --a------ C:\WINNT\apoxqwfv.exe
2008-04-09 23:54:55 37888 --a------ C:\WINNT\system32\urqNHWqr.dll
2008-03-13 18:58:58 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_4cc.dat
2008-03-12 19:31:24 2652 --a------ C:\WINNT\system32\tmp.reg


-- Find3M Report ---------------------------------------------------------------

2008-03-16 17:41:00 23504 --a------ C:\Documents and Settings\Ray\Application Data\GDIPFONTCACHEV1.DAT
2008-03-12 19:19:38 0 d-------- C:\Program Files\Trend Micro
2008-03-11 13:48:29 0 d-------- C:\Program Files\Eusing Free Registry Cleaner
2008-03-07 12:17:54 98304 --a------ C:\WINNT\fqspogw.exe
2008-03-01 17:52:51 0 d-------- C:\Documents and Settings\Ray\Application Data\Uniblue
2008-03-01 17:52:13 0 d-------- C:\Program Files\Uniblue
2008-02-15 21:42:57 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-13 01:09:36 0 d-------- C:\Documents and Settings\Ray\Application Data\Image Zone Express
2008-01-20 16:56:05 113226 --a------ C:\WINNT\hpoins07.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63AB48C9-01A8-495C-8194-A715DB8A37A2}]
04/09/08 11:54p 37888 --a------ C:\WINNT\system32\urqNHWqr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 12:05p C:\WINNT\system32\mobsync.exe]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [09/13/03 09:36p]
"HPDJ Taskbar Utility"="C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb12.exe" [03/07/05 09:42p]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [05/11/05 11:12p]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [12/28/06 11:52p]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [07/07/06 04:14p]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [07/07/06 04:15p]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/20/08 06:03p]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/08 10:16p]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [02/20/01 01:09p C:\WINNT\system32\CTFMON.EXE]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Sony Handheld\HOTSYNC.EXE [8/9/2002 3:36:20 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [5/11/2005 11:23:26 PM]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [11/4/2005 3:04:48 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"l6a9siGCaw"=C:\Documents and Settings\All Users\Application Data\bovmhcny\lqhaxynq.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{63AB48C9-01A8-495C-8194-A715DB8A37A2}"= C:\WINNT\system32\urqNHWqr.dll [04/09/08 11:54p 37888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqNHWqr]
urqNHWqr.dll 04/09/08 11:54p 37888 C:\WINNT\system32\urqNHWqr.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"




-- End of Deckard's System Scanner: finished at 2008-04-12 10:22:24 ------------

---------Deckard Extra-----------------------------------------------
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows 2000 Professional (build 2195) SP 4.0
Architecture: X86; Language: English

CPU 0: Intel Pentium III processor
Percentage of Memory in Use: 68%
Physical Memory (total/avail): 510.48 MiB / 162.91 MiB
Pagefile Memory (total/avail): 859.88 MiB / 406.84 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1959.75 MiB

C: is Fixed (NTFS) - 18.99 GiB total, 7.7 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST320011A - 19 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 18.99 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Ray\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HOME-PC
ComSpec=C:\WINNT\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Ray
LOGONSERVER=\\HOME-PC
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\Program Files\Internet Explorer;;C:\Program Files\Trend Micro\HijackThis;C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0806
ProgramFiles=C:\Program Files
PROMPT=$P$G
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\DOCUME~1\Ray\LOCALS~1\Temp
TMP=C:\DOCUME~1\Ray\LOCALS~1\Temp
USERDOMAIN=HOME-PC
USERNAME=Ray
USERPROFILE=C:\Documents and Settings\Ray
windir=C:\WINNT


-- User Profiles ---------------------------------------------------------------

Ray (admin)


-- Add/Remove Programs ---------------------------------------------------------

Actiontec Gateway --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9692FD03-6662-4E62-B08C-30DFF51651E1}\setup.exe" -l0x9
Ad-aware 6 Professional --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Atmosphere Player for Acrobat and Adobe Reader --> C:\WINNT\atmoUn.exe
Adobe Flash Player ActiveX --> C:\WINNT\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
AtomTime Pro 3.1d --> "C:\Program Files\AtomTime Pro\unins000.exe"
Caere Scan Manager 4.02 --> C:\WINNT\UNSCAN40.EXE -f"C:\Program Files\Common Files\Caere\Scan Manager\DeIsL1.isu"
CCScore --> MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
CheckIt Diagnostics --> C:\PROGRA~1\CheckIt\DIAGNO~1\UNWISE.EXE C:\PROGRA~1\CheckIt\DIAGNO~1\INSTALL.LOG
CLIE Mail Conduit --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FE4EF1A8-6DB6-469F-98E4-519AEC0ED6E9}\Setup.exe" UNINSTALL
CLIE SCSI Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DB6D0A87-77BA-4083-85D1-D07604B3FAD7}\setup.exe" -l0x9 UNINSTALL
CLIE Update Wizard --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{607726FC-5C44-4AE6-A3DF-A0CEC3B08F03}\Setup.exe" -l0x9
Data Access Objects (DAO) 3.5 --> C:\Program Files\Common Files\MICROSOFT SHARED\DAO\Remove.EXE C:\WINNT\UNINST.EXE -f"C:\Program Files\Common Files\MICROSOFT SHARED\DAO\DEISL1.ISU"
Data Export --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{15EE1439-3B90-4DA6-A4FD-3BF23E830C25}\Setup.exe" -l0x9 UNINSTALL
ESSCDBK --> MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore --> MsiExec.exe /I{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}
ESSgui --> MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESShelp --> MsiExec.exe /I{87843A41-7808-4F2E-B13F-25C1E67CF2FD}
ESSini --> MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD --> MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSSONIC --> MsiExec.exe /I{4F677FC7-7AA8-412B-A957-F13CBE1C7331}
ESSTOOLS --> MsiExec.exe /I{8A502E38-29C9-49FA-BCFA-D727CA062589}
ESSvpaht --> MsiExec.exe /I{A5B3EB8A-4071-42F0-8E8E-7A8342AA8E69}
ESSvpot --> MsiExec.exe /I{48C82F7A-F100-4DAB-A310-8E18BF2159E1}
Eusing Free Registry Cleaner --> C:\PROGRA~1\EUSING~1\UNWISE.EXE C:\PROGRA~1\EUSING~1\INSTALL.LOG
GdiplusUpgrade --> MsiExec.exe /I{5421155F-B033-49DB-9B33-8F80F233D4D5}
Generic SoftK56 Data Fax --> C:\Program Files\CONEXANT\HSF_MODEM_PCI\HXFSETUP.EXE -U -IGENHSF5.INF
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HLPIndex --> MsiExec.exe /I{38441BE7-79B0-42B8-8297-833704F949FE}
HLPRFO --> MsiExec.exe /I{AADAC983-FDE9-42FA-8FD9-7BB324155593}
HP Extended Capabilities 5.3 --> C:\Program Files\Hewlett-Packard\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Image Zone Express --> MsiExec.exe /X{FE64AE29-0883-4C70-8388-DC026019C900}
HP Imaging Device Functions 5.3 --> C:\Program Files\Hewlett-Packard\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
hp instant support --> C:\PROGRA~1\HEWLET~1\hpis\Uninstall.exe t /s CeS
HP Memories Disc --> MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
HP PSC & OfficeJet 5.3.B --> "C:\Program Files\Hewlett-Packard\Digital Imaging\{5B79CFD1-6845-4158-9D7D-6BE89DF2C135}\setup\hpzscr01.exe" -datfile hposcr07.dat
HP Solution Center & Imaging Support Tools 5.3 --> C:\Program Files\Hewlett-Packard\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Update --> MsiExec.exe /X{8C6027FD-53DC-446D-BB75-CACD7028A134}
Image Converter 1.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F5EA2077-A5A0-411E-8423-3D08F4602E5E}\Setup.exe"
Intellisync Lite --> C:\WINNT\UNINST.EXE -fC:\PROGRA~1\ISCLIE\DeIsL1.isu -cC:\PROGRA~1\ISCLIE\ILUNINST.DLL
Internet Explorer Q903235 --> C:\WINNT\ieuninst.exe C:\WINNT\INF\Q903235.inf
Java 2 Runtime Environment, SE v1.4.2_05 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142050}
Kaspersky Online Scanner --> C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Kodak EasyShare software --> C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_1e0007_1954d5\Setup.exe /APR-REMOVE
KSU --> MsiExec.exe /I{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}
MathPlayer --> C:\Program Files\Design Science\MathPlayer\Setup.exe -u
Microsoft .NET Framework 1.1 --> msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 --> MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 Hotfix (KB928366) --> "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 2.0 Service Pack 1 --> MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINNT\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Office XP Media Content --> MsiExec.exe /I{90300409-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP Professional --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0050048383C9}
Microsoft Picture It! Express 7.0 --> MsiExec.exe /I{369B36BE-3D64-4641-9AEA-808D436FE130}
Microsoft Picture It! Express 9 --> C:\WINNT\system32\msiexec.exe /i {DBA8B9E1-C6FF-4624-9598-73D3B41A0900}
Microsoft Picture It! Library 9 --> C:\WINNT\system32\msiexec.exe /i {9F7FC79B-3059-4264-9450-39EB368E3220}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
Microsoft XML Parser and SDK --> MsiExec.exe /I{3E908702-AF35-4611-9518-955DA24B7E07}
Mobile Connection Wizard --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DA3F32EC-9B99-4C91-B2FD-E74D9999E5B7}\Setup.exe" -l0x9
MSN --> C:\Program Files\MSN\MsnInstaller\msniadm.exe /Action:ARP
MSN Encarta Plus Support Files --> MsiExec.exe /I{00000000-785F-478A-BAA2-87F1A136068C}
MSN Messenger 7.0 --> MsiExec.exe /I{ABEB838C-A1A7-4C5D-B7E1-8B4314600820}
MSN Toolbar --> C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\mtbs.exe c
MSXML 4.0 SP2 (KB927978) --> MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Nero - Burning Rom --> MsiExec.exe /X{A4D7B764-4140-11D4-88EB-0050DA3579C0}
Notifier --> MsiExec.exe /I{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}
OTtBP --> MsiExec.exe /I{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}
OTtBPSDK --> MsiExec.exe /I{3CA39B0C-BA85-4D42-AC0F-1FF5F60C3353}
Palm Desktop --> MsiExec.exe /X{C5EC81D0-3DED-435D-A46E-E3F60F7DC8AD}
PC Magazine StartupCop Pro --> "C:\Program Files\PC Magazine Utilities\StartupCop Pro\unins000.exe"
PCDADDIN --> MsiExec.exe /I{65D85050-5610-4A91-A3B1-D5C744291AD4}
PCDHELP --> MsiExec.exe /I{C99DCDA4-7407-4F72-A77E-C81C551D0C4E}
PCI SoftV92 Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F30&SUBSYS_205514F1\HXFSetup.exe -U -IPSCRCTR5K.inf
QuickConnect --> C:\Program Files\InstallShield Installation Information\{4998FF95-709A-430A-B104-92A009ABB848}\setup.exe -runfromtemp -l0x0009 -removeonly
QuickTime --> C:\WINNT\unvise32qt.exe C:\WINNT\system32\QuickTime\Uninstall.log
Security Update for DirectX 9 (KB941568) --> "C:\WINNT\$NtUninstallKB941568_DX9$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB904706) --> "C:\WINNT\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB923689) --> "C:\WINNT\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB941569) --> "C:\WINNT\$NtUninstallKB941569$\spuninst\spuninst.exe"
SFR --> MsiExec.exe /I{DB02F716-6275-42E9-B8D2-83BA2BF5100B}
SFR2 --> MsiExec.exe /I{A0AF08BA-3630-4505-BFB2-A41F3837B0D0}
SHASTA --> MsiExec.exe /I{605A4E39-613C-4A12-B56F-DEFBE6757237}
Shockwave --> C:\WINNT\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINNT\system32\Macromed\SHOCKW~1\Install.log
SKIN0001 --> MsiExec.exe /I{FDF9943A-3D5C-46B3-9679-586BD237DDEE}
SKINXSDK --> MsiExec.exe /I{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}
SoftV92 Voice Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200314F1\HXFSETUP.EXE -U -IURSLST5K.inf
Spelling Dictionaries Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Trend Micro PC-cillin Internet Security 2007 --> C:\PROGRA~1\TRENDM~1\INTERN~1\remove.exe
Trend Micro PC-cillin Internet Security 2007 --> MsiExec.exe /X{BB4B6355-D38A-492C-873B-A1B2CF6C3832}
Uniblue RegistryBooster 2 --> "C:\Program Files\Uniblue\RegistryBooster 2\unins000.exe"
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
VPRINTOL --> MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
Windows Media Player 9 Hotfix [See KB885492 for more information] --> C:\WINNT\$NtUninstallKB885492$\spuninst\spuninst.exe
Windows Media Player system update (9 Series) --> C:\PROGRA~1\WINDOW~2\setup_wm.exe /Uninstall
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
WIRELESS --> MsiExec.exe /I{F9593CFB-D836-49BC-BFF1-0E669A411D9F}


-- Application Event Log -------------------------------------------------------

Event Record #/Type42518 / Warning
Event Submitted/Written: 04/12/2008 08:10:56 AM
Event ID/Source: 35 / WinMgmt
Event Description:
WMI ADAP was unable to load the ASP.NET_2.0.50727 performance library because it returned invalid data: 0x0

Event Record #/Type42517 / Warning
Event Submitted/Written: 04/12/2008 08:10:47 AM / 04/12/2008 08:10:48 AM
Event ID/Source: 35 / WinMgmt
Event Description:
WMI ADAP was unable to load the ASP.NET performance library because it returned invalid data: 0x0

Event Record #/Type42514 / Error
Event Submitted/Written: 04/12/2008 08:07:03 AM
Event ID/Source: 1000 / Userenv
Event Description:
Windows cannot unload your registry file. If you have a roaming profile, your settings are not replicated. Contact your administrator.

DETAIL - Access is denied. , Build number ((2195)).

Event Record #/Type42512 / Warning
Event Submitted/Written: 04/11/2008 06:39:14 PM
Event ID/Source: 35 / WinMgmt
Event Description:
WMI ADAP was unable to load the ASP.NET_2.0.50727 performance library because it returned invalid data: 0x0

Event Record #/Type42511 / Warning
Event Submitted/Written: 04/11/2008 06:39:08 PM
Event ID/Source: 35 / WinMgmt
Event Description:
WMI ADAP was unable to load the ASP.NET performance library because it returned invalid data: 0x0



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type4152 / Error
Event Submitted/Written: 04/12/2008 08:46:49 AM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.0.64 for the Network Card with network address 000475523849 has been
denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type4148 / Error
Event Submitted/Written: 04/12/2008 08:09:01 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Task Scheduler service failed to start due to the following error:
%%1083

Event Record #/Type4144 / Error
Event Submitted/Written: 04/11/2008 06:37:42 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Task Scheduler service failed to start due to the following error:
%%1083

Event Record #/Type4142 / Error
Event Submitted/Written: 04/11/2008 05:38:38 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {1BE1F766-5536-11D1-B726-00C04FB926AF} did not register with DCOM within the required timeout.

Event Record #/Type4141 / Error
Event Submitted/Written: 04/11/2008 05:15:28 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:
%%1077



-- End of Deckard's System Scanner: finished at 2008-04-12 10:22:24 ------------

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [l6a9siGCaw] C:\Documents and Settings\All Users\Application Data\bovmhcny\lqhaxynq.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Convert for CLIÉ - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: View All Originals On Page - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O8 - Extra context menu item: View Original Image - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1205458564060
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1187931161401
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp...psi/Coupons.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com/components/ocx/autopr.../autopricer.cab
O20 - Winlogon Notify: urqNHWqr - C:\WINNT\SYSTEM32\urqNHWqr.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7669 bytes
--------------------End HJT-----------------------------------------------------------------------------


-----------------Kaspersky----------------------------------------------------------------
Saturday, April 12, 2008 10:17:43 AM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/04/2008
Kaspersky Anti-Virus database records: 700176


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target Critical Areas
C:\WINNT
C:\DOCUME~1\Ray\LOCALS~1\Temp\

Scan Statistics
Total number of scanned objects 12417
Number of viruses found 1
Number of infected objects 1
Number of suspicious objects 0
Duration of the scan process 00:38:29

Infected Object Name / Virus Name / Last Action
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\fqspogw.exe Infected: not-a-virus:AdWare.Win32.Vapsup.cki skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
C:\DOCUME~1\Ray\LOCALS~1\Temp\hpodvd09.log Object is locked skipped
C:\DOCUME~1\Ray\LOCALS~1\Temp\me_7DADxjGlHggRad1 Object is locked skipped
C:\DOCUME~1\Ray\LOCALS~1\Temp\me_8FhGzJUe2oFTSbS Object is locked skipped
C:\DOCUME~1\Ray\LOCALS~1\Temp\me_azpoYyBI8eFazsh Object is locked skipped
C:\DOCUME~1\Ray\LOCALS~1\Temp\me_n6B2bekal8kpvho Object is locked skipped
C:\DOCUME~1\Ray\LOCALS~1\Temp\me_UCMEqtd0w1A5mfU Object is locked skipped
C:\DOCUME~1\Ray\LOCALS~1\Temp\~DF7A3C.tmp Object is locked skipped

Scan process completed.



#2 RenatoMejias

RenatoMejias

  • Malware Response Team
  • 913 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:04 AM

Posted 24 April 2008 - 08:57 PM

Hello

Apologies for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
(alternate download site)

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run, as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue, as the scan is not harmful.



Next
Please do an online scan with Kaspersky WebScanner

Click on the Accept button.

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Renato Victor Mejias
Malware help in Portuguese

#3 aznative77

aznative77
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:04 PM

Posted 26 April 2008 - 03:07 PM

Thank you for the reply, and I appreciate your time. Following is the requested Deckard and Kaspersky scan info. Thanks again.

Mike

----------------Deckard Main ----------------------------------
Deckard's System Scanner v20071014.68
Run by Ray on 2008-04-12 10:19:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Ray.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:06 AM, on 4/12/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\Ray\Local Settings\Temporary Internet Files\Content.IE5\85MBS9YR\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Ray.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {63AB48C9-01A8-495C-8194-A715DB8A37A2} - C:\WINNT\system32\urqNHWqr.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [l6a9siGCaw] C:\Documents and Settings\All Users\Application Data\bovmhcny\lqhaxynq.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Convert for CLIÉ - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: View All Originals On Page - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O8 - Extra context menu item: View Original Image - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1205458564060
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1187931161401
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp...psi/Coupons.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com/components/ocx/autopr.../autopricer.cab
O20 - Winlogon Notify: urqNHWqr - C:\WINNT\SYSTEM32\urqNHWqr.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7669 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080313-183508-487 O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
backup-20080313-183508-713 O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
backup-20080313-183509-546 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
backup-20080313-183509-655 O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
backup-20080313-183509-714 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1187931197994

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 BCMNTIO - c:\program files\checkit\diagnostics\bcmntio.sys
R2 MAPMEM - c:\program files\checkit\diagnostics\mapmem.sys
R2 ousbehci (NEC PCI to USB Enhanced Host Controller) - c:\winnt\system32\drivers\ousbehci.sys <Not Verified; OrangeWare Corporation; USB 2.0 Enhanced Host Controller Driver>
R3 ousb2hub (OrangeWare USB 2.0 Root Hub Support) - c:\winnt\system32\drivers\ousb2hub.sys <Not Verified; OrangeWare Corporation; USB 2.0 Hub Driver>

S3 catchme - c:\docume~1\ray\locals~1\temp\catchme.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Parallel Device
Device ID: ROOT\LEGACY_HPFECP12\0000
Manufacturer:
Name: Parallel Device
PNP Device ID: ROOT\LEGACY_HPFECP12\0000
Service: HPFECP12

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ROOT\LEGACY_NPF\0000
Manufacturer:
Name:
PNP Device ID: ROOT\LEGACY_NPF\0000
Service:


-- Files created between 2008-03-12 and 2008-04-12 -----------------------------

2008-04-12 09:13:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-12 09:12:53 0 d-------- C:\WINNT\system32\Kaspersky Lab
2008-04-12 08:05:40 642122 ---h----- C:\WINNT\ShellIconCache
2008-04-11 16:55:25 0 d-------- C:\WINNT\ERUNT
2008-04-11 09:14:47 0 d-------- C:\Documents and Settings\Ray\Application Data\TmpRecentIcons
2008-04-09 23:57:44 0 d-------- C:\Documents and Settings\All Users\Application Data\bovmhcny
2008-04-09 23:56:50 155648 --a------ C:\WINNT\vnbptxlf.dll
2008-04-09 23:56:50 81920 --a------ C:\WINNT\apoxqwfv.exe
2008-04-09 23:54:55 37888 --a------ C:\WINNT\system32\urqNHWqr.dll
2008-03-13 18:58:58 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_4cc.dat
2008-03-12 19:31:24 2652 --a------ C:\WINNT\system32\tmp.reg


-- Find3M Report ---------------------------------------------------------------

2008-03-16 17:41:00 23504 --a------ C:\Documents and Settings\Ray\Application Data\GDIPFONTCACHEV1.DAT
2008-03-12 19:19:38 0 d-------- C:\Program Files\Trend Micro
2008-03-11 13:48:29 0 d-------- C:\Program Files\Eusing Free Registry Cleaner
2008-03-07 12:17:54 98304 --a------ C:\WINNT\fqspogw.exe
2008-03-01 17:52:51 0 d-------- C:\Documents and Settings\Ray\Application Data\Uniblue
2008-03-01 17:52:13 0 d-------- C:\Program Files\Uniblue
2008-02-15 21:42:57 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-13 01:09:36 0 d-------- C:\Documents and Settings\Ray\Application Data\Image Zone Express
2008-01-20 16:56:05 113226 --a------ C:\WINNT\hpoins07.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63AB48C9-01A8-495C-8194-A715DB8A37A2}]
04/09/08 11:54p 37888 --a------ C:\WINNT\system32\urqNHWqr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 12:05p C:\WINNT\system32\mobsync.exe]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [09/13/03 09:36p]
"HPDJ Taskbar Utility"="C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb12.exe" [03/07/05 09:42p]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [05/11/05 11:12p]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [12/28/06 11:52p]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [07/07/06 04:14p]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [07/07/06 04:15p]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/20/08 06:03p]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/08 10:16p]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [02/20/01 01:09p C:\WINNT\system32\CTFMON.EXE]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Sony Handheld\HOTSYNC.EXE [8/9/2002 3:36:20 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [5/11/2005 11:23:26 PM]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [11/4/2005 3:04:48 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"l6a9siGCaw"=C:\Documents and Settings\All Users\Application Data\bovmhcny\lqhaxynq.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{63AB48C9-01A8-495C-8194-A715DB8A37A2}"= C:\WINNT\system32\urqNHWqr.dll [04/09/08 11:54p 37888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqNHWqr]
urqNHWqr.dll 04/09/08 11:54p 37888 C:\WINNT\system32\urqNHWqr.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"




-- End of Deckard's System Scanner: finished at 2008-04-12 10:22:24 ------------

---------Deckard Extra-----------------------------------------------
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows 2000 Professional (build 2195) SP 4.0
Architecture: X86; Language: English

CPU 0: Intel Pentium III processor
Percentage of Memory in Use: 68%
Physical Memory (total/avail): 510.48 MiB / 162.91 MiB
Pagefile Memory (total/avail): 859.88 MiB / 406.84 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1959.75 MiB

C: is Fixed (NTFS) - 18.99 GiB total, 7.7 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST320011A - 19 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 18.99 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Ray\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HOME-PC
ComSpec=C:\WINNT\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Ray
LOGONSERVER=\\HOME-PC
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\Program Files\Internet Explorer;;C:\Program Files\Trend Micro\HijackThis;C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0806
ProgramFiles=C:\Program Files
PROMPT=$P$G
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\DOCUME~1\Ray\LOCALS~1\Temp
TMP=C:\DOCUME~1\Ray\LOCALS~1\Temp
USERDOMAIN=HOME-PC
USERNAME=Ray
USERPROFILE=C:\Documents and Settings\Ray
windir=C:\WINNT


-- User Profiles ---------------------------------------------------------------

Ray (admin)


-- Add/Remove Programs ---------------------------------------------------------

Actiontec Gateway --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9692FD03-6662-4E62-B08C-30DFF51651E1}\setup.exe" -l0x9
Ad-aware 6 Professional --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Atmosphere Player for Acrobat and Adobe Reader --> C:\WINNT\atmoUn.exe
Adobe Flash Player ActiveX --> C:\WINNT\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
AtomTime Pro 3.1d --> "C:\Program Files\AtomTime Pro\unins000.exe"
Caere Scan Manager 4.02 --> C:\WINNT\UNSCAN40.EXE -f"C:\Program Files\Common Files\Caere\Scan Manager\DeIsL1.isu"
CCScore --> MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
CheckIt Diagnostics --> C:\PROGRA~1\CheckIt\DIAGNO~1\UNWISE.EXE C:\PROGRA~1\CheckIt\DIAGNO~1\INSTALL.LOG
CLIE Mail Conduit --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FE4EF1A8-6DB6-469F-98E4-519AEC0ED6E9}\Setup.exe" UNINSTALL
CLIE SCSI Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DB6D0A87-77BA-4083-85D1-D07604B3FAD7}\setup.exe" -l0x9 UNINSTALL
CLIE Update Wizard --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{607726FC-5C44-4AE6-A3DF-A0CEC3B08F03}\Setup.exe" -l0x9
Data Access Objects (DAO) 3.5 --> C:\Program Files\Common Files\MICROSOFT SHARED\DAO\Remove.EXE C:\WINNT\UNINST.EXE -f"C:\Program Files\Common Files\MICROSOFT SHARED\DAO\DEISL1.ISU"
Data Export --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{15EE1439-3B90-4DA6-A4FD-3BF23E830C25}\Setup.exe" -l0x9 UNINSTALL
ESSCDBK --> MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore --> MsiExec.exe /I{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}
ESSgui --> MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESShelp --> MsiExec.exe /I{87843A41-7808-4F2E-B13F-25C1E67CF2FD}
ESSini --> MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD --> MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSSONIC --> MsiExec.exe /I{4F677FC7-7AA8-412B-A957-F13CBE1C7331}
ESSTOOLS --> MsiExec.exe /I{8A502E38-29C9-49FA-BCFA-D727CA062589}
ESSvpaht --> MsiExec.exe /I{A5B3EB8A-4071-42F0-8E8E-7A8342AA8E69}
ESSvpot --> MsiExec.exe /I{48C82F7A-F100-4DAB-A310-8E18BF2159E1}
Eusing Free Registry Cleaner --> C:\PROGRA~1\EUSING~1\UNWISE.EXE C:\PROGRA~1\EUSING~1\INSTALL.LOG
GdiplusUpgrade --> MsiExec.exe /I{5421155F-B033-49DB-9B33-8F80F233D4D5}
Generic SoftK56 Data Fax --> C:\Program Files\CONEXANT\HSF_MODEM_PCI\HXFSETUP.EXE -U -IGENHSF5.INF
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HLPIndex --> MsiExec.exe /I{38441BE7-79B0-42B8-8297-833704F949FE}
HLPRFO --> MsiExec.exe /I{AADAC983-FDE9-42FA-8FD9-7BB324155593}
HP Extended Capabilities 5.3 --> C:\Program Files\Hewlett-Packard\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Image Zone Express --> MsiExec.exe /X{FE64AE29-0883-4C70-8388-DC026019C900}
HP Imaging Device Functions 5.3 --> C:\Program Files\Hewlett-Packard\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
hp instant support --> C:\PROGRA~1\HEWLET~1\hpis\Uninstall.exe t /s CeS
HP Memories Disc --> MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
HP PSC & OfficeJet 5.3.B --> "C:\Program Files\Hewlett-Packard\Digital Imaging\{5B79CFD1-6845-4158-9D7D-6BE89DF2C135}\setup\hpzscr01.exe" -datfile hposcr07.dat
HP Solution Center & Imaging Support Tools 5.3 --> C:\Program Files\Hewlett-Packard\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Update --> MsiExec.exe /X{8C6027FD-53DC-446D-BB75-CACD7028A134}
Image Converter 1.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F5EA2077-A5A0-411E-8423-3D08F4602E5E}\Setup.exe"
Intellisync Lite --> C:\WINNT\UNINST.EXE -fC:\PROGRA~1\ISCLIE\DeIsL1.isu -cC:\PROGRA~1\ISCLIE\ILUNINST.DLL
Internet Explorer Q903235 --> C:\WINNT\ieuninst.exe C:\WINNT\INF\Q903235.inf
Java 2 Runtime Environment, SE v1.4.2_05 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142050}
Kaspersky Online Scanner --> C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Kodak EasyShare software --> C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_1e0007_1954d5\Setup.exe /APR-REMOVE
KSU --> MsiExec.exe /I{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}
MathPlayer --> C:\Program Files\Design Science\MathPlayer\Setup.exe -u
Microsoft .NET Framework 1.1 --> msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 --> MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 Hotfix (KB928366) --> "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 2.0 Service Pack 1 --> MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINNT\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Office XP Media Content --> MsiExec.exe /I{90300409-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP Professional --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0050048383C9}
Microsoft Picture It! Express 7.0 --> MsiExec.exe /I{369B36BE-3D64-4641-9AEA-808D436FE130}
Microsoft Picture It! Express 9 --> C:\WINNT\system32\msiexec.exe /i {DBA8B9E1-C6FF-4624-9598-73D3B41A0900}
Microsoft Picture It! Library 9 --> C:\WINNT\system32\msiexec.exe /i {9F7FC79B-3059-4264-9450-39EB368E3220}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
Microsoft XML Parser and SDK --> MsiExec.exe /I{3E908702-AF35-4611-9518-955DA24B7E07}
Mobile Connection Wizard --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DA3F32EC-9B99-4C91-B2FD-E74D9999E5B7}\Setup.exe" -l0x9
MSN --> C:\Program Files\MSN\MsnInstaller\msniadm.exe /Action:ARP
MSN Encarta Plus Support Files --> MsiExec.exe /I{00000000-785F-478A-BAA2-87F1A136068C}
MSN Messenger 7.0 --> MsiExec.exe /I{ABEB838C-A1A7-4C5D-B7E1-8B4314600820}
MSN Toolbar --> C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\mtbs.exe c
MSXML 4.0 SP2 (KB927978) --> MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Nero - Burning Rom --> MsiExec.exe /X{A4D7B764-4140-11D4-88EB-0050DA3579C0}
Notifier --> MsiExec.exe /I{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}
OTtBP --> MsiExec.exe /I{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}
OTtBPSDK --> MsiExec.exe /I{3CA39B0C-BA85-4D42-AC0F-1FF5F60C3353}
Palm Desktop --> MsiExec.exe /X{C5EC81D0-3DED-435D-A46E-E3F60F7DC8AD}
PC Magazine StartupCop Pro --> "C:\Program Files\PC Magazine Utilities\StartupCop Pro\unins000.exe"
PCDADDIN --> MsiExec.exe /I{65D85050-5610-4A91-A3B1-D5C744291AD4}
PCDHELP --> MsiExec.exe /I{C99DCDA4-7407-4F72-A77E-C81C551D0C4E}
PCI SoftV92 Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F30&SUBSYS_205514F1\HXFSetup.exe -U -IPSCRCTR5K.inf
QuickConnect --> C:\Program Files\InstallShield Installation Information\{4998FF95-709A-430A-B104-92A009ABB848}\setup.exe -runfromtemp -l0x0009 -removeonly
QuickTime --> C:\WINNT\unvise32qt.exe C:\WINNT\system32\QuickTime\Uninstall.log
Security Update for DirectX 9 (KB941568) --> "C:\WINNT\$NtUninstallKB941568_DX9$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB904706) --> "C:\WINNT\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB923689) --> "C:\WINNT\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB941569) --> "C:\WINNT\$NtUninstallKB941569$\spuninst\spuninst.exe"
SFR --> MsiExec.exe /I{DB02F716-6275-42E9-B8D2-83BA2BF5100B}
SFR2 --> MsiExec.exe /I{A0AF08BA-3630-4505-BFB2-A41F3837B0D0}
SHASTA --> MsiExec.exe /I{605A4E39-613C-4A12-B56F-DEFBE6757237}
Shockwave --> C:\WINNT\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINNT\system32\Macromed\SHOCKW~1\Install.log
SKIN0001 --> MsiExec.exe /I{FDF9943A-3D5C-46B3-9679-586BD237DDEE}
SKINXSDK --> MsiExec.exe /I{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}
SoftV92 Voice Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200314F1\HXFSETUP.EXE -U -IURSLST5K.inf
Spelling Dictionaries Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Trend Micro PC-cillin Internet Security 2007 --> C:\PROGRA~1\TRENDM~1\INTERN~1\remove.exe
Trend Micro PC-cillin Internet Security 2007 --> MsiExec.exe /X{BB4B6355-D38A-492C-873B-A1B2CF6C3832}
Uniblue RegistryBooster 2 --> "C:\Program Files\Uniblue\RegistryBooster 2\unins000.exe"
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
VPRINTOL --> MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
Windows Media Player 9 Hotfix [See KB885492 for more information] --> C:\WINNT\$NtUninstallKB885492$\spuninst\spuninst.exe
Windows Media Player system update (9 Series) --> C:\PROGRA~1\WINDOW~2\setup_wm.exe /Uninstall
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
WIRELESS --> MsiExec.exe /I{F9593CFB-D836-49BC-BFF1-0E669A411D9F}


-- Application Event Log -------------------------------------------------------

Event Record #/Type42518 / Warning
Event Submitted/Written: 04/12/2008 08:10:56 AM
Event ID/Source: 35 / WinMgmt
Event Description:
WMI ADAP was unable to load the ASP.NET_2.0.50727 performance library because it returned invalid data: 0x0

Event Record #/Type42517 / Warning
Event Submitted/Written: 04/12/2008 08:10:47 AM / 04/12/2008 08:10:48 AM
Event ID/Source: 35 / WinMgmt
Event Description:
WMI ADAP was unable to load the ASP.NET performance library because it returned invalid data: 0x0

Event Record #/Type42514 / Error
Event Submitted/Written: 04/12/2008 08:07:03 AM
Event ID/Source: 1000 / Userenv
Event Description:
Windows cannot unload your registry file. If you have a roaming profile, your settings are not replicated. Contact your administrator.

DETAIL - Access is denied. , Build number ((2195)).

Event Record #/Type42512 / Warning
Event Submitted/Written: 04/11/2008 06:39:14 PM
Event ID/Source: 35 / WinMgmt
Event Description:
WMI ADAP was unable to load the ASP.NET_2.0.50727 performance library because it returned invalid data: 0x0

Event Record #/Type42511 / Warning
Event Submitted/Written: 04/11/2008 06:39:08 PM
Event ID/Source: 35 / WinMgmt
Event Description:
WMI ADAP was unable to load the ASP.NET performance library because it returned invalid data: 0x0



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type4152 / Error
Event Submitted/Written: 04/12/2008 08:46:49 AM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.0.64 for the Network Card with network address 000475523849 has been
denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type4148 / Error
Event Submitted/Written: 04/12/2008 08:09:01 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Task Scheduler service failed to start due to the following error:
%%1083

Event Record #/Type4144 / Error
Event Submitted/Written: 04/11/2008 06:37:42 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Task Scheduler service failed to start due to the following error:
%%1083

Event Record #/Type4142 / Error
Event Submitted/Written: 04/11/2008 05:38:38 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {1BE1F766-5536-11D1-B726-00C04FB926AF} did not register with DCOM within the required timeout.

Event Record #/Type4141 / Error
Event Submitted/Written: 04/11/2008 05:15:28 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:
%%1077



-- End of Deckard's System Scanner: finished at 2008-04-12 10:22:24 ------------

-----------------Kaspersky----------------------------------------------------------------
Saturday, April 12, 2008 10:17:43 AM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/04/2008
Kaspersky Anti-Virus database records: 700176


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target Critical Areas
C:\WINNT
C:\DOCUME~1\Ray\LOCALS~1\Temp\

Scan Statistics
Total number of scanned objects 12417
Number of viruses found 1
Number of infected objects 1
Number of suspicious objects 0
Duration of the scan process 00:38:29

Infected Object Name Virus Name Last Action
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\fqspogw.exe Infected: not-a-virus:AdWare.Win32.Vapsup.cki skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
C:\DOCUME~1\Ray\LOCALS~1\Temp\hpodvd09.log Object is locked skipped
C:\DOCUME~1\Ray\LOCALS~1\Temp\me_7DADxjGlHggRad1 Object is locked skipped
C:\DOCUME~1\Ray\LOCALS~1\Temp\me_8FhGzJUe2oFTSbS Object is locked skipped
C:\DOCUME~1\Ray\LOCALS~1\Temp\me_azpoYyBI8eFazsh Object is locked skipped
C:\DOCUME~1\Ray\LOCALS~1\Temp\me_n6B2bekal8kpvho Object is locked skipped
C:\DOCUME~1\Ray\LOCALS~1\Temp\me_UCMEqtd0w1A5mfU Object is locked skipped
C:\DOCUME~1\Ray\LOCALS~1\Temp\~DF7A3C.tmp Object is locked skipped

Scan process completed.

#4 RenatoMejias (Malware Response Team)

Posted 27 April 2008 - 04:35 PM
Hi.

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Renato Victor Mejias
Malware help in portuguese

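The logs in this thread show the pattern worth learning to read in ComboFix and HijackThis output: a random-named executable sitting directly in C:\WINNT (the file Kaspersky flagged above), an entry under policies\explorer\run pointing into All Users\Application Data, and a Winlogon Notify package with a random name (both appear in the "Reg Loading Points" section of the ComboFix log posted further down). The script below is an added example for this thread, not code from ComboFix, HijackThis or Kaspersky. It scores autostart entries in ComboFix-format text and reports the ones that cross a threshold. The sample text is constructed from the paths in this thread's logs; the stock Notify DLL list and the %SystemRoot% allowlist are assumptions to replace with your own baseline; and the file-name heuristic is deliberately weak (it also fires on qttask and ctfmon), so it only ever adds a point on top of a location signal.

```python
"""Triage of autostart entries in ComboFix "Reg Loading Points" output.

Added example for this thread; not code from ComboFix, HijackThis or
Kaspersky. Each entry is scored on location signals (strong) and a
file-name signal (weak) and reported when it crosses THRESHOLD.
"""
import re
from dataclasses import dataclass

# Constructed sample in the format ComboFix prints. The two Run entries are
# benign (from the same log); the other two are the entries ComboFix removed.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [06-12-28 23:52 3429904]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [08-01-20 18:03 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"l6a9siGCaw"= C:\Documents and Settings\All Users\Application Data\bovmhcny\lqhaxynq.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqNHWqr]
urqNHWqr.dll
"""

# Assumption: stock Winlogon Notify DLLs on Windows 2000/XP. Anything else
# registered there is loaded into winlogon.exe at every logon. Extend for
# your own baseline.
STOCK_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "sclgntfy.dll", "wlnotify.dll", "wzcdlg.dll", "termsrv.dll"}
# Assumption: binaries that legitimately sit directly in %SystemRoot%.
SYSROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe"}

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*"?(?P<path>[^"\[]+?)"?\s*(\[.*\])?$')
WRITABLE_DIR_RE = re.compile(r"\\(Application Data|Local Settings\\Temp|Temp)\\", re.I)
SYSROOT_ROOT_RE = re.compile(r"^[A-Z]:\\(WINNT|WINDOWS)\\[^\\]+\.(exe|dll)$", re.I)
THRESHOLD = 2


@dataclass
class Finding:
    key: str
    name: str
    path: str
    score: int
    reasons: list


def parse_loading_points(text):
    """Yield (key, value_name, path) for each entry. A bare file name under
    a winlogon\\notify\\<sub> key is that package's DLL."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            yield key, m.group("name"), m.group("path").strip()
        elif "\\winlogon\\notify\\" in key.lower() and line.lower().endswith(".dll"):
            yield key, key.rsplit("\\", 1)[-1], line


def looks_random(basename):
    """Weak signal: a letter-only stem with almost no vowels, or mixed case
    after the first letter (lqhaxynq, urqNHWqr). Noisy on its own."""
    stem = basename.rsplit(".", 1)[0]
    if len(stem) < 6 or not stem.isalpha():
        return False
    vowels = sum(c in "aeiouAEIOU" for c in stem)
    rest = stem[1:]
    mixed = rest != rest.lower() and rest != rest.upper()
    return vowels / len(stem) < 0.2 or mixed


def score_key(key, path):
    """Strong signals from where the entry is registered."""
    pts, reasons = 0, []
    k = key.lower()
    if k.endswith("\\policies\\explorer\\run"):
        pts += 2
        reasons.append("Explorer policy Run key (uncommon autostart location)")
    if "\\winlogon\\notify\\" in k:
        if path.rsplit("\\", 1)[-1].lower() not in STOCK_NOTIFY_DLLS:
            pts += 2
            reasons.append("non-stock Winlogon Notify DLL (loads into winlogon.exe)")
    return pts, reasons


def score_path(path):
    """Strong signals from where the binary lives, plus the weak name signal."""
    pts, reasons = 0, []
    base = path.rsplit("\\", 1)[-1]
    if WRITABLE_DIR_RE.search(path):
        pts += 2
        reasons.append("binary in user-writable data/temp directory")
    if SYSROOT_ROOT_RE.match(path) and base.lower() not in SYSROOT_ALLOW:
        pts += 2
        reasons.append("binary directly in %SystemRoot% rather than system32")
    if looks_random(base):
        pts += 1
        reasons.append("random-looking file name")
    return pts, reasons


def triage(text):
    """Return Findings for every entry whose combined score reaches THRESHOLD."""
    findings = []
    for key, name, path in parse_loading_points(text):
        p1, r1 = score_key(key, path)
        p2, r2 = score_path(path)
        if p1 + p2 >= THRESHOLD:
            findings.append(Finding(key, name, path, p1 + p2, r1 + r2))
    return findings


def suspicious_path(path):
    """Single-path check, e.g. for a file an AV scan reports."""
    return score_path(path)[0] >= THRESHOLD


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.score}] {f.name} -> {f.path}")
        for r in f.reasons:
            print("      -", r)
    print(suspicious_path(r"C:\WINNT\fqspogw.exe"))
```

Run against the sample, the two benign Run entries score 0 and 1 and are not reported, while the policy Run entry scores 5 and the Notify package 3. The thresholding is the point: a name that "looks random" is not evidence by itself, but a random name in a location where nothing legitimate should autostart is worth following up.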
#5 aznative77 (Topic Starter)

Posted 27 April 2008 - 06:31 PM
Thank you again. Following are my ComboFix and HiJackThis logs.

Mike

ComboFix 08-04-26.5 - Ray 04/27/2008 15:34:40.3 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.282 [GMT -7:00]
Running from: C:\Documents and Settings\Ray\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\apoxqwfv.exe
C:\WINNT\system32\dllcache\spoolsv.exe
C:\WINNT\system32\urqNHWqr.dll
C:\WINNT\vnbptxlf.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
.

2008-04-27 15:43 . 16,384 C:\WINNT\system32\Perflib_Perfdata_430.dat
2008-04-12 10:19 . 08-04-12 10:19 <DIR> d-------- C:\Deckard
2008-04-12 09:13 . 08-04-12 09:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-12 09:12 . 08-04-12 09:12 <DIR> d-a------ C:\WINNT\system32\Kaspersky Lab
2008-04-12 08:05 . 08-04-16 06:14 642,304 ---h----- C:\WINNT\ShellIconCache
2008-04-11 16:55 . 08-04-11 16:55 <DIR> d-------- C:\WINNT\ERUNT
2008-04-11 09:14 . 08-04-11 09:14 <DIR> d-------- C:\Documents and Settings\Ray\Application Data\TmpRecentIcons
2008-04-09 23:57 . 08-04-09 23:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\bovmhcny

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-11 21:02 2,652 ----a-w C:\WINNT\system32\tmp.reg
2008-04-05 16:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-03-19 09:26 1,644,080 ----a-w C:\WINNT\system32\WIN32K.SYS
2008-03-17 00:41 23,504 ----a-w C:\Documents and Settings\Ray\Application Data\GDIPFONTCACHEV1.DAT
2008-03-16 15:55 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-16 15:55 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-13 02:19 --------- d-----w C:\Program Files\Trend Micro
2008-03-11 20:48 --------- d-----w C:\Program Files\Eusing Free Registry Cleaner
2008-03-07 19:17 98,304 ----a-w C:\WINNT\fqspogw.exe
2008-03-02 00:52 --------- d-----w C:\Program Files\Uniblue
2008-03-02 00:52 --------- d-----w C:\Documents and Settings\Ray\Application Data\Uniblue
2008-02-19 17:08 236,304 ----a-w C:\WINNT\system32\GDI32.DLL
2008-02-15 18:17 575,488 ----a-w C:\WINNT\system32\WININET.DLL
2008-02-15 13:24 96,528 ----a-w C:\WINNT\system32\dnsrslvr.dll
2003-10-10 06:04 429,264 ----a-w C:\Program Files\AdbeRdr60_DLM_enu_full.exe
2003-10-10 06:00 267,472 ----a-w C:\Program Files\NSSetup.exe
2003-06-26 18:59 271 ---h--w C:\Program Files\desktop.ini
2003-06-26 18:59 21,952 ---h--w C:\Program Files\folder.htt
1999-12-07 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

------- Sigcheck -------

01-02-20 13:09 8192 d36a33c21eeed5a6c1daecb7c80a1909 C:\WINNT\system32\CTFMON.EXE
.
((((((((((((((((((((((((((((( snapshot@Tue 03-11-2008_21.03.54.70 )))))))))))))))))))))))))))))))))))))))))
.
+ 2003-10-18 04:48:14 1,612 -c--a-w C:\WINNT\$NtUninstallKB824141$\spuninst\spuninst.bat
+ 2005-12-21 08:00:00 2,390 ----a-w C:\WINNT\Downloaded Program Files\catalog.dat
+ 2005-12-21 08:00:00 1,957 ----a-w C:\WINNT\Downloaded Program Files\tinfl.dat
+ 2005-12-27 17:43:03 2,072 ----a-w C:\WINNT\Downloaded Program Files\vscanmsx.dat
- 2007-03-06 06:12:21 1,641,936 ------w C:\WINNT\Driver Cache\i386\win32k.sys
+ 2008-03-19 09:26:34 1,644,080 ------w C:\WINNT\Driver Cache\i386\win32k.sys
- 2000-08-31 15:00:00 163,328 ----a-w C:\WINNT\erdnt\Hiv-backup\ERDNT.EXE
+ 2005-10-21 03:02:28 163,328 ----a-w C:\WINNT\erdnt\Hiv-backup\ERDNT.EXE
+ 2005-10-21 03:02:28 163,328 ----a-w C:\WINNT\erdnt\subs\ERDNT.EXE
+ 2008-04-11 11:14:18 163,328 ----a-w C:\WINNT\ERUNT\SDFIX\ERDNT.EXE
+ 2008-04-12 00:16:46 4,132,864 ----a-w C:\WINNT\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-04-12 00:16:46 40,960 ----a-w C:\WINNT\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-04-11 11:14:18 163,328 ----a-w C:\WINNT\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-04-11 23:55:37 4,132,864 ----a-w C:\WINNT\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-04-11 23:55:37 40,960 ----a-w C:\WINNT\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2000-08-31 15:00:00 73,728 ----a-w C:\WINNT\fdsv.exe
+ 2000-08-31 15:00:00 80,412 ----a-w C:\WINNT\grep.exe
+ 2007-07-28 05:26:15 2,560 ----a-r C:\WINNT\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2003-06-26 23:43:47 2,560 ----a-r C:\WINNT\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2008-03-13 04:27:56 295,606 ----a-r C:\WINNT\Installer\{AC76BA86-7AD7-5464-3428-800000000003}\ARPPRODUCTICON.exe
+ 2003-06-26 22:48:04 2,678 ----a-w C:\WINNT\java\Packages\Data\KIUZPBRT.DAT
+ 2003-06-26 19:15:18 2,232 ----a-w C:\WINNT\java\Packages\Data\MZDVVBJX.DAT
+ 2003-06-26 18:59:35 2,474 ----a-w C:\WINNT\java\Packages\Data\NF39BFLV.DAT
+ 2003-06-26 22:48:01 2,678 ----a-w C:\WINNT\java\Packages\Data\NP317BHJ.DAT
+ 2003-06-26 22:48:00 2,678 ----a-w C:\WINNT\java\Packages\Data\R1NJVP7J.DAT
+ 2003-06-26 22:48:00 2,678 ----a-w C:\WINNT\java\Packages\Data\YPJBHBBR.DAT
+ 2003-06-26 22:48:00 2,678 ----a-w C:\WINNT\java\Packages\Data\ZLV75J13.DAT
+ 2000-08-31 15:00:00 98,816 ----a-w C:\WINNT\sed.exe
+ 2000-08-31 15:00:00 161,792 ----a-w C:\WINNT\swreg.exe
+ 2000-08-31 15:00:00 136,704 ----a-w C:\WINNT\swsc.exe
+ 2000-08-31 15:00:00 212,480 ----a-w C:\WINNT\swxcacls.exe
+ 1999-12-07 12:00:00 2,000 ----a-w C:\WINNT\system\KEYBOARD.DRV
+ 1999-12-07 12:00:00 2,032 ----a-w C:\WINNT\system\MOUSE.DRV
+ 1999-12-07 12:00:00 1,744 ----a-w C:\WINNT\system\SOUND.DRV
+ 1999-12-07 12:00:00 2,176 ----a-w C:\WINNT\system\VGA.DRV
- 2007-12-10 22:46:16 1,018,368 ----a-w C:\WINNT\system32\BROWSEUI.DLL
+ 2008-02-15 21:55:04 1,018,368 ----a-w C:\WINNT\system32\BROWSEUI.DLL
- 2007-12-10 22:46:22 143,360 ----a-w C:\WINNT\system32\CDFVIEW.DLL
+ 2008-02-15 21:55:10 143,360 ----a-w C:\WINNT\system32\CDFVIEW.DLL
- 2007-10-11 05:13:44 1,054,208 ----a-w C:\WINNT\system32\DANIM.DLL
+ 2007-12-07 00:07:12 1,054,208 ----a-w C:\WINNT\system32\DANIM.DLL
- 2007-12-10 22:46:16 1,018,368 -c--a-w C:\WINNT\system32\dllcache\BROWSEUI.DLL
+ 2008-02-15 21:55:04 1,018,368 -c--a-w C:\WINNT\system32\dllcache\BROWSEUI.DLL
- 2007-12-10 22:46:22 143,360 -c--a-w C:\WINNT\system32\dllcache\CDFVIEW.DLL
+ 2008-02-15 21:55:10 143,360 -c--a-w C:\WINNT\system32\dllcache\CDFVIEW.DLL
- 2007-10-11 05:13:44 1,054,208 -c--a-w C:\WINNT\system32\dllcache\DANIM.DLL
+ 2007-12-07 00:07:12 1,054,208 -c--a-w C:\WINNT\system32\dllcache\DANIM.DLL
- 2006-07-06 11:45:32 137,488 -c--a-w C:\WINNT\system32\dllcache\dnsapi.dll
+ 2008-02-15 13:24:10 137,488 -c--a-w C:\WINNT\system32\dllcache\dnsapi.dll
- 2006-07-06 11:45:32 96,528 -c----w C:\WINNT\system32\dllcache\dnsrslvr.dll
+ 2008-02-15 13:24:10 96,528 -c----w C:\WINNT\system32\dllcache\dnsrslvr.dll
- 2007-12-10 19:38:42 351,744 -c--a-w C:\WINNT\system32\dllcache\DXTMSFT.DLL
+ 2008-02-15 18:16:30 351,744 -c--a-w C:\WINNT\system32\dllcache\DXTMSFT.DLL
- 2007-12-10 19:38:38 192,512 -c--a-w C:\WINNT\system32\dllcache\DXTRANS.DLL
+ 2008-02-15 18:16:28 192,512 -c--a-w C:\WINNT\system32\dllcache\DXTRANS.DLL
- 2007-06-26 09:57:10 235,280 -c--a-w C:\WINNT\system32\dllcache\GDI32.DLL
+ 2008-02-19 17:08:58 236,304 -c--a-w C:\WINNT\system32\dllcache\GDI32.DLL
- 2007-12-10 19:38:50 236,032 -c--a-w C:\WINNT\system32\dllcache\IEPEERS.DLL
+ 2008-02-15 18:16:34 236,032 -c--a-w C:\WINNT\system32\dllcache\IEPEERS.DLL
- 2007-12-10 19:38:54 69,632 -c--a-w C:\WINNT\system32\dllcache\INSENG.DLL
+ 2008-02-15 18:16:42 69,632 -c--a-w C:\WINNT\system32\dllcache\INSENG.DLL
- 2006-05-17 18:43:58 465,864 -c--a-w C:\WINNT\system32\dllcache\jscript.dll
+ 2008-01-05 10:05:56 458,752 -c--a-w C:\WINNT\system32\dllcache\jscript.dll
- 2007-12-10 19:39:14 12,288 -c--a-w C:\WINNT\system32\dllcache\JSPROXY.DLL
+ 2008-02-15 18:16:56 12,288 -c--a-w C:\WINNT\system32\dllcache\JSPROXY.DLL
+ 1999-12-07 12:00:00 2,000 -c--a-w C:\WINNT\system32\dllcache\keyboard.drv
+ 1999-12-07 12:00:00 2,032 -c--a-w C:\WINNT\system32\dllcache\mouse.drv
- 2007-12-10 19:38:46 2,705,408 -c--a-w C:\WINNT\system32\dllcache\MSHTML.DLL
+ 2008-02-15 18:16:38 2,705,408 -c--a-w C:\WINNT\system32\dllcache\MSHTML.DLL
- 2007-12-10 22:46:38 132,096 -c--a-w C:\WINNT\system32\dllcache\MSRATING.DLL
+ 2008-02-15 21:55:32 132,096 -c--a-w C:\WINNT\system32\dllcache\MSRATING.DLL
- 2007-12-10 19:38:36 498,176 -c--a-w C:\WINNT\system32\dllcache\MSTIME.DLL
+ 2008-02-15 18:16:28 498,176 -c--a-w C:\WINNT\system32\dllcache\MSTIME.DLL
+ 1999-12-07 12:00:00 2,800 -c--a-w C:\WINNT\system32\dllcache\null.sys
- 2007-12-10 19:38:44 34,816 -c--a-w C:\WINNT\system32\dllcache\PNGFILT.DLL
+ 2008-02-15 18:16:32 34,816 -c--a-w C:\WINNT\system32\dllcache\PNGFILT.DLL
- 2007-12-10 22:46:10 1,340,416 -c--a-w C:\WINNT\system32\dllcache\SHDOCVW.DLL
+ 2008-02-15 21:54:54 1,340,416 -c--a-w C:\WINNT\system32\dllcache\SHDOCVW.DLL
- 2007-12-10 22:46:02 402,944 -c--a-w C:\WINNT\system32\dllcache\SHLWAPI.DLL
+ 2008-02-15 21:54:48 402,944 -c--a-w C:\WINNT\system32\dllcache\SHLWAPI.DLL
+ 1999-12-07 12:00:00 1,744 -c--a-w C:\WINNT\system32\dllcache\sound.drv
- 2007-12-10 19:39:14 462,336 -c--a-w C:\WINNT\system32\dllcache\URLMON.DLL
+ 2008-02-15 18:16:54 462,848 -c--a-w C:\WINNT\system32\dllcache\URLMON.DLL
- 2002-02-26 22:58:06 462,906 -c--a-w C:\WINNT\system32\dllcache\vbscript.dll
+ 2008-01-05 10:05:56 401,408 -c--a-w C:\WINNT\system32\dllcache\vbscript.dll
+ 1999-12-07 12:00:00 2,176 -c--a-w C:\WINNT\system32\dllcache\vga.drv
- 2007-03-06 06:12:21 1,641,936 -c----w C:\WINNT\system32\dllcache\win32k.sys
+ 2008-03-19 09:26:34 1,644,080 -c----w C:\WINNT\system32\dllcache\win32k.sys
- 2007-12-10 19:39:18 575,488 -c--a-w C:\WINNT\system32\dllcache\WININET.DLL
+ 2008-02-15 18:17:00 575,488 -c--a-w C:\WINNT\system32\dllcache\WININET.DLL
+ 1999-12-07 12:00:00 2,864 -c--a-w C:\WINNT\system32\dllcache\winsock.dll
+ 1999-12-07 12:00:00 2,112 -c--a-w C:\WINNT\system32\dllcache\winspool.exe
+ 1999-12-07 12:00:00 2,768 -c--a-w C:\WINNT\system32\dllcache\wowdeb.exe
- 2006-07-06 11:45:32 137,488 ----a-w C:\WINNT\system32\dnsapi.dll
+ 2008-02-15 13:24:10 137,488 ----a-w C:\WINNT\system32\dnsapi.dll
+ 1999-09-25 10:35:34 2,896 ----a-w C:\WINNT\system32\drivers\audstub.sys
+ 1999-12-07 12:00:00 2,800 ----a-w C:\WINNT\system32\drivers\null.sys
+ 2001-02-12 22:02:42 2,271 ----a-w C:\WINNT\system32\drivers\wADV01nt.sys
- 2007-12-10 19:38:42 351,744 ----a-w C:\WINNT\system32\DXTMSFT.DLL
+ 2008-02-15 18:16:30 351,744 ----a-w C:\WINNT\system32\DXTMSFT.DLL
- 2007-12-10 19:38:38 192,512 ----a-w C:\WINNT\system32\DXTRANS.DLL
+ 2008-02-15 18:16:28 192,512 ----a-w C:\WINNT\system32\DXTRANS.DLL
- 2008-03-11 20:56:55 250,296 ----a-w C:\WINNT\system32\FNTCACHE.DAT
+ 2008-04-09 10:16:07 250,296 ----a-w C:\WINNT\system32\FNTCACHE.DAT
- 2007-12-10 19:38:50 236,032 ----a-w C:\WINNT\system32\IEPEERS.DLL
+ 2008-02-15 18:16:34 236,032 ----a-w C:\WINNT\system32\IEPEERS.DLL
- 2007-12-10 19:38:54 69,632 ----a-w C:\WINNT\system32\INSENG.DLL
+ 2008-02-15 18:16:42 69,632 ----a-w C:\WINNT\system32\INSENG.DLL
- 2006-05-17 18:43:58 465,864 ----a-w C:\WINNT\system32\jscript.dll
+ 2008-01-05 10:05:56 458,752 ----a-w C:\WINNT\system32\jscript.dll
- 2007-12-10 19:39:14 12,288 ----a-w C:\WINNT\system32\JSPROXY.DLL
+ 2008-02-15 18:16:56 12,288 ----a-w C:\WINNT\system32\JSPROXY.DLL
+ 2005-05-24 19:27:16 213,048 ----a-w C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 22:47:20 94,208 ----a-w C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 22:49:54 950,272 ----a-w C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 1999-12-07 12:00:00 2,000 ----a-w C:\WINNT\system32\keyboard.drv
+ 2004-05-14 23:53:08 57,344 ----a-w C:\WINNT\system32\lfbmp13n.dll
+ 2004-05-14 23:53:08 401,408 ----a-w C:\WINNT\system32\lfcmp13n.dll
+ 2003-11-04 22:10:40 69,632 ----a-w C:\WINNT\system32\lfgif13n.dll
+ 2004-05-14 23:53:10 299,008 ----a-w C:\WINNT\system32\ltdis13n.dll
+ 2004-01-12 09:09:42 206,336 ----a-w C:\WINNT\system32\ltefx13n.dll
+ 2004-05-14 23:53:10 163,840 ----a-w C:\WINNT\system32\ltfil13n.dll
+ 2004-05-14 23:53:12 450,560 ----a-w C:\WINNT\system32\ltimg13n.dll
+ 2004-05-14 23:53:12 462,848 ----a-w C:\WINNT\system32\ltkrn13n.dll
+ 1999-12-07 12:00:00 2,032 ----a-w C:\WINNT\system32\mouse.drv
- 2008-02-04 23:09:46 18,214,008 ----a-w C:\WINNT\system32\MRT.exe
+ 2008-04-06 05:56:20 19,836,024 ----a-w C:\WINNT\system32\MRT.exe
- 2007-12-10 19:38:46 2,705,408 ----a-w C:\WINNT\system32\MSHTML.DLL
+ 2008-02-15 18:16:38 2,705,408 ----a-w C:\WINNT\system32\MSHTML.DLL
- 2007-12-10 22:46:38 132,096 ----a-w C:\WINNT\system32\MSRATING.DLL
+ 2008-02-15 21:55:32 132,096 ----a-w C:\WINNT\system32\MSRATING.DLL
- 2007-12-10 19:38:36 498,176 ----a-w C:\WINNT\system32\MSTIME.DLL
+ 2008-02-15 18:16:28 498,176 ----a-w C:\WINNT\system32\MSTIME.DLL
+ 1999-12-07 12:00:00 2,656 ----a-w C:\WINNT\system32\netware.drv
- 2008-01-21 02:45:48 61,572 ----a-w C:\WINNT\system32\perfc009.dat
+ 2008-03-16 02:56:30 61,572 ----a-w C:\WINNT\system32\perfc009.dat
- 2008-01-21 02:45:48 395,102 ----a-w C:\WINNT\system32\perfh009.dat
+ 2008-03-16 02:56:30 395,102 ----a-w C:\WINNT\system32\perfh009.dat
- 2007-12-10 19:38:44 34,816 ----a-w C:\WINNT\system32\PNGFILT.DLL
+ 2008-02-15 18:16:32 34,816 ----a-w C:\WINNT\system32\PNGFILT.DLL
- 2007-12-10 22:46:10 1,340,416 ----a-w C:\WINNT\system32\SHDOCVW.DLL
+ 2008-02-15 21:54:54 1,340,416 ----a-w C:\WINNT\system32\SHDOCVW.DLL
- 2007-12-10 22:46:02 402,944 ----a-w C:\WINNT\system32\SHLWAPI.DLL
+ 2008-02-15 21:54:48 402,944 ----a-w C:\WINNT\system32\SHLWAPI.DLL
+ 1999-12-07 12:00:00 1,744 ----a-w C:\WINNT\system32\sound.drv
- 2007-12-06 02:56:54 13,536 ------w C:\WINNT\system32\spmsg.dll
+ 2005-10-13 18:24:56 13,536 ----a-w C:\WINNT\system32\spmsg.dll
- 2007-12-10 19:39:14 462,336 ----a-w C:\WINNT\system32\URLMON.DLL
+ 2008-02-15 18:16:54 462,848 ----a-w C:\WINNT\system32\URLMON.DLL
- 2002-02-26 22:58:06 462,906 ----a-w C:\WINNT\system32\vbscript.dll
+ 2008-01-05 10:05:56 401,408 ----a-w C:\WINNT\system32\vbscript.dll
+ 1999-12-07 12:00:00 2,176 ----a-w C:\WINNT\system32\vga.drv
+ 1999-12-07 12:00:00 2,864 ----a-w C:\WINNT\system32\winsock.dll
+ 1999-12-07 12:00:00 2,112 ----a-w C:\WINNT\system32\winspool.exe
+ 1999-12-07 12:00:00 2,768 ----a-w C:\WINNT\system32\wowdeb.exe
+ 2000-08-31 15:00:00 49,152 ----a-w C:\WINNT\VFind.exe
+ 2000-08-31 15:00:00 68,096 ----a-w C:\WINNT\zip.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 8192 C:\WINNT\system32\CTFMON.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 111376 C:\WINNT\system32\mobsync.exe]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [03-09-13 21:36 50688]
"HPDJ Taskbar Utility"="C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb12.exe" [05-03-07 21:42 176128]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [05-05-11 23:12 49152]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [06-12-28 23:52 3429904]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [06-07-07 16:14 576320]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [06-07-07 16:15 600896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [08-01-20 18:03 98304]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [08-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05 186640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Sony Handheld\HOTSYNC.EXE [2002-08-09 15:36:20 299008]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 15:04:48 176128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"l6a9siGCaw"= C:\Documents and Settings\All Users\Application Data\bovmhcny\lqhaxynq.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqNHWqr]
urqNHWqr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

R0 SonyCLDK;Memory Stick Driver(SonyCLDK);C:\WINNT\system32\DRIVERS\SonyCLDK.sys [01-01-19 20:50 ]
R2 BCMNTIO;BCMNTIO;C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys [04-03-05 17:09 ]
R2 MAPMEM;MAPMEM;C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys [04-03-05 17:09 ]
R2 ousbehci;NEC PCI to USB Enhanced Host Controller;C:\WINNT\system32\Drivers\ousbehci.sys [02-11-15 15:54 ]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [07-01-04 14:38 ]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys [99-10-23 05:22 ]
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys [03-06-19 12:05 ]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\ousb2hub.sys [02-11-15 15:54 ]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINNT\system32\DRIVERS\usbprint.sys [03-06-19 12:05 ]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 15:44:03
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-27 16:22:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-27 23:20:53
ComboFix2.txt 2008-03-12 04:04:36
ComboFix3.txt 2008-03-11 19:44:12

Pre-Run: 8,271,851,520 bytes free
Post-Run: 8,250,654,720 bytes free

269 --- E O F --- 2008-04-09 10:08:29


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:26:54 PM, on 4/27/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [l6a9siGCaw] C:\Documents and Settings\All Users\Application Data\bovmhcny\lqhaxynq.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Convert for CLIÉ - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: View All Originals On Page - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O8 - Extra context menu item: View Original Image - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1205458564060
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1187931161401
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp...psi/Coupons.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com/components/ocx/autopr.../autopricer.cab
O20 - Winlogon Notify: urqNHWqr - urqNHWqr.dll (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7803 bytes

#6 RenatoMejias

RenatoMejias

  • Malware Response Team
  • 913 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:04 AM

Posted 29 April 2008 - 07:59 PM

Hi :thumbsup:.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINNT\fqspogw.exe
C:\Documents and Settings\All Users\Application Data\bovmhcny\lqhaxynq.exe
Folder::
C:\Documents and Settings\All Users\Application Data\bovmhcny
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"l6a9siGCaw"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqNHWqr]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Renato Victor Mejias
Malware help in portuguese
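Added as an illustration (not code from this thread, nor from the HijackThis or ComboFix authors): a Python triage script for the two HijackThis entry types the CFScript above removes, an O4 autostart under Policies\Explorer\Run launched from a user-writable directory and an O20 Winlogon Notify entry whose DLL is missing, which then drafts the matching File::/Folder::/Registry:: stanzas for a helper to review. The sample lines are copied from the HJT log posted earlier; the flagging heuristics (the user-writable directory markers, the Policies\Explorer\Run rule) are my own assumptions, not HijackThis logic.

```python
"""Triage HijackThis O4/O20 lines and draft ComboFix CFScript stanzas for review."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [l6a9siGCaw] C:\Documents and Settings\All Users\Application Data\bovmhcny\lqhaxynq.exe
O20 - Winlogon Notify: urqNHWqr - urqNHWqr.dll (file missing)
"""

# HijackThis abbreviates "Software\Microsoft\Windows\CurrentVersion" as ".." in O4 lines.
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?$")
# Split "path args" where the path may be quoted or may contain unquoted spaces.
CMD_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|com|scr|bat|cmd))"?(?:\s+(?P<args>.*))?$', re.I)

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER", "HKUS": "HKEY_USERS"}
RUN_ROOT = "Software\\Microsoft\\Windows\\CurrentVersion"
WINLOGON_NOTIFY = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify"
# Heuristic (my assumption): autostarts launched from these user-writable trees deserve a look.
USER_WRITABLE_MARKERS = ("\\application data\\", "\\local settings\\", "\\temp\\")


@dataclass
class Finding:
    line: str                        # the HijackThis line that was flagged
    reason: str                      # why it was flagged
    file_path: str | None = None     # file to list under File:: (if any)
    reg_lines: tuple[str, ...] = ()  # lines to list under Registry::


def hjt_key_to_regpath(hive: str, key: str) -> str:
    """Expand an O4 hive/key pair such as ("HKUS\\.DEFAULT", "RunOnce") to a full registry path."""
    root, _, rest = hive.partition("\\")
    full = HIVES.get(root, root) + ("\\" + rest if rest else "")
    return f"{full}\\{RUN_ROOT}\\{key}"


def triage_o4(m: re.Match) -> Finding | None:
    cmd = CMD_RE.match(m["cmd"])
    path = cmd["path"] if cmd else m["cmd"]
    reasons = []
    if "policies\\explorer\\run" in m["key"].lower():
        reasons.append("Policies\\Explorer\\Run autostart, rarely used by legitimate software")
    if any(marker in path.lower() for marker in USER_WRITABLE_MARKERS):
        reasons.append("executable lives in a user-writable data directory")
    if not reasons:
        return None
    return Finding(line=m.string, reason="; ".join(reasons), file_path=path,
                   reg_lines=(f"[{hjt_key_to_regpath(m['hive'], m['key'])}]", f'"{m["name"]}"=-'))


def triage_o20(m: re.Match) -> Finding | None:
    if not m["missing"]:
        return None  # a DLL that still exists needs a hash lookup, not automatic removal
    return Finding(line=m.string,
                   reason="Winlogon Notify package whose DLL no longer exists on disk",
                   reg_lines=(f"[-{WINLOGON_NOTIFY}\\{m['name']}]",))


def triage_hjt_log(text: str) -> list[Finding]:
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        f = triage_o4(m) if m else None
        if f is None:
            m = O20_RE.match(line)
            f = triage_o20(m) if m else None
        if f is not None:
            findings.append(f)
    return findings


def draft_cfscript(findings: list[Finding]) -> str:
    """Render File::/Folder::/Registry:: stanzas in the CFScript layout used in the thread."""
    files, folders, reg = [], [], []
    for f in findings:
        if f.file_path and "\\" in f.file_path:           # skip bare names such as ctfmon.exe
            files.append(f.file_path)
            parent = ntpath.dirname(f.file_path)
            if "\\application data\\" in parent.lower():  # dropper subfolder, e.g. ...\bovmhcny
                folders.append(parent)
        reg.extend(f.reg_lines)
    out = []
    for header, items in (("File::", files), ("Folder::", folders), ("Registry::", reg)):
        if items:
            out += [header, *items]
    return "\n".join(out)


if __name__ == "__main__":
    found = triage_hjt_log(SAMPLE_HJT_LOG)
    for f in found:
        print(f"FLAG: {f.line}\n      {f.reason}")
    print("\n--- draft CFScript.txt (review before use) ---")
    print(draft_cfscript(found))
```

The draft is a starting point only: a helper still has to confirm each path (here the C:\WINNT\fqspogw.exe from the ComboFix log is not an HJT entry and would be added by hand).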

#7 aznative77

aznative77
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:04 PM

Posted 01 May 2008 - 07:28 PM

Thank you for all of your help. Below is the combofix log and a new HJT log. Is that it? Do I need to do anything else?

Thank you again and I really appreciate your help.

Mike

ComboFix 08-04-26.5 - Ray 04/30/2008 17:59:58.4 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.217 [GMT -7:00]
Running from: C:\Documents and Settings\Ray\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ray\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\All Users\Application Data\bovmhcny\lqhaxynq.exe
C:\WINNT\fqspogw.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\bovmhcny
C:\Documents and Settings\All Users\Application Data\bovmhcny\lqhaxynq.exe
C:\WINNT\fqspogw.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-01 to 2008-05-01 )))))))))))))))))))))))))))))))
.

2008-04-30 18:00 . 04/30/08 06:00p 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_3a0.dat
2008-04-12 10:19 . 04/12/08 10:19a <DIR> d-------- C:\Deckard
2008-04-12 09:13 . 04/12/08 09:13a <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-12 09:12 . 04/12/08 09:12a <DIR> d-a------ C:\WINNT\system32\Kaspersky Lab
2008-04-12 08:05 . 04/16/08 06:14a 642,304 ---h----- C:\WINNT\ShellIconCache
2008-04-11 16:55 . 04/11/08 04:55p <DIR> d-------- C:\WINNT\ERUNT
2008-04-11 09:14 . 04/11/08 09:14a <DIR> d-------- C:\Documents and Settings\Ray\Application Data\TmpRecentIcons

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-11 21:02 2,652 ----a-w C:\WINNT\system32\tmp.reg
2008-04-05 16:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-03-19 09:26 1,644,080 ----a-w C:\WINNT\system32\WIN32K.SYS
2008-03-17 00:41 23,504 ----a-w C:\Documents and Settings\Ray\Application Data\GDIPFONTCACHEV1.DAT
2008-03-16 15:55 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-16 15:55 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-13 02:19 --------- d-----w C:\Program Files\Trend Micro
2008-03-11 20:48 --------- d-----w C:\Program Files\Eusing Free Registry Cleaner
2008-03-02 00:52 --------- d-----w C:\Program Files\Uniblue
2008-03-02 00:52 --------- d-----w C:\Documents and Settings\Ray\Application Data\Uniblue
2008-02-19 17:08 236,304 ----a-w C:\WINNT\system32\GDI32.DLL
2008-02-15 18:17 575,488 ----a-w C:\WINNT\system32\WININET.DLL
2008-02-15 13:24 96,528 ----a-w C:\WINNT\system32\dnsrslvr.dll
2003-10-10 06:04 429,264 ----a-w C:\Program Files\AdbeRdr60_DLM_enu_full.exe
2003-10-10 06:00 267,472 ----a-w C:\Program Files\NSSetup.exe
2003-06-26 18:59 271 ---h--w C:\Program Files\desktop.ini
2003-06-26 18:59 21,952 ---h--w C:\Program Files\folder.htt
1999-12-07 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

------- Sigcheck -------

02/20/01 01:09p 8192 d36a33c21eeed5a6c1daecb7c80a1909 C:\WINNT\system32\CTFMON.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [02/20/01 01:09p 8192 C:\WINNT\system32\CTFMON.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 12:05p 111376 C:\WINNT\system32\mobsync.exe]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [09/13/03 09:36p 50688]
"HPDJ Taskbar Utility"="C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb12.exe" [03/07/05 09:42p 176128]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [05/11/05 11:12p 49152]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [12/28/06 11:52p 3429904]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [07/07/06 04:14p 576320]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [07/07/06 04:15p 600896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/20/08 06:03p 98304]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/08 10:16p 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [06/19/03 12:05p 186640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Sony Handheld\HOTSYNC.EXE [2002-08-09 15:36:20 299008]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 15:04:48 176128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

R0 SonyCLDK;Memory Stick Driver(SonyCLDK);C:\WINNT\system32\DRIVERS\SonyCLDK.sys [01/19/01 08:50p]
R2 BCMNTIO;BCMNTIO;C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys [03/05/04 05:09p]
R2 MAPMEM;MAPMEM;C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys [03/05/04 05:09p]
R2 ousbehci;NEC PCI to USB Enhanced Host Controller;C:\WINNT\system32\Drivers\ousbehci.sys [11/15/02 03:54p]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [01/04/07 02:38p]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys [10/23/99 05:22a]
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys [06/19/03 12:05p]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\ousb2hub.sys [11/15/02 03:54p]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINNT\system32\DRIVERS\usbprint.sys [06/19/03 12:05p]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 18:03:51
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 04/30/2008 18:09:10
ComboFix-quarantined-files.txt 2008-05-01 01:08:00
ComboFix2.txt 2008-04-27 23:22:35
ComboFix3.txt 2008-03-12 04:04:36
ComboFix4.txt 2008-03-11 19:44:12

Pre-Run: 8,480,321,536 bytes free
Post-Run: 8,466,059,264 bytes free

100 --- E O F --- 2008-04-09 10:08:29


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:39 PM, on 5/1/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Convert for CLIÉ - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: View All Originals On Page - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O8 - Extra context menu item: View Original Image - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1205458564060
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1187931161401
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp...psi/Coupons.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com/components/ocx/autopr.../autopricer.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7376 bytes

#8 RenatoMejias

RenatoMejias

  • Malware Response Team
  • 913 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:04 AM

Posted 04 May 2008 - 10:38 AM

Hi :thumbsup:.

I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.


Viewpoint Manager is considered foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad".
This may change, read Viewpoint to Plunge Into Adware.

I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player).

Next step,

Start HijackThis, close all open windows leaving only HijackThis running. Click on Do a system scan only. Place a check against each of the following:

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp...psi/Coupons.cab


Click on Fix Checked when finished and exit HijackThis.

Next step,

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK.
  • Now under Select a target to scan: select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, it will display whether your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Renato Victor Mejias
Malware help in portuguese

#9 aznative77

aznative77
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:04 PM

Posted 06 May 2008 - 11:31 AM

Thanks again for all of your help. I'll pass this information on to my friend, but think that I'll leave it installed for now. If he changes his mind I will do as you have instructed. Thank you again and again for all of your help. You're the best!

Mike

#10 RenatoMejias

RenatoMejias

  • Malware Response Team
  • 913 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:04 AM

Posted 07 May 2008 - 08:50 PM

Awaiting the result of kaspersky online scanner. :thumbsup:
Renato Victor Mejias
Malware help in portuguese

#11 aznative77

aznative77
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:04 PM

Posted 09 May 2008 - 07:29 AM

KASPERSKY ONLINE SCANNER REPORT
Friday, May 09, 2008 5:26:34 AM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/05/2008
Kaspersky Anti-Virus database records: 748843


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 46814
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
Duration of the scan process 01:33:35

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Default User\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Ray\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Ray\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Ray\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Ray\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Ray\Local Settings\History\History.IE5\MSHist012008050820080509\index.dat Object is locked skipped

C:\Documents and Settings\Ray\Local Settings\Temp\hpodvd09.log Object is locked skipped

C:\Documents and Settings\Ray\Local Settings\Temp\me_5tYj4BsZJdY9RFZ Object is locked skipped

C:\Documents and Settings\Ray\Local Settings\Temp\me_bQiWmdmvu3c0H2Z Object is locked skipped

C:\Documents and Settings\Ray\Local Settings\Temp\me_cIVdX1HUbk5CXoD Object is locked skipped

C:\Documents and Settings\Ray\Local Settings\Temp\me_i0tfKwjbwRwfOpD Object is locked skipped

C:\Documents and Settings\Ray\Local Settings\Temp\me_LMh8wpVdJzUI7gg Object is locked skipped

C:\Documents and Settings\Ray\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Ray\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Ray\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Kodak\Kodak EasyShare software\bin\Catalog\EasyShare.me Object is locked skipped

C:\Program Files\Kodak\Kodak EasyShare software\bin\Catalog\EasyShare.mm Object is locked skipped

C:\WINNT\CSC\00000001 Object is locked skipped

C:\WINNT\Debug\ipsecpa.log Object is locked skipped

C:\WINNT\Debug\oakley.log Object is locked skipped

C:\WINNT\Debug\PASSWD.LOG Object is locked skipped

C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINNT\Sti_Trace.log Object is locked skipped

C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped

C:\WINNT\system32\config\default Object is locked skipped

C:\WINNT\system32\config\default.LOG Object is locked skipped

C:\WINNT\system32\config\SAM Object is locked skipped

C:\WINNT\system32\config\SAM.LOG Object is locked skipped

C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped

C:\WINNT\system32\config\SECURITY Object is locked skipped

C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped

C:\WINNT\system32\config\software Object is locked skipped

C:\WINNT\system32\config\software.LOG Object is locked skipped

C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped

C:\WINNT\system32\config\system Object is locked skipped

C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped

C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.

#12 RenatoMejias

RenatoMejias

  • Malware Response Team
  • 913 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:04 AM

Posted 10 May 2008 - 07:59 AM

Hi,

Your log is clean! Great job!

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
Next,

This process will clean out your Temp files and your Temporary Internet Files. Please do these eight steps:

Step 1: Delete Temp Files
To clean out your temp files, click on Start and then Run, type %temp% and press the OK button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Step 3: Use an AntiVirus Software
It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources

Step 4: Update your AntiVirus Software
It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Step 5: Use a Firewall
I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls

Step 6: Visit Microsoft's Windows Update Site Frequently
It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Step 7: Install an Anti-Spyware software
It is very important to be safe. Look at this list and choose one to install:

Virus, Spyware, and Malware Protection and Removal Resources

Step 8: Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help, and if there are any other problems related to your computer please feel free to post them in the appropriate forum.

Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

Renato Victor Mejias
Malware help in Portuguese
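Step 1 above is easy to get wrong by hand when a program still has a temp file open. As an added example that is not part of the thread or the helper's instructions, the following PowerShell script (function name `Clear-UserTempFolder` is hypothetical; it assumes PowerShell 3.0 or later) deletes everything under the same %TEMP% folder the "run %temp%" step opens, skips anything that is locked instead of aborting, and reports the skipped paths so they can be retried after a reboot into Safe Mode.

```powershell
# Added example, not code from the thread. Clears the user's %TEMP% folder as
# Step 1 describes: delete what can be deleted, skip locked files, report them.
# Function name is hypothetical; assumes PowerShell 3.0 or later.
function Clear-UserTempFolder {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Folder to clean; defaults to the same %TEMP% that "Start > Run > %temp%" opens.
        [string]$Path = $env:TEMP
    )

    $deleted = New-Object System.Collections.Generic.List[string]
    $skipped = New-Object System.Collections.Generic.List[string]

    # -Force includes hidden and read-only items. Sorting deepest path first means
    # files are removed before the directories that contain them.
    $items = Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Sort-Object -Property FullName -Descending

    foreach ($item in $items) {
        # -WhatIf on the function turns this into a dry run that only lists targets.
        if ($PSCmdlet.ShouldProcess($item.FullName, 'Delete')) {
            try {
                Remove-Item -LiteralPath $item.FullName -Force -Recurse:$item.PSIsContainer -ErrorAction Stop
                $deleted.Add($item.FullName)
            } catch {
                # Files held open by a running program (or directories that still
                # contain one) fail here; the thread's advice is to skip them now
                # and retry after rebooting into Safe Mode.
                $skipped.Add($item.FullName)
            }
        }
    }

    # Summary object: counts plus the exact paths that need the Safe Mode retry.
    [pscustomobject]@{
        Path         = $Path
        Deleted      = $deleted.Count
        Skipped      = $skipped.Count
        SkippedPaths = $skipped
    }
}

# Preview first, then run for real and list anything that was locked.
Clear-UserTempFolder -WhatIf
$report = Clear-UserTempFolder
$report.SkippedPaths | ForEach-Object { Write-Warning "Locked, retry in Safe Mode: $_" }
```

Run it from the account whose %TEMP% you want cleaned, since each user has their own temp folder.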

#13 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • Gender:Male
  • Location:Boston Mass

Posted 14 May 2008 - 09:04 PM

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.
