request to post a Combofix log.


This topic is locked
32 replies to this topic

#1 leighwill

  • Members
  • 17 posts
  • Gender:Male
  • Location:Chicago

Posted 07 December 2009 - 12:16 PM

Hi, I am new here and as per guidance from a well respected friend working in computers I ran Combofix as directed by BleepingComputer and have a log file which I would like help with. Up till now I have run Malwarebytes, Adaware, Spybot, Norton Antivirus scanners. They seemed to get most of my problems. I lastly ran Combofix because I was advised to and I was still feeling as though I might have infections or problems remaining. Things appear rather good except there is still what seems to be a real problem with memory functions. Mostly my machine will keep freezing somewhat or stalling altogether. I have resorted to many a cold shutdown. As per instructions I will wait to post the Combofix log file. I hope I am doing this correctly. I very much lack any experience working within forums of any type. Very inexperienced there. My operating system is Windows XP Pro SP2, Antivirus is Norton Antivirus 2003, my computer is any ISA no name laptop model, CPU = P4 3000 MHz, 512 RAM, Video is SiS, and Realtek AC'97 Audio card.

Edited by leighwill, 07 December 2009 - 01:41 PM.



#2 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 10 December 2009 - 11:06 AM

Hello leighwill :( Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.



Although I am sure your friend would not give you what he/she considered bad advice it is highly inadvisable to run ComboFix except when you are working with someone trained in its use. That way if something goes wrong we have the support to help figure out what the problem is.

But since you have already run it go ahead and post the log and let's see what is going on then we'll go from there.






Please do not post any logs as an attachment unless asked to do so.





Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 leighwill

  • Topic Starter
  • Members
  • 17 posts
  • Gender:Male
  • Location:Chicago

Posted 10 December 2009 - 03:27 PM

Thanks for the reply. I really appreciate this. I understand your instructions and directions. I have already probed the issue more in the last few days. I found myself on a website where I became privy to some additional methods which I have employed since. I ultimately used Dr.Web Cureit software and now am running great but am still wondering about information within a log, which still states this.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x04A8143F
malicious code @ sector 0x04A81442 !
PE file found in sector at 0x04A81458 !

This log was generated by a program web.exe noted in the other article which I followed instructions from. The same source where I came upon Dr.Web Cureit. This log pretty much ends as that from the Combofix log. Now that I have taken many steps since the first Combofix scan and you say not to operate the program unless you recommend it I thought I would not again for now. I believe the log above stands to indicate where I currently stand. Does this indicate an issue involving memory addresses or something? I also, in trying to make sure I was corresponding correctly, reviewed "beginners" instructions at BC.com and tried to run dds.scr but all I get is standard encrypted (?) language in Notepad. I understand that there may be Script Blocking somewhere. I've probed this and believe it is the program Autocad which I have limited use of at my place of work. I've tried to fix this but with no luck. What settings in Autocad do I work towards? I noticed that the file type is listed in Explorer as Autocad Script. That same dds.scr will open up properly on other computers around my office that have no Autocad installed. This is a company computer I am having the issue with. So much for surfing nefarious sites and getting slammed with diseases. For other reasons though I would very much like to solve this dds.scr issue even if it is not necessary to my actual root problem. Thank you for your help!!!!!!!! As every day goes by I learn a little more of this complex world of computers.

Edited by leighwill, 10 December 2009 - 03:52 PM.


#4 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 10 December 2009 - 04:36 PM

This being a company computer makes things a little harder. The problem is sometimes we can run into proprietary issues when trying to remove things off the computer. A program or set of files I may not recognize and can find no information on may have something to do with the company and I sure don't want to remove something that can come back to be a problem.

What you asked me about in the log means there is no sign of an MBR rootkit, but that doesn't mean there are no other rootkits on the machine.


I still would like to see the log ComboFix generated. If you haven't deleted it you can find it at C:\ComboFix.txt.

Please copy and paste it in your next reply.

#5 leighwill

  • Topic Starter
  • Members
  • 17 posts
  • Gender:Male
  • Location:Chicago

Posted 11 December 2009 - 09:53 AM

Here is a Combofix log generated this Friday morning 121109. I would guess that it appears to look good. Now again my computer appears to be working fine as of my last DrWeb Cureit scan Wednesday night. Was there any chance of knowing how apparently my AutoCad was playing a role in preventing me from properly running dds.scr? As for my mentioning that I have a company computer it should be better noted that it is merely company owned/paid for. No proprietary issues here. It might as well be my own personal computer. Thanks again for your help. I've been using computers regularly since 1995. I do pretty well and am getting better all the time. I have never been much of an internet person as far as forums, chat rooms, blogging, twittering, etc. This is a new experience for me and has been real fun!

ComboFix 09-12-02.08 - Administrator 12/11/2009 8:25.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.479.109 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Doctor Web Anti-Virus *On-access scanning enabled* (Updated) {3454C8F1-ECBC-4180-A6F4-04632FBA762B}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2009-11-11 to 2009-12-11 )))))))))))))))))))))))))))))))
.

2009-12-11 13:54 . 2009-12-11 13:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Doctor Web
2009-12-10 19:01 . 2009-12-10 19:01 524288 ----a-w- c:\temp\dds.scr
2009-12-10 14:58 . 2009-12-10 14:58 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-12-10 14:57 . 2009-12-10 14:58 -------- d-----w- c:\windows\ShellNew
2009-12-08 14:50 . 2009-12-07 21:09 77312 ----a-w- C:\mbr.exe
2009-12-08 14:09 . 2009-12-08 14:09 -------- d-----w- c:\documents and settings\HelpAssistant\DoctorWeb
2009-12-08 14:00 . 2009-12-08 15:06 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2009-12-08 14:00 . 2009-12-11 14:12 -------- d-----w- c:\program files\DrWeb
2009-12-08 13:38 . 2009-12-08 13:38 -------- d-----w- c:\program files\CCleaner
2009-12-04 18:15 . 2009-12-04 18:15 -------- d-----w- c:\temp\diris
2009-12-02 13:15 . 2009-12-02 13:16 -------- d-----w- c:\temp\2 IROTX reports
2009-12-01 15:55 . 2009-12-02 13:26 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2009-12-01 15:55 . 2009-12-01 15:55 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
2009-12-01 15:55 . 2009-12-01 15:55 -------- d-----w- c:\documents and settings\HelpAssistant\TOSHIBA
2009-12-01 15:32 . 2009-12-01 15:32 35328 ----a-w- C:\oft8ry.dll
2009-11-24 13:43 . 2009-11-24 13:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\LG Electronics
2009-11-24 13:40 . 2009-11-24 13:40 -------- d-----w- c:\program files\LG PC Suite

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-11 14:17 . 2005-02-04 04:29 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-10 18:27 . 2006-10-03 15:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-10 15:08 . 2005-01-29 15:43 69528 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-09 12:33 . 2005-02-04 07:07 -------- d-----w- c:\program files\Common Files\aolback
2009-12-04 18:43 . 2005-02-04 04:29 -------- d-----w- c:\program files\Symantec
2009-12-04 18:38 . 2006-10-03 15:44 -------- d-----w- c:\program files\Lavasoft
2009-12-04 18:38 . 2008-07-02 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-04 18:38 . 2005-02-04 04:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-03 16:10 . 2009-04-01 03:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-03 16:08 . 2009-05-27 13:39 4045528 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-03 12:10 . 2009-07-13 12:09 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-24 13:40 . 2005-01-29 16:01 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-19 13:52 . 2009-10-19 13:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Blitware
2006-10-19 00:04 . 2006-10-19 00:04 3838056 ----a-w- c:\program files\msgrplus.exe
2005-02-04 06:10 . 2005-02-04 06:03 1339 ----a-w- c:\program files\uninstal.log
2001-09-28 23:00 . 2005-12-31 20:42 164864 ----a-w- c:\program files\UNWISE.EXE
.

((((((((((((((((((((((((((((( SnapShot@2009-12-04_19.04.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-10 14:58 . 2009-12-10 14:58 90112 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
- 2005-02-04 04:25 . 2009-08-10 18:05 90112 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2009-12-10 14:58 . 2009-12-10 14:58 45056 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2005-02-04 04:25 . 2009-08-10 18:05 45056 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2009-12-10 14:58 . 2009-12-10 14:58 22528 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2005-02-04 04:25 . 2009-08-10 18:05 22528 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2009-12-10 14:58 . 2009-12-10 14:58 30720 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
- 2005-02-04 04:25 . 2009-08-10 18:05 30720 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
+ 2009-12-10 14:58 . 2009-12-10 14:58 16384 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2005-02-04 04:25 . 2009-08-10 18:05 16384 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2005-02-04 04:25 . 2009-08-10 18:05 34304 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2009-12-10 14:58 . 2009-12-10 14:58 34304 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2005-02-04 04:25 . 2009-08-10 18:05 81920 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
+ 2009-12-10 14:58 . 2009-12-10 14:58 81920 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
- 2005-02-04 04:25 . 2009-08-10 18:05 3584 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2009-12-10 14:58 . 2009-12-10 14:58 3584 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2009-12-10 14:58 . 2009-12-10 14:58 8192 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2005-02-04 04:25 . 2009-08-10 18:05 8192 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2009-12-10 14:58 . 2009-12-10 14:58 2560 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
- 2005-02-04 04:25 . 2009-08-10 18:05 2560 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2005-01-28 18:28 . 2009-12-10 14:17 234368 c:\windows\system32\FNTCACHE.DAT
+ 2009-12-10 14:58 . 2009-12-10 14:58 114688 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2005-02-04 04:25 . 2009-08-10 18:05 114688 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2005-02-04 04:25 . 2009-08-10 18:05 167936 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
+ 2009-12-10 14:58 . 2009-12-10 14:58 167936 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
+ 2009-12-10 14:58 . 2009-12-10 14:58 3485184 c:\windows\Installer\243443.msi
+ 2009-12-08 13:57 . 2009-12-08 13:57 29235200 c:\windows\Installer\3d90b.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2004-11-12 106496]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-11-20 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-11-20 499712]
"SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2004-10-15 249856]
"eFax 4.2"="c:\program files\eFax Messenger 4.2\J2GDllCmd.exe" [2006-07-14 107008]
"FG_Monitor"="c:\program files\Folder Guard XP\FGKey.exe" [2007-02-25 132680]
"WatcherHelper"="c:\program files\Sierra Wireless Inc\3G Watcher\WaHelper.exe" [2007-10-29 120088]
"DIGIWMIX"="c:\windows\system32\drivers\Digigram\Mixer\DigiWMix.exe" [2005-05-25 339968]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-02-04 77824]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2004-11-12 49152]
"AirCardEnabler"="" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2004-2-25 10872]
Device Detector 2.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2007-2-11 81920]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2006-3-15 114688]
Utility Tray.lnk - c:\windows\system32\sistray.exe [2005-1-29 331776]
Wireless-G Notebook Adapter Utility.lnk - c:\program files\Linksys\Wireless-G Notebook Adapter\Startup.exe [2009-9-11 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi2"=usbmn2x2.dll
"midi3"=usbmn2x2.dll
"wave3"=vxnt.dll
"mixer2"=vxnt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"TapiSrv"=3 (0x3)
"Schedule"=2 (0x2)
"Eventlog"=2 (0x2)
"ccEvtMgr"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sierra Wireless Inc\\3G Watcher\\SwiApiMux.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"2116:TCP"= 2116:TCP:Services

R2 Airlink101 802.11g CardBus WLService;Airlink101 802.11g CardBus Adapter WLService;c:\program files\Airlink101\AWLC3026T\WLService.exe [9/11/2009 2:56 PM 49152]
R2 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2/4/2005 1:02 AM 8768]
R2 FGUARD32;FGUARD32;c:\program files\Folder Guard XP\FGUARD32.SYS [8/27/2007 1:15 PM 48896]
R3 swivsp;AC8xx Virtual Serial Port;c:\windows\system32\drivers\swivspnt.sys [3/26/2007 1:18 PM 20352]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 DW90USB;DW90USB Device;c:\windows\system32\drivers\DW90USB.SYS [2/11/2007 12:09 PM 39096]
S3 DzlUsb;Dazzle DVC USB Device;c:\windows\system32\drivers\DzlUsb.sys [2/3/2005 10:33 PM 62800]
S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\drivers\FTD2XX.sys [8/16/2006 12:35 PM 29292]
S3 NETR33X;D-Link Air Wireless Adapter(RTL) NT Driver;c:\windows\system32\drivers\NETR33X.sys [2/12/2005 6:08 PM 183680]
S3 SWNC8U12;Sierra Wireless MUX NDIS Driver (UMTS12);c:\windows\system32\drivers\swnc8u12.sys [9/21/2007 3:47 PM 164480]
S3 SWUMX12;Sierra Wireless USB MUX Driver (UMTS12);c:\windows\system32\drivers\swumx12.sys [9/21/2007 3:48 PM 140672]
S3 TNET1130x;Wireless-G Notebook Adapter v.2.0;c:\windows\system32\DRIVERS\tnet1130x.sys --> c:\windows\system32\DRIVERS\tnet1130x.sys [?]
S3 USB22LDR;Midiman USB MidiSport 2x2 Loader;c:\windows\system32\drivers\usb22ldr.sys [1/27/2006 7:52 PM 16508]
S3 USBMM2X2;Midiman USB MidiSport 2x2 Midi Driver;c:\windows\system32\drivers\usbmm2x2.sys [1/27/2006 7:53 PM 32508]
S3 VXWDM;Digigram VX-generic Driver (WDM);c:\windows\system32\drivers\vxwdm.sys [1/10/2009 5:31 PM 182040]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: csccb.org\www
Trusted Zone: magnetec-inspection.com\www
Trusted Zone: trma.org\www
Trusted Zone: yahoo.com\www
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-11 08:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3336)
c:\progra~1\WINDOW~2\wmpband.dll
.
Completion time: 2009-12-11 08:29
ComboFix-quarantined-files.txt 2009-12-11 14:29

Pre-Run: 21,967,970,304 bytes free
Post-Run: 22,184,165,376 bytes free

- - End Of File - - 6B5AF4E6A82ECB0B35C34719F54BC9AD
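Reading the "Reg Loading Points" section of a ComboFix log by eye gets tedious, so here is a small parser plus a triage pass over its three main line shapes: Run values, globally open firewall ports, and service/driver lines. This is an added example, not code from this thread, from ComboFix or from BleepingComputer; the sample text is constructed from lines copied out of the log above, and the EXPECTED_PORTS table, the reading of the R/S-plus-digit service prefix, and the treatment of "[?]" as "file could not be examined" are my assumptions about the format.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: a handful of lines in the shape of the ComboFix
# "Reg Loading Points" section posted above. Names and paths are copied from
# that log; nothing here comes from any other machine.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2004-11-12 106496]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2004-11-12 49152]
"AirCardEnabler"="" [BU]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"2116:TCP"= 2116:TCP:Services

R2 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2/4/2005 1:02 AM 8768]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
"""

# Line shapes seen in the log: a bracketed registry key, a "Name"="command" [meta]
# value, a "port:proto"= port:proto:label firewall entry, and a service/driver line
# "<R|S><start> name;display;path [meta]". Reading R/S as running/stopped and the
# digit as the Windows start type is my assumption about ComboFix's notation.
KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')
RUN_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<value>[^"]*)"'
                    r'(?:\s+-\s+(?P<resolved>.*?))?\s+\[(?P<meta>[^\]]*)\]$')
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<label>.*)$')
SVC_RE = re.compile(r'^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);'
                    r'(?P<path>.*?)(?:\s+-->\s+(?P<alt>.*?))?\s+\[(?P<meta>[^\]]*)\]$')

# Windows service start values 0-4.
START_TYPES = {"0": "boot", "1": "system", "2": "automatic", "3": "manual", "4": "disabled"}

# Inbound ports a desktop commonly has open on purpose (assumed table; extend per site).
EXPECTED_PORTS = {3389: "Remote Desktop", 139: "NetBIOS", 445: "SMB"}


@dataclass
class RunEntry:
    key: str            # registry key the value lives under
    name: str           # value name
    command: str        # command line as stored
    resolved: Optional[str]  # path ComboFix resolved a bare DLL name to, if any
    meta: str           # bracketed trailer: "date size", "BU", etc.


@dataclass
class OpenPort:
    port: int
    proto: str
    label: str


@dataclass
class Service:
    running: bool
    start_type: str
    name: str
    display: str
    path: str
    meta: str


@dataclass
class LoadingPoints:
    run: List[RunEntry] = field(default_factory=list)
    ports: List[OpenPort] = field(default_factory=list)
    services: List[Service] = field(default_factory=list)


def parse_loading_points(text: str) -> LoadingPoints:
    """Walk the section line by line, remembering the current registry key."""
    lp = LoadingPoints()
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = PORT_RE.match(line)
        if m:
            lp.ports.append(OpenPort(int(m.group("port")), m.group("proto"), m.group("label")))
            continue
        m = RUN_RE.match(line)
        if m:
            lp.run.append(RunEntry(key, m.group("name"), m.group("value"),
                                   m.group("resolved"), m.group("meta")))
            continue
        m = SVC_RE.match(line)
        if m:
            lp.services.append(Service(m.group("state") == "R",
                                       START_TYPES.get(m.group("start"), m.group("start")),
                                       m.group("name"), m.group("display"),
                                       m.group("path"), m.group("meta")))
    return lp


def triage(lp: LoadingPoints) -> List[str]:
    """Return one human-readable line per item that deserves a second look."""
    findings = []
    for e in lp.run:
        if not e.command:
            findings.append(f"Run value '{e.name}' under {e.key} has an empty command [{e.meta}]")
    for p in lp.ports:
        if p.port not in EXPECTED_PORTS:
            findings.append(f"Inbound {p.proto} port {p.port} is open to all ('{p.label}'); "
                            f"confirm which program needs it")
    for s in lp.services:
        if s.meta == "?":   # ComboFix printed [?] instead of date/size: file could not be examined
            findings.append(f"Service/driver '{s.name}' ({s.start_type}) points at {s.path}, "
                            f"whose file could not be examined; check it exists")
    return findings


if __name__ == "__main__":
    for line in triage(parse_loading_points(SAMPLE_LOG)):
        print(line)
```

Running it prints one line per flagged item. The point is to make the entries worth asking about explicit (an empty Run command, non-standard ports open to everyone, a boot-start driver whose file could not be examined) so a helper can follow up on each one, not to decide anything automatically.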

#6 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 11 December 2009 - 04:38 PM

You're getting ahead of me here. From your CF log it appears you ran CF in Safe Mode and you did not disable your AV. Let's go back to the beginning and please don't run anything else unless I ask for it.


Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop. Post the DDS.txt and attach the other






Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.




  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


#7 leighwill

  • Topic Starter
  • Members
  • 17 posts
  • Gender:Male
  • Location:Chicago

Posted 15 December 2009 - 12:59 PM

OK, I will follow your instructions/steps exactly from here on.

I thought I had any Antivirus disabled. On that note though I can tell you that I have all but uninstalled any that I had. I uninstalled a Norton Antivirus 2003 and the DrWeb Cureit that I had used recently. Upon starting CB I would get a note that DrWeb was detected. I am totally confused as to what is happening there. Some reference somewhere in my computer still remains I guess.

As for beginning with your set of instructions/steps I had stated that I can't run dds.scr as I must still have a script blocker or something preventing this. I had noted that I believe it has to do with the program AutoCad which is on my computer. When I go to save dds.scr initially the file is noted as an AutoCad Script file in the File Download window. This is the only indication to me that it might have something to do with AutoCad. Can we find an answer to this? I do not know how to. I've tried plenty to peck for the proper AutoCad setting and have also gone throughout seeing if I can get any other script blockers disabled.

Edited by leighwill, 15 December 2009 - 01:03 PM.


#8 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 15 December 2009 - 01:26 PM

I really don't know why AutoCAD would be interfering with DDS. I have never heard of that before, but then I learn something new every day.

Let's try the following and then follow up with GMER like I put in my last post if you can get it to run. You can post the log.txt from RSIT in the reply window. The info.txt can be added as an attachment.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)


#9 leighwill

  • Topic Starter
  • Members
  • 17 posts
  • Gender:Male
  • Location:Chicago

Posted 17 December 2009 - 08:47 AM

I have run the RSIT and have those text files ready but am having increasingly more trouble running the GMER. A system reboot has occurred during the scan process. The last scan this morning only ran for about 5 minutes before the reboot. I get a system error message after each. What now?

#10 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 17 December 2009 - 10:21 AM

If you have the RSIT go ahead and post it.

#11 leighwill

  • Topic Starter
  • Members
  • 17 posts
  • Gender:Male
  • Location:Chicago

Posted 17 December 2009 - 11:47 AM

Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrator at 2009-12-15 13:55:31
Microsoft Windows XP Professional Service Pack 2
System drive C: has 21 GB (55%) free of 38 GB
Total RAM: 479 MB (39% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:55:48 PM, on 12/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Airlink101\AWLC3026T\WLService.exe
C:\Program Files\Airlink101\AWLC3026T\AWLC3026T.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\Folder Guard XP\FGKey.exe
C:\Program Files\Sierra Wireless Inc\3G Watcher\WaHelper.exe
C:\WINDOWS\system32\drivers\Digigram\Mixer\DigiWMix.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Documents and Settings\Administrator\Desktop\RSIT.exe
C:\Program Files\trend micro\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [FG_Monitor] C:\Program Files\Folder Guard XP\FGKey.exe /Start
O4 - HKLM\..\Run: [WatcherHelper] "C:\Program Files\Sierra Wireless Inc\3G Watcher\WaHelper.exe"
O4 - HKLM\..\Run: [DIGIWMIX] C:\WINDOWS\system32\drivers\Digigram\Mixer\DigiWMix.exe /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1107015423415
O23 - Service: Airlink101 802.11g CardBus Adapter WLService (Airlink101 802.11g CardBus WLService) - Unknown owner - C:\Program Files\Airlink101\AWLC3026T\WLService.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\system32\ZipToA.exe

--
End of file - 5313 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"=C:\WINDOWS\SiSUSBrg.exe [2004-11-12 106496]
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2003-11-20 98304]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2003-11-20 499712]
"SiSPower"=SiSPower.dll,ModeAgent []
"SiS Windows KeyHook"=C:\WINDOWS\system32\keyhook.exe [2004-10-15 249856]
"eFax 4.2"=C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe [2006-07-14 107008]
"FG_Monitor"=C:\Program Files\Folder Guard XP\FGKey.exe [2007-02-24 132680]
"AirCardEnabler"= []
"WatcherHelper"=C:\Program Files\Sierra Wireless Inc\3G Watcher\WaHelper.exe [2007-10-29 120088]
"DIGIWMIX"=C:\WINDOWS\system32\drivers\Digigram\Mixer\DigiWMix.exe [2005-05-25 339968]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2005-02-04 77824]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-08-04 1667584]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2005-02-04 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe [2005-02-04 26112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2003-10-31 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
C:\WINDOWS\SOUNDMAN.EXE [2004-08-11 68096]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2
"TapiSrv"=3
"Schedule"=2
"Eventlog"=2
"ccEvtMgr"=2

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
Device Detector 2.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe
Wireless-G Notebook Adapter Utility.lnk - C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Sierra Wireless Inc\3G Watcher\SwiApiMux.exe"="C:\Program Files\Sierra Wireless Inc\3G Watcher\SwiApiMux.exe:*:Enabled:SwiApiMux"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======File associations======

.scr - open - "C:\WINDOWS\notepad.exe" "%1"
.scr - install -
.scr - config -

======List of files/folders created in the last 1 months======

2009-12-15 13:55:32 ----D---- C:\Program Files\trend micro
2009-12-15 13:55:31 ----D---- C:\rsit
2009-12-11 13:45:14 ----A---- C:\WINDOWS\cedt.INI
2009-12-11 13:43:28 ----D---- C:\Program Files\Emerald Editor Community
2009-12-11 08:29:26 ----D---- C:\WINDOWS\temp
2009-12-11 08:29:24 ----A---- C:\ComboFix.txt
2009-12-11 07:54:02 ----D---- C:\Documents and Settings\All Users\Application Data\Doctor Web
2009-12-10 08:58:21 ----D---- C:\Program Files\Microsoft ActiveSync
2009-12-10 08:57:32 ----D---- C:\WINDOWS\ShellNew
2009-12-08 08:50:20 ----A---- C:\mbr.exe
2009-12-08 08:11:45 ----A---- C:\WINDOWS\ntbtlog.txt
2009-12-08 08:00:06 ----D---- C:\Program Files\DrWeb
2009-12-08 08:00:06 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-12-08 07:38:34 ----D---- C:\Program Files\CCleaner
2009-12-04 13:11:08 ----A---- C:\ComboFix1.txt
2009-12-04 12:45:36 ----A---- C:\Boot.bak
2009-12-04 12:45:29 ----RASHD---- C:\cmdcons
2009-12-04 12:24:52 ----A---- C:\WINDOWS\PEV.exe
2009-12-04 12:24:52 ----A---- C:\WINDOWS\NIRCMD.exe
2009-12-04 12:24:52 ----A---- C:\WINDOWS\MBR.exe
2009-12-04 12:24:51 ----A---- C:\WINDOWS\zip.exe
2009-12-04 12:24:51 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-12-04 12:24:51 ----A---- C:\WINDOWS\SWSC.exe
2009-12-04 12:24:51 ----A---- C:\WINDOWS\SWREG.exe
2009-12-04 12:24:51 ----A---- C:\WINDOWS\sed.exe
2009-12-04 12:24:51 ----A---- C:\WINDOWS\grep.exe
2009-12-04 12:24:32 ----D---- C:\WINDOWS\ERDNT
2009-12-04 11:17:12 ----D---- C:\Qoobox
2009-12-02 13:41:51 ----A---- C:\WINDOWS\wininit.ini
2009-12-01 09:32:18 ----A---- C:\oft8ry.dll
2009-11-24 07:43:55 ----D---- C:\Documents and Settings\Administrator\Application Data\LG Electronics
2009-11-24 07:40:58 ----D---- C:\Program Files\LG PC Suite

======List of files/folders modified in the last 1 months======

2009-12-15 13:55:38 ----D---- C:\WINDOWS\Prefetch
2009-12-15 13:55:32 ----RD---- C:\Program Files
2009-12-15 13:06:05 ----A---- C:\WINDOWS\NeroDigital.ini
2009-12-15 12:55:05 ----D---- C:\WINDOWS
2009-12-15 09:06:05 ----D---- C:\Temp
2009-12-11 08:29:27 ----D---- C:\WINDOWS\system32\drivers
2009-12-11 08:26:55 ----A---- C:\WINDOWS\system.ini
2009-12-11 08:24:53 ----D---- C:\WINDOWS\system32\CatRoot2
2009-12-11 08:17:40 ----D---- C:\Program Files\Common Files\Symantec Shared
2009-12-11 08:17:23 ----SD---- C:\WINDOWS\Tasks
2009-12-11 08:17:20 ----SHD---- C:\WINDOWS\Installer
2009-12-11 08:11:20 ----D---- C:\Program Files\Common Files
2009-12-10 12:40:22 ----D---- C:\WINDOWS\Help
2009-12-10 12:27:34 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-10 08:59:09 ----A---- C:\WINDOWS\ODBC.INI
2009-12-10 08:58:45 ----A---- C:\WINDOWS\win.ini
2009-12-10 08:58:20 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-12-10 08:58:04 ----D---- C:\Program Files\Common Files\Designer
2009-12-10 08:57:36 ----D---- C:\Program Files\Microsoft Office
2009-12-10 08:57:35 ----D---- C:\Program Files\Common Files\System
2009-12-10 08:55:42 ----D---- C:\WINDOWS\system32
2009-12-10 08:55:42 ----D---- C:\WINDOWS\system
2009-12-09 06:33:12 ----D---- C:\Program Files\Common Files\aolback
2009-12-08 07:39:15 ----D---- C:\WINDOWS\Debug
2009-12-08 07:39:14 ----D---- C:\WINDOWS\Minidump
2009-12-04 13:02:04 ----D---- C:\WINDOWS\system32\config
2009-12-04 12:58:15 ----D---- C:\WINDOWS\AppPatch
2009-12-04 12:48:29 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-12-04 12:45:36 ----RASH---- C:\boot.ini
2009-12-04 12:43:24 ----D---- C:\Program Files\Symantec
2009-12-04 12:38:45 ----D---- C:\Program Files\Lavasoft
2009-12-04 12:38:43 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-12-04 12:38:40 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-12-04 12:38:01 ----D---- C:\Documents and Settings\All Users\Application Data\Symantec
2009-12-03 10:10:46 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-12-03 09:33:09 ----HD---- C:\WINDOWS\inf
2009-12-03 06:10:48 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-12-02 22:54:33 ----D---- C:\MagFileStart
2009-12-01 13:39:42 ----SD---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2009-12-01 13:37:20 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-12-01 09:41:00 ----D---- C:\Documents and Settings
2009-12-01 09:16:22 ----D---- C:\Program Files\Outlook Express
2009-11-24 07:40:58 ----HD---- C:\Program Files\InstallShield Installation Information

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 SiSkp;SiSkp; C:\WINDOWS\system32\DRIVERS\srvkp.sys [2004-11-12 13056]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.4.3.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2009-09-11 20747]
R2 Asapi;Asapi; C:\WINDOWS\system32\drivers\Asapi.sys [2000-05-12 8768]
R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2005-02-04 8552]
R2 FGUARD32;FGUARD32; \??\C:\Program Files\Folder Guard XP\FGUARD32.SYS []
R2 RVIEG01;VSC Engine; \??\C:\Program Files\Cakewalk\Shared Dxi\Roland\RVIEg01.sys []
R3 ALCXSENS;Service for WDM 3D Audio Driver; C:\WINDOWS\system32\drivers\ALCXSENS.SYS [2004-08-11 400384]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-08-11 635281]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-04 60800]
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-03 14080]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 Mtlmnt5;Mtlmnt5; C:\WINDOWS\system32\DRIVERS\Mtlmnt5.sys [2004-08-03 126686]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-04 61824]
R3 odysseyIM3;Odyssey Network Services Miniport; C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2003-05-14 62673]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2004-08-04 5888]
R3 SiS315;SiS315; C:\WINDOWS\system32\DRIVERS\sisgrp.sys [2004-11-12 230400]
R3 SISNIC;SiS PCI Fast Ethernet Adapter Driver; C:\WINDOWS\system32\DRIVERS\sisnic.sys [2002-07-10 32256]
R3 Slntamr;SmartLink AMR_PCI Driver; C:\WINDOWS\system32\DRIVERS\slntamr.sys [2004-08-03 404990]
R3 SlWdmSup;SlWdmSup; C:\WINDOWS\system32\DRIVERS\SlWdmSup.sys [2004-08-03 13240]
R3 swivsp;AC8xx Virtual Serial Port; C:\WINDOWS\system32\DRIVERS\swivspnt.sys [2007-03-26 20352]
R3 swmsflt;swmsflt; C:\WINDOWS\System32\drivers\swmsflt.sys [2007-11-06 25736]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2003-11-20 178528]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-04 17024]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 BCM43XX;U.S. Robotics Wireless MAXg Adapter; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys []
S3 catchme;catchme; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys []
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\CBTNDIS5.SYS []
S3 DW90USB;DW90USB Device; C:\WINDOWS\system32\DRIVERS\DW90USB.sys [2001-04-09 39096]
S3 DzlUsb;Dazzle DVC USB Device; C:\WINDOWS\system32\DRIVERS\DzlUsb.sys [1999-11-30 62800]
S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver; C:\WINDOWS\System32\Drivers\FTD2XX.sys [2004-10-15 29292]
S3 Mtlstrm;Mtlstrm; C:\WINDOWS\system32\DRIVERS\Mtlstrm.sys [2004-08-03 1309184]
S3 NETR33X;D-Link Air Wireless Adapter(RTL) NT Driver; C:\WINDOWS\system32\DRIVERS\NETR33X.SYS [2003-11-11 183680]
S3 NtMtlFax;NtMtlFax; C:\WINDOWS\system32\DRIVERS\NtMtlFax.sys [2004-08-03 180360]
S3 PCASp50;PCASp50 NDIS Protocol Driver; C:\WINDOWS\System32\Drivers\PCASp50.sys [2004-09-07 17664]
S3 RT61;Airlink101 802.11g CardBus Adapter Driver; C:\WINDOWS\system32\DRIVERS\RT61.sys [2005-10-27 356096]
S3 RT73;Linksys Home Wireless-G USB Adapter Driver; C:\WINDOWS\system32\DRIVERS\rt73.sys [2005-11-24 245248]
S3 SlNtHal;SlNtHal; C:\WINDOWS\system32\DRIVERS\Slnthal.sys [2004-08-03 95424]
S3 SWMX00;Sierra Wireless USB MUX Driver (#00); C:\WINDOWS\system32\DRIVERS\swmx00.sys []
S3 SWNC5E00;Sierra Wireless MUX NDIS Driver (#00); C:\WINDOWS\system32\DRIVERS\SWNC5E00.sys []
S3 SWNC8U12;Sierra Wireless MUX NDIS Driver (UMTS12); C:\WINDOWS\system32\DRIVERS\swnc8u12.sys [2007-09-21 164480]
S3 SWUMX12;Sierra Wireless USB MUX Driver (UMTS12); C:\WINDOWS\system32\DRIVERS\swumx12.sys [2007-09-21 140672]
S3 SWUMX20;Sierra Wireless USB MUX Driver (UMTS20); C:\WINDOWS\system32\DRIVERS\swumx20.sys []
S3 TNET1130x;Wireless-G Notebook Adapter v.2.0; C:\WINDOWS\system32\DRIVERS\tnet1130x.sys []
S3 USB22LDR;Midiman USB MidiSport 2x2 Loader; C:\WINDOWS\system32\drivers\usb22ldr.sys [2002-06-10 16508]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 USBMM2X2;Midiman USB MidiSport 2x2 Midi Driver; C:\WINDOWS\system32\drivers\usbmm2x2.sys [2002-06-10 32508]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 VXWDM;Digigram VX-generic Driver (WDM); C:\WINDOWS\system32\drivers\vxwdm.sys [2007-09-24 182040]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys []
S4 dwshd;dwshd; C:\WINDOWS\System32\drivers\dwshd.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Airlink101 802.11g CardBus WLService;Airlink101 802.11g CardBus Adapter WLService; C:\Program Files\Airlink101\AWLC3026T\WLService.exe [2004-03-29 49152]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2001-02-23 270336]
R2 SLService;SmartLinkService; C:\WINDOWS\system32\slserv.exe [2004-01-07 45056]
R2 TabletService;TabletService; C:\WINDOWS\system32\Tablet.exe [2005-10-19 749568]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
R2 WMDM PMSP Service;WMDM PMSP Service; C:\WINDOWS\system32\MsPMSPSv.exe [2001-05-01 53248]
S2 NICSer_WPC54G;NICSer_WPC54G; C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe [2003-11-13 455680]
S2 ZipToA;ZipToA; C:\WINDOWS\system32\ZipToA.exe [2000-02-10 356352]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 Autodesk Licensing Service;Autodesk Licensing Service; C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe [2005-05-16 74360]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.06 2009-12-15 13:55:51

======Uninstall list======

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E06E4F4E-72D6-4497-BFFD-BCB43077C2F4}\setup.exe" -l0x9 -uninst
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Able Video Snapshot 1.4-->"C:\Program Files\AbleVideoSnapshot\unins000.exe"
Acoustica Beatcraft-->C:\PROGRA~1\ACOUST~1\UNWISE.EXE C:\PROGRA~1\ACOUST~1\INSTALL.LOG
Acoustica Effects Pack-->C:\PROGRA~1\UNWISE.EXE C:\PROGRA~1\INSTALL.LOG
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Airlink101 802.11g CardBus Adapter-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BC8869AB-DCB7-43BE-860E-B8E1C6D86F9E}\setup.exe" -l0x9
AutoCAD 2005 - English-->MsiExec.exe /I{5783F2D7-0301-0409-0002-0060B0CE6BBA}
Autodesk DWF Viewer-->C:\PROGRA~1\Autodesk\AUTODE~1\Setup.exe /remove
BadCopy Pro-->C:\PROGRA~1\Jufsoft\BadCopy\UNWISE.EXE C:\PROGRA~1\Jufsoft\BadCopy\INSTALL.LOG
Cakewalk Audio FX Pack 1-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Cakewalk\Cakewalk Audio FX Pack 1\Uninst.isu"
CCleaner-->"C:\Program Files\CCleaner\uninst.exe"
Clean! 2.0-->C:\PROGRA~1\STEINB~1\CLEAN!~1.0\UNWISE.EXE C:\PROGRA~1\STEINB~1\CLEAN!~1.0\INSTALL.LOG
Crimson Editor SVN263-->C:\Program Files\Emerald Editor Community\Crimson Editor SVN263\uninst.exe
Digigram VXkit V05.21d-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{66BC0702-0B5A-4FB7-83DC-9A9EC179D976}\Setup.exe" -l0x9
DreamStation DXi-->C:\WINDOWS\DSDXIRMV.EXE C:\PROGRAM FILES\CAKEWALK\SHARED DXI\AUDIO SIMULATION\DREAMSTATION DXI
eFax Messenger 4.2-->C:\Program Files\eFax Messenger 4.2\Uninstall.exe
emagic EXSP24 VST-PlugIn-->C:\WINDOWS\unvise32.exe C:\Program Files\emagic\emagic EXSP24 VST-PlugInuninstall.log
Error Expert 1.5-->"C:\Program Files\Error Expert\unins000.exe"
EST99-->C:\PROGRA~1\ASME\UNWISE.EXE C:\PROGRA~1\ASME\INSTALL.LOG
FixedLength-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E34B40B-CFF3-11D3-8302-00A024A89C17}\setup.exe"
Folder Guard-->"C:\Program Files\Folder Guard XP\Setup.exe" /U
Franklin Covey Co. Franklin Planner-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Franklin Covey\Planner\Uninst70.isu"
FTDI FTD2XX USB Drivers-->C:\WINDOWS\system32\FTDIUNIN.exe C:\WINDOWS\system32\FTD2XXUN.INI
HighMAT Extension to Microsoft Windows XP CD Writing Wizard-->MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
hp deskjet 6122 series-->rundll32 hpzcon07.dll,VendorJettison hp deskjet 6122 series
Learn2 Player (Uninstall Only)-->C:\Program Files\Learn2.com\StRunner\stuninst.exe
LG PhoneManager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B83245C1-AB8A-40C1-91C0-CEDBDB84255D}\setup.exe" -l0x9 -removeonly
LiveReg (Symantec Corporation)-->C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
Logic Platinum 5-->C:\WINDOWS\unvise32.exe C:\Program Files\emagic\Logic 5\uninstal.log
Looper-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E34B40A-CFF3-11D3-8302-00A024A89C17}\setup.exe"
Macromedia Flash Player 8-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\swflash.inf,DefaultUninstall,5
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft DirectX Transform optional components-->RUNDLL32.EXE ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\DXTXTRA.INF,UNINSTALL.NT,12
Microsoft Office XP Professional with FrontPage-->MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MovieStar-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MovieStar\MovieStar.isu"
Nero Media Player-->C:\WINDOWS\UNNMP.exe /UNINSTALL
Nero OEM-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NeroVision Express 2-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
Odyssey Client-->MsiExec.exe /X{99D42EC7-652B-4819-B3E6-6450C815E03F}
Olympus Digital Wave Player-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB91E774-867B-4567-ACE7-8144EF036068}\Setup.exe"
Overture-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Cakewalk\Overture\Uninst.isu"
PDF Producer-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\DATA BECKER\PDF Producer\Uninst.isu"
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime-->C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer Basic-->C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Rhythm'n'Chords 2 Lite CW-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E34B508-CFF3-11D3-8302-00A024A89C17}\setup.exe"
Sierra Wireless 3G Watcher-->MsiExec.exe /I{BE511F88-2774-48F2-B096-D8F0AE167354}
SiS 900 PCI Fast Ethernet Adapter Driver-->C:\Progra~1\SiSLan\Uninst.exe
SiS VGA Utilities-->Rundll32 SiSInst.dll,Uninstall VGA,R,oem4.inf
Smart Link 56K Modem-->C:\WINDOWS\Modio\SLAMR2KV\Setup.exe /Remove
SmartScore-->C:\PROGRA~1\SMARTS~1\Unwise32.EXE C:\PROGRA~1\SMARTS~1\INSTALL.LOG
SONAR 1.0-->C:\PROGRA~1\Cakewalk\SONAR1~1\UNWISE.EXE C:\PROGRA~1\Cakewalk\SONAR1~1\INSTALL.LOG
Sonic Foundry ACID 2.0d-->C:\PROGRA~1\SONICF~1.0\UEX_ACID.EXE ACID 2.0
SoundDiver 3.0-->C:\WINDOWS\unvise32.exe C:\Program Files\emagic\SoundDiver 3.0\uninstal.log
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Tablet-->C:\Program Files\Tablet\Remove.exe /u
Tassman DXi SE 2.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B23F9E40-E6E5-11D4-89B3-00201856C449}\Setup.exe"
TOSHIBA e-STUDIO3511-4511 Series Client-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A17E144C-CBFC-43EC-AC7B-034FD0DA1268}\Setup.exe" -l0x9
VeloMaster Lite CW-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E34B40D-CFF3-11D3-8302-00A024A89C17}\setup.exe"
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Virtual Sound Canvas DXi-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{745877DC-8FFE-4E4C-ABBC-589B887A47D1}\setup.exe" UNINSTALL_XXX
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\WINDOWS\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
WaveLab Lite-->"C:\Program Files\Steinberg\WaveLab Lite\Unwise.exe" C:\PROGRA~1\STEINB~1\WAVELA~1\Install.log
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows XP Hotfix - KB834707-->C:\WINDOWS\$NtUninstallKB834707$\spuninst\spuninst.exe
Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185-->C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB887797-->C:\WINDOWS\$NtUninstallKB887797$\spuninst\spuninst.exe
Windows XP Hotfix - KB890175-->C:\WINDOWS\$NtUninstallKB890175$\spuninst\spuninst.exe
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Wireless-G Notebook Adapter-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2A2EDF5F-F3C6-4919-AE34-C08A71AD034A}\Setup.exe" -l0x9

======Security center information======

AV: Doctor Web Anti-Virus

======System event log======

Computer Name: EDDYLAPTOP2
Event Code: 8021
Message: The browser was unable to retrieve a list of servers from the browser master \\MICHELLE on the network \Device\NetBT_Tcpip_{A657866A-78B7-4A2D-B4A3-3E3FCDB9A86F}.
The data is the error code.

Record Number: 39090
Source Name: BROWSER
Time Written: 20090603145833.000000-300
Event Type: warning
User:

Computer Name: EDDYLAPTOP2
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 39089
Source Name: Tcpip
Time Written: 20090603141046.000000-300
Event Type: warning
User:

Computer Name: EDDYLAPTOP2
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 39080
Source Name: Tcpip
Time Written: 20090603121223.000000-300
Event Type: warning
User:

Computer Name: EDDYLAPTOP2
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 39079
Source Name: Tcpip
Time Written: 20090603104156.000000-300
Event Type: warning
User:

Computer Name: EDDYLAPTOP2
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 39078
Source Name: Tcpip
Time Written: 20090603094446.000000-300
Event Type: warning
User:

=====Application event log=====

Computer Name: EDDYLAPTOP2
Event Code: 1000
Message: Faulting application logic platinum 5.5.1.exe, version 5.5.1.588, faulting module logic platinum 5.5.1.exe, version 5.5.1.588, fault address 0x00113468.

Record Number: 8124
Source Name: Application Error
Time Written: 20081108195117.000000-360
Event Type: error
User:

Computer Name: EDDYLAPTOP2
Event Code: 1517
Message: Windows saved user EDDYLAPTOP2\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 8110
Source Name: Userenv
Time Written: 20081108110633.000000-360
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: EDDYLAPTOP2
Event Code: 1517
Message: Windows saved user EDDYLAPTOP2\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 8097
Source Name: Userenv
Time Written: 20081105211006.000000-360
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: EDDYLAPTOP2
Event Code: 1517
Message: Windows saved user EDDYLAPTOP2\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 8079
Source Name: Userenv
Time Written: 20081104211149.000000-360
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: EDDYLAPTOP2
Event Code: 1517
Message: Windows saved user EDDYLAPTOP2\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 8050
Source Name: Userenv
Time Written: 20081102202019.000000-360
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\Common Files\Autodesk Shared
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 1, GenuineIntel
"PROCESSOR_REVISION"=0401
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

#12 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:09:16 AM

Posted 17 December 2009 - 12:25 PM

See if you can disable your Dr Web and then give GMER a try one more time. If you get an error message let me know what it says.
If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you.

#13 leighwill

leighwill
  • Topic Starter

  • Members
  • 17 posts
  • Gender:Male
  • Location:Chicago
  • Local time:07:16 AM

Posted 17 December 2009 - 01:09 PM

I am currently giving GMER another try. The thing about DrWeb is that I had actually uninstalled it. Would there be any remnants lying around in the Registry or something?

#14 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:09:16 AM

Posted 17 December 2009 - 02:00 PM

If it is completely uninstalled then it's probably just WMI reporting it as still being there. That happens sometimes, and if we use ComboFix again I can remove the reference. Nothing to really be concerned about if it uninstalled correctly, and it probably won't make a difference in GMER running.

Sorry if you had already told me that and I missed or forgot it.

#15 leighwill

leighwill
  • Topic Starter

  • Members
  • 17 posts
  • Gender:Male
  • Location:Chicago
  • Local time:07:16 AM

Posted 18 December 2009 - 08:58 AM

Finally I have the Gmer.txt file after apparently successfully scanning twice consecutively. It seems odd though that it ends on M's. Hmm, hmm. I am wondering what to do though about posting the results for you. And on that note, is "posting" the act of copy/pasting the text like I've done with files so far, or can it also mean the act of attaching as well? That aside, I have tried and seem to be having some trouble. The Notepad file is also almost 5 MB. That seems odd as it is merely just text. The file is not that enormous by any means for what I understand is the size nature of text files. I also see a max. single upload size limit of 512k on attachments to this forum. What do I do?

I had finally gotten the text verbiage in this reply window but had an error trying to post it. Too much text. I could split it up?

Edited by leighwill, 18 December 2009 - 10:42 AM.
