Trymedia.b/winantivirus.2006/winfixer.o/vapsup.gw/


  • This topic is locked
14 replies to this topic

#1 kylezo


Posted 08 May 2008 - 03:48 PM

Hello, I recovered an old laptop from a family member and it is deeply troubled. It is running Windows 2000 Build 2195: Service Pack 4 Free. It was infected with a bunch of adware/spyware and when I tried to download Spyware Terminator, I found that Internet Explorer gave the classic 'encountered error' and 'send error log' immediately upon opening. Firefox gave 100% consistent Server errors. I removed Firefox and am able to use IE in Safe Mode with Networking (although even then occasionally I get a "'memory' could not be 'read'" error, and sometimes when I click Google results it will take me to yellowpages.com or some other trash and put up some generalization of my search terms instead of the results I clicked on). This post is coming from Safe Mode :thumbsup:

I booted to safe mode to download Spyware Terminator, which found and removed 35 critical objects, and then I downloaded and ran Windows Malicious Software Removal Tool which found 1 remaining trojan.

AVG seems to be unable to update - it says it can't connect. This computer also has McAfee installed.

I do not have a recovery CD as this is a very old computer, no install disk anywhere. Although I do have a Windows XP CD that I think I could use if necessary.

Here's my DSS/HJT logs:

main.txt:
Deckard's System Scanner v20071014.68
Run by Allyson on 2002-05-09 02:10:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 88% (more than 75%).


-- HijackThis (run as Allyson.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:12:15 AM, on 5/9/2002
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\WLANSTA.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Documents and Settings\Allyson\Desktop\dss.exe
C:\WINNT\system32\wuauclt.exe
C:\DOCUME~1\Allyson\Desktop\Allyson.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINNT\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://cam-rg.dev.lane.edu/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = meadow.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = meadow.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.38 85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.38 85.255.112.121
O21 - SSODL: exemplars - {2acf3add-34a1-4f2f-99cf-cc69785d1e90} - (no file)
O22 - SharedTaskScheduler: exemplars - {2acf3add-34a1-4f2f-99cf-cc69785d1e90} - (no file)
O22 - SharedTaskScheduler: hellenophile - {6f396a67-f473-48c9-9950-636ce17e584e} - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\hpzipm12.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O24 - Desktop Component 0: (no name) - http://us.i1.yimg.com/us.yimg.com/i/us/my/th/thm/ad8.gif
O24 - Desktop Component 1: (no name) - http://img.icbdr.com/images/shell/bg_cb_Masthead.gif

--
End of file - 6607 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 NaiAvTdi1 - c:\winnt\system32\drivers\mvstdi5x.sys
R1 omci (OMCI WDM Device Driver) - c:\winnt\system32\drivers\omci.sys
R1 sp_rsdrv2 (Spyware Terminator Driver 2) - c:\winnt\system32\drivers\sp_rsdrv2.sys
R2 DS1410D - c:\winnt\system32\drivers\ds1410d.sys
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.9) - c:\winnt\system32\drivers\mdc8021x.sys
R2 PRPC - c:\winnt\system32\drivers\prpc.sys
R3 EntDrv50 - c:\winnt\system32\drivers\entdrv50.sys
R3 NaiAvFilter1 - c:\winnt\system32\drivers\naiavf5x.sys

S1 vspf - c:\winnt\system32\drivers\vspf5.sys (file missing)
S1 vspf_hk - c:\winnt\system32\drivers\vspf_hk5.sys (file missing)
S3 BCM42RLY - c:\winnt\system32\bcm42rly.sys (file missing)
S3 bvrp_pci - c:\winnt\system32\drivers\bvrp_pci.sys
S3 CBTNDIS5 (CBTNDIS5 NDIS Protocol Driver) - c:\winnt\system32\cbtndis5.sys
S3 Dot4Print (Print Class Driver for IEEE-1284.4 hpoipr) - c:\winnt\system32\drivers\hpoipr07.sys (file missing)
S3 hpoid407 (IEEE-1284.4 Driver hpoid407) - c:\winnt\system32\drivers\hpoid407.sys (file missing)
S3 hpoius07 (USB to IEEE-1284.4 Translation Driver hpoius07) - c:\winnt\system32\drivers\hpoius07.sys (file missing)
S3 WLAN (NETGEAR Wireless 802.11b LAN Driver) - c:\winnt\system32\drivers\cw10.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 McTaskManager (Network Associates Task Manager) - "c:\program files\network associates\virusscan\vstskmgr.exe"
R2 sp_rssrv (Spyware Terminator Realtime Shield Service) - "c:\program files\spyware terminator\sp_rsser.exe"


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2002-04-09 and 2002-05-09 -----------------------------

2007-09-13 11:36:20 0 --a------ C:\WINNT\nsreg.dat
2007-09-13 11:36:06 0 d-------- C:\Documents and Settings\Allyson\Application Data\Mozilla
2007-09-13 10:31:49 58048 --a------ C:\WINNT\system32\drivers\mvstdi5x.sys
2007-09-13 10:31:48 108256 --a------ C:\WINNT\system32\drivers\naiavf5x.sys
2007-09-13 10:27:12 0 d-------- C:\WINNT\5DF3D1BB894E4DCD8275159AC9829B43.TMP
2007-09-12 13:55:24 0 d-------- C:\Program Files\Common Files\ODBC
2007-09-12 12:27:18 0 d-------- C:\Documents and Settings\Allyson\Application Data\AVG7
2007-09-12 12:26:20 0 d-------- C:\Documents and Settings\Default User\Application Data\AVG7
2007-09-12 12:25:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-12 12:25:42 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-09-12 11:14:32 0 d-------- C:\Program Files\Enigma Software Group
2007-09-10 15:42:33 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_554.dat
2007-09-10 13:46:45 38912 --a------ C:\WINNT\system32\mgxasio.dll
2007-09-10 13:46:44 24576 --a------ C:\WINNT\system32\TTIC32.dll
2007-09-10 13:46:44 24576 --a------ C:\WINNT\system32\TTI32.dll
2007-09-10 13:46:44 32768 --a------ C:\WINNT\system32\STRING32.dll
2007-09-10 13:46:44 430080 --a------ C:\WINNT\system32\MXRestore.exe
2007-09-10 13:46:43 57344 --a------ C:\WINNT\system32\DLLTPO32.dll
2007-09-10 13:46:43 188416 --a------ C:\WINNT\system32\DLLRES32.dll
2007-09-10 13:46:43 40960 --a------ C:\WINNT\system32\DLLRD32.dll
2007-09-10 13:46:43 65536 --a------ C:\WINNT\system32\DLLPTL32.dll
2007-09-10 13:46:43 53248 --a------ C:\WINNT\system32\DLLPRJ32.dll
2007-09-10 13:46:43 49152 --a------ C:\WINNT\system32\DLLPRF32.dll
2007-09-10 13:46:43 36864 --a------ C:\WINNT\system32\DLLPNT32.dll
2007-09-10 13:46:43 32768 --a------ C:\WINNT\system32\DLLMSC32.dll
2007-09-10 13:46:43 24576 --a------ C:\WINNT\system32\DLLIX.dll
2007-09-10 13:46:43 32768 --a------ C:\WINNT\system32\DLLISO32.dll
2007-09-10 13:46:43 49152 --a------ C:\WINNT\system32\DLLIO32.dll
2007-09-10 13:46:43 45056 --a------ C:\WINNT\system32\DLLIMG32.dll
2007-09-10 13:46:43 151552 --a------ C:\WINNT\system32\DLLDRV32.dll
2007-09-10 13:46:43 32768 --a------ C:\WINNT\system32\DLLDIR32.dll
2007-09-10 13:46:43 163840 --a------ C:\WINNT\system32\DLLDEV32.dll
2007-09-10 13:46:42 94208 --a------ C:\WINNT\system32\DLLCPY32.dll
2007-09-10 13:46:42 61440 --a------ C:\WINNT\system32\DLLCDF32.dll
2007-09-10 13:46:42 114688 --a------ C:\WINNT\system32\DLLCDA32.dll
2007-09-10 13:46:42 462848 --a------ C:\WINNT\system32\DLLAV32.dll
2007-09-10 13:46:41 0 d-------- C:\Program Files\Common Files\MAGIX Shared
2007-09-10 13:44:59 0 d-------- C:\MAGIX
2007-09-10 13:44:58 1089536 --a------ C:\WINNT\system32\ROBOEX32.DLL
2007-09-10 13:44:58 49152 --a------ C:\WINNT\system32\INETWH32.dll
2007-09-10 13:44:58 85504 --a------ C:\WINNT\system32\HtmlWH.dll
2007-09-10 13:44:28 638976 --a------ C:\WINNT\system32\mgxoschk.dll
2007-09-10 13:44:28 0 d-------- C:\WINNT\system32\MAGIX
2007-09-10 10:08:22 52224 --a------ C:\WINNT\main_uninstaller.exe
2007-09-07 13:14:56 225280 --a------ C:\WINNT\system32\rewire.dll
2007-09-07 13:10:52 0 d-------- C:\Program Files\Image-Line
2007-08-31 20:09:16 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_59c.dat
2007-08-31 20:00:24 0 d--hs---- C:\System Volume Information
2007-08-29 21:31:59 0 d-------- C:\Program Files\Axis Communications
2007-08-29 16:28:33 0 d-------- C:\Documents and Settings\Allyson\Application Data\Help
2007-08-29 16:05:31 0 d-------- C:\Program Files\Acoustica Beatcraft
2007-08-27 11:46:28 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_5ac.dat
2007-08-20 18:14:19 0 d-------- C:\Documents and Settings\Allyson\Application Data\Gamelab
2007-08-20 17:30:34 0 d-------- C:\Documents and Settings\Allyson\Saved Games
2007-08-19 17:55:04 0 d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2007-08-19 17:37:41 57344 --a------ C:\WINNT\system32\WNASPINT.DLL
2007-08-19 17:36:12 0 d-------- C:\eJay
2007-07-30 13:03:25 0 d-------- C:\Documents and Settings\Allyson\Application Data\AdobeUM
2007-07-26 21:41:52 0 d-------- C:\Program Files\QuickZip4
2007-07-21 21:24:54 0 d-------- C:\Downloads
2007-07-21 20:28:02 0 d-------- C:\Documents and Settings\Allyson\Application Data\PlayFirst
2007-07-21 20:28:02 0 d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-07-14 09:53:20 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_594.dat
2007-07-13 16:24:53 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_56c.dat
2007-07-10 20:25:30 0 d-------- C:\Documents and Settings\All Users\Application Data\iWin Games
2007-07-10 14:21:29 0 d-------- C:\quarantine
2007-06-19 09:42:03 0 d-------- C:\Documents and Settings\Allyson\Application Data\Adobe
2007-06-19 08:59:33 0 d-------- C:\WINNT\system32\SoftwareDistribution
2007-06-09 16:49:06 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-06-09 16:46:55 0 d-------- C:\Program Files\Video ActiveX Access
2007-05-17 13:55:08 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_600.dat
2007-05-17 13:54:20 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_404.dat
2007-05-08 15:03:04 1275392 -----n--- C:\WINNT\system32\msxml4.dll
2007-03-15 14:48:16 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_3d0.dat
2007-03-11 19:06:59 0 d--hs---- C:\WINNT\ftpcache
2007-03-01 16:51:28 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_6e8.dat
2007-03-01 16:51:20 0 d-------- C:\d35284e31f3ede133346f81d
2007-02-27 23:56:02 0 d-------- C:\Program Files\CCleaner
2007-02-13 23:25:48 0 d-------- C:\Documents and Settings\Allyson\Application Data\funkitron
2007-02-13 22:35:17 0 d-------- C:\Documents and Settings\Allyson\Application Data\Gaijin Ent
2007-02-13 01:48:10 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_614.dat
2007-02-11 12:22:22 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_558.dat
2007-02-11 11:32:01 0 d--hs---- C:\WA7P
2007-02-11 11:31:35 0 d-------- C:\Documents and Settings\Allyson\Application Data\WinAntiVirus Pro 2007
2007-02-11 11:31:18 0 d-------- C:\Program Files\Common Files\Companion Wizard
2007-02-11 11:31:13 8704 --a------ C:\WINNT\system32\SpOrder.dll
2007-02-08 20:29:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Playtonium Games
2007-02-06 23:18:16 0 d-------- C:\Documents and Settings\Allyson\Application Data\Google
2007-02-06 22:55:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-02-06 21:55:39 0 d-------- C:\Documents and Settings\Allyson\Application Data\iWin
2007-02-06 21:54:03 0 d-------- C:\My Games
2007-02-06 21:53:47 0 d-------- C:\My Download Files
2007-02-06 21:50:03 774144 --a------ C:\Program Files\RngInterstitial.dll
2007-02-06 21:49:36 0 d-------- C:\Program Files\Real
2007-02-06 21:49:23 0 d-------- C:\Program Files\Google
2007-02-06 21:49:15 0 d-------- C:\Program Files\Common Files\Real
2007-02-06 21:44:05 0 d-------- C:\Program Files\iWin.com
2007-02-06 21:39:34 0 d---s---- C:\Documents and Settings\Allyson\UserData
2007-02-06 21:08:45 94208 --a------ C:\WINNT\system32\W32N50CT.dll
2007-02-06 21:08:45 17142 --a------ C:\WINNT\system32\CBTNDIS5.sys
2007-02-04 13:32:49 0 d-------- C:\Documents and Settings\Allyson\Application Data\Identities
2007-02-04 13:32:43 0 d--h----- C:\Documents and Settings\Allyson\Templates
2007-02-04 13:32:43 0 d-------- C:\Documents and Settings\Allyson\Start Menu
2007-02-04 13:32:43 0 d--h----- C:\Documents and Settings\Allyson\SendTo
2007-02-04 13:32:43 0 dr-h----- C:\Documents and Settings\Allyson\Recent
2007-02-04 13:32:43 0 d--h----- C:\Documents and Settings\Allyson\PrintHood
2007-02-04 13:32:43 1310720 --ah----- C:\Documents and Settings\Allyson\NTUSER.DAT
2007-02-04 13:32:43 0 d--h----- C:\Documents and Settings\Allyson\NetHood
2007-02-04 13:32:43 0 d-------- C:\Documents and Settings\Allyson\My Documents
2007-02-04 13:32:43 0 d--h----- C:\Documents and Settings\Allyson\Local Settings
2007-02-04 13:32:43 0 dr------- C:\Documents and Settings\Allyson\Favorites
2007-02-04 13:32:43 0 d-------- C:\Documents and Settings\Allyson\Desktop
2007-02-04 13:32:43 0 d---s---- C:\Documents and Settings\Allyson\Cookies
2007-02-04 13:32:43 0 d--h----- C:\Documents and Settings\Allyson\Application Data
2007-02-04 13:32:43 0 d-------- C:\Documents and Settings\Allyson\Application Data\Macromedia
2007-02-04 13:32:43 0 d-------- C:\Documents and Settings\Allyson\Application Data\Earthlink
2006-09-12 13:04:02 0 d-------- C:\Program Files\OfficeUpdate11
2006-09-12 12:51:38 0 d-------- C:\Program Files\Common Files\L&H
2006-09-12 12:51:33 0 d-------- C:\Program Files\Common Files\SpeechEngines
2006-09-12 12:51:13 0 d-------- C:\Program Files\Microsoft ActiveSync
2006-09-12 12:50:40 0 d-------- C:\Program Files\Microsoft Works
2006-09-12 12:50:05 0 d-------- C:\WINNT\SHELLNEW
2006-09-12 12:48:17 0 d-------- C:\WINNT\PCHEALTH
2006-09-12 12:41:32 0 d-------- C:\HP2430
2006-09-12 12:36:11 0 d-------- C:\Program Files\Common Files\Cisco Systems
2006-09-12 12:35:06 0 d-------- C:\Program Files\Network Associates
2006-09-12 12:35:03 0 dr-h----- C:\MSOCache
2006-08-07 13:52:37 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_440.dat
2006-07-27 12:30:29 0 d-------- C:\WINNT\system32\Windows Media
2006-07-27 12:29:18 0 d--h----- C:\WINNT\$NtUpdateRollupPackUninstall$
2006-07-27 12:29:10 0 d-------- C:\WINNT\msiinst.tmp
2006-07-27 12:22:43 186 --a------ C:\WINNT\myClean.bat
2006-07-27 12:01:01 20 --a------ C:\WINNT\´û»
2006-07-27 11:51:17 0 d-------- C:\WINNT\SchCache
2006-06-30 20:11:15 253952 --a------ C:\WINNT\UNTSINST.EXE
2006-06-30 20:11:03 253952 --a------ C:\WINNT\UNCSDEMO.EXE
2006-06-30 20:10:54 188960 --a------ C:\WINNT\system\WINGDE.DLL
2006-06-30 20:10:54 12800 --a------ C:\WINNT\system\WING32.DLL
2006-06-30 20:10:54 92208 --a------ C:\WINNT\system\WING.DLL
2006-06-30 17:08:37 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_638.dat
2006-06-22 07:32:12 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_3fc.dat
2006-04-19 19:41:37 733184 --a------ C:\WINNT\system32\qedwipes.dll
2006-04-19 19:41:37 1798144 --a------ C:\WINNT\system32\qedit.dll
2006-04-19 19:41:37 324096 --a------ C:\WINNT\system32\mswebdvd.dll
2006-04-19 19:41:37 13312 --a------ C:\WINNT\system32\msdmo.dll
2006-04-19 19:41:36 18944 --a------ C:\WINNT\system32\encapi.dll
2006-04-19 19:41:35 18432 --a------ C:\WINNT\system32\dswave.dll
2006-04-19 19:41:35 76800 --a------ C:\WINNT\system32\dmscript.dll
2006-04-19 19:41:35 664576 --a------ C:\WINNT\system32\dinput8.dll
2006-04-19 19:41:35 1703936 --a------ C:\WINNT\system32\d3d9.dll
2006-04-19 19:41:35 1201152 --a------ C:\WINNT\system32\d3d8.dll
2006-04-19 19:41:34 1769472 --a------ C:\WINNT\system32\dxdiagn.dll
2006-04-19 19:41:34 491520 --a------ C:\WINNT\system32\dsdmoprp.dll
2006-04-19 19:41:34 186880 --a------ C:\WINNT\system32\dsdmo.dll
2006-04-19 19:41:34 112128 --a------ C:\WINNT\system32\dpvvox.dll
2006-04-19 19:41:34 80896 --a------ C:\WINNT\system32\dpvsetup.exe
2006-04-19 19:41:34 381952 --a------ C:\WINNT\system32\dpvoice.dll
2006-04-19 19:41:34 19968 --a------ C:\WINNT\system32\dpvacm.dll
2006-04-19 19:41:33 1189888 --a------ C:\WINNT\system32\dx8vb.dll
2006-04-19 19:41:33 16896 --a------ C:\WINNT\system32\dpnsvr.exe
2006-04-19 19:41:33 3072 --a------ C:\WINNT\system32\dpnlobby.dll
2006-04-19 19:41:33 68096 --a------ C:\WINNT\system32\dpnhupnp.dll
2006-04-19 19:41:33 32768 --a------ C:\WINNT\system32\dpnhpast.dll
2006-04-19 19:41:33 723968 --a------ C:\WINNT\system32\dpnet.dll
2006-04-19 19:41:33 3072 --a------ C:\WINNT\system32\dpnaddr.dll
2006-04-19 19:41:33 44032 --a------ C:\WINNT\system32\dimap.dll
2006-04-19 19:41:33 459264 --a------ C:\WINNT\system32\diactfrm.dll
2006-04-19 19:41:33 7168 --a------ C:\WINNT\system32\d3d8thk.dll
2006-04-16 11:08:10 0 d-------- C:\Program Files\QuickTime
2006-02-07 06:08:13 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_2b8.dat
2006-02-03 15:58:01 38229 -----n--- C:\WINNT\system32\drivers\StMp3Rec.sys
2006-01-28 16:39:03 155648 --a------ C:\WINNT\system32\ifc21.dll
2006-01-28 16:39:03 94208 --a------ C:\WINNT\system32\FEELIT.DLL
2006-01-28 16:39:03 0 d-------- C:\Program Files\Common Files\Logitech
2006-01-28 16:39:02 97792 --a------ C:\WINNT\system32\LGUICOM.DLL
2006-01-28 16:39:02 104960 --a------ C:\WINNT\system32\COMNCTR.DLL
2006-01-22 16:00:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2006-01-22 15:59:56 0 d-------- C:\Program Files\BFG
2005-12-06 07:09:35 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2005-10-10 12:21:42 278584 -----n--- C:\WINNT\system32\hpzidr12.dll
2005-10-09 12:36:09 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_1dc.dat
2005-10-07 17:56:07 0 d-------- C:\WINNT\Hewlett-Packard
2005-10-07 17:55:04 36864 -----n--- C:\WINNT\system32\hpbmmjno.dll
2005-10-07 17:53:47 0 d-------- C:\Program Files\Zero G Registry
2005-10-07 17:52:16 94208 -----n--- C:\WINNT\system32\HPZipt12.dll
2005-10-07 17:52:15 57344 -----n--- C:\WINNT\system32\HPZisn12.dll
2005-10-07 17:52:10 49152 -ra------ C:\WINNT\system32\hpbprnfx.exe
2005-10-07 17:52:01 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2005-10-07 17:51:55 20 --a------ C:\WINNT\´û¼
2005-10-07 17:51:43 0 d-------- C:\Program Files\hp
2005-10-07 17:51:13 412 -ra------ C:\WINNT\system32\hp3aioz6.dat
2005-10-07 17:51:12 221184 -ra------ C:\WINNT\system32\HP3AIOZ6.dll
2005-10-07 17:51:03 196608 -----n--- C:\WINNT\system32\hpzipr12.dll
2005-10-07 17:51:03 65536 -----n--- C:\WINNT\system32\hpzipm12.exe
2005-10-07 17:51:02 745472 -ra------ C:\WINNT\system32\hpptpml.dll
2005-10-07 17:51:01 229376 -ra------ C:\WINNT\system32\hpgtpusd.dll
2005-10-07 17:51:01 274432 -ra------ C:\WINNT\system32\hpbovset.dll
2005-10-07 17:31:36 0 d-------- C:\Program Files\Common Files\SWF Studio
2005-09-29 07:39:51 2896 --a------ C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
2005-09-29 07:29:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2005-09-28 18:28:37 0 d-------- C:\Documents and Settings\All Users\Application Data\QuickTime
2005-09-28 18:27:16 0 d-------- C:\WINNT\system32\BWKDLogs
2005-09-28 18:26:22 0 d-------- C:\Program Files\Kodak
2005-09-28 18:24:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Kodak
2005-07-29 10:01:50 0 d-------- C:\WINNT\SoftwareDistribution
2005-07-11 08:10:00 290905 --a------ C:\WINNT\system32\PRISMSVR.exe
2005-07-11 08:10:00 372825 --a------ C:\WINNT\system32\PRISMAPI.dll
2005-06-15 08:33:33 0 d-------- C:\Documents and Settings\Default User\Application Data\Macromedia
2005-06-14 16:18:55 0 d-------- C:\Program Files\hp officejet 5100 corporate driver
2005-06-14 16:08:45 0 d-------- C:\col1832
2005-06-14 15:58:02 0 d--h----- C:\Documents and Settings\All Users\Application Data\GTek
2005-05-31 12:08:08 113900 --a------ C:\WINNT\system32\dneinobj.dll
2005-05-27 07:51:00 131072 --ah----- C:\Documents and Settings\Default User\NTUSER.DAT
2005-05-27 07:49:12 65536 --a------ C:\WINNT\system32\YCRWin32.dll
2005-05-27 07:49:05 0 d-------- C:\Program Files\Yahoo!
2005-05-27 07:42:04 929792 -ra------ C:\WINNT\system32\PRISME5.dll
2005-05-27 07:42:04 15781 -ra------ C:\WINNT\system32\drivers\mdc8021x.sys
2005-05-25 10:35:11 0 d-------- C:\Program Files\MVReader
2005-05-24 09:41:54 0 d-------- C:\VPN
2005-05-10 15:01:25 0 d-------- C:\Program Files\SmartDraw 7
2005-04-22 13:23:37 0 d-------- C:\WINNT\system32\BITS
2005-04-20 10:18:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2005-04-18 11:57:03 10752 --a------ C:\WINNT\system32\gcmd5query.dll
2005-04-18 11:56:45 0 d-------- C:\Program Files\Microsoft AntiSpyware
2005-04-18 11:56:32 0 d-------- C:\WINNT\Downloaded Installations
2005-04-18 11:56:09 0 d--h----- C:\_rpcs
2005-04-18 11:52:31 82432 --a------ C:\WINNT\system32\msxml4r.dll
2005-04-18 11:52:31 44544 --a------ C:\WINNT\system32\msxml4a.dll
2005-04-18 11:52:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Network Associates
2005-04-18 11:49:48 0 d-------- C:\Program Files\GolfPro
2005-04-18 11:38:07 0 d-------- C:\WINNT\SigPlus
2005-04-18 11:36:57 0 d-------- C:\Program Files\Common Files\Crystal Decisions
2005-04-18 11:33:05 0 d-------- C:\WINNT\system32\appmgmt
2005-03-23 10:08:37 150016 --a------ C:\WINNT\system32\xqviewer.dll
2005-03-23 10:08:37 14848 --a------ C:\WINNT\system32\VBAMAP32.DLL
2005-03-23 10:08:32 57344 --a------ C:\WINNT\system32\PDADDIN.DLL
2005-03-23 10:08:16 413696 --a------ C:\WINNT\system32\crystalwizard.dll
2005-03-23 05:15:59 1249334 --a------ C:\WINNT\system32\cxlibw-1-6.dll
2005-03-21 15:13:32 169472 --a------ C:\WINNT\system32\MSIMTF.DLL
2005-03-21 15:13:24 37376 --a------ C:\WINNT\system32\DIMM.DLL
2005-03-21 15:13:02 11264 --a------ C:\WINNT\system32\CTFMON.EXE
2005-03-21 15:12:58 166912 --a------ C:\WINNT\system32\MSUTB.DLL
2005-03-21 15:12:46 57344 --a------ C:\WINNT\system32\MSCTFP.DLL
2005-03-21 15:12:42 289792 --a------ C:\WINNT\system32\MSCTF.DLL
2004-12-08 00:46:54 57344 --a------ C:\WINNT\uneng.exe
2004-12-08 00:46:53 0 d-------- C:\Program Files\Common Files\Adaptec Shared
2004-12-08 00:46:31 225280 --a------ C:\WINNT\system32\wmpdxm.dll
2004-12-08 00:46:31 106496 --a------ C:\WINNT\system32\wmpasf.dll
2004-12-08 00:46:17 52224 --a------ C:\WINNT\system32\mspmsnsv.dll
2004-12-08 00:46:13 997888 --a------ C:\WINNT\system32\wmvdmoe2.dll
2004-12-08 00:46:13 892416 --a------ C:\WINNT\system32\wmspdmoe.dll
2004-12-08 00:46:13 1111040 --a------ C:\WINNT\system32\wmsdmoe2.dll
2004-12-08 00:38:30 0 d-------- C:\WINNT\system32\ReinstallBackups
2004-12-07 23:37:14 0 d-------- C:\WINNT\ServicePackFiles
2004-12-07 23:37:13 0 d-------- C:\WINNT\system32\ie_de
2004-12-07 23:22:40 0 d-------- C:\WUTemp
2004-12-07 22:34:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2004-09-22 20:00:00 36922 --a------ C:\WINNT\system32\EntAPI.dll
2004-09-22 20:00:00 11264 --a------ C:\WINNT\system32\dssdata.dll
2004-09-22 20:00:00 8448 --a------ C:\WINNT\system32\drivers\EntDrv50.sys
2004-08-03 22:59:44 655360 --a------ C:\WINNT\system32\mstscax.dll
2004-08-03 22:59:42 407552 --a------ C:\WINNT\system32\mstsc.exe
2004-06-09 08:29:56 6977 --a------ C:\WINNT\system32\DDMI2.sys
2003-11-17 17:12:40 73728 --a------ C:\WINNT\system32\hppcappm.dll
2003-10-24 15:17:50 28672 --a------ C:\WINNT\system32\hppcap3.dll
2003-10-24 15:17:44 36864 --a------ C:\WINNT\system32\hppcapui.dll
2003-10-24 15:17:24 16384 --a------ C:\WINNT\system32\hppcapResEN.DLL
2003-10-07 17:29:16 102400 --a------ C:\WINNT\system32\KodakCoI.dll
2003-10-03 15:14:26 338432 --a------ C:\WINNT\system32\IR41_QCX.DLL
2003-08-28 13:40:00 135168 --a------ C:\WINNT\system32\Scrubber.exe
2003-07-22 08:51:14 36864 --a------ C:\WINNT\system32\hppasnm0.dll
2003-07-22 08:51:14 32768 --a------ C:\WINNT\system32\hppamon0.dll
2003-07-22 08:51:12 45056 --a------ C:\WINNT\system32\hppapts0.dll
2003-07-22 08:51:10 36864 --a------ C:\WINNT\system32\hppapml0.dll
2003-07-22 08:44:00 36864 --a------ C:\WINNT\system32\hppadt40.dll
2003-07-14 12:30:28 197120 --a------ C:\WINNT\patchw32.dll
2003-07-14 12:30:27 34816 --a------ C:\WINNT\patch.exe
2003-07-14 11:30:26 95884 --a------ C:\WINNT\system32\drivers\ipvnmon.sys
2003-07-07 14:38:28 32768 --a------ C:\WINNT\delexe.exe
2003-06-23 09:39:27 0 d-------- C:\WINNT\system32\CertSrv
2003-06-23 02:44:36 1415680 --a------ C:\WINNT\system32\wmv9vcm.dll
2003-06-09 08:35:17 2 --a------ C:\WINNT\cycbts.dat
2003-06-04 18:21:06 0 d-------- C:\Program Files\MUSICMATCH
2003-06-04 18:20:09 0 --a------ C:\WINNT\i
2003-06-04 12:53:03 0 d-------- C:\Documents and Settings\Default User\Application Data\Earthlink
2003-06-03 17:43:18 0 d-------- C:\My Documents
2003-06-03 17:41:21 0 --a------ C:\WINNT\8
2003-06-03 17:41:15 0 d-------- C:\Program Files\Hewlett-Packard
2003-06-02 21:06:34 0 d-------- C:\Program Files\Verizon Online
2003-06-02 21:04:28 0 d-------- C:\WINNT\VerizonOnline
2003-06-02 21:04:26 49210 -----n--- C:\WINNT\system32\vzServices.dll
2003-06-02 21:04:18 0 d-------- C:\Program Files\Common Files\Verizon Online
2003-06-02 21:04:13 0 d-------- C:\WINNT\system32\FinePointLib
2003-05-27 11:11:10 162304 --a------ C:\UNWISE.EXE
2003-04-30 14:22:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2003-04-29 10:37:02 0 d-------- C:\Program Files\Adaptec
2003-04-29 10:36:59 66048 --a------ C:\WINNT\system32\wmerrenu.dll
2003-04-29 10:36:56 45056 --a------ C:\WINNT\system32\wmplenc.dll
2003-04-29 10:36:56 352256 --a------ C:\WINNT\system32\lyrasp.dll
2003-04-29 10:36:54 466944 --a------ C:\WINNT\system32\wmv8dmoe.dll
2003-04-29 10:36:53 446464 --a------ C:\WINNT\system32\wmvdmoe.dll
2003-04-29 10:36:53 335360 --a------ C:\WINNT\system32\wmstream.dll
2003-04-29 10:36:53 118784 --a------ C:\WINNT\system32\wmsdmoe.dll
2003-04-29 10:36:53 241725 --a------ C:\WINNT\system32\msuni11.dll
2003-04-29 10:36:53 368710 --a------ C:\WINNT\system32\msisam11.dll
2003-04-29 10:36:53 163840 --a------ C:\WINNT\system32\mindex.dll
2003-04-29 10:36:51 66048 --a------ C:\WINNT\system32\unam4ie.exe
2003-04-11 13:18:41 225 --a------ C:\TAtempBF.bat
2003-04-11 13:04:47 0 d-------- C:\WINNT\system32\Microsoft
2003-04-11 13:04:41 0 d--h----- C:\Temp
2003-03-17 09:36:26 0 d-------- C:\Program Files\Common Files\MSSoap
2003-03-17 09:36:08 0 d-------- C:\Program Files\ElnBonus
2003-03-17 09:35:21 0 d-------- C:\Program Files\EarthLink TotalAccess
2003-03-16 15:16:46 6656 --a------ C:\WINNT\system32\DLPT2.sys
2003-02-04 05:48:53 90112 -ra------ C:\WINNT\system32\hpocon09.exe
2003-02-04 05:42:17 38912 -ra------ C:\WINNT\system32\hh.exe
2003-02-04 05:37:52 0 d-------- C:\WINNT\AiOTemp
2003-02-03 13:27:11 0 d-------- C:\MABRY
2003-01-23 18:02:11 0 d-------- C:\WINNT\system32\Macromed
2003-01-20 10:39:58 151622 -ra------ C:\WINNT\system32\WLANSTA.exe
2003-01-20 10:39:58 78112 -ra------ C:\WINNT\system32\WLANRES.dll
2003-01-20 10:39:58 73806 -ra------ C:\WINNT\system32\WLANIOC.dll
2003-01-20 10:39:57 52804 -ra------ C:\WINNT\system32\drivers\CW10.SYS
2003-01-16 13:00:52 0 d-------- C:\Program Files\Logitech
2003-01-16 12:59:10 4608 --a------ C:\WINNT\system32\W95Inf32.DLL
2003-01-16 12:48:00 0 d-------- C:\Program Files\Common Files\Adobe
2003-01-16 11:04:16 0 d-------- C:\WINNT\Profiles
2003-01-16 11:01:17 0 d-------- C:\WINNT\MUI
2003-01-16 11:00:44 0 d-------- C:\Program Files\VisualOne
2003-01-16 10:53:51 0 d-------- C:\Program Files\McAfee
2003-01-16 10:53:51 0 d-------- C:\Program Files\Common Files\Network Associates
2003-01-16 10:38:50 294912 --a------ C:\WINNT\system32\MSXBSE35.DLL
2003-01-16 10:38:49 17920 --a------ C:\WINNT\system32\implode.dll
2003-01-16 10:38:48 8204362 --a------ C:\WINNT\system32\crpe32.dll
2003-01-16 10:38:41 385024 --a------ C:\WINNT\system32\vbar332.dll
2003-01-16 10:38:41 415504 --a------ C:\WINNT\system32\msrepl35.dll
2003-01-16 10:38:41 262144 --a------ C:\WINNT\system32\msrd2x35.dll
2003-01-16 10:38:41 1046288 --a------ C:\WINNT\system32\msjet35.dll
2003-01-16 10:38:39 72704 -----n--- C:\WINNT\system32\Odbctl32.dll
2003-01-16 10:38:39 36864 --a------ C:\WINNT\system32\msjter35.dll
2003-01-16 10:38:39 139264 --a------ C:\WINNT\system32\MSJINT35.DLL
2003-01-16 10:38:39 0 d-------- C:\WINNT\CRYSTAL
2003-01-16 10:38:39 0 d-------- C:\Program Files\e-TIMEsheet
2003-01-16 10:37:53 533504 --a------ C:\WINNT\system32\VTSSDL32.DLL
2003-01-16 10:37:53 551936 --a------ C:\WINNT\system32\VCFIWZ32.DLL
2003-01-16 10:37:52 1116160 --a------ C:\WINNT\system32\VCFIDL32.DLL
2003-01-16 10:37:52 91648 --a------ C:\WINNT\system32\KRONSER.DLL
2003-01-16 10:37:52 22528 --a------ C:\WINNT\system32\KRONETH.DLL
2003-01-16 10:37:45 7328 --a------ C:\WINNT\system32\drivers\DS1410D.SYS
2003-01-16 10:37:44 640512 --a------ C:\WINNT\system32\OC30.DLL
2003-01-16 10:37:15 299520 --a------ C:\WINNT\uninst.exe
2003-01-16 10:37:13 0 -rahs---- C:\MSDOS.SYS
2003-01-16 10:37:13 0 -rahs---- C:\IO.SYS
2003-01-16 10:37:03 0 d-------- C:\Program Files\Visual Basic 6.0 Setup Toolkit
2003-01-16 10:36:56 73216 --a------ C:\WINNT\ST6UNST.EXE
2003-01-16 10:29:11 0 d-------- C:\WINNT\RegisteredPackages
2003-01-16 10:28:48 0 d--h----- C:\WINNT\msdownld.tmp
2003-01-11 08:51:52 0 d-------- C:\DRIVERS
2003-01-11 08:50:12 0 d-------- C:\Program Files\microsoft frontpage
2003-01-11 08:50:10 0 d-------- C:\Program Files\WindowsUpdate
2003-01-11 08:50:10 0 d-------- C:\Program Files\Windows NT
2003-01-11 08:50:02 0 dr------- C:\WINNT\Offline Web Pages
2003-01-11 08:50:02 0 d-------- C:\WINNT\MWW32
2003-01-11 08:50:02 0 d--hs---- C:\WINNT\Installer
2003-01-11 08:50:02 0 d-------- C:\WINNT\IME
2003-01-11 08:50:02 0 d--hs---- C:\WINNT\CSC
2003-01-11 08:50:02 0 d-------- C:\Program Files
2003-01-11 08:50:02 0 d-------- C:\Program Files\Common Files
2003-01-11 08:50:02 0 d-------- C:\Documents and Settings
2003-01-11 08:50:02 0 d--h----- C:\Documents and Settings\Default User\Templates
2003-01-11 08:50:02 0 d-------- C:\Documents and Settings\Default User\Start Menu
2003-01-11 08:50:02 0 d--h----- C:\Documents and Settings\Default User\SendTo
2003-01-11 08:50:02 0 d--h----- C:\Documents and Settings\Default User\Recent
2003-01-11 08:50:02 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2003-01-11 08:50:02 0 d--h----- C:\Documents and Settings\Default User\NetHood
2003-01-11 08:50:02 0 d-------- C:\Documents and Settings\Default User\My Documents
2003-01-11 08:50:02 0 d--h----- C:\Documents and Settings\Default User\Local Settings
2003-01-11 08:50:02 0 d-------- C:\Documents and Settings\Default User\Favorites
2003-01-11 08:50:02 0 d-------- C:\Documents and Settings\Default User\Desktop
2003-01-11 08:50:02 0 d---s---- C:\Documents and Settings\Default User\Cookies
2003-01-11 08:50:02 0 d--h----- C:\Documents and Settings\Default User\Application Data
2003-01-11 08:50:02 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2003-01-11 08:50:02 0 d--h----- C:\Documents and Settings\All Users\Templates
2003-01-11 08:50:02 0 d-------- C:\Documents and Settings\All Users\Start Menu
2003-01-11 08:50:02 0 d-------- C:\Documents and Settings\All Users\Favorites
2003-01-11 08:50:02 0 d--hs---- C:\Documents and Settings\All Users\DRM
2003-01-11 08:50:02 0 d-------- C:\Documents and Settings\All Users\Documents
2003-01-11 08:50:02 0 d-------- C:\Documents and Settings\All Users\Desktop
2003-01-11 08:50:02 0 d--h----- C:\Documents and Settings\All Users\Application Data
2003-01-11 08:50:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft
2003-01-11 08:50:00 0 d-------- C:\WINNT\TWAIN_32
2003-01-11 08:50:00 0 d---s---- C:\WINNT\Tasks
2003-01-11 08:50:00 0 d-------- C:\WINNT\Speech
2003-01-11 08:50:00 0 d-------- C:\WINNT\Registration
2003-01-11 08:50:00 0 d-------- C:\WINNT\MSAPPS
2003-01-11 08:50:00 0 d---s---- C:\WINNT\Downloaded Program Files
2003-01-11 08:50:00 0 d-------- C:\WINNT\Debug
2003-01-11 08:50:00 0 d-------- C:\WINNT\AppPatch
2003-01-11 08:49:58 0 d-------- C:\WINNT\SECURITY
2003-01-11 08:49:36 0 d-------- C:\WINNT\Driver Cache
2003-01-11 08:49:36 0 d-------- C:\WINNT\Connection Wizard
2003-01-11 08:49:36 0 d-------- C:\WINNT\ADDINS
2003-01-11 08:49:34 0 d---s---- C:\WINNT\Web
2003-01-11 08:49:32 0 d-------- C:\WINNT\Media
2003-01-11 08:49:32 0 d-------- C:\WINNT\JAVA
2003-01-11 08:49:30 0 d-------- C:\WINNT\Cursors
2003-01-11 08:49:28 0 d-------- C:\WINNT\MSAGENT
2003-01-11 08:49:28 0 d-------- C:\WINNT\Config
2003-01-11 08:49:26 0 dr--s---- C:\WINNT\Fonts
2003-01-11 08:49:22 0 d-------- C:\WINNT\Help
2003-01-11 08:49:16 0 d--h----- C:\WINNT\INF
2003-01-11 08:49:14 0 d-------- C:\WINNT\system32\RPCPROXY
2003-01-11 08:49:14 0 d-------- C:\WINNT\system32\ROCKET
2003-01-11 08:49:14 0 d-------- C:\WINNT\system32\NtmsData
2003-01-11 08:49:14 0 d-------- C:\WINNT\system32\INETSRV
2003-01-11 08:49:14 0 d--h----- C:\WINNT\system32\GroupPolicy
2003-01-11 08:49:14 0 d-------- C:\WINNT\system32\DTCLog
2003-01-11 08:49:14 0 d-------- C:\WINNT\SYSTEM
2003-01-11 08:49:14 0 d-------- C:\WINNT\REPAIR
2003-01-11 08:49:12 0 d-------- C:\WINNT\system32\Com
2003-01-11 08:49:06 0 d-------- C:\WINNT\system32\CatRoot
2003-01-11 08:48:22 0 d-------- C:\WINNT\system32\NPP
2003-01-11 08:48:22 0 d-------- C:\WINNT\system32\MUI
2003-01-11 08:48:22 0 d-------- C:\WINNT\system32\IAS
2003-01-11 08:48:22 0 d-------- C:\WINNT\system32\EXPORT
2003-01-11 08:48:22 0 dr-hs---- C:\WINNT\system32\DLLCACHE
2003-01-11 08:48:20 0 d-------- C:\WINNT\system32\WBEM
2003-01-11 08:48:18 0 d-------- C:\WINNT\system32\WINS
2003-01-11 08:48:18 0 d-------- C:\WINNT\system32\SPOOL
2003-01-11 08:48:18 0 d-------- C:\WINNT\system32\ShellExt
2003-01-11 08:48:18 0 d-------- C:\WINNT\system32\Setup
2003-01-11 08:48:18 0 d-------- C:\WINNT\system32\RAS
2003-01-11 08:48:18 0 d-------- C:\WINNT\system32\OS2
2003-01-11 08:48:18 0 d-------- C:\WINNT\system32\DHCP
2003-01-11 08:48:12 0 d-------- C:\WINNT\system32\DRIVERS
2003-01-11 08:48:12 0 d-------- C:\WINNT\system32\drivers\ETC
2003-01-11 08:48:12 0 d-------- C:\WINNT\system32\drivers\DISDN
2003-01-11 08:48:10 0 d-------- C:\WINNT
2003-01-11 08:48:10 0 d-------- C:\WINNT\SYSTEM32
2003-01-11 08:48:10 0 d-------- C:\WINNT\system32\CONFIG
2003-01-11 08:48:08 0 d--hs---- C:\Recycled
2003-01-11 08:48:08 0 d-------- C:\Discover
2003-01-11 08:48:08 0 d-------- C:\Dell
2003-01-11 08:48:06 0 d-------- C:\I386
2003-01-11 08:48:06 0 d-------- C:\DOS
2003-01-11 08:48:06 0 d-------- C:\BACKUP
2003-01-11 08:02:21 0 d-------- C:\WINNT\system32\DirectX
2003-01-11 08:02:13 181760 --a------ C:\WINNT\system32\d3dref8.dll
2003-01-11 08:02:13 90112 --a------ C:\WINNT\system32\d3dref.dll
2003-01-11 08:02:13 0 d-------- C:\Program Files\directx
2003-01-11 08:01:54 0 d-------- C:\Program Files\Dell Modem-On-Hold
2003-01-11 08:01:46 4272 --a------ C:\WINNT\system32\drivers\bvrp_pci.sys
2003-01-11 08:01:45 0 d-------- C:\Program Files\Modem Helper
2003-01-11 08:01:43 43008 --a------ C:\WINNT\system32\prpcui.exe
2003-01-11 08:01:43 44032 --a------ C:\WINNT\system32\PRPCUI.dll
2003-01-11 08:01:43 57344 -ra------ C:\WINNT\system32\prpclang.dll
2003-01-11 08:01:43 10495 --a------ C:\WINNT\system32\drivers\prpc.sys
2003-01-11 08:01:31 17153 --a------ C:\WINNT\system32\drivers\omci.sys
2003-01-11 08:01:24 53248 --a------ C:\WINNT\system32\DellSys.dll
2003-01-11 08:01:23 0 d-------- C:\Program Files\Dell
2003-01-11 08:01:15 0 d-------- C:\Program Files\Intel
2003-01-11 08:01:00 0 d-------- C:\Program Files\InstallShield Installation Information
2003-01-11 08:00:58 0 d-------- C:\Program Files\Common Files\InstallShield
2003-01-11 08:00:52 446464 --a------ C:\WINNT\system32\HHACTIVE.DLL
2003-01-11 08:00:36 0 d-------- C:\Program Files\Synaptics
2003-01-11 08:00:33 306688 --a------ C:\WINNT\IsUninst.exe
2003-01-11 07:59:12 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2003-01-11 07:59:04 0 d--h----- C:\Documents and Settings\Administrator\Templates
2003-01-11 07:59:04 0 d-------- C:\Documents and Settings\Administrator\Start Menu
2003-01-11 07:59:04 0 d--h----- C:\Documents and Settings\Administrator\SendTo
2003-01-11 07:59:04 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2003-01-11 07:59:04 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2003-01-11 07:59:04 331776 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2003-01-11 07:59:04 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2003-01-11 07:59:04 0 d-------- C:\Documents and Settings\Administrator\My Documents
2003-01-11 07:59:04 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2003-01-11 07:59:04 0 dr------- C:\Documents and Settings\Administrator\Favorites
2003-01-11 07:59:04 0 d-------- C:\Documents and Settings\Administrator\Desktop
2003-01-11 07:59:04 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2003-01-11 07:59:04 0 d--h----- C:\Documents and Settings\Administrator\Application Data
2003-01-11 07:59:04 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2003-01-11 07:57:47 12288 --a------ C:\Documents and Settings\All Users\NTUSER.DAT
2003-01-11 07:56:40 1536 --a------ C:\WINNT\system32\TrueSoft.dat
2003-01-10 02:43:23 0 d-------- C:\WINNT\winsxs
2002-12-24 04:52:59 0 d-------- C:\My Images
2002-12-09 01:52:58 0 d-------- C:\Program Files\KB823980Scan
2002-11-22 23:04:35 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_230.dat
2002-11-11 21:49:56 141312 --a------ C:\WINNT\system32\drivers\sp_rsdrv2.sys
2002-11-11 21:49:55 0 d-------- C:\Documents and Settings\Allyson\Application Data\Spyware Terminator
2002-11-11 21:49:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2002-11-11 21:49:50 0 d-a------ C:\Program Files\Spyware Terminator
2002-11-06 01:30:42 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_498.dat
2002-09-24 17:38:24 159744 --a------ C:\WINNT\system32\win2000.dll
2002-08-21 05:13:12 189952 --a------ C:\WINNT\system32\WISPTIS.EXE
2002-08-21 05:10:16 204800 --a------ C:\WINNT\system32\INKED.DLL
2002-08-08 08:36:06 15012 --a------ C:\WINNT\system32\emptyregdb.dat
2002-07-01 04:42:49 860160 --a------ C:\WINNT\system32\ccsdk32.dll
2002-05-09 02:07:17 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_5a4.dat
2002-05-09 00:51:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2002-05-09 00:51:31 0 d-------- C:\WINNT\system32\Kaspersky Lab
2002-04-23 16:28:22 557128 --a------ C:\WINNT\system32\dao360.dll


-- Find3M Report ---------------------------------------------------------------

2002-06-21 07:12:16 32768 --a------ C:\WINNT\system32\crwrap32.dll
2002-05-08 22:04:46 1539 --a------ C:\Documents and Settings\Allyson\Application Data\QuickZip45.ini
2002-03-20 07:38:36 27920 --a------ C:\WINNT\system32\SETUPCL.EXE


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{67982BB7-0F95-44C5-92DC-E3AF3DC19D6D}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 11:05a C:\WINNT\SYSTEM32\mobsync.exe]
"PCTVOICE"="pctspk.exe" [10/11/02 12:37a C:\WINNT\SYSTEM32\pctspk.exe]
"ATIModeChange"="Ati2mdxx.exe" [09/04/01 02:24p C:\WINNT\SYSTEM32\Ati2mdxx.exe]
"AtiPTA"="atiptaxx.exe" [05/08/02 09:14p C:\WINNT\SYSTEM32\atiptaxx.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [08/01/02 02:43p]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [08/01/02 02:43p]
"PRPCMonitor"="PRPCUI.exe" [03/25/02 02:30p C:\WINNT\SYSTEM32\prpcui.exe]
"WLANSTA.EXE"="WLANSTA.exe" [03/12/02 01:23a C:\WINNT\SYSTEM32\WLANSTA.exe]
"Logitech Utility"="Logi_MwX.Exe" [11/07/03 01:50a C:\WINNT\LOGI_MWX.EXE]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [11/11/02 10:17p]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [09/22/04 08:00p]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [11/11/02 09:49p]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [03/21/05 03:13p C:\WINNT\SYSTEM32\CTFMON.EXE]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=internat.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceActiveDesktopOn"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kdeul.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau]
nwprovau.dll 06/19/03 11:05a 139536 C:\WINNT\SYSTEM32\NWPROVAU.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"




-- Hosts -----------------------------------------------------------------------

192.168.1.2 ngsc
192.168.1.3 mail1
192.168.1.4 fms
192.168.1.10 adp
192.168.1.171 mwsvrapp01


-- End of Deckard's System Scanner: finished at 2002-05-09 09:35:53 ------------



extra.txt
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows 2000 Professional (build 2195) SP 4.0
Architecture: X86; Language: English

CPU 0: Mobile Intel® Pentium® 4 - M CPU 2.00GHz
Percentage of Memory in Use: 96%
Physical Memory (total/avail): 255.43 MiB / 8 MiB
Pagefile Memory (total/avail): 611.2 MiB / 271.79 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1938.3 MiB

C: is Fixed (NTFS) - 18.59 GiB total, 13.02 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - IC25N020ATCS04-0 - 18.63 GiB - 2 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Installable File System - 18.59 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Allyson\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ALLYSON
ComSpec=C:\WINNT\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Allyson
LOGONSERVER=\\ALLYSON
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\WINNT\system32;C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramFiles=C:\Program Files
PROMPT=$P$G
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\DOCUME~1\Allyson\LOCALS~1\Temp
TMP=C:\DOCUME~1\Allyson\LOCALS~1\Temp
USERDOMAIN=ALLYSON
USERNAME=Allyson
USERPROFILE=C:\Documents and Settings\Allyson
windir=C:\WINNT


-- User Profiles ---------------------------------------------------------------

Allyson (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINNT\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\MESSEN~1\yhexbmes.dll
Adobe Download Manager (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Reader 7.0.5 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Adobe Shockwave Player --> C:\WINNT\SYSTEM32\MACROMED\SHOCKW~1\UNWISE.EXE C:\WINNT\SYSTEM32\MACROMED\SHOCKW~1\Install.log
ATI Display Driver --> rundll32 C:\WINNT\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
AXIS Media Control Embedded --> rundll32 "C:\Program Files\Axis Communications\AXIS Media Control Embedded\AxisMediaControlEmb.dll",UninstallMe
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Dell Modem-On-Hold --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
HijackThis 2.0.2 --> "C:\Documents and Settings\Allyson\Desktop\HijackThis.exe" /uninstall
Intel SpeedStep technology Applet --> C:\WINNT\IsUninst.exe -f"C:\WINNT\System32\Intel® SpeedStep™ technology Applet.isu"
Kaspersky Online Scanner --> C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Logitech MouseWare 9.79 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5809E7CF-4DCF-11D4-9875-00105ACE7734}\setup.exe" -l0x9 -l0009 UNINSTALL
MAGIX music maker 11 demo (US) --> C:\MAGIX\mm11_e-version\instslct.exe
McAfee VirusScan Enterprise --> MsiExec.exe /I{5DF3D1BB-894E-4DCD-8275-159AC9829B43}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{90120409-6000-11D3-8CFE-0150048383C9}
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
MSXML 4.0 SP2 (KB927978) --> MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
PCTEL 2304WT V.92 MDC Modem Drivers --> ptuninst.exe
Quick Zip 4.60.018 --> "C:\Program Files\QuickZip4\unins000.exe"
Remote Desktop Connection --> MsiExec.exe /X{3E713D52-C967-41FB-AA24-3A92CC1025A4}
Security Update for Windows 2000 (KB904706) --> "C:\WINNT\$NtUninstallKB904706$\spuninst\spuninst.exe"
Spyware Terminator --> "C:\Program Files\Spyware Terminator\unins000.exe"
Synaptics TouchPad --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Text-To-Speech-Runtime --> MsiExec.exe /X{7B3F0113-E63C-4D6D-AF19-111A3165CCA2}
User's Guides --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CD29180-A95E-11D3-A4EB-00C04F7BDB2C}\setup.exe"
Visual Basic 6.0 Setup Toolkit --> C:\WINNT\st6unst.exe -n "C:\Program Files\Visual Basic 6.0 Setup Toolkit\ST6UNST.LOG"
WebVideo Support --> C:\WINNT\main_uninstaller.exe
Windows Media Player system update (9 Series) --> C:\PROGRA~1\WINDOW~2\setup_wm.exe /Uninstall
Yahoo! Install Manager --> C:\WINNT\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
ZSNES 1.51 --> C:\Documents and Settings\Allyson\Desktop\Games\ZSNES\Uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type3758 / Warning
Event Submitted/Written: 09/21/2007 07:18:36 PM
Event ID/Source: 4100 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber {6295DF2D-35EE-11D1-8707-00C04FD93327}. CoCreateInstanceEx returned HRESULT 8000401A.

Event Record #/Type3753 / Warning
Event Submitted/Written: 09/21/2007 07:01:31 PM
Event ID/Source: 4100 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber {6295DF2D-35EE-11D1-8707-00C04FD93327}. CoCreateInstanceEx returned HRESULT 8000401A.

Event Record #/Type3742 / Warning
Event Submitted/Written: 09/21/2007 06:46:53 PM
Event ID/Source: 4100 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber {6295DF2D-35EE-11D1-8707-00C04FD93327}. CoCreateInstanceEx returned HRESULT 8000401A.

Event Record #/Type3718 / Error
Event Submitted/Written: 09/21/2007 06:20:59 PM
Event ID/Source: 5004 / McLogEvent
Event Description:
Could not contact Filter Driver.

Error = 0x2 : The system cannot find the file specified.

Event Record #/Type3716 / Warning
Event Submitted/Written: 09/21/2007 06:20:41 PM
Event ID/Source: 4100 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber {6295DF2D-35EE-11D1-8707-00C04FD93327}. CoCreateInstanceEx returned HRESULT 8000401A.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type3345 / Warning
Event Submitted/Written: 11/05/2002 01:02:17 AM
Event ID/Source: 20169 / RemoteAccess
Event Description:
Unable to contact a DHCP server. The Automatic Private IP Address 169.254.182.3 will be
assigned to dial-in clients. Clients may be unable to access resources on
the network.

Event Record #/Type3341 / Error
Event Submitted/Written: 11/05/2002 01:00:57 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The NWLink IPX/SPX/NetBIOS Compatible Transport Protocol service failed to start due to the following error:
%%87

Event Record #/Type3340 / Warning
Event Submitted/Written: 11/05/2002 01:00:57 AM
Event ID/Source: 9503 / NwlnkIpx
Event Description:
The value for the NwlnkIpx parameter Export was illegal.

Event Record #/Type3336 / Warning
Event Submitted/Written: 11/05/2007 07:44:26 PM
Event ID/Source: 20169 / RemoteAccess
Event Description:
Unable to contact a DHCP server. The Automatic Private IP Address 169.254.123.80 will be
assigned to dial-in clients. Clients may be unable to access resources on
the network.

Event Record #/Type3335 / Warning
Event Submitted/Written: 11/05/2007 07:44:26 PM
Event ID/Source: 20169 / RemoteAccess
Event Description:
Unable to contact a DHCP server. The Automatic Private IP Address 169.254.150.110 will be
assigned to dial-in clients. Clients may be unable to access resources on
the network.



-- End of Deckard's System Scanner: finished at 2002-05-09 09:35:53 ------------


I also did a Kaspersky Online Scan. Here are the results:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, May 09, 2002 2:00:08 AM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/05/2008
Kaspersky Anti-Virus database records: 746352
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 29932
Number of viruses found: 5
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 00:34:46

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Allyson\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Allyson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Allyson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Allyson\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Allyson\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Allyson\My Documents\mw_setup.exe/data0007 Infected: not-a-virus:FraudTool.Win32.MalwareWipe.d skipped
C:\Documents and Settings\Allyson\My Documents\mw_setup.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Allyson\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Allyson\ntuser.dat.LOG Object is locked skipped
C:\Downloads\TriviaGemsSetup-dm[1].exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
C:\Program Files\Common Files\Companion Wizard\WapCHK.dll Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.2006 skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\CSC\00000003 Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINNT\main_uninstaller.exe Infected: not-a-virus:AdWare.Win32.Vapsup.gw skipped
C:\WINNT\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SYSTEM.ALT Object is locked skipped

Scan process completed.


Here's my post in "Misplaced HJT Logs":
http://www.bleepingcomputer.com/forums/ind...st&p=819502

Thank you!

Edited by kylezo, 08 May 2008 - 03:59 PM.




#2 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:08:55 AM

Posted 20 May 2008 - 08:58 PM

Hello kylezo

Welcome to the Bleeping Computer Malware Removal Forum. Sorry about the delay, but the number of people posting with infected computers is through the roof and sometimes we can't get to logs as fast as we would like to. If you have not resolved your issue and still need assistance, please post a new HJT log, as your system may have changed since your original post.

Download Trend Micro's HijackThis to your desktop.
Double-click it to install.
Follow the prompts and by default it will install in C:\Program Files\Trendmicro\Hijackthis\Highjackthis.exe
  • Open HJT Scan and Save a Log File, it will open in Notepad
  • Go to Format and make sure Wordwrap is Unchecked
  • Go to Edit > Select All, then Edit > Copy, and paste the new log into this thread using Post Reply; do not start a New Thread.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

Please consider a donation to help me keep up my fight against malware.

Just a reminder that threads will be closed if no response in 3 days


#3 kylezo

kylezo
  • Topic Starter

  • Members
  • 57 posts
  • Local time:06:55 AM

Posted 27 May 2008 - 04:33 AM

Sorry for the delay, I didn't get an email for this post, don't know why...I haven't used the computer since posting the logs, but tomorrow I can get on again and generate a new HJT log, just wanted to let you know that I am still here and still having the issues.

Thanks!
Kyle

#4 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:08:55 AM

Posted 27 May 2008 - 05:39 AM

Hello Kyle,

On the top of the post you will see an option for My Controls, then on the bottom left there is a link for Email setting, make sure you click the radio button to enable it and to have Immediate Notifications.

Then on the top of this post under OPTIONS, make sure you select TRACK THIS TOPIC.

Ken



#5 kylezo

kylezo
  • Topic Starter

  • Members
  • 57 posts
  • Local time:06:55 AM

Posted 27 May 2008 - 03:06 PM

Update: Internet Explorer has stopped crashing immediately upon opening, and I can use it outside of Safe Mode. I can't imagine why; I haven't used the computer since running the last scans. Here is the new log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:53:18 PM, on 5/28/2002
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\WLANSTA.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Allyson\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINNT\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://cam-rg.dev.lane.edu/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = meadow.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = meadow.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.38 85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.38 85.255.112.121
O21 - SSODL: exemplars - {2acf3add-34a1-4f2f-99cf-cc69785d1e90} - (no file)
O22 - SharedTaskScheduler: exemplars - {2acf3add-34a1-4f2f-99cf-cc69785d1e90} - (no file)
O22 - SharedTaskScheduler: hellenophile - {6f396a67-f473-48c9-9950-636ce17e584e} - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\hpzipm12.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O24 - Desktop Component 0: (no name) - http://us.i1.yimg.com/us.yimg.com/i/us/my/th/thm/ad8.gif
O24 - Desktop Component 1: (no name) - http://img.icbdr.com/images/shell/bg_cb_Masthead.gif

--
End of file - 5983 bytes

#6 ken545

Malware Response Team

Posted 27 May 2008 - 05:25 PM

Hi,

You do have some issues going on that we need to fix.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
FixWareout Subratam
FixWareout Lonny
  • Save it to your desktop and run it.
  • Click Next, then Install,
  • Then make sure "Run fixit" is checked and click Finish.
  • The fix will begin; follow the prompts.
  • You will be asked to reboot your computer; please do so.
  • Your system may take longer than usual to load; this is normal.
  • At the end of the fix, you may need to restart your computer again.
Save the contents of the logfile C:\fixwareout\report.txt and post it into your next reply along with a new HJT log, please.



#7 kylezo

Topic Starter

Posted 29 May 2008 - 03:32 PM

Hi, Thanks for helping me with this! :thumbsup:

FixWareout report:

Username "Allyson" - 05/30/2002 13:10:47 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdeul.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.115.38 85.255.112.121" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"PCTVOICE"="pctspk.exe"
"ATIModeChange"="Ati2mdxx.exe"
"AtiPTA"="atiptaxx.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"PRPCMonitor"="PRPCUI.exe"
"WLANSTA.EXE"="WLANSTA.EXE START"
"Logitech Utility"="Logi_MwX.Exe"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"SpywareTerminator"="\"C:\\Program Files\\Spyware Terminator\\SpywareTerminatorShield.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~



HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:19:46 PM, on 5/30/2002
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\WLANSTA.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Allyson\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINNT\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://cam-rg.dev.lane.edu/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = meadow.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = meadow.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.38 85.255.112.121
O21 - SSODL: exemplars - {2acf3add-34a1-4f2f-99cf-cc69785d1e90} - (no file)
O22 - SharedTaskScheduler: exemplars - {2acf3add-34a1-4f2f-99cf-cc69785d1e90} - (no file)
O22 - SharedTaskScheduler: hellenophile - {6f396a67-f473-48c9-9950-636ce17e584e} - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\hpzipm12.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O24 - Desktop Component 0: (no name) - http://us.i1.yimg.com/us.yimg.com/i/us/my/th/thm/ad8.gif
O24 - Desktop Component 1: (no name) - http://img.icbdr.com/images/shell/bg_cb_Masthead.gif

--
End of file - 5890 bytes

#8 ken545

Malware Response Team

Posted 29 May 2008 - 04:42 PM

kylezo,

You have a few things going on besides Wareout, so we need to do a few more things. This may be a mouthful, so take your time and follow the instructions in order, please, and if there is something you don't understand, post back.

The first thing to do is go to C:\Program Files, click on File > New Folder and name the folder HJT, then go to where you have HJT installed now and CUT and then Paste it into the new folder you just created. We're doing this to put HJT in its own folder for backup purposes.


Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - (no file)

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.38 85.255.112.121

O21 - SSODL: exemplars - {2acf3add-34a1-4f2f-99cf-cc69785d1e90} - (no file)

O22 - SharedTaskScheduler: exemplars - {2acf3add-34a1-4f2f-99cf-cc69785d1e90} - (no file)
O22 - SharedTaskScheduler: hellenophile - {6f396a67-f473-48c9-9950-636ce17e584e} - (no file)




You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Download SmitfraudFix
Extract the content (a folder named SmitfraudFix) to your Desktop.


Boot your computer into Safemode
  • Go to Start> Shut Off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly.
  • This will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter on your Keyboard
Tutorial if you need it How to boot into Safemode



  • Once in Safe Mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd
  • Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
  • You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
  • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
  • The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart into normal Windows.
  • A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt


Reboot normally.

  • Open the SmitfraudFix folder and double-click smitfraudfix.cmd
  • Select option #3 - Delete Trusted zone by typing 3 and press Enter
  • Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.



Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply along with a Hijackthis log.

Please download ATF Cleaner by Atribune to your desktop.
  • This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.


Post the log from Smitfraud fix, Malwarebytes and a New HJT log please


#9 kylezo

Topic Starter

Posted 30 May 2008 - 12:26 AM

Applied the HJT fixes without problem. I got all the way up to the smitfraud fix and hit 2, and enter, and a bit of the way through, it gave me an error - the registry files could not be accessed, and it said that it may be due to damaged file data or something like that. Keep in mind that I am running Windows 2000; I think that is why the Smitfraud Fix didn't work - perhaps the data wasn't where it expected it to be. I left it running and got to the next prompt for cleaning the registry, hit y, and everything seemed to go well. I closed the lid of the laptop while it was working and when I opened it the display would not come back on. I had to shut it down using the power button. I don't have the logs right now, but I will post them up tomorrow, if they are there at all. Should I try to run the fix again?

#10 ken545

Malware Response Team

Posted 30 May 2008 - 03:38 AM

Good Morning,

It should run on 2000, but let's bypass it and run Malwarebytes. If you got a log from smitfraud, post it please.


#11 kylezo

Topic Starter

Posted 30 May 2008 - 05:13 PM

SmitFraud/rapport.txt:

SmitFraudFix v2.323

Scan done at 19:05:44.56, Thu 05/30/2002
Run from C:\Documents and Settings\Allyson\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINNT\main_uninstaller.exe Deleted
C:\DOCUME~1\Allyson\FAVORI~1\Online Security Test.url Deleted
C:\DOCUME~1\Allyson\FAVORI~1\Error Cleaner.url Deleted
C:\DOCUME~1\Allyson\FAVORI~1\Privacy Protector.url Deleted
C:\DOCUME~1\Allyson\FAVORI~1\Spyware?Malware Protection.url Deleted
C:\Program Files\Video ActiveX Access\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{450203F7-FC8D-432A-BB11-86DBBDC1BCF1}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{450203F7-FC8D-432A-BB11-86DBBDC1BCF1}: DhcpNameServer=64.13.8.5 64.13.48.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{450203F7-FC8D-432A-BB11-86DBBDC1BCF1}: NameServer=85.255.115.38,85.255.112.121
HKLM\SYSTEM\CS1\Services\Tcpip\..\{660B9AF7-477F-4841-8C6C-CEB53CE96A7D}: DhcpNameServer=85.255.115.38,85.255.112.121
HKLM\SYSTEM\CS1\Services\Tcpip\..\{660B9AF7-477F-4841-8C6C-CEB53CE96A7D}: NameServer=85.255.115.38,85.255.112.121
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6BF888EF-671F-4619-8B8F-31001FD2234C}: DhcpNameServer=85.255.115.38,85.255.112.121
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6BF888EF-671F-4619-8B8F-31001FD2234C}: NameServer=85.255.115.38,85.255.112.121
HKLM\SYSTEM\CS1\Services\Tcpip\..\{76786AE6-FF81-4519-A237-5C263F2F0812}: DhcpNameServer=85.255.115.38,85.255.112.121
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BE3FD649-238C-471D-ACE6-45503A7A23A6}: DhcpNameServer=85.255.115.38,85.255.112.121
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BE3FD649-238C-471D-ACE6-45503A7A23A6}: NameServer=85.255.115.38,85.255.112.121
HKLM\SYSTEM\CS1\Services\Tcpip\..\{EDF15CF5-F382-4263-BE3A-BE987B5F3514}: DhcpNameServer=85.255.115.38,85.255.112.121
HKLM\SYSTEM\CS1\Services\Tcpip\..\{EDF15CF5-F382-4263-BE3A-BE987B5F3514}: NameServer=85.255.115.38,85.255.112.121
HKLM\SYSTEM\CS3\Services\Tcpip\..\{450203F7-FC8D-432A-BB11-86DBBDC1BCF1}: DhcpNameServer=64.13.8.5 64.13.48.12
HKLM\SYSTEM\CS3\Services\Tcpip\..\{450203F7-FC8D-432A-BB11-86DBBDC1BCF1}: NameServer=85.255.115.38,85.255.112.121
HKLM\SYSTEM\CS3\Services\Tcpip\..\{660B9AF7-477F-4841-8C6C-CEB53CE96A7D}: DhcpNameServer=85.255.115.38,85.255.112.121
HKLM\SYSTEM\CS3\Services\Tcpip\..\{660B9AF7-477F-4841-8C6C-CEB53CE96A7D}: NameServer=85.255.115.38,85.255.112.121
HKLM\SYSTEM\CS3\Services\Tcpip\..\{6BF888EF-671F-4619-8B8F-31001FD2234C}: DhcpNameServer=85.255.115.38,85.255.112.121
HKLM\SYSTEM\CS3\Services\Tcpip\..\{6BF888EF-671F-4619-8B8F-31001FD2234C}: NameServer=85.255.115.38,85.255.112.121
HKLM\SYSTEM\CS3\Services\Tcpip\..\{76786AE6-FF81-4519-A237-5C263F2F0812}: DhcpNameServer=85.255.115.38,85.255.112.121
HKLM\SYSTEM\CS3\Services\Tcpip\..\{BE3FD649-238C-471D-ACE6-45503A7A23A6}: DhcpNameServer=85.255.115.38,85.255.112.121
HKLM\SYSTEM\CS3\Services\Tcpip\..\{BE3FD649-238C-471D-ACE6-45503A7A23A6}: NameServer=85.255.115.38,85.255.112.121
HKLM\SYSTEM\CS3\Services\Tcpip\..\{EDF15CF5-F382-4263-BE3A-BE987B5F3514}: DhcpNameServer=85.255.115.38,85.255.112.121
HKLM\SYSTEM\CS3\Services\Tcpip\..\{EDF15CF5-F382-4263-BE3A-BE987B5F3514}: NameServer=85.255.115.38,85.255.112.121
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=64.13.8.5 64.13.48.12
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=85.255.115.38 85.255.112.121


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning


MalwareBytes log:

Malwarebytes' Anti-Malware 1.14
Database version: 805

2:57:55 PM 5/31/2002
mbam-log-5-31-2002 (14-57-55).txt

Scan type: Quick Scan
Objects scanned: 32231
Time elapsed: 5 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{459f4226-1aab-43b6-9dc1-b6313ef83749} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{6f520be0-9b54-4558-816f-224e67997df3} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Security Tools (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebVideo (Trojan.Fakealert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{c95fe080-8f5d-11d2-a20b-00aa003c157a} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Allyson\Application Data\WinAntiVirus Pro 2007 (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Allyson\Application Data\WinAntiVirus Pro 2007\Logs (Rogue.WinAntivirus) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Allyson\Application Data\WinAntiVirus Pro 2007\PGE.dat (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Allyson\Application Data\WinAntiVirus Pro 2007\Logs\update.log (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Allyson\Application Data\WinAntiVirus Pro 2007\Logs\wa6Support.log (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Allyson\Application Data\WinAntiVirus Pro 2007\Logs\winav.log (Rogue.WinAntivirus) -> Quarantined and deleted successfully.


New HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:00:03 PM, on 5/31/2002
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\WLANSTA.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\HJT\HiJackThis.exe
C:\WINNT\System32\WBEM\WinMgmt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINNT\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://cam-rg.dev.lane.edu/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = meadow.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = meadow.local
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\hpzipm12.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O24 - Desktop Component 0: (no name) - http://us.i1.yimg.com/us.yimg.com/i/us/my/th/thm/ad8.gif
O24 - Desktop Component 1: (no name) - http://img.icbdr.com/images/shell/bg_cb_Masthead.gif

--
End of file - 4967 bytes
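
The O17 lines are where the DNS hijack can be followed across the three HijackThis logs in this thread. The sketch below is an added example, not part of any post: it parses O17 lines and reports which control sets still carry a public resolver that is not on an allow list. The function names and the `known_resolvers` parameter are assumptions, and a flagged address is a prompt for review, not a verdict.

```python
import ipaddress
import re

# O17 excerpts copied from the HijackThis logs in posts #5, #7 and #11.
LOG_POST_5 = r"""
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = meadow.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = meadow.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.38 85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.38 85.255.112.121
"""
LOG_POST_7 = r"""
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = meadow.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = meadow.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.38 85.255.112.121
"""
LOG_POST_11 = r"""
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = meadow.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = meadow.local
"""
# Constructed line (not from any log): a private router address plus a
# public resolver, used to show the allow list.
CONSTRUCTED = (
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: "
    r"NameServer = 192.168.1.254 64.13.8.5"
)

# "O17 - HKLM\System\<control set>\Services\Tcpip\<scope>: <name> = <value>"
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cset>[^\\]+)\\Services\\Tcpip\\"
    r"(?P<scope>.*?): (?P<name>\w+) = (?P<value>.*)$"
)


def parse_o17(log):
    """Yield (control_set, scope, value_name, value) for each O17 line."""
    for line in log.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            yield m["cset"], m["scope"], m["name"], m["value"]


def _addresses(value):
    """Split a space- or comma-separated resolver list into IP objects."""
    out = []
    for token in re.split(r"[ ,]+", value.strip()):
        try:
            out.append(ipaddress.ip_address(token))
        except ValueError:
            continue  # not an IP address; ignore
    return out


def flag_dns(log, known_resolvers=()):
    """Return O17 resolver entries holding public, non-allow-listed IPs."""
    known = {ipaddress.ip_address(a) for a in known_resolvers}
    findings = []
    for cset, scope, name, value in parse_o17(log):
        if name.lower() not in ("nameserver", "dhcpnameserver"):
            continue  # e.g. "Domain = meadow.local"
        unknown = [a for a in _addresses(value)
                   if not a.is_private and a not in known]
        if unknown:
            findings.append((cset, scope, name, [str(a) for a in unknown]))
    return findings


if __name__ == "__main__":
    for label, log in (("#5", LOG_POST_5), ("#7", LOG_POST_7),
                       ("#11", LOG_POST_11)):
        sets = [f[0] for f in flag_dns(log)]
        print(f"post {label}: control sets with unknown resolvers: {sets}")
```

Run over the excerpts, the result shrinks from CS1 and CCS (post #5) to CS1 alone (post #7) to nothing (post #11), which is why each control set has to be checked, not just the current one.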

#12 ken545

Malware Response Team

Posted 30 May 2008 - 05:47 PM

Hello,

You're doing well :thumbsup:

Not sure what these are; you can remove them with HJT unless it's something you want to keep.

O24 - Desktop Component 0: (no name) - http://us.i1.yimg.com/us.yimg.com/i/us/my/th/thm/ad8.gif
O24 - Desktop Component 1: (no name) - http://img.icbdr.com/images/shell/bg_cb_Masthead.gif


Please download ATF Cleaner by Atribune to your desktop.
  • This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot up.


The rest of your log looks fine :) How are things running now???



#13 kylezo

Topic Starter

Posted 30 May 2008 - 06:05 PM

Seems quite a bit better now! Thank you very much for your help!

#14 ken545

Malware Response Team

Posted 30 May 2008 - 07:20 PM

Hello Kyle,

You're very welcome. Some reading for you plus links to free programs to install to help keep you more secure.


Safe Surfn
Ken



#15 ken545

Malware Response Team

Posted 04 June 2008 - 06:28 AM

Since this issue appears resolved this topic will now be closed