No Virus Detected - Concerned About Afinding.exe, Nobicyt.exe, Wserving.exe



#1 Pat C.

Posted 14 July 2008 - 10:46 AM

Hi,

I've recently run McAfee v8.5.0.i (enterprise) and NoAdware v5 and did not discover any issues. I'm concerned about some remnant executables afinding.exe, Nobicyt.exe, wserving.exe, routing.exe, perfs.exe. Some of these may be important operating system files but I'm not sure if there could be any potential problems.

Here are the main and extra text file contents:

main.txt
----------
Deckard's System Scanner v20071014.68
Run by 30028930 on 2008-07-14 12:26:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
23: 2008-07-14 15:27:13 UTC - RP23 - Deckard's System Scanner Restore Point
22: 2008-07-13 23:05:16 UTC - RP22 - System Checkpoint
21: 2008-07-12 22:05:15 UTC - RP21 - System Checkpoint
20: 2008-07-11 21:26:51 UTC - RP20 - System Checkpoint
19: 2008-07-09 21:20:03 UTC - RP19 - System Checkpoint


-- First Restore Point --
1: 2008-06-26 13:28:20 UTC - RP1 - Configured PowerDVD


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as 30028930.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:46 PM, on 07-14-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ACS\DPA\ACSDPA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\novalis\bin\lr_disp_service.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\PGPserv.exe
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
C:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe
C:\WINDOWS\system32\afinding.exe
C:\WINDOWS\system32\wserving.exe
C:\WINDOWS\system32\Nobicyt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Spark] C:\Program Files\Spark\KYWINS.exe
O4 - Global Startup: AudioDeck.lnk = C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PGPtray.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1184673041921
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1184683749281
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://acs-inc.webex.com/client/wbs25-vzbp...bex/ieatgpc.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.leaguelineup.com/XUpload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gs.acs-inc.com
O17 - HKLM\Software\..\Telephony: DomainName = gs.acs-inc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gs.acs-inc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gs.acs-inc.com
O23 - Service: ACSDPA - ACS - C:\Program Files\ACS\DPA\ACSDPA.exe
O23 - Service: AFinding log Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LR_ValEngSrvc - NovaLIS Technologies Inc. - C:\WINDOWS\system32\LR_ValEngSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NOBICYT - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe
O23 - Service: NovaLIS Dispatcher - NovaLIS Technologies - c:\novalis\bin\lr_disp_service.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: perfmons - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
O23 - Service: Routing Index Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: Shavlik Remote Scheduler Service (Shavlik Scheduler) - Shavlik Technologies - C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe
O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe

--
End of file - 8294 bytes

-- File Associations -----------------------------------------------------------

.inf - TextPad.inf - DefaultIcon - %SystemRoot%\System32\shell32.dll,-151
.inf - TextPad.inf - shell\open\command - "C:\Program Files\TextPad 4\TextPad.exe" -s
.ini - TextPad.ini - DefaultIcon - %SystemRoot%\System32\shell32.dll,-151
.ini - TextPad.ini - shell\open\command - "C:\Program Files\TextPad 4\TextPad.exe" -s
.txt - TextPad.txt - DefaultIcon - "C:\Program Files\TextPad 4\TextPad.exe",1
.txt - TextPad.txt - shell\open\command - "C:\Program Files\TextPad 4\TextPad.exe" -s


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 PGPwded (PGPwded Storage Filter Service) - c:\windows\system32\drivers\pgpwded.sys <Not Verified; PGP Corporation; PGP>
R2 PGPdisk - c:\windows\system32\drivers\pgpdisk.sys <Not Verified; PGP Corporation; PGP>
R2 PGPsdkDriver - c:\windows\system32\drivers\pgpsdk.sys <Not Verified; PGP Corporation; PGPsdk>

S3 aeaudio - c:\windows\system32\drivers\aeaudio.sys <Not Verified; Andrea Electronics Corporation; Andrea Audio Driver>
S3 smwdm - c:\windows\system32\drivers\smwdm.sys <Not Verified; Analog Devices, Inc.; SoundMAX Digital Audio Driver>
S3 Vsp - c:\windows\system32\drivers\vsp.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ACSDPA - "c:\program files\acs\dpa\acsdpa.exe" <Not Verified; ACS; ACS Data Protection Agent>
R2 AFinding (AFinding log Service) - c:\windows\system32\afinding.exe
R2 NOBICYT - c:\windows\system32\nobicyt.exe
R2 NovaLIS Dispatcher - c:\novalis\bin\lr_disp_service.exe <Not Verified; NovaLIS Technologies; NovaLIS Dispatch Service>
R2 perfmons - c:\windows\system32\perfs.exe
R2 PGPserv - c:\windows\system32\pgpserv.exe <Not Verified; PGP Corporation; PGPsdk>
R2 Routing (Routing Index Service) - c:\windows\system32\routing.exe
R2 WServing (WServing Service) - c:\windows\system32\wserving.exe

S3 LR_ValEngSrvc - c:\windows\system32\lr_valengsrvc.exe <Not Verified; NovaLIS Technologies Inc.; NovaLIS Technologies - Valuation Lookup Service>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA


-- Scheduled Tasks -------------------------------------------------------------

2008-07-14 01:08:30 278 --a------ C:\WINDOWS\Tasks\TechSupport_PST_backup.job
2008-07-13 19:26:15 428 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{47E6B7E4-CD8D-4F49-A0D8-050D6BAB3438}.job


-- Files created between 2008-06-14 and 2008-07-14 -----------------------------

2008-07-14 12:04:07 0 d-------- C:\Program Files\Trend Micro
2008-07-08 15:29:43 0 d-------- C:\WINDOWS\$SQLUninstallSQL2000-KB948110-v8.00.2050-x86-ENU$
2008-07-08 13:00:08 122880 --a------ C:\WINDOWS\system32\dwspyvb6.dll <Not Verified; Desaware Inc.; SpyWorks 6.0>
2008-07-08 13:00:08 14848 --a------ C:\WINDOWS\system32\dwspy5.dll <Not Verified; Desaware Inc.; SpyWorks 5>
2008-07-08 13:00:06 126976 --a------ C:\WINDOWS\system32\c1sizerppg.dll <Not Verified; ; C1Sizer Property pages>
2008-07-08 13:00:05 249856 --a------ C:\WINDOWS\system32\XDockFloat.dll <Not Verified; DSXTech,LLC; XDockFloat Module>
2008-07-08 11:48:38 0 d-------- C:\Program Files\NoAdware5.0
2008-07-03 12:23:31 0 d-------- C:\Documents and Settings\LocalService\My Documents
2008-07-03 10:49:00 203776 --a------ C:\WINDOWS\system32\clrviddc.dll <Not Verified; Iterated Systems, Inc.; ClearVideo Decoder DLL>
2008-07-03 10:47:27 0 d-------- C:\Program Files\Common Files\xing shared
2008-06-25 23:01:49 305664 --a------ C:\WINDOWS\system32\andt.sys
2008-06-25 11:32:05 0 d-------- C:\QUARANTINE
2008-06-18 13:13:11 0 d-------- C:\Program Files\QuickTime
2008-06-18 13:13:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-18 13:11:55 0 d-------- C:\Program Files\Apple Software Update
2008-06-18 13:11:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-18 12:15:28 0 d-------- C:\Documents and Settings\LocalService\Application Data\Real
2008-06-18 12:12:29 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-06-18 12:12:26 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-07-10 12:30:25 0 d-------- C:\Documents and Settings\pacarrol\Application Data\FileZilla
2008-07-08 13:00:28 0 d-------- C:\Program Files\Common Files\ESRI
2008-07-08 12:52:07 0 d-------- C:\Program Files\Spark
2008-07-08 12:47:35 0 d-------- C:\Program Files\Real
2008-07-07 12:56:21 0 d-------- C:\Program Files\FileZilla FTP Client
2008-07-03 10:47:54 0 d-------- C:\Documents and Settings\pacarrol\Application Data\Real
2008-07-03 10:47:27 0 d-------- C:\Program Files\Common Files
2008-07-03 10:47:21 0 d-------- C:\Program Files\Common Files\Real
2008-06-26 15:02:03 0 d-------- C:\Documents and Settings\pacarrol\Application Data\webex
2008-06-26 10:33:27 0 d-------- C:\Program Files\InstallShield Installation Information
2008-06-26 10:32:32 0 d-------- C:\Program Files\CyberLink
2008-06-26 10:27:45 0 d-------- C:\Documents and Settings\pacarrol\Application Data\MP3Rocket
2008-06-20 14:24:23 0 d-------- C:\Documents and Settings\pacarrol\Application Data\Wintin
2008-06-20 11:30:52 348160 --a------ C:\WINDOWS\system32\LR_ValEngSrvc.exe <Not Verified; NovaLIS Technologies Inc.; NovaLIS Technologies - Valuation Lookup Service>
2008-06-20 11:27:42 61440 --a------ C:\WINDOWS\system32\lr_OSUtls.dll <Not Verified; NovaLIS Technologies Inc.; lr_OSUtls>
2008-06-17 14:44:09 44 --a------ C:\AUTOEXEC.BAT
2008-06-06 16:54:59 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-22 12:54:40 0 d-------- C:\Program Files\Microsoft Silverlight


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [11-17-2006 04:06 AM]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [11-30-2006 08:50 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10-22-2006 12:22 PM]
"nwiz"="nwiz.exe" [10-22-2006 12:22 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10-22-2006 12:22 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02-22-2008 04:25 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05-27-2008 10:50 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07-03-2008 10:46 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02-28-2006 09:00 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07-27-2007 05:25 PM]
"Spark"="C:\Program Files\Spark\KYWINS.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AudioDeck.lnk - C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe [09-05-2007 3:48:16 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [01-21-2000 5:15:54 AM]
PGPtray.exe.lnk - C:\WINDOWS\Installer\{524273E4-09FA-4DC4-8ACF-9C4F74E00FD3}\Icon6560581611.exe [07-17-2007 10:57:07 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [02-05-2007 03:39 PM 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=OCMAPIHK.DLL


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe




-- End of Deckard's System Scanner: finished at 2008-07-14 12:31:19 ------------



extra.txt
----------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ XP 3000+
Percentage of Memory in Use: 53%
Physical Memory (total/avail): 1023.53 MiB / 472.15 MiB
Pagefile Memory (total/avail): 2462.11 MiB / 2055.45 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1923.42 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 111.78 GiB total, 93.93 GiB free.
D: is Fixed (NTFS) - 232.88 GiB total, 202.14 GiB free.
E: is CDROM (No Media)
H: is Network (NTFS)
K: is Network (NTFS)
P: is Network (NTFS)

\\.\PHYSICALDRIVE0 - WDC WD1200JB-00CRA1 - 111.79 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 111.78 GiB - C:

\\.\PHYSICALDRIVE1 - WDC WD2500JB-00FUA0 - 232.88 GiB - 1 partition
\PARTITION0 - Installable File System - 232.88 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

AV: McAfee VirusScan Enterprise v8.5.0.781 (McAfee, Inc.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\www.wintin.org\\Wintin.Net\\Wintin.exe"="C:\\Program Files\\www.wintin.org\\Wintin.Net\\Wintin.exe:*:Enabled: "
"C:\\Program Files\\FileZilla\\FileZilla.exe"="C:\\Program Files\\FileZilla\\FileZilla.exe:*:Enabled:FileZilla"
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"="C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe:*:Enabled:CyberLink PowerDVD"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\pacarrol\Application Data
ARCHOME=D:\ArcGIS91\arcexe9x
ARCHOME_USER=D:\ArcGIS91\arcexe9x
ARCINFOFONTNAME=Courier New
ARCINFOFONTSIZE=8
ATHOME=D:\ArcGIS91\arcexe9x\arctools
CI_HOLOS_CLI=C:\Program Files\Seagate Software\Open Olap\
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JAKE
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFLOGDIR=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\pacarrol
LOGONSERVER=\\HALDOM1
LRFLOGS=C:\novalis\lrf\logs
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Seagate Software\NOTES\;C:\Program Files\Seagate Software\NOTES\DATA\;D:\Ora10g\bin;D:\Ora10g\jre\1.4.2\bin\client;D:\Ora10g\jre\1.4.2\bin;c:\mks\mkssi;c:\mks\mksnt;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Microsoft SQL Server\80\Tools\BINN;C:\novalis\bin;D:\ArcGIS91\arcexe9x\bin;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
ROOTDIR=c:/mks
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\pacarrol\LOCALS~1\Temp
TMP=C:\DOCUME~1\pacarrol\LOCALS~1\Temp
TMPDIR=C:/WINDOWS/TEMP
USERDNSDOMAIN=GS.ACS-INC.COM
USERDOMAIN=GS
USERNAME=30028930
USERPROFILE=C:\Documents and Settings\pacarrol
VSEDEFLOGDIR=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

mshake (new local, admin)
pacarrol (admin)
rhuyck (admin)
stmyers (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.49 beta --> "C:\Program Files\7-Zip\Uninstall.exe"
AC3Filter (remove only) --> C:\Program Files\AC3Filter\uninstall.exe
ACS Crystal Reports 10 Runtime Files --> MsiExec.exe /I{664B0206-D524-4FFB-97E7-2B8487BCDE49}
ACS EasySketch II 8.6 --> C:\novalis\ezs2\UNWISE.EXE C:\novalis\ezs2\ezs2.log
ACS Integrated Suite 8.6 --> C:\novalis\LRFProd\UNWISE.EXE C:\novalis\LRFProd\LRFIntegratedSetup.log
ACS Land Records Framework 8.6 --> C:\novalis\LRF85\UNWISE.EXE C:\novalis\LRF85\LRFSetup.log
ACS Land Records Framework Server Components --> C:\novalis\UNWISE.EXE C:\novalis\LRFServerModules.log
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) --> MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Reader 8.1.2 Security Update 1 (KB403742) -->
Adobe Shockwave Player 11 --> C:\WINDOWS\system32\adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
ArcGIS ArcInfo Workstation --> MsiExec.exe /I{0C35348E-DA25-44E2-AF7A-78BF9C12C5EE}
ArcGIS Desktop --> MsiExec.exe /I{40F8FD5F-4701-48D6-A8FC-1F188007DF38}
ArcGIS Engine Runtime --> MsiExec.exe /I{7A2BB4EB-126F-4958-A47B-1F5340600DA1}
Cisco Systems VPN Client 5.0.01.0600 --> MsiExec.exe /X{14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}
Crystal Reports --> MsiExec.exe /I{7699B723-9718-41DE-8C18-549F341C02CE}
ESRI MapObjects 2.1 Runtime --> C:\WINDOWS\system32\Unwise32.exe C:\WINDOWS\MO21RT.log
FileZilla Client 3.0.11.1 --> C:\Program Files\FileZilla FTP Client\uninstall.exe
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix 2050 for SQL Server 2000 ENU (KB948110) --> "C:\WINDOWS\$SQLUninstallSQL2000-KB948110-v8.00.2050-x86-ENU$\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Lotus NotesSQL 2.06 driver --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\NotesSQL\UnInN206.isu" -c"C:\Program Files\NotesSQL\\UninDrv.DLL"
Magic Workstation 0.94f --> D:\misc\unins000.exe
McAfee VirusScan Enterprise --> MsiExec.exe /I{35C03C04-3F1F-42C2-A989-A757EE691F65}
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office 2000 SR-1 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft Office Outlook 2003 --> MsiExec.exe /I{901A0409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2000 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Microsoft SQL Server\MSSQL\Uninst.isu" -c"C:\Program Files\Microsoft SQL Server\MSSQL\sqlsun.dll" -msql.mif i=MSSQLSERVER
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
MKS Source Integrity 7.5 --> C:\WINDOWS\uninst.exe -fC:\WINDOWS\DeIsL1.isu
MSI Live Update 3 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MSI\Live Update 3\Uninst.isu"
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
MTG GamePack for Magic Workstation --> D:\misc\unins001.exe
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NoAdware v5.0 --> "C:\Program Files\NoAdware5.0\unins000.exe"
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Oracle Data Provider for .NET Help --> MsiExec.exe /I{6AA003BF-73E5-4911-ADB7-71DD5674DDD4}
Parcel Editor 3.4.1 --> D:\novalis\pe34\UNWISE.EXE D:\novalis\pe34\pe34install.log
Parcel Editor 9 --> MsiExec.exe /I{E139C5D5-7330-11D6-B94A-00105AC8A479}
PGP Desktop --> MsiExec.exe /X{524273E4-09FA-4DC4-8ACF-9C4F74E00FD3}
Python 2.1 --> C:\Python21\\Python21\UNWISE.EXE C:\Python21\\Python21\INSTALL.LOG
Python 2.1 combined Win32 extensions --> C:\Python21\UNWISE~1.EXE C:\Python21\w32inst.log
QuickTime --> MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Report Distribution Expert --> MsiExec.exe /I{D161CE34-C234-11D3-B3A6-00A0C9DA500E}
Spelling Dictionaries Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
TextPad 4.7 --> MsiExec.exe /X{B510A987-487E-4C66-9F4F-D386AC275715}
VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
VIA Audio Driver Setup Program --> RunDll32.exe UnAudioNT.dll,UninstallAudio C:\WINDOWS\IsUninst.exe -f"C:\PROGRA~1\VIATEC~1\VIAAUD~1/Uninst.isu"
VIA Platform Device Manager --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{20D4A895-748C-4D88-871C-FDB1695B0169}
VIA Rhine-Family Fast-Ethernet Adapter --> Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
WebEx --> C:\WINDOWS\DOWNLO~1\atcliun.exe
WebEx Recorder and Player --> MsiExec.exe /I{1D243F00-1389-4C63-A7E9-B17E967D1901}
Windows Desktop Search 3.01 --> "C:\WINDOWS\$NtUninstallKB917013$\spuninst\spuninst.exe"
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
WinSCP 4.0.6 --> "C:\Program Files\WinSCP\unins000.exe"
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type745 / Error
Event Submitted/Written: 07/13/2008 01:46:37 PM
Event ID/Source: 11706 / MsiInstaller
Event Description:
Product: Microsoft Office 2000 SR-1 Professional -- Error 1706. No valid source could be found for product Microsoft Office 2000 SR-1 Professional. The Windows installer cannot continue.

Event Record #/Type744 / Warning
Event Submitted/Written: 07/13/2008 01:46:34 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{00010409-78E1-11D2-B60F-006097C998E7}', feature 'ProductNonBootFiles' failed during request for component '{7AB02DE0-B463-11D1-96C4-0080C728108A}'

Event Record #/Type743 / Warning
Event Submitted/Written: 07/13/2008 01:46:34 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{00010409-78E1-11D2-B60F-006097C998E7}', feature 'ProductNonBootFiles', component '{4A31E933-6F67-11D2-AAA2-00A0C90F57B0}' failed. The resource 'HKEY_CURRENT_USER\Software\ODBC\ODBC.INI\MS Access Database\' does not exist.

Event Record #/Type741 / Error
Event Submitted/Written: 07/13/2008 01:46:33 PM
Event ID/Source: 11706 / MsiInstaller
Event Description:
Product: Microsoft Office 2000 SR-1 Professional -- Error 1706. No valid source could be found for product Microsoft Office 2000 SR-1 Professional. The Windows installer cannot continue.

Event Record #/Type740 / Warning
Event Submitted/Written: 07/13/2008 01:46:29 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{00010409-78E1-11D2-B60F-006097C998E7}', feature 'ProductNonBootFiles' failed during request for component '{7AB02DE0-B463-11D1-96C4-0080C728108A}'



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type734 / Warning
Event Submitted/Written: 07/14/2008 10:36:59 AM
Event ID/Source: 3019 / MRxSmb
Event Description:
The redirector failed to determine the connection type.

Event Record #/Type733 / Warning
Event Submitted/Written: 07/14/2008 10:35:22 AM
Event ID/Source: 3019 / MRxSmb
Event Description:
The redirector failed to determine the connection type.

Event Record #/Type732 / Warning
Event Submitted/Written: 07/14/2008 10:34:40 AM
Event ID/Source: 3019 / MRxSmb
Event Description:
The redirector failed to determine the connection type.

Event Record #/Type728 / Warning
Event Submitted/Written: 07/12/2008 07:32:12 PM
Event ID/Source: 3 / Print
Event Description:
Printer Microsoft XPS Document Writer (from PATRICK) was deleted.

Event Record #/Type727 / Warning
Event Submitted/Written: 07/12/2008 07:32:12 PM
Event ID/Source: 4 / Print
Event Description:
Printer Microsoft XPS Document Writer (from PATRICK) is pending deletion.



-- End of Deckard's System Scanner: finished at 2008-07-14 12:31:19 ------------


Thanks in advance,
Pat
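The "Event Record" blocks in the DSS log above follow a fixed five-line layout. As an added example (not part of this thread, and not DSS's own code), the helper below parses such blocks and tallies them by source and event ID, so repeated entries such as the MRxSmb 3019 warnings stand out when triaging a log; the sample text is a constructed excerpt in that same layout.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Field layout exactly as the DSS log quoted in this thread prints it.
RECORD_RE = re.compile(
    r"Event Record #/Type(?P<num>\d+) / (?P<type>\w+)[ \t]*\n"
    r"Event Submitted/Written: (?P<when>[^\n]+)\n"
    r"Event ID/Source: (?P<id>\d+) / (?P<source>[^\n]+)\n"
    r"Event Description:[ \t]*\n(?P<desc>[^\n]*)"
)

@dataclass
class EventRecord:
    number: int
    kind: str          # Warning / Error / Information
    when: str
    event_id: int
    source: str
    description: str

def parse_dss_events(text: str) -> list[EventRecord]:
    """Return every Event Record block found in a DSS log section."""
    return [EventRecord(int(m["num"]), m["type"], m["when"].strip(),
                        int(m["id"]), m["source"].strip(), m["desc"].strip())
            for m in RECORD_RE.finditer(text)]

def tally_by_source(records: list[EventRecord]) -> Counter:
    """Count (source, event_id, type) triples so repeated events stand out."""
    return Counter((r.source, r.event_id, r.kind) for r in records)

# Constructed excerpt in the same layout as the System Event Log above.
SAMPLE = """\
Event Record #/Type734 / Warning
Event Submitted/Written: 07/14/2008 10:36:59 AM
Event ID/Source: 3019 / MRxSmb
Event Description:
The redirector failed to determine the connection type.

Event Record #/Type733 / Warning
Event Submitted/Written: 07/14/2008 10:35:22 AM
Event ID/Source: 3019 / MRxSmb
Event Description:
The redirector failed to determine the connection type.

Event Record #/Type728 / Warning
Event Submitted/Written: 07/12/2008 07:32:12 PM
Event ID/Source: 3 / Print
Event Description:
Printer Microsoft XPS Document Writer (from PATRICK) was deleted.
"""
```

Running `tally_by_source(parse_dss_events(SAMPLE)).most_common()` lists the MRxSmb 3019 warning first with a count of 2.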


#2 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:04:37 AM

Posted 04 August 2008 - 08:08 AM

Hello and welcome to BC

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Upon completing the steps below, a staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.


If you already performed the steps above, we still need to see the current state of the machine; a fresh scan and logs are still necessary.

  • Click on Start, then click on Run.
  • Copy and paste the following (in bold) into the Open window and then click OK:
    "%userprofile%\desktop\dss.exe" /config
  • This will open up the DSS configuration.
  • Click on Check All.
  • Click Scan.
  • DSS will now run again. When finished, please post back both logs that open in Notepad (main.txt and extra.txt).



Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post back with dss reports main.txt, extra.txt and Kaspersky report.

Regards
SNOWHITE

#3 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:04:37 AM

Posted 10 August 2008 - 12:21 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

Thank you :thumbsup:
SNOWHITE