HJT Log - Becker


19 replies to this topic

#1 michaelsbecker

michaelsbecker

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:24 PM

Posted 23 August 2005 - 07:07 PM

Hi! This is Mike Becker in NJ.

I have never been this stumped. Am having terrible popup (adopt.hotbar.com, searc-h.com, etc.)/browser hijack problems. It finally overwhelms my machine (a Dell Dimension XPS D3000 upgraded to 512 Ram and a 40GB Harddrive running off of a cable modem) to the point where I have to reboot it in order to use it.
Over the years, I have been fortunate enough to always have been able to extract myself from malicious stuff however - I've had no luck with this trojan (?) even after days of effort. I'm completely stumped!

Am running 98SE and Explorer 6.0. Am up to date with all my Windows Explorer patches. Have Norton Internet Security and Live Update is working and up-to-date.
I did run Spybot S+D and Adaware immediately prior to submitting the log. I regularly run those two programs at least once a week and have been for a long time.
Experimented a bit with Housecall, A-Squared and Trojan Hunter this past week to see if they would help, however, to no avail. RKDC.EXE and SGKDDL.EXE look very suspicious to me, however, I didn't want to do anything rash that I might regret later on.
Your help would be greatly appreciated.
Thanks and Best Regards, Mike

Logfile of HijackThis v1.99.1
Scan saved at 7:34:34 PM, on 8/23/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\ISSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\WINDOWS\SGKDDL.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\PROGRAM FILES\VCOM\FIX-IT\MXTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myway.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\sgkddl.exe reg_run
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ISSVC] "c:\Program Files\Norton Internet Security\ISSVC.exe"
O4 - HKLM\..\RunServices: [ccProxy] c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O4 - Startup: Fix-It.lnk = C:\Program Files\VCOM\Fix-It\mxtask.exe
O4 - Startup: rkdc.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {340FBD92-B7BB-11D2-8299-00104B27F81B} (ScanCtl Class) - http://outpost.zdnet.com/updates/resources/updates.cab
O16 - DPF: {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} (VoilaXctl Class) - http://www.belarc.com/Programs/advisor.exe
O16 - DPF: {B10CBD8D-F9B6-11CF-9B38-0080AD11B667} (Ikonic Button Control) - http://www.mybiz.net/mybiz/FrontOffice/activex/ikcntrls.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedCon...n/bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
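
The following triage sketch is an added example, not part of the original post and not HijackThis's own code. It parses the O4 (autostart) lines of a log like the one above, cross-references each target against the "Running processes" section, and lists entries whose executable sits outside a Program Files directory. That last rule is an assumption made here to produce a review list for an analyst, not a verdict, and it will include legitimate Windows components.

```python
import ntpath
import re
from dataclasses import dataclass

# Excerpt copied from the HijackThis log in the post above (not the full log).
LOG = r"""Running processes:
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SGKDDL.EXE
C:\PROGRAM FILES\VCOM\FIX-IT\MXTASK.EXE

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\sgkddl.exe reg_run
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Fix-It.lnk = C:\Program Files\VCOM\Fix-It\mxtask.exe
O4 - Startup: rkdc.exe
"""

# "O4 - <location>: [<value name>] <command>"; Startup-folder lines carry no [name].
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$")
# Target is either a quoted path or everything up to the first executable extension.
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|bat|pif|scr))(?=\s|$)', re.I)


@dataclass
class Autostart:
    where: str     # registry key or "Startup" folder
    name: str      # value name, shortcut name, or the bare file name
    path: str      # executable path with arguments stripped
    running: bool  # same file name appears under "Running processes"
    review: bool   # assumption: not under Program Files, so look at it by hand


def target(cmd):
    """Return the executable part of an autostart command line."""
    m = EXE_RE.match(cmd)
    return (m.group(1) or m.group(2)) if m else cmd.split()[0]


def parse_hjt(log):
    running, raw, in_procs = set(), [], False
    for line in (l.strip() for l in log.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs:
            in_procs = bool(line)  # a blank line ends the process list
            if line:
                running.add(ntpath.basename(line).lower())
        elif (m := O4_RE.match(line)):
            where, name, cmd = m["where"], m["name"], m["cmd"]
            if name is None and " = " in cmd:  # Startup folder: "shortcut = target"
                name, cmd = cmd.split(" = ", 1)
            raw.append((where, name or cmd, target(cmd)))
    entries = []
    for where, name, path in raw:
        folder = ntpath.dirname(path).lower()
        entries.append(Autostart(
            where, name, path,
            running=ntpath.basename(path).lower() in running,
            review=not ("program files" in folder or "progra~1" in folder),
        ))
    return entries


if __name__ == "__main__":
    for e in parse_hjt(LOG):
        if e.review:
            state = "running" if e.running else "not running"
            print(f"{e.where:22} {e.name:16} {e.path:24} {state}")
```
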



#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:12:24 AM

Posted 25 August 2005 - 09:56 PM

Hello michaelsbecker and welcome to the BC HijackThis forum. I think there is more to this than what we are seeing in the HijackThis log. Let's run another scanner and see what it shows us.

Download WinPFind.zip and unzip the contents to the C:\ folder.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here along with a new HijackThis log and I will review the information when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 michaelsbecker


Posted 27 August 2005 - 09:52 AM

Oldtimer,

Thanks for responding.
Had some initial problems with your link to
WinPfind but I ultimately resolved that.

Have had WinPFind running since yesterday afternoon.
It showed it was making some (but little) progress.
Obviously, something is not right so I am going to
try running it again this morning.

Just wanted to let you know I'm here and I'm on it.
Will get the two logs to you as quickly as WinPfind
allows me to.

Thanks again for your help.

Best Regards,
Mike Becker

#4 michaelsbecker


Posted 28 August 2005 - 10:45 AM

Oldtimer,

Your advice would be appreciated.
I've now been running the WinPFind program for a little over 24 hours.
It's still running -- It's apparently in the midst of the "Checking % WinDir % folder..." segment with one entry completed. The sections preceding it each have one or two entries apiece.

My question to you is:
1) Should I simply continue to let it run? (I'm willing to let it run as long as necessary if you deem it worthwhile.)

2) Is this unusual or not untypical given certain circumstances?

Let me know what you advise at this point.

Thanks and Best Regards,
Mike Becker

#5 OldTimer


Posted 29 August 2005 - 12:17 AM

Hi michaelsbecker. No, 10 to 15 minutes is about max for the scan unless there are disk problems. Try rebooting and running it again.

Cheers.

OT

#6 michaelsbecker


Posted 29 August 2005 - 03:28 PM

Oldtimer,

I've attempted to run WinPfind 5 separate times.
Have downloaded it 3 separate times to insure I have a noncorrupted copy.
The program is opening and starting just fine.

The same thing happens each time - it literally just crawls.
Longest run was for just over 36 hours. Always seems to just "churn" once it hits
the "Checking % WinDir % folder....".

Oldtimer, what would you alternatively suggest at this point?
1) would any other programs ( anti viral, anti spy, etc.) be slowing it down?
2) would you like me to transcribe the limited results that I was able to get?
3) can you suggest another analysis program you would like me to run
in lieu of WinPFind?

You might be right about something being wrong with my hard drive, however, my
PC is running relatively quickly and smoothly with the exception, of course,
of the PopUps.

Thanks again for your help.

Best Regards,
Mike Becker

#7 OldTimer


Posted 29 August 2005 - 10:05 PM

Hi michaelsbecker. Ok, there must be something trying to prevent the run. Since you are running Win98 we can boot to DOS and run a manual scan. Download the file I have attached and unzip the contents to a folder of its own such as c:\scan.

Now reboot into DOS. If you unzipped the contents of the zip folder to c:\scan type cd\scan and press the Enter key. If you unzipped to a different folder then substitute that folder. Now type runthis.bat and wait for the scan to finish. It should only take a couple of minutes. The results will be in a file named results.txt in the folder that you ran the runthis.bat file from.

Reboot back into Windows and post the contents of the results.txt file back here.

Cheers.

OT

Attached Files

  • Attached File  scan.zip   43.59KB   6 downloads

Edited by OldTimer, 29 August 2005 - 10:06 PM.


#8 michaelsbecker


Posted 30 August 2005 - 12:07 PM

Oldtimer,

Obviously the results posted below from the manual scan are not what you were looking for. Followed your directions to a tee -- I get this result every single time.

Your continued advice would be greatly appreciated.

Best Regards,
Mike Becker

SCAN RESULTS


This program must be run under Win32
This program must be run under Win32
This program must be run under Win32
This program must be run under Win32
This program must be run under Win32

No matches found.
This program must be run under Win32
This program must be run under Win32
This program must be run under Win32
This program must be run under Win32
This program must be run under Win32

No matches found.
This program must be run under Win32
This program must be run under Win32
This program must be run under Win32
This program must be run under Win32
This program must be run under Win32

No matches found.

#9 OldTimer


Posted 31 August 2005 - 09:43 AM

Hi michaelsbecker. Yeah, I was wondering about that. Boot into SafeMode and run it from there. If you get the same result then try running it from a Normal boot and see what you get.

Cheers.

OT

#10 michaelsbecker


Posted 31 August 2005 - 08:20 PM

Oldtimer,

This is the result I got from Safe Mode:

c:\
PEC2D 7/17/03 12:21:12 PM 142366861 W98UNDO.DAT
SOFTWARE\PTech 8/18/05 6:08:34 PM 5632 setup1047.exe
c:\program files\
winsync = C:\WINDOWS\sgkddl.exe reg_run8/23/05 2:43:06 PM 6502 startuplist.txt

No matches found.

The above is extremely close to the partial results I was able to obtain with WinPFind.

Here are the results in Normal Mode:

C:\Scan>otgrep -f patterns.txt -d c:\ -m *.* >> results.txt
File creation error

C:\Scan>otgrep -f patterns.txt -d "c:\program files" -m *.* >> results.txt
File creation error

C:\Scan>otgrep -f patterns.txt -d "c:\winnt" -m *.* >> results.txt
File creation error

C:\Scan>otgrep -f patterns.txt -d "c:\winnt\system32" -m *.* >> results.txt
File creation error

C:\Scan>otgrep -f patterns.txt -d "c:\winnt\system32\drivers" -m *.* -r >> results.txt
File creation error

C:\Scan>locate.com "c:\winnt\*" /H /D- /D:T-60 >> results.txt
File creation error

C:\Scan>

I hope one of the above is helpful to you.

Thanks again for your help!

Best Regards,
Mike Becker

#11 OldTimer


Posted 01 September 2005 - 09:59 AM

Hi michaelsbecker. I see the error of my ways. That was my fault. Please delete the runthis.bat file that you have and replace it with the one in the link below. Unzip the new RunThis.bat file to the folder with the otgrep.exe file, delete the current results.txt file and then boot to Safe Mode and run the new RunThis.bat file again. This should give us what we are looking for.

Cheers.

OT


#12 michaelsbecker


Posted 01 September 2005 - 05:32 PM

Oldtimer,

Followed your directions exactly.

The program never goes beyond: (transcribed by hand)

c:\scan>otgrep - fpatterns.txt -d c:\ -m *.* >> results.txt

I can hear/see the hard drive working, however, it apparently goes nowhere.
Ran it four separate times. Twice for over an hour each just to make sure I wasn't missing anything.

Nothing ever appears in/on the Results Folder.

Sorry we didn't make any progress with the above.
My computer continues to work quickly and smoothly with the exception of the popups.

Your continued advice would be greatly appreciated.
Thank you again for your help.

Best Regards,
Mike Becker

#13 OldTimer


Posted 02 September 2005 - 09:36 AM

Hi michaelsbecker. How much physical memory is installed in this machine? If the hard drive is working my guess would be that it is running out of memory and doing a lot of swapping with the virtual memory.

Cheers.

OT

#14 michaelsbecker


Posted 02 September 2005 - 10:02 AM

Oldtimer,
There should be plenty of RAM and hard drive capacity for what we are trying to do.
Here is a Belarc Advisor summary of my machine run just two minutes ago.

Best Regards,
Mike Becker


Computer Profile Summary
Computer Name: Michael S. Becker
Profile Date: Friday, September 02, 2005 10:53:03
Advisor Version: 5.0h
Windows Logon: Michael S. Becker



Operating System
Windows 98 SE

System Model
Dell Computer Corporation Dimension XPS D300
Asset Tag: CGV9F

Processor
300 megahertz Intel Pentium II
32 kilobyte primary memory cache
512 kilobyte secondary memory cache

Main Circuit Board
Board: Intel Corporation AL440LX AA681533-307
Serial Number: ISAL74914610
Bus Clock: 66 megahertz
BIOS: Intel Corp. 4A4LL0X0.10A.0017.P06 11/10/97

Drives
39.98 Gigabytes Usable Hard Drive Capacity
34.75 Gigabytes Hard Drive Free Space

NEC CD-ROM DRIVE:28B
TDK CDRW321040B [CD-ROM drive]
Generic floppy disk drive (3.5")

IOMEGA ZIP 100 [Hard drive] -- drive 255
WDC WD400BB-75AUA1 (40.02 GB) [Hard drive] -- drive 0

Memory Modules
256 Megabytes Installed Memory
128 Megabyte Module Size - 1 Installed
64 Megabyte Module Size - 2 Installed

Local Drive Volumes
c: (on drive 0) 11.64 GB 6.73 GB free
d: (on drive 0) 9.76 GB 9.64 GB free
e: (on drive 0) 9.70 GB 9.67 GB free
f: (on drive 0) 8.88 GB 8.71 GB free

Network Drives

Controllers
Standard Floppy Disk Controller
Intel 82371AB/EB PCI Bus Master IDE Controller
Primary IDE controller (dual fifo)
Secondary IDE controller (dual fifo)

Printers
hp officejet v series fax on DOT4_001
hp officejet v series printer on DOT4_001
Microsoft Fax Driver on PUB:
MightyFAX Printer Driver on PRINTFAX:

Display
RADEON 9000 [Display adapter]
RADEON 9000 - Secondary [Display adapter]
Default Monitor
Dell D2026T [Monitor]

Bus Adapters
Intel 82371AB/EB PCI to USB Universal Host Controller
NEC USB Open Host Controller
NEC USB Open Host Controller

Multimedia
Altec Lansing Multimedia USB Speakers - ACS 495
Creative AWE64 16-bit Audio (SB16 compatible)
Creative AWE64 Wavetable MIDI (AWE32 compatible)
Gameport Joystick (no joystick connected)
Wave Device for Voice Modem

Communications
Creative Modem Blaster Flash56 PCI DI5630-4
SOHOware 10/100 PCI Network Adapter
Network Card MAC Address: 00:80:C6:E8:65:BC

Other Devices
Texas Instruments OHCI Compliant IEEE 1394 Host Controller
officejet v40xi
1284.4 Compatible Printer
officejet v40xi
Creative PCI Modem Enumerator
hp officejet v series
Standard 101/102-Key or Microsoft Natural Keyboard
USB Root Hub
USB Root Hub
USB Root Hub

Software Licenses


Software Versions
a-squared StartCenter *
Acrobat Reader *
Adobe Acrobat Reader Version 5.0.0.0*
Adobe Acrobat Version 4.05*
Adobe ActiveShare Version 1.05*
Adobe ImageReady ™ 2.0 Version 2.0*
Adobe Photoshop Version 5.5*
Adobe Systems, Inc. Adobe Gamma Loader Version 1, 0, 0, 1*
Ahead software - NeroMIX Version 1, 2, 2, 12*
Ahead Software AG Karlsbad Germany Phone: ++49-7248-911-800 Fax: ++49-7248-911-888 e-mail: info@nero.com - LANGUAGE_English2 Version 5, 5, 6, 1*
ahead software gmbh im stoeckmaedle 6 76307 karlsbad, germany e-mail: info@nero.com - NeroImageDrive Version 1, 0, 0, 1*
ahead software gmbh, karlsbad - Cover Designer Version 2, 1, 0, 6*
Banner Blue Software Incorporated - Microsoft Organization Chart Version 2,0,0,1016*
Belarc Advisor and BelLive - Belarc's Content Personalization with Privacy Version 5.0h*
Borland International - Database Engine 4.0 *
C - SCCntl R*
Caere Corporation - OmniPage Limited Edition Version 4.0*
Caere Corporation - OmniPage Pro Version 7, 0, 0, 0*
Cerious Software Inc. - ThumbsPlus Version 3, 0, 3, 1*
Cerious Software, Inc. - ThumbsPlus Version 4, 0, 2, 0*
Corel Corporation Limited - Desktop Application Director 8 Version 8.0.0.390*
Corel Corporation Limited - PerfectFit 32-Bit Version 8.0.0.390*
Corel Corporation Limited - PerfectFit Installation System Version 8.0.0.395*
Corel Corporation Limited - WordPerfect for Windows Version 8.0.0.248*
Corel Corporation Limited - WordPerfect for Windows Version 8.0.0.611*
Corel Photo House ™ Version 1.0*
Corel Print House ™ Version 2.0*
Create System Disks *
Creative CD Version 2.15.0*
Creative MIDI Instrument Mapper Version 1.01.14.0*
Creative MIDI Version 2.11.0*
Creative Mixer Version 5.31.6*
Creative Remote Version 2.09.0*
Creative Technology Ltd. - Sound Blaster AWE Version 1.11.70*
Creative Technology Ltd. - Sound Blaster AWE Version 2.07.0*
Creative Technology Ltd. - WaveStudio Version 3.19.0*
Creative Wave Version 2.10.0*
Creative WaveSynth Version 1.04.11.0*
Creative® Technology Ltd. - Soundo'LE Version 3.18.3*
ei software - Personal Color Viewer Version 1.00*
End If Software - ASSESS~1 Version 1.00*
End If Software - IRONMAN Version 1.00*
Erik Deppe - DriveSpeed Application Version 1, 6, 0, 0*
Erik Deppe - Nero CD Speed Version 0, 8, 4, 2*
EXPRESS Version 1.0.001*
Hewlett-Packard Co. - hp officeJet v series A.11.10.24*
Hewlett-Packard Company - HP Printing System for Windows Version 1998.0227.1034*
ICONCLNT *
Inno Setup *
IntelliQuest Communications, Inc. - ITP Version 2, 5, 1, 0*
Intelliquest Reminder Application Version 2,5,1,0*
InterMute, Inc. - CWShredder Version 2.12*
Iomega 1-Step Backup for Zip & Jaz Version 5.30*
Iomega Copy Machine *
Iomega Corporation - Findit Application Version 5, 1, 0, 0*
Iomega Guest95 *
Iomega Startup Options *
Iomega Watch *
Lavasoft Ad-Aware SE SE 106*
Macromedia Director Version 7.0.2*
MGI Software Corp. VideoWav Version 4.0.637.0*
Microsoft ® Windows Script Host Version 5.6.0.6626*
Microsoft Automap Streets Plus Version 05.00.00.0001*
Microsoft Corporation - Clip Gallery 3.0 for Windows Version 3.0*
Microsoft Corporation - DirectShow Version 6.4.07.1117*
Microsoft Corporation - DWIZARD Application Version 1, 0, 0, 30*
Microsoft Corporation - Internet Explorer Version 6.00.2800.1106*
Microsoft Corporation - Windows® NetMeeting® Version 3.0*
Microsoft Encarta Version 5.12.1240*
Microsoft Excel Version 8.0*
Microsoft Exchange Version 5.0*
Microsoft Office Binder Version 8.0.3501*
Microsoft Office Version 8.0*
Microsoft Outlook Version 8.0*
Microsoft Outlook Version 8.02*
Microsoft Photo Editor Version 3.0*
Microsoft PowerPoint for Windows Version 8.0*
Microsoft Publisher 97 Version 4.0*
Microsoft® Windows Media Player Version 9.00.00.2980*
Microsoft® Access Version 8.0.4122*
Microsoft® Find Fast Version 8.0*
Microsoft® FrontPage™ Version 2.0.2.1118*
Microsoft® Input Device Software Version 2.00*
Microsoft® Internet Services Version 6.1.10.0*
Microsoft® Pointing Device Software Version 2.00*
Microsoft® Pointing Device Software Version 2.00.*
Microsoft® Schedule+ for Windows 95™ Version 7.5*
Microsoft® Word for Windows® 97 Version 8.0*
Mixghost *
MyDVD Application Version 1, 0, 0, 1*
Novell, Inc. - PerfectFit 32-Bit Version 8.0.0.390*
OmniPage Pro for Windows 95 *
PFREG.EXE*
PowerChute plus *
Preview Systems - Vbox Version 4.3.1.1*
Preview Systems - Vbox Version 4.6.0.11*
Preview Systems Inc. VBoxClient Version 4, 3, 1, 1*
Product Registration *
Program Disk Maker *
Readiris *
RealNetworks, Inc. - RealOne Player (32-bit) Version 0.1.0.880*
RealNetworks, Inc. - RealOne Player (32-bit) Version 6.0.10.505*
RealNetworks, Inc. - RealOne Player (32-bit) Version 7.0.0.559*
Recovery Commander™ Version 2, 8, 17, 0*
Safer Networking Limited - Spybot - Search & Destroy Version 1, 4, 0, 3*
Safer Networking Limited - SpyBot-S&D Version 1, 4, 0, 3*
Seagate Software, Inc. - Backup *
Soeperman Enterprises Ltd. - HijackThis Version 1.99.0001*
Sony Corporation & SmartDisk Corporation - fpmsfw32 Application Version 1, 0, 0, 44*
Speaker Management Interface *
Start UPS Monitoring *
Symantec Core Component Version 1, 8, 54, 478*
Symantec Corporation - Client and Host Security Platform Version 103.0.2.10*
Symantec Corporation - Client and Host Security Platform Version 103.0.4.3*
Symantec Corporation - Client and Host Security Platform Version 103.0.5.2*
Symantec Corporation - LiveUpdate Version 2.6.14.0*
Symantec Corporation - Norton AntiVirus Version 11.0.9*
Symantec Corporation - Norton Internet Security Version 4.0*
Symantec Corporation - Norton Internet Security Version 8.0*
Symantec Security Drivers Version 5.5*
Symantec Shared Components Version 3.1*
UPS *
V Communications, Inc. - Fix-It Task Manager *
V Communications, Inc. - Fix-It Utilities Version 5.0.3.2*
Virtos GmbH - WaveEdit DLL Version 1, 0, 2, 1*
WinZip Version 8.0 (3105)*
Ziff-Davis, Inc. - End It All Version 1.0.0.31*
Zip Disk Icons *

--------------------------------------------------------------------------------

#15 OldTimer


Posted 02 September 2005 - 11:31 AM

Hi michaelsbecker. Ok, that looks ok. Let's try this.

Download the newest version of WinPFind.zip and replace all of the files from the version you currently have. Boot to Safe Mode and try the scan again. If it still has a problem in the C:\ folder then stop the program and restart it. Click the Configure Scan Options button and in the Folder Options grouping uncheck the System Drive Folder at the top of the list. Click the Apply button and then click the Start Scan button and let's see what we get. There might be something in the root of the drive that we will want to look at a little later.

Cheers.

OT