This Explorer.exe Overrun Error


  • This topic is locked
4 replies to this topic

#1 Scazza


Posted 30 April 2008 - 09:52 AM

Hi People,

I have read on this forum about people having it when they open an IE browser: it also tries to open another page starting with a 89 address. I have also got this, so I ran HijackThis as everyone else seems to have done, and here is the output. Any recommendations welcome.

Deckard's System Scanner v20071014.68
Run by mscarrow on 2008-05-01 07:55:08
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
118: 2008-05-01 06:55:11 UTC - RP118 - Deckard's System Scanner Restore Point
117: 2008-04-30 16:19:54 UTC - RP117 - System Checkpoint
116: 2008-04-29 15:56:55 UTC - RP116 - System Checkpoint
115: 2008-04-28 15:25:10 UTC - RP115 - System Checkpoint
114: 2008-04-25 08:41:41 UTC - RP114 - Installed VMware Server


-- First Restore Point --
1: 2008-04-19 03:13:00 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as mscarrow.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:56:44, on 01/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Fontwise 2 Client\fwcwchdg.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\Program Files\Fontwise 2 Client\fw_client.exe
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\Program Files\VMware\VMware Server\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\LANDesk\LDClient\vulScan.exe
C:\Documents and Settings\mscarrow\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\mscarrow.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.cambridge.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.cambridge.org
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {79E77489-4DA7-4A14-BAA4-F4EB49EE2B85} - C:\WINDOWS\system32\pmnmmJdA.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {C3E15DFE-D990-4C3F-9BE2-4CF4E3E007CE} - C:\WINDOWS\system32\geBtQkjJ.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: pl15w2sp.dll
O10 - Unknown file in Winsock LSP: pl15w2sp.dll
O10 - Unknown file in Winsock LSP: pl15w2sp.dll
O10 - Unknown file in Winsock LSP: pl15w2sp.dll
O10 - Unknown file in Winsock LSP: pl15w2sp.dll
O10 - Unknown file in Winsock LSP: pl15w2sp.dll
O14 - IERESET.INF: START_PAGE_URL=http://intranet.cambridge.org
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://camplace.cup.cam.ac.uk/qp2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200926651078
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200926784812
O16 - DPF: {B996510E-30C9-4083-ADB9-9FD3760D689D} (APC InfraStruXure Manager Client Control) - http://131.111.154.170/ApcIsxInstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.cambridge.org
O17 - HKLM\Software\..\Telephony: DomainName = ad.cambridge.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{719BBF66-CD13-40D1-BA4E-529BF775048A}: NameServer = 131.111.154.92
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.cambridge.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cup.cam.ac.uk,cambridge.org,internal
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cup.cam.ac.uk,cambridge.org,internal
O20 - Winlogon Notify: geBtQkjJ - geBtQkjJ.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Intel® Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: LANDesk® Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Fontwise Client Watchdog (FwClientWatchdog) - Monotype Imaging Ltd - C:\Program Files\Fontwise 2 Client\fwcwchdg.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel Alert Handler - LANDesk Software Ltd. - C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: Intel® Active Management Technology Local Management Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: LANDesk® Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Intel® Active Management Technology User Notification Service (UNS) - Intel - C:\Program Files\Intel\AMT\UNS.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 11314 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 VMnetBridge (VMware Bridge Protocol) - c:\windows\system32\drivers\vmnetbridge.sys <Not Verified; VMware, Inc.; VMware bridge driver (32-bit)>
R2 VMnetuserif (VMware Network Application Interface) - c:\windows\system32\drivers\vmnetuserif.sys <Not Verified; VMware, Inc.; VMware network application interface driver (32-bit)>
R2 VMparport (VMware VMparport) - c:\windows\system32\drivers\vmparport.sys <Not Verified; VMware, Inc.; VMware parallel port driver>
R2 vmx86 (VMware vmx86) - c:\windows\system32\drivers\vmx86.sys <Not Verified; VMware, Inc.; VMware kernel driver>
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
S1 OMCI - c:\windows\system32\drivers\omci.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 CBA8 (LANDesk® Management Agent) - "c:\program files\landesk\shared files\residentagent.exe" <Not Verified; LANDesk Software, Ltd.; LANDesk® Management Agent>
R2 FwClientWatchdog (Fontwise Client Watchdog) - c:\program files\fontwise 2 client\fwcwchdg.exe <Not Verified; Monotype Imaging Ltd; Fontwise>
R2 Intel Alert Handler - c:\windows\system32\ams_ii\hndlrsvc.exe <Not Verified; LANDesk Software Ltd.; Intel Alert Management System 2>
R2 Intel Local Scheduler Service - "c:\program files\landesk\ldclient\localsch.exe" <Not Verified; LANDesk Software, Ltd.; LANDesk Software>
R2 Intel PDS - c:\windows\system32\cba\pds.exe <Not Verified; LANDesk Software Ltd.; Intel Common Base Agent>
R2 Intel Targeted Multicast (LANDesk Targeted Multicast) - c:\program files\landesk\ldclient\tmcsvc.exe <Not Verified; LANDesk Software, Ltd.; LANDesk Software>
R2 ISSUSER (LANDesk Remote Control Service) - c:\progra~1\landesk\ldclient\issuser.exe /service <Not Verified; LANDesk Software, Ltd.; LANDesk Software>
R2 Softmon (LANDesk® Software Monitoring Service) - "c:\program files\landesk\ldclient\softmon.exe" <Not Verified; LANDesk Software, Ltd.; LANDesk Software>
R2 VMAuthdService (VMware Authorization Service) - "c:\program files\vmware\vmware server\vmware-authd.exe" <Not Verified; VMware, Inc.; VMware Server>
R2 VMnetDHCP (VMware DHCP Service) - c:\windows\system32\vmnetdhcp.exe <Not Verified; VMware, Inc.; VMware Server>
R2 vmserverdWin32 (VMware Registration Service) - c:\program files\vmware\vmware server\vmserverdwin32.exe <Not Verified; VMware, Inc.; VMware Server>
R2 VMware NAT Service - c:\windows\system32\vmnat.exe <Not Verified; VMware, Inc.; VMware Server>

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S3 HP Port Resolver - c:\windows\system32\spool\drivers\w32x86\3\hpbpro.exe <Not Verified; Hewlett-Packard Company; PortResolver Module>
S3 HP Status Server - c:\windows\system32\spool\drivers\w32x86\3\hpboid.exe <Not Verified; Hewlett-Packard Company; HP Status Server>
S3 stllssvr - "c:\program files\common files\surething shared\stllssvr.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-29 13:19:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-04-01 and 2008-05-01 -----------------------------

2008-05-01 07:54:18 0 d-------- H:\Deckard
2008-05-01 07:48:24 2731 --a------ C:\WINDOWS\system32\iqhooqsx.dll
2008-05-01 07:45:26 2731 --a------ C:\WINDOWS\system32\jwjgtanp.dll
2008-04-30 15:39:04 0 d-------- C:\Program Files\Trend Micro
2008-04-30 08:48:16 2731 --a------ C:\WINDOWS\system32\ahepsqpy.dll
2008-04-30 08:45:16 2731 --a------ C:\WINDOWS\system32\lktorymy.dll
2008-04-30 07:43:19 0 d-------- C:\Program Files\iPod
2008-04-30 07:39:51 0 d-------- C:\Program Files\Safari
2008-04-25 14:56:32 0 d-------- C:\Program Files\Virtual Earth 3D
2008-04-25 09:47:45 0 d-------- H:\My Virtual Machines
2008-04-25 09:42:58 106496 --a------ C:\WINDOWS\system32\vmnetdhcp.exe <Not Verified; VMware, Inc.; VMware Server>
2008-04-25 09:42:55 135168 --a------ C:\WINDOWS\system32\vmnat.exe <Not Verified; VMware, Inc.; VMware Server>
2008-04-25 09:42:55 15616 --a------ C:\WINDOWS\system32\drivers\vmnetuserif.sys <Not Verified; VMware, Inc.; VMware network application interface driver (32-bit)>
2008-04-25 09:42:52 364631 --a------ C:\WINDOWS\system32\vnetlib.dll <Not Verified; VMware, Inc.; VMware Server>
2008-04-25 09:42:07 0 d-------- C:\Program Files\Common Files\VMware
2008-04-25 09:41:54 0 d-------- C:\Program Files\VMware
2008-04-25 09:28:03 0 d-------- C:\Documents and Settings\mscarrow\Application Data\VMware
2008-04-25 09:21:09 0 d-------- C:\Documents and Settings\LocalService\Application Data\VMware
2008-04-25 09:14:31 0 d-------- C:\Documents and Settings\All Users\Application Data\VMware
2008-04-22 12:03:48 0 d-------- C:\Program Files\Common Files\xing shared
2008-04-22 12:03:26 0 d-------- C:\Program Files\Real
2008-04-22 12:03:23 0 d-------- C:\Program Files\Common Files\Real
2008-04-22 12:03:22 0 d-------- C:\Documents and Settings\mscarrow\Application Data\Real
2008-04-21 08:26:13 0 d-------- H:\PcSetup
2008-04-21 08:26:13 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-04-21 08:26:13 0 d-------- C:\Documents and Settings\mscarrow\Application Data\Vso
2008-04-21 08:26:13 47360 --a------ C:\Documents and Settings\mscarrow\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-04-21 08:26:10 626688 --a------ C:\WINDOWS\system32\vp7vfw.dll <Not Verified; On2.com; On2_VP70>
2008-04-21 08:26:10 217127 --a------ C:\WINDOWS\system32\drv43260.dll <Not Verified; RealNetworks, Inc.; RealVideo 9 (32-bit)>
2008-04-21 08:26:10 208935 --a------ C:\WINDOWS\system32\drv33260.dll <Not Verified; RealNetworks, Inc.; RealVideo 8 (32-bit)>
2008-04-21 08:26:10 176165 --a------ C:\WINDOWS\system32\drv23260.dll <Not Verified; RealNetworks, Inc.; RealVideo G2 (32-bit)>
2008-04-21 08:26:10 65602 --a------ C:\WINDOWS\system32\cook3260.dll <Not Verified; RealNetworks, Inc.; RealPlayer 10>
2008-04-21 08:26:08 0 d-------- C:\Program Files\VSO
2008-04-19 04:12:50 190165 --ahs---- C:\WINDOWS\system32\AdJmmnmp.ini2
2008-04-19 04:12:49 274432 --a------ C:\WINDOWS\system32\pmnmmJdA.dll
2008-04-18 15:25:26 0 d-------- C:\Program Files\Apex
2008-04-18 10:09:27 0 d-------- C:\Documents and Settings\mscarrow\Application Data\FinalBurner Video DVD
2008-04-18 08:45:48 0 d-------- C:\Documents and Settings\mscarrow\Application Data\gtk-2.0
2008-04-18 08:44:26 0 d-------- C:\Documents and Settings\mscarrow\avidemux
2008-04-17 09:02:03 0 d-------- C:\Documents and Settings\mscarrow\Application Data\Video DVD Maker FREE
2008-04-17 08:54:16 0 d-------- H:\CDBurnerXP Projects
2008-04-17 08:37:57 57344 --a------ C:\WINDOWS\uneng.exe <Not Verified; Roxio; Roxio Update Wizard>
2008-04-17 08:37:07 0 d-------- C:\Program Files\Common Files\Adaptec Shared
2008-04-17 08:05:52 0 d-------- C:\Documents and Settings\mscarrow\Application Data\WinRAR
2008-04-17 07:52:22 0 d-------- C:\Program Files\Easy MPEG AVI DIVX WMV RM to DVD
2008-04-10 09:01:36 0 d-------- C:\Program Files\SpliceCom
2008-04-03 12:28:42 0 d-------- C:\WINDOWS\system32\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-04-30 15:03:55 668 --a------ C:\Documents and Settings\mscarrow\Application Data\vso_ts_preview.xml
2008-04-30 07:43:37 0 d-------- C:\Program Files\iTunes
2008-04-30 07:42:23 0 d-------- C:\Program Files\QuickTime
2008-04-28 10:47:37 0 d-------- C:\Documents and Settings\mscarrow\Application Data\Sametime
2008-04-25 09:42:07 0 d-------- C:\Program Files\Common Files
2008-04-25 08:00:29 0 d-------- C:\Program Files\Apple Software Update
2008-04-23 10:56:56 0 d-------- C:\Program Files\Roxio
2008-04-23 10:56:56 0 d-------- C:\Program Files\Common Files\InstallShield
2008-04-23 10:55:51 0 d-------- C:\Program Files\Common Files\Roxio Shared
2008-04-21 08:26:17 34 --a------ C:\Documents and Settings\mscarrow\Application Data\pcouffin.log
2008-04-21 08:26:14 7887 --a------ C:\Documents and Settings\mscarrow\Application Data\pcouffin.cat
2008-04-21 08:26:13 1144 --a------ C:\Documents and Settings\mscarrow\Application Data\pcouffin.inf
2008-04-18 10:23:09 0 d-------- C:\Program Files\Bonjour
2008-04-16 09:44:07 0 d-------- C:\Program Files\Paint.NET
2008-04-03 12:30:08 0 d-------- C:\Documents and Settings\mscarrow\Application Data\Adobe
2008-03-28 16:12:13 0 d-------- C:\Program Files\Easy-IP
2008-03-25 11:00:11 0 d-------- C:\Program Files\Avanquest update
2008-03-25 11:00:10 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-25 10:59:29 0 d-------- C:\Program Files\Sony Ericsson
2008-03-25 10:59:21 0 d-------- C:\Documents and Settings\mscarrow\Application Data\InstallShield
2008-03-19 14:17:34 0 d-------- C:\Documents and Settings\mscarrow\Application Data\APC
2008-03-17 13:56:56 0 d-------- C:\Program Files\WinSCP
2008-03-17 10:46:21 0 d-------- C:\Documents and Settings\mscarrow\Application Data\Polycom
2008-03-17 10:45:16 0 d-------- C:\Program Files\Polycom
2008-03-07 12:01:13 0 d-------- C:\Documents and Settings\mscarrow\Application Data\Help
2008-02-15 15:19:12 1244927 --a------ C:\WINDOWS\FramePkg.exe <Not Verified; Network Associates, Inc.; McAfee Common Framework>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79E77489-4DA7-4A14-BAA4-F4EB49EE2B85}]
19/04/2008 04:12 274432 --a------ C:\WINDOWS\system32\pmnmmJdA.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C3E15DFE-D990-4C3F-9BE2-4CF4E3E007CE}]
C:\WINDOWS\system32\geBtQkjJ.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [05/06/2007 22:23]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [05/06/2007 22:23]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [05/06/2007 22:22]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [01/08/2007 15:52]
"atchk"="" []
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [16/10/2007 21:50]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [17/11/2006 14:39]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [08/06/2007 19:40]
"SDClientMonitor"="C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe" [28/08/2007 13:55]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" []
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" []
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [01/01/2007 22:22]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [04/08/2004 11:00]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 23:16]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [17/12/2002 12:28]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [22/04/2008 12:03]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [28/03/2008 23:37]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/03/2008 10:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 11:00]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 12:34]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [20/02/2008 17:19]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"=1 (0x1)
"ForceStartMenuLogOff"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C3E15DFE-D990-4C3F-9BE2-4CF4E3E007CE}"= C:\WINDOWS\system32\geBtQkjJ.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBtQkjJ]
geBtQkjJ.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnmmJdA

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2133147896-499326638-6498272-7066\Scripts\Logon\0\0]
"Script"=Cambridge.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2133147896-499326638-6498272-7066\Scripts\Logon\1\0]
"Script"=Cambridge.bat




-- End of Deckard's System Scanner: finished at 2008-05-01 07:59:43 ------------

Edited by Scazza, 01 May 2008 - 02:26 AM.



#2 Scazza


Posted 01 May 2008 - 02:27 AM

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 Duo CPU E6750 @ 2.66GHz
CPU 1: Intel® Core™2 Duo CPU E6750 @ 2.66GHz
Percentage of Memory in Use: 34%
Physical Memory (total/avail): 2004.54 MiB / 1322.04 MiB
Pagefile Memory (total/avail): 3896.98 MiB / 3434.07 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1928.34 MiB

C: is Fixed (NTFS) - 149.01 GiB total, 113.53 GiB free.
D: is CDROM (No Media)
H: is Network (NTFS)
J: is Network (NTFS)

\\.\PHYSICALDRIVE0 - WDC WD1600AAJS-75PSA0 - 149.01 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 149.01 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

AV: McAfee VirusScan Enterprise v8.5.0.781 (McAfee, Inc.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Fontwise 2 Client\\Fw_Client.exe"="C:\\Program Files\\Fontwise 2 Client\\Fw_Client.exe:*:Enabled:Monotype Fontwise 2 Client"
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"="C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX"
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"="C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program"
"C:\\WINDOWS\\system32\\cba\\pds.exe"="C:\\WINDOWS\\system32\\cba\\pds.exe:*:Enabled:LANDesk Ping Discovery Service"
"C:\\WINDOWS\\system32\\msgsys.exe"="C:\\WINDOWS\\system32\\msgsys.exe:*:Enabled:LANDesk Message Service"
"C:\\Program Files\\LANDesk\\LDClient\\issuser.exe"="C:\\Program Files\\LANDesk\\LDClient\\issuser.exe:*:Enabled:LANDesk Remote Control Agent"
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\PCS50\\PCS.exe"="C:\\Program Files\\PCS50\\PCS.exe:*:Enabled:PCS50 Application"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Klever\\Nothings\\PumpKIN.exe"="C:\\Program Files\\Klever\\Nothings\\PumpKIN.exe:*:Enabled:PumpKIN, tftp client/daemon"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Windows Explorer"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\Polycom\\PVX\\vvsys.exe"="C:\\Program Files\\Polycom\\PVX\\vvsys.exe:*:Enabled:vvsys Application"
"C:\\Program Files\\SpliceCom\\PCS60\\PCS60.exe"="C:\\Program Files\\SpliceCom\\PCS60\\PCS60.exe:*:Enabled:PCS50 Application"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"="C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe:*:Enabled:LANDesk® Management Agent"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Fontwise 2 Client\\Fw_Client.exe"="C:\\Program Files\\Fontwise 2 Client\\Fw_Client.exe:*:Enabled:Monotype Fontwise 2 Client"
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"="C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe:*:Enabled:LANDesk® Management Agent"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\mscarrow\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=IT10
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFLOGDIR=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
FP_NO_HOST_CHECK=NO
HOMEDRIVE=H:
HOMEPATH=\
HOMESHARE=\\userhome\i-z\mscarrow
JAVA_PLUGIN_WEBCONTROL_ENABLE=true
LDMS_LOCAL_DIR=C:\Program Files\LANDesk\LDClient\Data
LOGONSERVER=\\AD-WEST
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Adaptec Shared\System;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 11, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0b
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\mscarrow\LOCALS~1\Temp
TMP=C:\DOCUME~1\mscarrow\LOCALS~1\Temp
USERDNSDOMAIN=AD.CAMBRIDGE.ORG
USERDOMAIN=CAMBRIDGE
USERNAME=mscarrow
USERPROFILE=C:\Documents and Settings\mscarrow
VSEDEFLOGDIR=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

pmittonadmin (admin)
mscarrow (admin)
mscarrowadmin (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> MsiExec.exe /I{09715083-BF10-4834-9E28-B5D8820513CA}
--> MsiExec.exe /I{1E049668-AD90-4008-B213-E20CED2324DD}
--> MsiExec.exe /I{35103A8A-E9D8-40FA-AEC7-4D138952DB30}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Adonis Management Console --> "C:\Program Files\BlueCat Networks\Adonis\UninstallerData\Uninstall Adonis.exe"
APC InfraStruXure Manager Client v4.6.1 --> MsiExec.exe /X{B8B32FF5-6B7E-4E47-B855-8BED5BEB1705}
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
Avanquest update --> C:\Program Files\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\setup.exe -runfromtemp -l0x0009 -removeonly
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Check Point SmartConsole R61 HFA 01 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3AB2AB4A-EED8-40C9-B80D-7C7D9702FD94}\setup.exe" -l0x9 installed
ConvertXtoDVD 3.0.0.9 --> "C:\Program Files\VSO\ConvertX\3\unins000.exe"
Crystal Reports ActiveX --> MsiExec.exe /X{30BC1771-1B2E-4145-9B5E-75707AA2B879}
CUP Fonts --> MsiExec.exe /I{C746F048-CF6C-44AB-BE6E-D59942EA9DFC}
CUP House Truetype Fonts --> MsiExec.exe /X{71D53108-E5F5-4B21-9C4D-42D429412170}
CUP Templates --> MsiExec.exe /I{2B66CBB1-D9FE-4846-859B-ABEC3F0ABB7F}
Dell Resource CD --> MsiExec.exe /X{42929F0F-CE14-47AF-9FC7-FF297A603021}
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
EPICenter 6.0 Client Application --> C:\Program Files\Extreme Networks\EPICenter 6.0\_uninst\uninstaller.exe
Fontwise 2.2.8 Client --> "C:\Program Files\Fontwise 2 Client\unins000.exe"
Google Talk (remove only) --> "C:\Program Files\Google\Google Talk\uninstall.exe"
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
IBM Lotus Sametime Connect 7.5 --> MsiExec.exe /I{4AA455FB-BFEE-473C-AA0E-4FDA505F6FB7}
Intel® Graphics Media Accelerator Driver --> C:\WINDOWS\system32\igxpun.exe -uninstall
Intel® PRO Network Connections Drivers --> Prounstl.exe
Intel® Active Management Technology --> C:\WINDOWS\system32\mesoludlg.exe -uninstall
Intel® Management Engine Interface --> C:\WINDOWS\system32\heciudlg.exe -uninstall
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Klever PumpKIN 2.7.2 --> RunDll32 setupapi.dll,InstallHinfSection Uninstall 132 C:\PROGRA~1\Klever\Nothings\PumpKIN.INF
LANDesk Advance Agent --> MsiExec.exe /I{7E8833A1-AF24-4CAE-82DF-CFE14C14B94D}
LANDesk® Software --> MsiExec.exe /X{4A56058A-04E0-4DEE-8E1E-94E98621F650}
Lotus Notes 7.0.2 --> MsiExec.exe /I{A0E54EC6-EA51-4088-A6EE-BEF1D1D128AB}
McAfee VirusScan Enterprise --> MsiExec.exe /I{35C03C04-3F1F-42C2-A989-A757EE691F65}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{90120409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Visio Professional 2003 --> MsiExec.exe /I{90510409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (2.0) --> C:\Program Files\Mozilla Firefox\uninstall\uninst.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Paint.NET v3.30 --> MsiExec.exe /X{FF09A6A1-4DE5-467D-AA26-EF18C0EA4DAB}
PCS50 1.0 --> "C:\Program Files\PCS50\unins000.exe"
PCS60 --> MsiExec.exe /I{DDD72880-FD2A-43C5-882F-DA3DFA011105}
PDFCreator --> MsiExec.exe /I{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}
Polycom PVX --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{8D341F5E-7FA5-4A6A-8A6F-8DD22ABD3F71} /l1033
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -l0x9 -cluninstall
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Safari --> MsiExec.exe /I{40589552-3892-409E-B92C-9F5032A4B2F0}
Sonic Activation Module --> MsiExec.exe /I{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}
Sony Ericsson PC Suite 3.204.00 --> C:\Program Files\InstallShield Installation Information\{2FFE93F0-BB72-4E52-8761-354D1AAA9387}\Setup.exe -runfromtemp -l0x0009 -removeonly
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x9 -removeonly
Spelling Dictionaries Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
StuffIt Expander --> MsiExec.exe /X{57DC8980-73DA-481E-AFD4-5E2D44B7F1AD}
VideoLAN VLC media player 0.8.6d --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Virtual Earth 3D (Beta) --> MsiExec.exe /I{39CE3C17-846D-4D9B-8B3E-C01A4B90FB73}
VMware Server --> MsiExec.exe /I{FEE84D71-7FF0-46C1-AED4-1BD821D53A9F}
VNC Free Edition 4.1.2 --> "C:\Program Files\RealVNC\VNC4\unins000.exe"
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Server 2003 Administration Tools Pack --> MsiExec.exe /I{5E076CF2-EFED-43A2-A623-13E0D62EC7E0}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinSCP 4.0.7 --> "C:\Program Files\WinSCP\unins000.exe"
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type5268 / Error
Event Submitted/Written: 04/30/2008 03:16:23 PM
Event ID/Source: 2002 / Intel® AMT
Event Description:
[UNS] Failed to subscribe to local Intel® AMT.

Event Record #/Type5250 / Error
Event Submitted/Written: 04/30/2008 03:09:22 PM
Event ID/Source: 2002 / Intel® AMT
Event Description:
[UNS] Failed to subscribe to local Intel® AMT.

Event Record #/Type5243 / Error
Event Submitted/Written: 04/30/2008 03:04:46 PM
Event ID/Source: 100 / vmauthd
Event Description:
Unable to grant interactive access to new session because the interactive desktop could not be determined.

Event Record #/Type5242 / Error
Event Submitted/Written: 04/30/2008 03:04:46 PM
Event ID/Source: 100 / vmauthd
Event Description:
OpenDesktop failed.

Event Record #/Type5134 / Error
Event Submitted/Written: 04/29/2008 06:40:08 AM
Event ID/Source: 1030 / Userenv
Event Description:
Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type53308 / Warning
Event Submitted/Written: 05/01/2008 06:17:07 AM
Event ID/Source: 8193 / LSASRV
Event Description:
The Security System could not establish a secured connection with the server DNS/adonis-cluster.cup.cam.ac.uk. No authentication protocol was available.

Event Record #/Type53283 / Warning
Event Submitted/Written: 05/01/2008 05:17:05 AM
Event ID/Source: 8193 / LSASRV
Event Description:
The Security System could not establish a secured connection with the server DNS/adonis-cluster.cup.cam.ac.uk. No authentication protocol was available.

Event Record #/Type53234 / Warning
Event Submitted/Written: 05/01/2008 03:17:06 AM
Event ID/Source: 8193 / LSASRV
Event Description:
The Security System could not establish a secured connection with the server DNS/adonis-cluster.cup.cam.ac.uk. No authentication protocol was available.

Event Record #/Type53185 / Warning
Event Submitted/Written: 05/01/2008 01:17:07 AM
Event ID/Source: 8193 / LSASRV
Event Description:
The Security System could not establish a secured connection with the server DNS/adonis-cluster.cup.cam.ac.uk. No authentication protocol was available.

Event Record #/Type53160 / Warning
Event Submitted/Written: 05/01/2008 00:17:06 AM
Event ID/Source: 8193 / LSASRV
Event Description:
The Security System could not establish a secured connection with the server DNS/adonis-cluster.cup.cam.ac.uk. No authentication protocol was available.



-- End of Deckard's System Scanner: finished at 2008-05-01 07:59:43 ------------



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, May 01, 2008 8:20:31 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/05/2008
Kaspersky Anti-Virus database records: 733621
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\mscarrow\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 16140
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 00:10:28

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\log.txt Object is locked skipped
C:\WINDOWS\system32\pmnmmJdA.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qol skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\atchksrv.log Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_200.dat Object is locked skipped
C:\WINDOWS\Temp\vmware-serverd.log Object is locked skipped
C:\WINDOWS\Temp\vmware-vmount.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\DOCUME~1\mscarrow\LOCALS~1\Temp\Perflib_Perfdata_efc.dat Object is locked skipped
C:\DOCUME~1\mscarrow\LOCALS~1\Temp\~DF1650.tmp Object is locked skipped
C:\DOCUME~1\mscarrow\LOCALS~1\Temp\~DF1660.tmp Object is locked skipped
C:\DOCUME~1\mscarrow\LOCALS~1\Temp\~DF43F.tmp Object is locked skipped
C:\DOCUME~1\mscarrow\LOCALS~1\Temp\~DF44F.tmp Object is locked skipped

Scan process completed.

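The two AuthorizedApplications lists in the DSS output above are the Windows XP SP2 firewall's per-profile inbound exceptions, exported in .reg form: the value name is the program path and the value data is `path:scope:Enabled|Disabled:display name`. The following is an added example written for this page, not code from the thread, from DSS or from Kaspersky. It parses entries in exactly that format and flags the three things a responder would check first: a value name that does not match the path inside the data, a scope other than `*`, and an inbound exception for the shell or the browser. The sample input is constructed from the lines above plus one deliberately mismatched entry (`example_tamper.exe`, which does not exist on the machine); the DomainProfile key header is assumed, because the header of the first list falls above this excerpt; and treating explorer.exe and iexplore.exe exceptions as worth a second look is the editor's heuristic, not a finding from the scan.

```python
"""Parse Windows XP SP2 firewall AuthorizedApplications entries as DSS prints
them (.reg-style lines) and flag the ones an analyst should review."""
import re
from typing import List, NamedTuple

# Constructed sample: entries copied from the DSS dump above, the DomainProfile
# header assumed, plus one made-up mismatched entry (example_tamper.exe).
SAMPLE_DUMP = r'''
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Windows Explorer"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\\WINDOWS\\system32\\example_tamper.exe"="C:\\Temp\\example_other.exe:*:Enabled:Example"
'''


class FirewallException(NamedTuple):
    profile: str      # DomainProfile or StandardProfile
    key_path: str     # registry value name; should equal value_path
    value_path: str   # first field of the value data
    scope: str        # "*" = any address, otherwise an address/subnet list
    enabled: bool
    name: str         # display name shown in the firewall UI


HEADER_RE = re.compile(
    r"^\[HKLM\\.*\\FirewallPolicy\\(?P<profile>\w+)\\AuthorizedApplications\\List\]$")
ENTRY_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>.*)"$')
# Value data is <path>:<scope>:<Enabled|Disabled>:<name>. The path holds a drive
# colon, so the path group is non-greedy and the state keyword anchors the split.
VALUE_RE = re.compile(
    r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$",
    re.IGNORECASE)


def _unescape(reg_path: str) -> str:
    """A .reg export doubles every backslash; undo that."""
    return reg_path.replace("\\\\", "\\")


def parse_authorized_apps(dump: str) -> List[FirewallException]:
    """Return one FirewallException per entry, tagged with the profile it sits under."""
    entries: List[FirewallException] = []
    profile = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            profile = header.group("profile")
            continue
        entry = ENTRY_RE.match(line)
        if not entry or profile is None:
            continue  # not an entry line, or no key header seen yet
        value = VALUE_RE.match(entry.group("value"))
        if not value:
            raise ValueError(f"malformed firewall entry: {line}")
        entries.append(FirewallException(
            profile=profile,
            key_path=_unescape(entry.group("key")),
            value_path=_unescape(value.group("path")),
            scope=value.group("scope"),
            enabled=value.group("state").lower() == "enabled",
            name=value.group("name")))
    return entries


# Editor's assumption: the shell and the browser do not need an inbound
# exception on a stock XP SP2 box, so such entries deserve a second look.
REVIEW_BASENAMES = {"explorer.exe", "iexplore.exe"}


def review(entries: List[FirewallException]) -> List[str]:
    """Return one finding per suspicious entry; an empty list means nothing was flagged."""
    findings: List[str] = []
    for ent in entries:
        where = f"{ent.profile}: {ent.value_path}"
        if ent.key_path.lower() != ent.value_path.lower():
            findings.append(f"{where}: value name '{ent.key_path}' does not match the path in its data")
        basename = ent.value_path.rsplit("\\", 1)[-1].lower()
        if ent.enabled and basename in REVIEW_BASENAMES:
            findings.append(f"{where}: inbound exception for a shell/browser binary ({ent.name})")
        if ent.scope != "*":
            findings.append(f"{where}: scope restricted to {ent.scope}")
    return findings


if __name__ == "__main__":
    for finding in review(parse_authorized_apps(SAMPLE_DUMP)):
        print(finding)
```

Run against the constructed sample it reports the two shell/browser exceptions from the DomainProfile list and the made-up name/path mismatch; the real StandardProfile entries (sessmgr.exe, the McAfee framework service) come back clean. To use it on a live box, paste the two `AuthorizedApplications\List` blocks from main.txt or extra.txt into `SAMPLE_DUMP`, or feed it the output of `reg export` for that key.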
#3 Scazza

Scazza
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:03:12 AM

Posted 01 May 2008 - 02:29 AM

Kaspersky Anti-Virus database records: 733621
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\mscarrow\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 16140
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 00:10:28

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\log.txt Object is locked skipped
C:\WINDOWS\system32\pmnmmJdA.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qol skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\atchksrv.log Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_200.dat Object is locked skipped
C:\WINDOWS\Temp\vmware-serverd.log Object is locked skipped
C:\WINDOWS\Temp\vmware-vmount.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\DOCUME~1\mscarrow\LOCALS~1\Temp\Perflib_Perfdata_efc.dat Object is locked skipped
C:\DOCUME~1\mscarrow\LOCALS~1\Temp\~DF1650.tmp Object is locked skipped
C:\DOCUME~1\mscarrow\LOCALS~1\Temp\~DF1660.tmp Object is locked skipped
C:\DOCUME~1\mscarrow\LOCALS~1\Temp\~DF43F.tmp Object is locked skipped
C:\DOCUME~1\mscarrow\LOCALS~1\Temp\~DF44F.tmp Object is locked skipped

Scan process completed.

#4 RenatoMejias

RenatoMejias

  • Malware Response Team
  • 913 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:12 PM

Posted 22 May 2008 - 02:29 PM

Hello


Apologies for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.



Next
Please do an online scan with Kaspersky WebScanner

Click on Accept Button

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Renato Victor Mejias
Malware help in portuguese

#5 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • OFFLINE
  • Gender:Male
  • Location:Boston Mass
  • Local time:09:12 PM

Posted 30 May 2008 - 12:26 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



