[Resolved]My Computer Is Becoming Useless! Please Help!


This topic is locked
25 replies to this topic

#1 hapworth

hapworth

    New Member

  • Authentic Member
  • 12 posts

Posted 06 August 2007 - 01:09 PM

Freezes, pages won't load, takes forever to do anything...
I hope I have included everything needed to get some help with this issue!!!
Any help would be GREATLY appreciated!!!!

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:49:55 PM 8/6/2007

+ Scan result:



C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1208\A0168934.dll -> Adware.Agent : No action taken.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1208\A0168935.dll -> Adware.Agent : No action taken.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1208\A0168930.dll -> Adware.TTC : No action taken.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1208\A0168931.exe -> Adware.TTC : No action taken.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1208\A0168933.exe -> Adware.WildMedia : No action taken.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1208\A0168932.exe -> Adware.ZQuest : No action taken.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1208\A0168929.exe -> Backdoor.VB.kb : No action taken.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1208\A0168925.exe -> Downloader.Agent.ac : No action taken.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1208\A0168927.exe -> Downloader.VB.awj : No action taken.


::Report end

Logfile of HijackThis v1.99.1
Scan saved at 1:59:29 PM, on 8/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.17.0\QOELoader.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.17.0\qoeapp.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Road Runner High Speed Online
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {126568FF-8567-F9EA-4F14-FB8DCE2180CE} - (no file)
O2 - BHO: (no name) - {48dc54ed-76b0-442e-b9c0-cc408f261154} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {5D401015-0ABA-4901-983F-BA3CA8DFC206} - C:\Program Files\MSN\hokeqo83122.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\WebAssist.dll
O2 - BHO: (no name) - {9d1580f3-c186-4bb9-8664-bf67e5ec9b0b} - (no file)
O2 - BHO: 0 - {D8698198-7352-4715-F598-8F987770805C} - C:\Program Files\Uninstall Information\lavukasy.dll (file missing)
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.17.0\QOELoader.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.adgate.info
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/F...oad/tgctlar.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr...ads/tgctlcm.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab46479.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/...dy.cab53083.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...96/mcinsctl.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust...an/pestscan.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab53083.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab41227.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe



#2 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • 2,994 posts

Posted 07 August 2007 - 08:40 PM

Hi hapworth,

You have Viewpoint Media Player installed on your system. This program is not malware, but it is foistware in that it is usually installed without the user's knowledge or approval, and for this reason I recommend you remove it. If you actually use this program, I recommend you try using safe and free alternatives such as VLC Player or Media Player Classic.
To remove it, open Start -> Control Panel -> Add/Remove Programs, find Viewpoint Media Player and select Remove.

Your Java is outdated and is now a security risk.
Go to Start » Control Panel » Add/Remove Programs
Search for all previously installed versions of Java (J2SE Runtime Environment...).
(They should have this icon next to them: [image])
Remove all versions of Java.
You can download and install the newest version of Java Runtime Environment (JRE) (version 6 update 2), from here:
http://java.sun.com/...loads/index.jsp

Then, open HijackThis, choose Do a system scan only and place a checkmark next to the following lines (if present):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {126568FF-8567-F9EA-4F14-FB8DCE2180CE} - (no file)
O2 - BHO: (no name) - {48dc54ed-76b0-442e-b9c0-cc408f261154} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {5D401015-0ABA-4901-983F-BA3CA8DFC206} - C:\Program Files\MSN\hokeqo83122.dll (file missing)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\WebAssist.dll
O2 - BHO: (no name) - {9d1580f3-c186-4bb9-8664-bf67e5ec9b0b} - (no file)
O2 - BHO: 0 - {D8698198-7352-4715-F598-8F987770805C} - C:\Program Files\Uninstall Information\lavukasy.dll (file missing)
O15 - Trusted Zone: *.adgate.info


If you removed Viewpoint, then also check this line (if present):

O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML


Then close all open windows apart from HijackThis, press Fix checked, OK the prompt and close HijackThis.

Now reboot your computer normally.

Make hidden/system files and folders visible:
Click Start -> My Computer
Select the Tools menu, click Folder Options and select the View tab
Under the Hidden files and folders heading SELECT Show hidden files and folders
UNCHECK the Hide extensions for known file types option
UNCHECK the Hide protected operating system files (recommended) option
Click Yes to confirm and press OK

Use Windows Explorer to find and delete the following file (if present):
C:\WINDOWS\WebAssist.dll

If this file isn't present that's fine, however if you have any trouble deleting it, please let me know in your next response.

Download Deckard's System Scanner (DSS)
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized)
  • Make sure Format->Word Wrap is unchecked
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply
Once complete, please post both DSS logs; you won't need to produce a new HijackThis log, as DSS produces one for you.
ASAP & UNITE Member
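As an added example (not code from this thread, from HijackThis, or from the helper), the triage applied above to the O2 and O15 lines can be written as a small parser over HijackThis v1.99 log lines: orphaned BHO registrations, BHO DLLs dropped straight into C:\WINDOWS, and Trusted Zone additions. The regexes and rule names are assumptions of this example, the sample lines are copied from the log posted earlier in the thread, and the R0 and F2 lines the helper judged by hand are deliberately not covered.

```python
"""Triage helper for HijackThis v1.99 log lines (added example, not from the thread).

Rules mirror the ones applied to the log above: O2 BHO entries whose backing
file is absent, BHOs with no product name, BHO DLLs sitting directly in
C:\\WINDOWS, and O15 Trusted Zone additions. The regexes and rule names are
this example's own assumptions, not anything HijackThis itself defines.
"""
import re
from dataclasses import dataclass

# "<code> - <body>", where code is R0-R3, F0-F3 or O1-O24 in HijackThis 1.99.
SECTION_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")
# O2 body: "BHO: <name> - {<CLSID>} - <path | (no file)>"
BHO_RE = re.compile(
    r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$"
)
# O15 body: "Trusted Zone: <host pattern>"
O15_RE = re.compile(r"^Trusted Zone: (?P<zone>\S+)$")
# A DLL dropped straight into the Windows directory rather than a product folder.
WINDIR_DLL_RE = re.compile(r"(?i)^C:\\WINDOWS\\[^\\]+\.dll$")


@dataclass
class Finding:
    line: str
    reason: str


def parse_section(line: str):
    """Split a log line into (section code, body); None for non-entry lines."""
    m = SECTION_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage_line(line: str):
    """Return a Finding for a line that merits a 'Fix checked', else None."""
    parsed = parse_section(line)
    if parsed is None:
        return None
    code, body = parsed
    if code == "O2":
        m = BHO_RE.match(body)
        if not m:
            return Finding(line, "O2 entry did not parse; inspect manually")
        name, path = m.group("name"), m.group("path")
        if path == "(no file)" or path.endswith("(file missing)"):
            return Finding(line, "orphaned BHO registration (no backing file)")
        if name in ("(no name)", "0"):
            return Finding(line, "BHO without a product name")
        if WINDIR_DLL_RE.match(path):
            return Finding(line, "BHO DLL dropped directly in the Windows directory")
    elif code == "O15":
        m = O15_RE.match(body)
        if m:
            return Finding(line, f"site {m.group('zone')} added to IE Trusted Zone")
    return None


def triage_log(text: str):
    """Run triage_line over a whole log and keep only the flagged entries."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


# Constructed sample: a subset of the lines from the HijackThis log in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {126568FF-8567-F9EA-4F14-FB8DCE2180CE} - (no file)
O2 - BHO: (no name) - {48dc54ed-76b0-442e-b9c0-cc408f261154} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {5D401015-0ABA-4901-983F-BA3CA8DFC206} - C:\Program Files\MSN\hokeqo83122.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\WebAssist.dll
O2 - BHO: (no name) - {9d1580f3-c186-4bb9-8664-bf67e5ec9b0b} - (no file)
O2 - BHO: 0 - {D8698198-7352-4715-F598-8F987770805C} - C:\Program Files\Uninstall Information\lavukasy.dll (file missing)
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O15 - Trusted Zone: *.adgate.info
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(f"{finding.reason}\n    {finding.line}")
```

Run against the sample it flags exactly the eight O2 lines and the O15 line the helper asked to be fixed, and leaves the Adobe and Java BHOs alone.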

#3 hapworth

hapworth

    New Member

  • Authentic Member
  • 12 posts

Posted 07 August 2007 - 11:22 PM

Thank you very much for the help. Here is the information you have requested.

Deckard's System Scanner v20070807.62
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.66GHz
Percentage of Memory in Use: 78%
Physical Memory (total/avail): 254 MiB / 53.88 MiB
Pagefile Memory (total/avail): 621.98 MiB / 309.8 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1979.65 MiB

C: is Fixed (NTFS) - 37.21 GiB total, 19.98 GiB free.
D: is CDROM (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

FW: CA Personal Firewall 9.1.0.33 v9.1.0.33 (CA)
AV: CA Anti-Virus v8.4.0.24 (CA, Inc.)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"="C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE:*:Disabled:LEXPPS.EXE"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealOne Player"
"C:\\Program Files\\Freaky Freezeday\\Freezeday.exe"="C:\\Program Files\\Freaky Freezeday\\Freezeday.exe:*:Enabled:Macromedia Projector"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Disabled:AOL Instant Messenger"
"C:\\Program Files\\Kazaa\\kazaa.exe"="C:\\Program Files\\Kazaa\\kazaa.exe:*:Disabled:Kazaa"
"C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp"="C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp:*:Disabled:KazaaLite"
"C:\\academic\\iss2\\iss.exe"="C:\\academic\\iss2\\iss.exe:*:Disabled:Sybase Inc. Product File"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\roger logan\Application Data
CLASSPATH=.;C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=D3WGSN41
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\roger logan
LOGONSERVER=\\D3WGSN41
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Outlook Express;C:\academic\orawin95\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Academic\orawin95\Bin;
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ROGERL~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ROGERL~1\LOCALS~1\Temp
USERDOMAIN=D3WGSN41
USERNAME=roger logan
USERPROFILE=C:\Documents and Settings\roger logan
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

kourtney harris (admin)
roger logan (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1888DAFD-C634-4BC4-865C-3455E24F6177}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1888DAFD-C634-4BC4-865C-3455E24F6177}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDC05F7-83E4-4611-AD3C-A6EB2100332A}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDC05F7-83E4-4611-AD3C-A6EB2100332A}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDDF96A-BC34-4D72-9ABA-E1FFF0C39977}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67AEFC4C-69E4-11D7-85F4-00E018013273}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67AEFC4C-69E4-11D7-85F4-00E018013273}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{869D88A5-BD6C-4E39-8536-D95259EAD7E8}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{869D88A5-BD6C-4E39-8536-D95259EAD7E8}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{881A74B3-3D17-4842-B9AF-0761C6E6C4B5}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{881A74B3-3D17-4842-B9AF-0761C6E6C4B5}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B5BAAFAE-3561-463D-8E3F-91761A57ADB8}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B5BAAFAE-3561-463D-8E3F-91761A57ADB8}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE6699B3-E5AD-4E59-8F2B-207DF630670C}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE6699B3-E5AD-4E59-8F2B-207DF630670C}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD549B7B-3532-4160-80D4-3E3DD39A9AE5}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD549B7B-3532-4160-80D4-3E3DD39A9AE5}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /X{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Download Manager 1.2 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Adobe Shockwave Player --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\Install.log
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
CA Internet Security Suite --> "C:\Program Files\CA\CA Internet Security Suite\caunst.exe" /u
Comcast High-Speed Internet Install Wizard --> C:\Program Files\support.com\uninstall\chsi_uninstaller.exe
Comcast PhotoShow Deluxe --> "C:\Program Files\Comcast\Comcast PhotoShow\data\Xtras\Uninstall.exe"
Creative MediaSource --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{56F3E1FF-54FE-4384-A153-6CCABA097814}\SETUP.EXE" -l0x9 /remove/remove/remove
Dell Digital Jukebox Driver --> C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Dell Media Experience --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\setup.exe" -uninstall
Dell Solution Center --> MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
Dell Support --> MsiExec.exe /X{43FCA273-9534-40DB-B7C5-D7758875616A}
FinePixViewer Ver.4.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{24ED4D80-8294-11D5-96CD-0040266301AD}\SETUP.EXE"
FUJIFILM USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5490882C-6961-11D5-BAE5-00E0188E010B}\SETUP.EXE"
Golden Tee Golf Course Addon #1 --> C:\Games\GOLDEN~1\UNWISE.EXE C:\Games\GOLDEN~1\INSTALL.LOG
HP Extended Capabilities 5.3 --> C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Image Zone Express --> MsiExec.exe /X{FE64AE29-0883-4C70-8388-DC026019C900}
HP Imaging Device Functions 5.3 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart 330,380,420,470,7800,8000,8200 Series --> C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\setup\hpzscr01.exe -d MsiRollbackUninstaller -datfile hphscr08.dat
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
HP Solution Center & Imaging Support Tools 5.3 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
ImageMixer VCD for FinePix --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D3AA158A-9421-4883-8767-E771B0964A1D}\setup.exe"
Intel® 537EP V9x DF PCI Modem --> rundll32 IntelCci.dll,iSMUninstallation "Intel® 537EP V9x DF PCI Modem"
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{54C0D94A-F467-4ABC-9D02-6E58748668D4} /l1033
Jasc Paint Shop Photo Album --> MsiExec.exe /I{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}
Jasc Paint Shop Pro 8 Dell Edition --> MsiExec.exe /I{81A34902-9D0B-4920-A25C-4CDC5D14B328}
Kazaa Lite K++ v2.4.3 --> "C:\Program Files\Kazaa Lite K++\unins000.exe"
Lexmark 1200 Series --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXCZUN5C.EXE -dLexmark 1200 Series
Macromedia Shockwave Player --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\Install.log
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Encarta Encyclopedia Standard 2004 --> MsiExec.exe /I{04410044-9149-45C6-A806-F2BF9CFCE762}
Microsoft Money 2004 --> MsiExec.exe /I{1D643CD7-4DD6-11D7-A4E0-000874180BB3}
Microsoft Money 2004 System Pack --> MsiExec.exe /I{8C64E145-54BA-11D6-91B1-00500462BE80}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
MicroStaff WINASPI NT --> C:\MWASPINT\uninst.exe
Modem Event Monitor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}\setup.exe" -l0x9
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Modem On Hold --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{C21D5524-A970-42FA-AC8A-59B8C7CDCA31} /l1033
RAW FILE CONVERTER LE --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D680C913-5955-469D-9D88-C1940F7506D6}\SETUP.EXE" -l0x9
RealOne Player --> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
RoadRunner --> MsiExec.exe /I{A73EFA95-4872-4AE3-8EE9-10D2E2D713CF}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SST Programming Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{03ADCA1C-BCF0-4B12-AFCF-8EBF2CB3AB07}\setup.exe" AddRem
TurboTax Basic 2003 --> C:\Program Files\TurboTax\Basic 2003\TaxUnst.EXE "C:\Program Files\TurboTax\Basic 2003\Uninstall.log" -NoGui
Uniblue RegistryBooster 2 --> "C:\Program Files\Uniblue\RegistryBooster 2\unins000.exe"
Uniblue SpeedUpMyPC 3 --> "C:\Program Files\Uniblue\SpeedUpMyPC 3\unins000.exe"
USB MassStorage CardReader --> C:\Program Files\Kodak40a_5005\Remove.exe
WexTech AnswerWorks --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}\setup.exe" -l0x9 -eliminate
WordPerfect Office 11 --> MsiExec.exe /I{54F90B55-BEB3-4F0D-8802-228822FA5921}


-- Application Event Log -------------------------------------------------------

Event ID #23916: Error
Event Submitted/Written: 08/08/2007 00:01:54 AM
Event Source: crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This network connection does not exist.

Event ID #23915: Error
Event Submitted/Written: 08/08/2007 00:01:53 AM
Event Source: crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This network connection does not exist.

Event ID #23914: Error
Event Submitted/Written: 08/08/2007 00:01:44 AM
Event Source: crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: The specified server cannot perform the requested operation.

Event ID #23913: Error
Event Submitted/Written: 08/08/2007 00:01:43 AM
Event Source: crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: The specified server cannot perform the requested operation.

Event ID #23912: Error
Event Submitted/Written: 08/08/2007 00:01:43 AM
Event Source: crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: The specified server cannot perform the requested operation.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event ID #10961: Error
Event Submitted/Written: 08/08/2007 00:00:35 AM
Event Source: Schedule
Event Description:
The At1.job command failed to start due to the following error:
%%2147942405

Event ID #10933: Error
Event Submitted/Written: 08/07/2007 11:00:00 PM
Event Source: Schedule
Event Description:
The At24.job command failed to start due to the following error:
%%2147942405

Event ID #10932: Error
Event Submitted/Written: 08/07/2007 10:00:00 PM
Event Source: Schedule
Event Description:
The At23.job command failed to start due to the following error:
%%2147942405

Event ID #10931: Error
Event Submitted/Written: 08/07/2007 09:00:00 PM
Event Source: Schedule
Event Description:
The At22.job command failed to start due to the following error:
%%2147942405

Event ID #10930: Error
Event Submitted/Written: 08/07/2007 08:00:00 PM
Event Source: Schedule
Event Description:
The At21.job command failed to start due to the following error:
%%2147942405



-- End of Deckard's System Scanner: finished at 2007-08-08 at 00:04:18 ---------


Deckard's System Scanner v20070807.62
Run by roger logan on 2007-08-07 at 23:59:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
69: 2007-08-08 04:59:46 UTC - RP1220 - Deckard's System Scanner Restore Point
68: 2007-08-08 04:32:05 UTC - RP1219 - Removed Java 2 Runtime Environment, SE v1.4.2
67: 2007-08-08 04:30:31 UTC - RP1218 - Removed Java™ SE Runtime Environment 6 Update 1
66: 2007-08-07 20:53:49 UTC - RP1217 - System Checkpoint
65: 2007-08-06 20:34:52 UTC - RP1216 - Installed Ad-Aware 2007


-- First Restore Point --
1: 2007-06-16 04:34:38 UTC - RP1152 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 76% (more than 75%).
Total Physical Memory: 254 MiB (512 MiB recommended).


-- HijackThis (run as roger logan.exe) -----------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:01:08 AM, on 8/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.17.0\QOELoader.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\roger logan\My Documents\dss.exe
C:\PROGRA~1\HIJACK~1\roger logan.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Road Runner High Speed Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.17.0\QOELoader.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe


-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20070715-234616-124 O15 - Trusted Zone: *.errorsafe.com (HKLM)
backup-20070715-234616-252 O15 - Trusted Zone: *.systemdoctor.com (HKLM)
backup-20070715-234616-259 O15 - Trusted Zone: *.snipernet.biz (HKLM)
backup-20070715-234616-301 O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
backup-20070715-234616-374 O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
backup-20070715-234616-391 O15 - Trusted Zone: *.imagesrvr.com (HKLM)
backup-20070715-234616-487 O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
backup-20070715-234616-590 O15 - Trusted Zone: *.matcash.com (HKLM)
backup-20070715-234616-623 O15 - Trusted Zone: *.adgate.info (HKLM)
backup-20070715-234616-736 O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
backup-20070715-234616-743 O15 - Trusted Zone: *.winfixer.com (HKLM)
backup-20070715-234616-798 O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
backup-20070715-234616-818 O20 - Winlogon Notify: PFW - C:\WINDOWS\SYSTEM32\UmxWnp.Dll
backup-20070715-234617-443 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
backup-20070715-235135-160 O16 - DPF: {339234B4-4E14-4280-B8B4-8BAE5AF99063} (Chess Object) - http://zone.msn.com/...rp.cab51831.cab
backup-20070715-235135-328 R3 - Default URLSearchHook is missing
backup-20070715-235135-396 O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} - http://zone.msn.com/...pandaonline.cab
backup-20070715-235135-962 O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZCxdm565YYUS
backup-20070715-235135-971 O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\gwuljatw.dll
backup-20070715-235136-277 O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab53083.cab
backup-20070715-235136-550 O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://zone.msn.com/...h2.1.0.0.55.cab
backup-20070715-235136-911 O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/...pandaonline.cab
backup-20070715-235136-996 O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/...vl.cab50560.cab
backup-20070717-225324-759 O3 - Toolbar: (no name) - {1028F737-81E7-452B-A860-E50CAD90A08C} - (no file)
backup-20070717-225324-801 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20070717-231040-894 O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadc...easeInstall.cab
backup-20070729-112603-825 O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
backup-20070729-112826-460 O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
backup-20070729-112829-714 O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://zone.msn.com/...sh.1.0.0.89.cab
backup-20070729-112830-370 O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/...ploader_v10.cab
backup-20070729-112831-511 O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
backup-20070729-112832-469 O16 - DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} (CheckersZPA Object) - http://zone.msn.com/...PA.cab40641.cab
backup-20070807-233852-118 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
backup-20070807-233853-105 O2 - BHO: (no name) - {5D401015-0ABA-4901-983F-BA3CA8DFC206} - C:\Program Files\MSN\hokeqo83122.dll (file missing)
backup-20070807-233853-163 O15 - Trusted Zone: *.adgate.info
backup-20070807-233853-203 O2 - BHO: 0 - {D8698198-7352-4715-F598-8F987770805C} - C:\Program Files\Uninstall Information\lavukasy.dll (file missing)
backup-20070807-233853-210 O2 - BHO: (no name) - {9d1580f3-c186-4bb9-8664-bf67e5ec9b0b} - (no file)
backup-20070807-233853-282 O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
backup-20070807-233853-372 O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
backup-20070807-233853-426 O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
backup-20070807-233853-570 O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\WebAssist.dll
backup-20070807-233853-604 O2 - BHO: (no name) - {126568FF-8567-F9EA-4F14-FB8DCE2180CE} - (no file)
backup-20070807-233853-824 F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
backup-20070807-233853-999 O2 - BHO: (no name) - {48dc54ed-76b0-442e-b9c0-cc408f261154} - (no file)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 MASPINT - c:\windows\system32\drivers\maspint.sys <Not Verified; MicroStaff Co.,Ltd.; Aspi32 Driver for WinNT>
R3 aeaudio - c:\windows\system32\drivers\aeaudio.sys <Not Verified; Andrea Electronics Corporation; Andrea Audio Driver>
R3 ialm - c:\windows\system32\drivers\ialmnt5.sys <Not Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows NT®>
R3 MODEMCSA (Unimodem Streaming Filter Device) - c:\windows\system32\drivers\modemcsa.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 mohfilt - c:\windows\system32\drivers\mohfilt.sys <Not Verified; Intel Corporation; Intel® 537EP V9x DFV PCI Modem>
R3 SaiMini - c:\windows\system32\drivers\saimini.sys <Not Verified; Saitek; Configuration Software>
R3 SaiNtBus - c:\windows\system32\drivers\saintbus.sys <Not Verified; Saitek; Configuration Software>
R3 smwdm - c:\windows\system32\drivers\smwdm.sys <Not Verified; Analog Devices, Inc.; SoundMAX Digital Audio Driver>

S3 EL90XBC (3Com EtherLink XL 90XB/C Adapter Driver) - c:\windows\system32\drivers\el90xbc5.sys <Not Verified; 3Com Corporation; 3Com EtherLink PCI>
S3 i81x - c:\windows\system32\drivers\i81xnt5.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
S3 iAimFP0 - c:\windows\system32\drivers\wadv01nt.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
S3 iAimFP1 - c:\windows\system32\drivers\wadv02nt.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
S3 iAimFP2 - c:\windows\system32\drivers\wadv05nt.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
S3 iAimFP3 - c:\windows\system32\drivers\wsiintxx.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
S3 iAimFP4 - c:\windows\system32\drivers\wvchntxx.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
S3 iAimTV0 - c:\windows\system32\drivers\watv01nt.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
S3 iAimTV1 - c:\windows\system32\drivers\watv02nt.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
S3 iAimTV3 - c:\windows\system32\drivers\watv04nt.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
S3 iAimTV4 - c:\windows\system32\drivers\wch7xxnt.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
S3 SaiH0109 - c:\windows\system32\drivers\saih0109.sys <Not Verified; Saitek; Configuration Software>
S3 SaiU0109 - c:\windows\system32\drivers\saiu0109.sys <Not Verified; Saitek; Configuration Software>
S4 cbidf - c:\windows\system32\drivers\cbidf2k.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S4 dac2w2k - c:\windows\system32\drivers\dac2w2k.sys <Not Verified; Mylex Corporation; Mylex Disk Array Controller Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 aawservice (Ad-Aware 2007 Service) - "c:\program files\lavasoft\ad-aware 2007\aawservice.exe" <Not Verified; Lavasoft AB; Ad-Aware 2007 Service>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-08-08 00:00:35 350 --a------ C:\WINDOWS\Tasks\At1.job
2007-08-07 23:00:00 350 --a------ C:\WINDOWS\Tasks\At24.job
2007-08-07 22:00:00 350 --a------ C:\WINDOWS\Tasks\At23.job
2007-08-07 21:00:00 350 --a------ C:\WINDOWS\Tasks\At22.job
2007-08-07 20:00:00 350 --a------ C:\WINDOWS\Tasks\At21.job
2007-08-07 19:00:00 350 --a------ C:\WINDOWS\Tasks\At20.job
2007-08-07 18:00:00 350 --a------ C:\WINDOWS\Tasks\At19.job
2007-08-07 17:00:00 350 --a------ C:\WINDOWS\Tasks\At18.job
2007-08-07 16:00:00 350 --a------ C:\WINDOWS\Tasks\At17.job
2007-08-07 15:44:00 282 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
2007-08-07 15:00:00 350 --a------ C:\WINDOWS\Tasks\At16.job
2007-08-07 14:00:00 350 --a------ C:\WINDOWS\Tasks\At15.job
2007-08-07 12:00:00 350 --a------ C:\WINDOWS\Tasks\At13.job
2007-08-07 11:00:00 350 --a------ C:\WINDOWS\Tasks\At12.job
2007-08-07 10:00:00 350 --a------ C:\WINDOWS\Tasks\At11.job
2007-08-07 09:00:00 350 --a------ C:\WINDOWS\Tasks\At10.job
2007-08-07 08:00:00 350 --a------ C:\WINDOWS\Tasks\At9.job
2007-08-07 07:00:00 350 --a------ C:\WINDOWS\Tasks\At8.job
2007-08-07 06:00:00 350 --a------ C:\WINDOWS\Tasks\At7.job
2007-08-07 05:00:00 350 --a------ C:\WINDOWS\Tasks\At6.job
2007-08-07 04:00:00 350 --a------ C:\WINDOWS\Tasks\At5.job
2007-08-07 03:00:00 350 --a------ C:\WINDOWS\Tasks\At4.job
2007-08-07 02:00:00 350 --a------ C:\WINDOWS\Tasks\At3.job
2007-08-07 01:00:00 350 --a------ C:\WINDOWS\Tasks\At2.job
2007-08-06 13:00:00 350 --a------ C:\WINDOWS\Tasks\At14.job
2007-07-22 11:25:00 276 --a------ C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job
2007-07-15 23:02:57 526 --a------ C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as roger logan at 9 02 PM.job
2007-07-14 14:42:55 350 --a------ C:\WINDOWS\Tasks\Uniblue SpyEraser.job
2007-07-09 19:25:54 404 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job
2004-04-08 13:40:06 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 1.job


-- Files created between 2007-07-08 and 2007-08-08 -----------------------------

2007-08-07 11:47:35 0 dr-h----- C:\Documents and Settings\roger logan\Recent
2007-08-06 15:35:42 0 d-------- C:\Program Files\Lavasoft
2007-08-06 15:35:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-08-01 23:33:51 0 d-------- C:\Documents and Settings\kourtney harris\Application Data\Grisoft
2007-07-30 14:11:47 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-07-30 14:00:36 0 d-------- C:\Documents and Settings\roger logan\Application Data\Grisoft
2007-07-30 13:59:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-07-30 13:36:44 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-29 16:29:23 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-07-28 15:09:09 0 d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2007-07-16 00:36:25 218112 --a------ C:\Program Files\HijackThis.exe <Not Verified; Soeperman Enterprises Ltd.; HijackThis>
2007-07-15 22:02:25 0 d-------- C:\Program Files\Common Files\Scanner
2007-07-15 18:00:03 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-07-15 18:00:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2007-07-15 18:00:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-07-15 18:00:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2007-07-15 18:00:03 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-07-15 18:00:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2007-07-15 18:00:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-07-15 18:00:02 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-07-15 18:00:02 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-07-15 18:00:02 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-07-15 18:00:02 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-07-15 18:00:02 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-07-15 18:00:02 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-07-15 18:00:02 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-07-15 18:00:02 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-07-15 18:00:02 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-07-15 18:00:02 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-07-15 18:00:02 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-07-15 18:00:01 2097152 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-07-15 17:47:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-07-15 17:44:42 0 d-------- C:\WINDOWS\system32\?icrosoft.NET
2007-07-15 17:34:01 0 d-------- C:\WINDOWS\SxsCaPendDel
2007-07-14 14:19:02 0 d-------- C:\Documents and Settings\kourtney harris\Application Data\Uniblue
2007-07-14 13:49:17 0 d--hs---- C:\WINDOWS\a291cnRuZXkgaGFycmlz
2007-07-14 13:46:25 0 d-------- C:\Documents and Settings\roger logan\Application Data\?ecurity
2007-07-14 13:45:48 0 d-------- C:\Program Files\ISM
2007-07-10 15:22:56 0 d-------- C:\Documents and Settings\roger logan\Application Data\Smart PC Solutions
2007-07-09 19:45:55 0 d-------- C:\Documents and Settings\roger logan\Application Data\System Tweaker
2007-07-09 19:26:04 0 d-------- C:\Documents and Settings\roger logan\Application Data\Uniblue
2007-07-09 19:25:42 0 d-------- C:\Program Files\Uniblue


-- Find3M Report ---------------------------------------------------------------

2007-08-07 23:32:21 0 d-------- C:\Program Files\Common Files
2007-08-07 23:31:34 0 d-------- C:\Program Files\Java
2007-08-07 11:32:44 0 d-------- C:\Program Files\BFG
2007-07-22 09:41:13 0 d-------- C:\Documents and Settings\roger logan\Application Data\AdobeUM
2007-07-16 00:39:48 0 d-------- C:\Program Files\_ArcadeDownloadFolder
2007-07-16 00:38:53 212849 --a------ C:\Program Files\hijackthis.zip
2007-07-15 22:02:25 0 d-------- C:\Program Files\CA
2007-07-15 18:35:17 0 d-------- C:\Program Files\Common Files\?ystem
2007-07-15 17:44:42 0 d-------- C:\Documents and Settings\roger logan\Application Data\?ecurity
2007-07-11 13:38:12 0 d-------- C:\Program Files\Real
2007-07-10 15:19:59 0 d-------- C:\Program Files\RegistryFix
2007-07-06 15:51:52 0 d-------- C:\Program Files\LimeWire
2007-07-04 16:41:47 126976 --a------ C:\WINDOWS\xhelper.dll
2007-07-01 23:18:03 1856188 ---hs---- C:\WINDOWS\system32\sttss.ini2
2007-07-01 18:12:56 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-07-01 16:27:26 0 d-------- C:\Program Files\Kazaa Lite K++
2007-07-01 13:46:17 1837973 ---hs---- C:\WINDOWS\system32\sttss.bak2
2007-06-29 18:59:42 1843914 ---hs---- C:\WINDOWS\system32\sttss.bak1
2007-06-29 18:44:38 62516 --a------ C:\WINDOWS\system32\gwuljatw.dll
2007-06-26 04:14:09 0 d-------- C:\Program Files\MSXML 4.0
2007-05-16 10:12:02 683520 --a------ C:\WINDOWS\system32\inetcomm.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [06/12/2007 01:18 PM]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [06/01/2007 03:14 PM]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [06/01/2007 03:14 PM]
"@"="" []
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [06/01/2007 03:07 PM]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [05/09/2007 08:17 AM]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.17.0\QOELoader.exe" [07/18/2007 12:56 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/22/2006 09:10 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue SpeedUpMyPC"="C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [07/05/2007 01:31 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=

C:\Documents and Settings\roger logan\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 9:00:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 9:00:00 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"{AC8AA27C-0A62-1033-1202-030512200001}"="C:\Program Files\Common Files\{AC8AA27C-0A62-1033-1202-030512200001}\Update.exe" mc-110-12-0000103

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2007-08-08 at 00:04:18 ---------

#4 silver

    Malware Expert Emeritus
  • Authentic Member
  • 2,994 posts

Posted 08 August 2007 - 12:09 AM

Hi Hapworth,

You have Kazaa Lite, a P2P file sharing program installed on your computer. This program does not come bundled with malware as some similar programs do, but peer-to-peer file sharing networks are one of the biggest sources of malware we see. Anything downloaded from them cannot be trusted to be clean, because even if the file appears to be what it claims to be, it can have malware embedded in it.
I recommend you remove it, but of course the choice is yours.
You can remove Kazaa Lite via Add/Remove Programs.

Please download ComboFix to your desktop
  • Double click combofix.exe and follow the prompts.
  • Note: Do not click ComboFix's window while it's running - it may cause it to stall!
  • When finished, it shall produce a log for you, please post it in your next response.
Once complete, please post the ComboFix log and another HijackThis log.
ASAP & UNITE Member

#5 hapworth

    New Member
  • Authentic Member
  • 12 posts

Posted 09 August 2007 - 12:28 PM

Here is the additional information! Also, when I check email (outlook 6) the program stops with an error message in the middle of receiving email....
Thanks again for all of your help!!!!!

ComboFix 07-08-09.3 - "roger logan" 2007-08-09 12:40:18.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.46 [GMT -5:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\ProductCode
C:\DOCUME~1\KOURTN~1\APPLIC~1\..\err.log
C:\DOCUME~1\ROGERL~1\APPLIC~1.\ecurit~1
C:\DOCUME~1\ROGERL~1\APPLIC~1\..\err.log
C:\Program Files\Common Files\{AC8AA~1
C:\Program Files\Common Files\ystem~1
C:\Program Files\ISM
C:\Program Files\ISM\BndDrive.dll
C:\tempb9
C:\tempb9\tmpTF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\system32\gwuljatw.dll
C:\WINDOWS\system32\icroso~1.net
C:\WINDOWS\system32\o09PrEz
C:\WINDOWS\SYSTEM32\sttss.bak1
C:\WINDOWS\SYSTEM32\sttss.bak2
C:\WINDOWS\SYSTEM32\sttss.ini
C:\WINDOWS\SYSTEM32\sttss.ini2
C:\WINDOWS\system32\win
C:\WINDOWS\system32\X1
C:\WINDOWS\system32\X2
C:\WINDOWS\system32\X3
C:\WINDOWS\system32\X4
C:\WINDOWS\system32\X5
C:\WINDOWS\system32\X9
C:\WINDOWS\xhelper.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2007-07-09 to 2007-08-09 )))))))))))))))))))))))))))))))


2007-08-09 12:37 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-07 23:58 <DIR> d-------- C:\Deckard
2007-08-06 15:35 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-06 15:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-30 13:59 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-07-30 13:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-29 16:29 664 --a------ C:\WINDOWS\SYSTEM32\d3d9caps.dat
2007-07-28 15:09 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Uniblue
2007-07-23 05:38 879,832 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetefile.sys
2007-07-23 05:38 108,360 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\veteboot.sys
2007-07-16 00:57 99,904 --a------ C:\WINDOWS\SYSTEM32\isafeif.dll
2007-07-16 00:57 79,424 --a------ C:\WINDOWS\SYSTEM32\vetredir.dll
2007-07-16 00:57 75,280 --a------ C:\WINDOWS\SYSTEM32\isafprod.dll
2007-07-16 00:57 32,528 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetmonnt.sys
2007-07-16 00:57 26,640 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vet-filt.sys
2007-07-16 00:57 21,648 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetfddnt.sys
2007-07-16 00:57 21,392 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vet-rec.sys
2007-07-16 00:56 9,187,744 --a------ C:\Program Files\av_en_32.exe
2007-07-16 00:36 218,112 --a------ C:\Program Files\HijackThis.exe
2007-07-15 22:02 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-07-15 18:00 2,097,152 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-07-15 18:00 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
2007-07-15 18:00 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Real
2007-07-15 18:00 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Jasc Software Inc
2007-07-15 17:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-15 17:34 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-07-14 14:19 <DIR> d-------- C:\DOCUME~1\KOURTN~1\APPLIC~1\Uniblue
2007-07-14 13:49 <DIR> d--hs---- C:\WINDOWS\a291cnRuZXkgaGFycmlz
2007-07-10 15:22 <DIR> d-------- C:\DOCUME~1\ROGERL~1\APPLIC~1\Smart PC Solutions
2007-07-09 19:45 <DIR> d-------- C:\DOCUME~1\ROGERL~1\APPLIC~1\System Tweaker
2007-07-09 19:26 <DIR> d-------- C:\DOCUME~1\ROGERL~1\APPLIC~1\Uniblue
2007-07-09 19:25 <DIR> d-------- C:\Program Files\Uniblue


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-09 12:49 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2007-08-09 12:49 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2007-08-09 12:49 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2007-08-09 12:49 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2007-08-09 12:49 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2007-08-09 12:49 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2007-08-09 12:49 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2007-08-09 12:49 225406 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2007-08-07 11:32 --------- d-------- C:\Program Files\BFG
2007-07-22 09:41 --------- d-------- C:\DOCUME~1\ROGERL~1\APPLIC~1\AdobeUM
2007-07-16 00:39 --------- d-------- C:\Program Files\_ArcadeDownloadFolder
2007-07-16 00:38 212849 --a------ C:\Program Files\hijackthis.zip
2007-07-15 22:02 --------- d-------- C:\Program Files\CA
2007-07-11 13:38 --------- d-------- C:\Program Files\Real
2007-07-10 15:19 --------- d-------- C:\Program Files\RegistryFix
2007-07-06 15:51 --------- d-------- C:\Program Files\LimeWire
2007-07-01 18:12 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-01 16:27 --------- d-------- C:\Program Files\Kazaa Lite K++
2007-06-26 04:14 --------- d-------- C:\Program Files\MSXML 4.0
2007-05-31 14:47 256784 --a------ C:\WINDOWS\system32\UmxSbxw.dll
2007-05-31 14:47 117520 --a------ C:\WINDOWS\system32\UmxSbxExw.dll
2007-05-18 15:30 79368 --a------ C:\WINDOWS\system32\UmxWNP.dll
2007-05-16 10:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 10:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 10:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 10:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 10:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 10:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
2006-06-15 16:37 48216 --a------ C:\DOCUME~1\ROGERL~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2005-01-20 20:22:58 475 --sh--w C:\WINDOWS\SYSTEM32\ucoihree.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-06-12 13:18]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2007-06-01 15:14]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2007-06-01 15:14]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2007-06-01 15:07]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-05-09 08:17]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.17.0\QOELoader.exe" [2007-07-18 12:56]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-22 21:10]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue SpeedUpMyPC"="C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2007-07-05 13:31]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=

C:\Documents and Settings\roger logan\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 09:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 09:00:00]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys
R2 MASPINT;MASPINT;C:\WINDOWS\system32\drivers\MASPINT.sys
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe"
R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe"
R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe"
R3 IntelC51;IntelC51;C:\WINDOWS\system32\DRIVERS\IntelC51.sys
R3 IntelC52;IntelC52;C:\WINDOWS\system32\DRIVERS\IntelC52.sys
R3 IntelC53;IntelC53;C:\WINDOWS\system32\DRIVERS\IntelC53.sys
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys
R3 mohfilt;mohfilt;C:\WINDOWS\system32\DRIVERS\mohfilt.sys
R3 MxlW2k;MxlW2k;C:\WINDOWS\system32\drivers\MxlW2k.sys
R3 P17;Sound Blaster Live! 24-bit;C:\WINDOWS\system32\drivers\P17.sys
R3 SaiMini;SaiMini;C:\WINDOWS\system32\DRIVERS\SaiMini.sys
R3 SaiNtBus;SaiNtBus;C:\WINDOWS\system32\drivers\SaiNtBus.sys
S3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe"
S3 SaiH0109;SaiH0109;C:\WINDOWS\system32\DRIVERS\SaiH0109.sys
S3 SaiU0109;SaiU0109;C:\WINDOWS\system32\DRIVERS\SaiU0109.sys


Contents of the 'Scheduled Tasks' folder
2007-08-08 05:00:35 C:\WINDOWS\Tasks\At1.job - C:\WINDOWS\system32AS3w5M2.exe
2007-08-07 14:00:00 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\system32AS3w5M2.exe
2007-08-07 15:00:00 C:\WINDOWS\Tasks\At11.job - C:\WINDOWS\system32AS3w5M2.exe
2007-08-08 16:00:00 C:\WINDOWS\Tasks\At12.job - C:\WINDOWS\system32AS3w5M2.exe
2007-08-08 17:00:00 C:\WINDOWS\Tasks\At13.job - C:\WINDOWS\system32AS3w5M2.exe
2007-08-09 18:00:25 C:\WINDOWS\Tasks\At14.job - C:\WINDOWS\system32AS3w5M2.exe
2007-08-08 19:00:00 C:\WINDOWS\Tasks\At15.job - C:\WINDOWS\system32AS3w5M2.exe
2007-08-08 20:00:00 C:\WINDOWS\Tasks\At16.job
2007-08-08 21:00:00 C:\WINDOWS\Tasks\At17.job - C:\WINDOWS\system32AS3w5M2.exe
2007-08-08 22:00:00 C:\WINDOWS\Tasks\At18.job
2007-08-07 23:00:00 C:\WINDOWS\Tasks\At19.job - C:\WINDOWS\system32AS3w5M2.exe
2007-08-07 06:00:00 C:\WINDOWS\Tasks\At2.job
2007-08-08 00:00:00 C:\WINDOWS\Tasks\At20.job - C:\WINDOWS\system32AS3w5M2.exe
2007-08-08 01:00:00 C:\WINDOWS\Tasks\At21.job - C:\WINDOWS\system32AS3w5M2.exe
2007-08-08 02:00:00 C:\WINDOWS\Tasks\At22.job - C:\WINDOWS\system32AS3w5M2.exe
2007-08-08 03:00:00 C:\WINDOWS\Tasks\At23.job - C:\WINDOWS\system32AS3w5M2.exe
2007-08-08 04:00:00 C:\WINDOWS\Tasks\At24.job
2007-08-07 07:00:00 C:\WINDOWS\Tasks\At3.job - C:\WINDOWS\system32AS3w5M2.exe
2007-08-07 08:00:00 C:\WINDOWS\Tasks\At4.job - C:\WINDOWS\system32AS3w5M2.exe
2007-08-07 09:00:00 C:\WINDOWS\Tasks\At5.job - C:\WINDOWS\system32AS3w5M2.exe
2007-08-07 10:00:00 C:\WINDOWS\Tasks\At6.job - C:\WINDOWS\system32AS3w5M2.exe
2007-08-07 11:00:00 C:\WINDOWS\Tasks\At7.job - C:\WINDOWS\system32AS3w5M2.exe
2007-08-07 12:00:00 C:\WINDOWS\Tasks\At8.job - C:\WINDOWS\system32AS3w5M2.exe
2007-08-07 13:00:00 C:\WINDOWS\Tasks\At9.job - C:\WINDOWS\system32AS3w5M2.exe
2007-07-16 04:02:57 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as roger logan at 9 02 PM.job - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
2004-04-08 18:40:06 C:\WINDOWS\Tasks\ISP signup reminder 1.job - C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
2007-08-07 20:44:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
2007-07-10 00:25:54 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
2007-07-22 16:25:00 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job - C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
2007-07-14 19:42:55 C:\WINDOWS\Tasks\Uniblue SpyEraser.job - C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-09 12:54:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-09 13:10:27 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-09 13:09

--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 1:23:58 PM, on 8/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.17.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.17.0\QOELoader.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

#6 silver

    Malware Expert Emeritus
  • Authentic Member
  • 2,994 posts

Posted 09 August 2007 - 07:00 PM

Hi hapworth,

I'm not sure what's causing the Outlook problem, but we'll have a look at it once your machine is clean of malware.

Please upload a file for scanning:
Open http://virusscan.jotti.org/
Copy/paste this file and path into the white box at the top:

C:\WINDOWS\SYSTEM32\ucoihree.dll

Press Submit - this will submit the file for testing.
Please copy and paste the results in your next response.

Note: If Jotti is busy, you can use VirusTotal instead.

Next, please use Windows Explorer and see if this file is present:

C:\WINDOWS\system32AS3w5M2.exe

If it is present, then please upload it for scanning to Jotti also.

Next press Start->Run, copy/paste the following command (it's one long command) into the box and press OK:

cmd /c dir C:\WINDOWS\a291cnRuZXkgaGFycmlz /a >> "%userprofile%\desktop\look.txt"

A file called look.txt should appear on your Desktop, please post the contents in your next response.

Once complete, please post the Jotti scan results, the look.txt output and a new HijackThis log.
ASAP & UNITE Member
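The checks silver is working through in this post (two dozen AtN.job tasks that all launch the same executable, files in system32 carrying both the hidden and system attributes, and a directory under C:\WINDOWS whose name is a base64 string) can be scripted. The following Python script is an added example written for this thread; it is not code from the original posts or from ComboFix, Deckard's System Scanner or HijackThis. The sample lines are constructed in the shape of the logs quoted in post #5, and the heuristics (the minimum number of AtN.job entries that counts as a cluster, the attribute test, and the base64-name test with its minimum length) are assumptions about what an analyst looks for, not rules from any of those tools.

```python
"""Triage of ComboFix / Deckard-style log lines.

Added example for this thread, not code from the original posts or from any
tool named in them. The heuristics below are the editor's assumptions about
what an analyst scans such a log for.
"""
import base64
import binascii
import re
from collections import Counter

# Constructed sample: a handful of lines in the shape of the 'Scheduled Tasks'
# and Find3M sections quoted in the thread, not the complete log.
SAMPLE_LOG = r"""
2007-08-08 05:00:35 C:\WINDOWS\Tasks\At1.job - C:\WINDOWS\system32AS3w5M2.exe
2007-08-07 14:00:00 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\system32AS3w5M2.exe
2007-08-08 16:00:00 C:\WINDOWS\Tasks\At12.job - C:\WINDOWS\system32AS3w5M2.exe
2007-08-08 20:00:00 C:\WINDOWS\Tasks\At16.job
2007-08-07 06:00:00 C:\WINDOWS\Tasks\At2.job
2007-08-07 12:00:00 C:\WINDOWS\Tasks\At8.job - C:\WINDOWS\system32AS3w5M2.exe
2004-04-08 18:40:06 C:\WINDOWS\Tasks\ISP signup reminder 1.job - C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
2007-07-10 00:25:54 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
2007-08-09 12:37 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-01 23:18:03 1856188 ---hs---- C:\WINDOWS\system32\sttss.ini2
2007-07-14 13:49 <DIR> d--hs---- C:\WINDOWS\a291cnRuZXkgaGFycmlz
2007-08-07 11:32 --------- d-------- C:\Program Files\BFG
2005-01-20 20:22:58 475 --sh--w C:\WINDOWS\SYSTEM32\ucoihree.dll
2007-05-16 10:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
"""

# "<timestamp> <job path>.job[ - <target>]"
TASK_RE = re.compile(r"^(\S+ \S+) (.+?\.job)(?: - (.+))?$")
# "<date> <time> <size | <DIR> | ---------> <attribute flags> <path>"
FILE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d(?::\d\d)?) (\S+) ([d-][-a-z]{6,8}) (.+)$"
)


def parse_tasks(text):
    """Return (job_path, target_or_None) for each scheduled-task line."""
    tasks = []
    for line in text.splitlines():
        m = TASK_RE.match(line.strip())
        if m:
            tasks.append((m.group(2), m.group(3)))
    return tasks


def find_at_job_clusters(tasks, min_jobs=3):
    """Targets launched by at least `min_jobs` AtN.job entries, as {target: count}.
    The hourly At1..At24 pattern in the quoted log is what this is meant to catch."""
    counts = Counter()
    for job, target in tasks:
        name = job.rsplit("\\", 1)[-1]
        if target and re.fullmatch(r"At\d+\.job", name, re.IGNORECASE):
            counts[target] += 1
    return {t: n for t, n in counts.items() if n >= min_jobs}


def parse_file_entries(text):
    """Return dicts with when/size/attrs/path for each file-listing line."""
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            entries.append({"when": m.group(1), "size": m.group(2),
                            "attrs": m.group(3), "path": m.group(4)})
    return entries


def hidden_system_entries(entries):
    """Paths carrying both the hidden (h) and system (s) attribute flags."""
    return [e["path"] for e in entries if "h" in e["attrs"] and "s" in e["attrs"]]


def looks_like_base64_name(name, min_len=12):
    """True when a name is well-formed base64 that decodes to printable ASCII.
    Ordinary names fail the length test or do not decode to printable bytes."""
    if (len(name) < min_len or len(name) % 4
            or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", name)):
        return False
    try:
        decoded = base64.b64decode(name, validate=True)
    except (binascii.Error, ValueError):
        return False
    return all(32 <= b < 127 for b in decoded)


def base64_named_dirs(entries):
    """Directories whose last path component looks like a base64 string."""
    return [e["path"] for e in entries
            if e["attrs"].startswith("d")
            and looks_like_base64_name(e["path"].rsplit("\\", 1)[-1])]


def triage(text):
    """Run all three checks over one log and collect the findings."""
    tasks = parse_tasks(text)
    entries = parse_file_entries(text)
    return {
        "at_job_clusters": find_at_job_clusters(tasks),
        "hidden_system": hidden_system_entries(entries),
        "base64_dirs": base64_named_dirs(entries),
    }


if __name__ == "__main__":
    for finding, value in triage(SAMPLE_LOG).items():
        print(f"{finding}: {value}")
```

On the sample above the script reports one At-job cluster (four of the six AtN.job lines point at the same executable; the two without a target are ignored), three hidden+system paths, and one base64-looking directory. None of these checks says a file is malicious on its own; they only pick out the lines an analyst would ask about next, which is exactly what the post above does by hand.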

#7 hapworth

    New Member
  • Authentic Member
  • 12 posts

Posted 10 August 2007 - 02:05 AM

I hope I got this right!!!!


Antivirus Version Last Update Result
AhnLab-V3 2007.8.9.2 2007.08.10 -
AntiVir 7.4.0.57 2007.08.09 -
Authentium 4.93.8 2007.08.09 -
Avast 4.7.1029.0 2007.08.09 -
AVG 7.5.0.476 2007.08.09 -
BitDefender 7.2 2007.08.10 -
CAT-QuickHeal 9.00 2007.08.09 -
ClamAV 0.91 2007.08.10 -
DrWeb 4.33 2007.08.10 -
eSafe 7.0.15.0 2007.08.10 -
eTrust-Vet 31.1.5047 2007.08.10 -
Ewido 4.0 2007.08.09 -
FileAdvisor 1 2007.08.10 -
Fortinet 2.91.0.0 2007.08.10 -
F-Prot 4.3.2.48 2007.08.09 -
F-Secure 6.70.13030.0 2007.08.10 -
Ikarus T3.1.1.12 2007.08.10 -
Kaspersky 4.0.2.24 2007.08.10 -
McAfee 5094 2007.08.09 -
Microsoft 1.2704 2007.08.10 -
NOD32v2 2448 2007.08.10 -
Norman 5.80.02 2007.08.09 -
Panda 9.0.0.4 2007.08.09 -
Prevx1 V2 2007.08.10 -
Rising 19.35.41.00 2007.08.10 -
Sophos 4.19.0 2007.08.01 -
Sunbelt 2.2.907.0 2007.08.10 -
Symantec 10 2007.08.10 -
TheHacker 6.1.7.166 2007.08.10 -
VBA32 3.12.2.2 2007.08.10 -
VirusBuster 4.3.26:9 2007.08.09 -
Webwasher-Gateway 6.0.1 2007.08.10 -
Additional information
File size: 475 bytes
MD5: 3f275ce49f5d90a221f790c19792f163
SHA1: 789be7c3d565622752c3b659d1a9a621bc799688




Antivirus Version Last Update Result
AhnLab-V3 2007.8.9.2 2007.08.10 -
AntiVir 7.4.0.57 2007.08.09 -
Authentium 4.93.8 2007.08.09 -
Avast 4.7.1029.0 2007.08.09 -
AVG 7.5.0.476 2007.08.09 -
BitDefender 7.2 2007.08.10 -
CAT-QuickHeal 9.00 2007.08.09 -
ClamAV 0.91 2007.08.10 -
DrWeb 4.33 2007.08.10 -
eSafe 7.0.15.0 2007.08.10 -
eTrust-Vet 31.1.5047 2007.08.10 -
Ewido 4.0 2007.08.09 -
FileAdvisor 1 2007.08.10 -
Fortinet 2.91.0.0 2007.08.10 -
F-Prot 4.3.2.48 2007.08.09 -
F-Secure 6.70.13030.0 2007.08.10 -
Ikarus T3.1.1.12 2007.08.10 -
Kaspersky 4.0.2.24 2007.08.10 -
McAfee 5094 2007.08.09 -
Microsoft 1.2704 2007.08.10 -
NOD32v2 2448 2007.08.10 -
Norman 5.80.02 2007.08.09 -
Panda 9.0.0.4 2007.08.09 -
Prevx1 V2 2007.08.10 -
Rising 19.35.41.00 2007.08.10 -
Sophos 4.19.0 2007.08.01 -
Sunbelt 2.2.907.0 2007.08.10 -
Symantec 10 2007.08.10 -
TheHacker 6.1.7.166 2007.08.10 -
VBA32 3.12.2.2 2007.08.09 -
VirusBuster 4.3.26:9 2007.08.09 -
Webwasher-Gateway 6.0.1 2007.08.10 -
Additional information
File size: 475 bytes
MD5: 3f275ce49f5d90a221f790c19792f163
SHA1: 789be7c3d565622752c3b659d1a9a621bc799688



Antivirus Version Last Update Result
AhnLab-V3 2007.8.9.2 2007.08.10 -
AntiVir 7.4.0.57 2007.08.09 -
Authentium 4.93.8 2007.08.09 -
Avast 4.7.1029.0 2007.08.09 -
AVG 7.5.0.476 2007.08.09 -
BitDefender 7.2 2007.08.10 -
CAT-QuickHeal 9.00 2007.08.09 -
ClamAV 0.91 2007.08.10 -
DrWeb 4.33 2007.08.10 -
eSafe 7.0.15.0 2007.08.10 -
eTrust-Vet 31.1.5047 2007.08.10 -
Ewido 4.0 2007.08.09 -
FileAdvisor 1 2007.08.10 -
Fortinet 2.91.0.0 2007.08.10 -
F-Prot 4.3.2.48 2007.08.09 -
F-Secure 6.70.13030.0 2007.08.10 -
Ikarus T3.1.1.12 2007.08.10 -
Kaspersky 4.0.2.24 2007.08.10 -
McAfee 5094 2007.08.09 -
Microsoft 1.2704 2007.08.10 -
NOD32v2 2448 2007.08.10 -
Norman 5.80.02 2007.08.09 -
Panda 9.0.0.4 2007.08.09 -
Prevx1 V2 2007.08.10 -
Rising 19.35.41.00 2007.08.10 -
Sophos 4.19.0 2007.08.01 -
Sunbelt 2.2.907.0 2007.08.10 -
Symantec 10 2007.08.10 -
TheHacker 6.1.7.166 2007.08.10 -
VBA32 3.12.2.2 2007.08.09 -
VirusBuster 4.3.26:9 2007.08.09 -
Webwasher-Gateway 6.0.1 2007.08.10 -
Additional information
File size: 475 bytes
MD5: 3f275ce49f5d90a221f790c19792f163
SHA1: 789be7c3d565622752c3b659d1a9a621bc799688

Volume in drive C has no label.
Volume Serial Number is AC8A-A27C

Directory of C:\WINDOWS\a291cnRuZXkgaGFycmlz

07/21/2007 11:13 PM <DIR> .
07/21/2007 11:13 PM <DIR> ..
0 File(s) 0 bytes
2 Dir(s) 21,224,636,416 bytes free

Volume in drive C has no label.
Volume Serial Number is AC8A-A27C

Directory of C:\WINDOWS\a291cnRuZXkgaGFycmlz

07/21/2007 11:13 PM <DIR> .
07/21/2007 11:13 PM <DIR> ..
0 File(s) 0 bytes
2 Dir(s) 21,224,636,416 bytes free

Logfile of HijackThis v1.99.1
Scan saved at 2:50:58 AM, on 8/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.17.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\hijackthis\hello.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.17.0\QOELoader.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

#8 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,994 posts

Posted 11 August 2007 - 06:09 AM

Hi hapworth,

Everything in your post was fine apart from the Jotti scans which don't look right so please try them again - I've added some further info to the instructions:

Please open http://virusscan.jotti.org/
Copy/paste this file and path into the white box at the top:

C:\WINDOWS\SYSTEM32\ucoihree.dll

Press Submit - this will submit the file for testing
Once the file has been uploaded, the screen will show a heading called Scanner Results
There will initially be no results, then one by one next to each scanner it will either say Found nothing or Infected
Once the scanners have finished running, please copy and paste all the results - starting with the filename down to the last scanner VBA32

If you have trouble with this please let me know what happened.

Next, is the file C:\WINDOWS\system32AS3w5M2.exe present?

If so, please upload that to Jotti and post results also. If not, let me know.

Once complete, please post the Jotti results.
ASAP & UNITE Member

#9 hapworth

hapworth

    New Member

  • Authentic Member
  • Pip
  • 12 posts

Posted 11 August 2007 - 01:21 PM

I cannot find the other file that you suggested. However, I have received an error message that may be the same file. I am not sure if it is the exact file name, but it is very familiar. The error mentions something about "not found, re-install or something like that". Is this the correct report? Thanks!!!!

File: ucoihree.dll
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 3f275ce49f5d90a221f790c19792f163
Packers detected: -
Bit9 reports: File not found

Scanner results
Scan taken on 11 Aug 2007 18:45:32 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

#10 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,994 posts

Posted 11 August 2007 - 09:31 PM

Hi hapworth,

That's all fine, let's continue:
  • Check that combofix.exe is on your Desktop
  • Then open Notepad: press Start->Run, type notepad and click OK
  • Copy/paste the contents of the below code box into Notepad:
    File::
    C:\WINDOWS\Tasks\At1.job
    C:\WINDOWS\Tasks\At10.job
    C:\WINDOWS\Tasks\At11.job
    C:\WINDOWS\Tasks\At12.job
    C:\WINDOWS\Tasks\At13.job
    C:\WINDOWS\Tasks\At14.job
    C:\WINDOWS\Tasks\At15.job
    C:\WINDOWS\Tasks\At16.job
    C:\WINDOWS\Tasks\At17.job
    C:\WINDOWS\Tasks\At18.job
    C:\WINDOWS\Tasks\At19.job
    C:\WINDOWS\Tasks\At2.job
    C:\WINDOWS\Tasks\At20.job
    C:\WINDOWS\Tasks\At21.job
    C:\WINDOWS\Tasks\At22.job
    C:\WINDOWS\Tasks\At23.job
    C:\WINDOWS\Tasks\At24.job
    C:\WINDOWS\Tasks\At3.job
    C:\WINDOWS\Tasks\At4.job
    C:\WINDOWS\Tasks\At5.job
    C:\WINDOWS\Tasks\At6.job
    C:\WINDOWS\Tasks\At7.job
    C:\WINDOWS\Tasks\At8.job
    C:\WINDOWS\Tasks\At9.job
    C:\WINDOWS\system32AS3w5M2.exe
    C:\Program Files\Common Files\{AC8AA27C-0A62-1033-1202-030512200001}\Update.exe
    
    Folder::
    C:\WINDOWS\a291cnRuZXkgaGFycmlz
    
    Registry::
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
    "{AC8AA27C-0A62-1033-1202-030512200001}"=-
  • Save this to your Desktop as CFScript.

    Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
Note: Do not click ComboFix's window while it's running - it may cause it to stall!

Then, please do an online scan with Kaspersky:

Open Kaspersky Online Scanner in Internet Explorer

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT and then Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start to scan your system.
  • Once the scan is complete, click on the Save as Text button and save the file to your desktop
Once complete, please post the ComboFix report, the Kaspersky report and a new HijackThis log.
ASAP & UNITE Member

#11 hapworth

hapworth

    New Member

  • Authentic Member
  • Pip
  • 12 posts

Posted 12 August 2007 - 01:47 PM

Here are the reports that you requested! Thank you!!!

------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, August 12, 2007 2:38:20 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 12/08/2007
Kaspersky Anti-Virus database records: 379021
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 76217
Number of viruses found: 8
Number of infected objects: 25
Number of suspicious objects: 0
Duration of the scan process: 01:15:50

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\roger logan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\roger logan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\roger logan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\roger logan\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\roger logan\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\roger logan\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\roger logan\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\roger logan\Local Settings\Temp\~DF2438.tmp Object is locked skipped
C:\Documents and Settings\roger logan\Local Settings\Temp\~DF7124.tmp Object is locked skipped
C:\Documents and Settings\roger logan\Local Settings\Temp\~DFD97.tmp Object is locked skipped
C:\Documents and Settings\roger logan\Local Settings\Temp\~DFE5C1.tmp Object is locked skipped
C:\Documents and Settings\roger logan\Local Settings\Temp\~DFE614.tmp Object is locked skipped
C:\Documents and Settings\roger logan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\roger logan\ntuser.dat Object is locked skipped
C:\Documents and Settings\roger logan\ntuser.dat.LOG Object is locked skipped
C:\Program Files\CA\SharedComponents\PPRT\logs\2007-08-12.csv Object is locked skipped
C:\Program Files\hijackthis\backups\backup-20070715-235135-971.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kj skipped
C:\Program Files\hijackthis\backups\backup-20070807-233853-570.dll Infected: not-a-virus:AdWare.Win32.BHO.cz skipped
C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe Infected: Virus.Win32.Agent.ab skipped
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe Infected: Virus.Win32.Agent.ab skipped
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe Infected: Virus.Win32.Agent.ab skipped
C:\Program Files\Saitek\Software\Profiler.exe Infected: Virus.Win32.Agent.ab skipped
C:\Program Files\Saitek\Software\SaiSmart.exe Infected: Virus.Win32.Agent.ab skipped
C:\QooBox\Quarantine\C\Program Files\ISM\BndDrive.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\gwuljatw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kj skipped
C:\QooBox\Quarantine\C\WINDOWS\xhelper.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.db skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1165\A0150306.exe/file2 Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1165\A0150306.exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1192\A0165712.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1192\A0166036.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1192\A0166036.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1194\A0166362.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1194\A0166363.dll Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1194\A0166380.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1219\A0171339.dll Infected: not-a-virus:AdWare.Win32.BHO.cz skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1221\A0172392.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kj skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1221\A0172394.dll Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1221\A0172395.dll Infected: not-a-virus:AdWare.Win32.Agent.db skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1224\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\hkcmd.exe Infected: Virus.Win32.Agent.ab skipped
C:\WINDOWS\SYSTEM32\igfxtray.exe Infected: Virus.Win32.Agent.ab skipped
C:\WINDOWS\SYSTEM32\NeroCheck.exe Infected: Virus.Win32.Agent.ab skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


ComboFix 07-08-09.3 - "roger logan" 2007-08-12 12:34:56.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.59 [GMT -5:00]
Command switches used :: C:\Documents and Settings\roger logan\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\system32AS3w5M2.exe
C:\Program Files\Common Files\{AC8AA27C-0A62-1033-1202-030512200001}\Update.exe


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\a291cnRuZXkgaGFycmlz
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job


((((((((((((((((((((((((( Files Created from 2007-07-12 to 2007-08-12 )))))))))))))))))))))))))))))))


2007-08-09 12:37 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-07 23:58 <DIR> d-------- C:\Deckard
2007-08-06 15:35 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-06 15:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-30 13:59 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-07-30 13:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-29 16:29 664 --a------ C:\WINDOWS\SYSTEM32\d3d9caps.dat
2007-07-28 15:09 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Uniblue
2007-07-23 05:38 879,832 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetefile.sys
2007-07-23 05:38 108,360 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\veteboot.sys
2007-07-16 00:57 99,904 --a------ C:\WINDOWS\SYSTEM32\isafeif.dll
2007-07-16 00:57 79,424 --a------ C:\WINDOWS\SYSTEM32\vetredir.dll
2007-07-16 00:57 75,280 --a------ C:\WINDOWS\SYSTEM32\isafprod.dll
2007-07-16 00:57 32,528 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetmonnt.sys
2007-07-16 00:57 26,640 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vet-filt.sys
2007-07-16 00:57 21,648 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetfddnt.sys
2007-07-16 00:57 21,392 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vet-rec.sys
2007-07-16 00:56 9,187,744 --a------ C:\Program Files\av_en_32.exe
2007-07-16 00:36 218,112 --a------ C:\Program Files\HijackThis.exe
2007-07-15 22:02 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-07-15 18:00 2,097,152 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-07-15 18:00 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
2007-07-15 18:00 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Real
2007-07-15 18:00 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Jasc Software Inc
2007-07-15 17:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-15 17:34 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-07-14 14:19 <DIR> d-------- C:\DOCUME~1\KOURTN~1\APPLIC~1\Uniblue


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-10 03:12 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2007-08-10 03:12 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2007-08-10 03:12 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2007-08-10 03:12 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2007-08-10 03:12 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2007-08-10 03:12 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2007-08-10 03:12 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2007-08-10 03:12 225406 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2007-08-07 11:32 --------- d-------- C:\Program Files\BFG
2007-07-22 09:41 --------- d-------- C:\DOCUME~1\ROGERL~1\APPLIC~1\AdobeUM
2007-07-20 13:23 --------- d-------- C:\Program Files\Uniblue
2007-07-20 13:23 --------- d-------- C:\DOCUME~1\ROGERL~1\APPLIC~1\Uniblue
2007-07-16 00:39 --------- d-------- C:\Program Files\_ArcadeDownloadFolder
2007-07-16 00:38 212849 --a------ C:\Program Files\hijackthis.zip
2007-07-15 22:02 --------- d-------- C:\Program Files\CA
2007-07-11 13:38 --------- d-------- C:\Program Files\Real
2007-07-10 15:31 --------- d-------- C:\DOCUME~1\ROGERL~1\APPLIC~1\Smart PC Solutions
2007-07-10 15:19 --------- d-------- C:\Program Files\RegistryFix
2007-07-09 19:51 --------- d-------- C:\DOCUME~1\ROGERL~1\APPLIC~1\System Tweaker
2007-07-06 15:51 --------- d-------- C:\Program Files\LimeWire
2007-07-01 18:12 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-01 16:27 --------- d-------- C:\Program Files\Kazaa Lite K++
2007-06-26 04:14 --------- d-------- C:\Program Files\MSXML 4.0
2007-05-31 14:47 256784 --a------ C:\WINDOWS\system32\UmxSbxw.dll
2007-05-31 14:47 117520 --a------ C:\WINDOWS\system32\UmxSbxExw.dll
2007-05-18 15:30 79368 --a------ C:\WINDOWS\system32\UmxWNP.dll
2007-05-16 10:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 10:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 10:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 10:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 10:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 10:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
2006-06-15 16:37 48216 --a------ C:\DOCUME~1\ROGERL~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2005-01-20 20:22:58 475 --sh--w C:\WINDOWS\SYSTEM32\ucoihree.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-06-12 13:18]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2007-06-01 15:14]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2007-06-01 15:14]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2007-06-01 15:07]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-05-09 08:17]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.17.0\QOELoader.exe" [2007-07-18 12:56]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-22 21:10]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=

C:\Documents and Settings\roger logan\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 09:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 09:00:00]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys
R2 MASPINT;MASPINT;C:\WINDOWS\system32\drivers\MASPINT.sys
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe"
R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe"
R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe"
R3 IntelC51;IntelC51;C:\WINDOWS\system32\DRIVERS\IntelC51.sys
R3 IntelC52;IntelC52;C:\WINDOWS\system32\DRIVERS\IntelC52.sys
R3 IntelC53;IntelC53;C:\WINDOWS\system32\DRIVERS\IntelC53.sys
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys
R3 mohfilt;mohfilt;C:\WINDOWS\system32\DRIVERS\mohfilt.sys
R3 MxlW2k;MxlW2k;C:\WINDOWS\system32\drivers\MxlW2k.sys
R3 P17;Sound Blaster Live! 24-bit;C:\WINDOWS\system32\drivers\P17.sys
R3 SaiMini;SaiMini;C:\WINDOWS\system32\DRIVERS\SaiMini.sys
R3 SaiNtBus;SaiNtBus;C:\WINDOWS\system32\drivers\SaiNtBus.sys
S3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe"
S3 SaiH0109;SaiH0109;C:\WINDOWS\system32\DRIVERS\SaiH0109.sys
S3 SaiU0109;SaiU0109;C:\WINDOWS\system32\DRIVERS\SaiU0109.sys


Contents of the 'Scheduled Tasks' folder
2007-07-16 04:02:57 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as roger logan at 9 02 PM.job - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
2004-04-08 18:40:06 C:\WINDOWS\Tasks\ISP signup reminder 1.job - C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
2007-08-07 20:44:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
2007-07-10 00:25:54 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
2007-08-11 15:25:00 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job - C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
2007-07-14 19:42:55 C:\WINDOWS\Tasks\Uniblue SpyEraser.job - C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-12 12:42:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-12 12:46:58
C:\ComboFix-quarantined-files.txt ... 2007-08-12 12:46
C:\ComboFix2.txt ... 2007-08-09 13:10

--- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 2:41:44 PM, on 8/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.17.0\QOELoader.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\hijackthis\hello.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.17.0\QOELoader.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
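
The Kaspersky report above mixes three kinds of line: "Object is locked skipped" noise, "Infected: <name> skipped" detections, and archive-container lines such as "Inno: infected - 1 skipped"; and the detections themselves split between inert copies (restore points, ComboFix's QooBox quarantine, HijackThis backups) and live files such as the Virus.Win32.Agent.ab hits in System32 and Program Files. The following Python triage script is an added example, not code from the thread, Kaspersky or ComboFix; it parses constructed lines that copy the report's shapes and separates live detections from inert ones.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines, modelled on the Kaspersky Online Scanner 5 report quoted in the
# thread (same three line shapes: "Object is locked skipped", "Infected: <name> skipped",
# and the archive-container form "<Packer>: infected - <n> skipped").
SAMPLE_REPORT = r"""
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Program Files\hijackthis\backups\backup-20070715-235135-971.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kj skipped
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe Infected: Virus.Win32.Agent.ab skipped
C:\QooBox\Quarantine\C\WINDOWS\xhelper.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.db skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1165\A0150306.exe/file2 Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1165\A0150306.exe Inno: infected - 1 skipped
C:\WINDOWS\SYSTEM32\hkcmd.exe Infected: Virus.Win32.Agent.ab skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
"""

LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<packer>\w+): infected - (?P<count>\d+) skipped$")

# Locations whose hits are inert until something restores or re-runs them (restore points,
# ComboFix quarantine, HijackThis backups). Anything else is a live detection.
INERT_LOCATIONS = (
    ("restore point", "\\system volume information\\_restore"),
    ("quarantine", "\\qoobox\\quarantine\\"),
    ("tool backup", "\\hijackthis\\backups\\"),
)


def classify_location(path):
    """Return the inert-location label for a path, or 'live' if none applies."""
    lowered = path.lower()
    for label, marker in INERT_LOCATIONS:
        if marker in lowered:
            return label
    return "live"


def parse_line(line):
    """Turn one report line into a record, or None for lines that match no known shape."""
    if m := LOCKED_RE.match(line):
        return {"kind": "locked", "path": m["path"], "name": None, "location": None}
    if m := INFECTED_RE.match(line):
        return {"kind": "detection", "path": m["path"], "name": m["name"],
                "location": classify_location(m["path"])}
    if m := CONTAINER_RE.match(line):
        # Archive wrapper line; the real detection sits on the "<path>/<member>" line.
        return {"kind": "detection", "path": m["path"], "name": f"container:{m['packer']}",
                "location": classify_location(m["path"])}
    return None


def parse_report(text):
    """Parse every non-empty line; unknown shapes are returned separately, never dropped."""
    records, unparsed = [], []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = parse_line(line)
        (records if rec else unparsed).append(rec or line)
    return records, unparsed


def triage(text):
    """Group detections into live hits (by detection name) and inert hits (by location)."""
    records, unparsed = parse_report(text)
    live = defaultdict(list)
    inert = Counter()
    locked = 0
    for rec in records:
        if rec["kind"] == "locked":
            locked += 1
        elif rec["location"] == "live":
            live[rec["name"]].append(rec["path"])
        else:
            inert[rec["location"]] += 1
    return {"locked": locked, "live": dict(live), "inert": dict(inert), "unparsed": unparsed}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"locked/skipped (noise): {result['locked']}")
    for name, paths in sorted(result["live"].items()):
        print(f"LIVE {name} ({len(paths)} file(s))")
        for p in paths:
            print(f"    {p}")
    for loc, n in sorted(result["inert"].items()):
        print(f"inert [{loc}]: {n}")
```

On the real report, the same detection name appearing on several unrelated vendor executables in live locations is exactly the pattern the helper is chasing with the later dir *.ex_ listing.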

#12 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,994 posts

Posted 12 August 2007 - 08:22 PM

Hi hapworth,

Next press Start->Run, copy/paste the following command (it's one long command) into the box and press OK:

cmd /c dir c:\*.ex_ /s >> "%userprofile%\desktop\look.txt"

A file called look.txt should appear on your Desktop, please post the contents in your next response.
ASAP & UNITE Member

#13 hapworth

hapworth

    New Member

  • Authentic Member
  • Pip
  • 12 posts

Posted 12 August 2007 - 10:56 PM

Silver, when I pasted your last command, I received a black screen that read "C:\WINDOWS\system32\cmd.exe" in the header of the window. The entire inner part of the window is black. Also, my computer had started running much better; however, it seems to be regressing as of this logon.... Also, my wife and I each have our own user accounts on this computer. When my side was running good recently, hers was still horrible. Does what you are helping me with take care of the computer as a whole or will I need to address our accounts individually? Thanks!!!!!!!!!!!!

#14 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,994 posts

Posted 13 August 2007 - 12:26 AM

Hi hapworth,

If your wife's computer has a problem, it's best to post a new thread for it so we don't get confused, and if they share an internet connection via a router/LAN, it's best to have only one machine connected at a time, because they could infect each other and we would then be chasing our tail!

Your machine is still infected but we're getting close to resolving the problems.

The black box appearing is normal and expected, and it might take a while to finish, that's OK - please let it finish and once the black box has closed, then open the file look.txt and post the contents.

Edited by _silver_, 13 August 2007 - 12:26 AM.

ASAP & UNITE Member

#15 hapworth

    New Member

  • Authentic Member
  • 12 posts

Posted 13 August 2007 - 01:25 AM

Hey Silver! I am so glad to hear that we are close! What I meant previously was that we share the same computer, but we each have our own user account. We each have our own account on this computer. I was wondering if all of your work would alleviate all problems on the system for BOTH of us as separate users. Thanks so much, Silver!!!!

 Volume in drive C has no label.
 Volume Serial Number is AC8A-A27C

 Directory of c:\I386

08/29/2002  05:00 AM            30,309 AUUPDATE.EX_
08/29/2002  05:00 AM            18,337 BCKGZM.EX_
08/29/2002  05:00 AM             5,107 CHANGE.EX_
08/29/2002  05:00 AM             7,231 CHGLOGON.EX_
08/29/2002  05:00 AM             8,686 CHGPORT.EX_
08/29/2002  05:00 AM             7,751 CHGUSR.EX_
08/29/2002  05:00 AM            19,031 CHKRZM.EX_
08/29/2002  05:00 AM             2,054 CLEANRI.EX_
08/29/2002  05:00 AM            30,748 COPYMAR.EX_
08/29/2002  05:00 AM             9,925 CPROFILE.EX_
08/29/2002  05:00 AM           149,075 DIALER.EX_
08/29/2002  05:00 AM           101,407 DLIMPORT.EX_
08/29/2002  05:00 AM            80,545 DW.EX_
08/29/2002  05:00 AM             8,458 EVNTCMD.EX_
08/29/2002  05:00 AM            33,340 EVNTWIN.EX_
08/29/2002  05:00 AM           351,603 EXPLORER.EX_
08/29/2002  05:00 AM            10,359 FAXPATCH.EX_
08/29/2002  05:00 AM             7,655 FLATTEMP.EX_
08/29/2002  05:00 AM            53,454 FXSCLNT.EX_
08/29/2002  05:00 AM            73,715 FXSCOVER.EX_
08/29/2002  05:00 AM             5,206 FXSSEND.EX_
08/29/2002  05:00 AM           106,735 FXSSVC.EX_
08/29/2002  05:00 AM           278,178 HELPCTR.EX_
08/29/2002  05:00 AM            43,537 HELPHOST.EX_
08/29/2002  05:00 AM           249,716 HELPSVC.EX_
08/29/2002  05:00 AM             3,659 HH.EX_
08/29/2002  05:00 AM            18,749 HRTZZM.EX_
08/29/2002  05:00 AM             4,045 HSCUPD.EX_
08/29/2002  05:00 AM            15,527 HYPERTRM.EX_
08/29/2002  05:00 AM            36,925 IEXPLORE.EX_
08/29/2002  05:00 AM             6,449 MEDCTRRO.EX_
08/29/2002  05:00 AM            18,240 MIGISOL.EX_
08/29/2002  05:00 AM             3,101 MIGREGDB.EX_
08/29/2002  05:00 AM           338,442 MOVIEMK.EX_
08/29/2002  05:00 AM             1,285 MPLAYER2.EX_
08/29/2002  05:00 AM            56,259 MSCONFIG.EX_
08/29/2002  05:00 AM            12,891 MSIREGMV.EX_
08/29/2002  05:00 AM            36,665 MSN6.EX_
08/29/2002  05:00 AM            10,404 MSNUNIN.EX_
08/29/2002  05:00 AM            43,055 MTSTOCOM.EX_
08/29/2002  05:00 AM            35,881 MUISETUP.EX_
08/29/2002  05:00 AM             4,601 NMPGMGRP.EX_
08/29/2002  05:00 AM            16,589 NOTIFLAG.EX_
08/29/2002  05:00 AM           891,521 NTKRNLMP.EX_
08/29/2002  05:00 AM            79,853 OSCHOICE.EX_
08/29/2002  05:00 AM           110,109 OSLOADER.EX_
08/29/2002  05:00 AM            37,035 PEER.EX_
08/29/2002  05:00 AM            48,530 PORTMON.EX_
08/29/2002  05:00 AM             5,106 QUERY.EX_
08/29/2002  05:00 AM             8,886 QUSER.EX_
08/29/2002  05:00 AM             7,869 REGISTER.EX_
08/29/2002  05:00 AM            17,997 RVSEZM.EX_
08/29/2002  05:00 AM           114,519 SETUPLDR.EX_
08/29/2002  05:00 AM            75,991 SETUP_WM.EX_
08/29/2002  05:00 AM            18,013 SHVLZM.EX_
08/29/2002  05:00 AM            78,183 SMI2SMIR.EX_
08/29/2002  05:00 AM             1,898 SNCHK.EX_
08/29/2002  05:00 AM            15,239 SNMP.EX_
08/29/2002  05:00 AM             3,937 SNMPTRAP.EX_
08/29/2002  05:00 AM             9,340 TFTPD.EX_
08/29/2002  05:00 AM         3,100,174 TOURP.EX_
08/29/2002  05:00 AM            98,195 TOURSTRT.EX_
08/29/2002  05:00 AM             7,453 TSPROF.EX_
08/29/2002  05:00 AM            17,001 TWUNK_16.EX_
08/29/2002  05:00 AM            10,359 TWUNK_32.EX_
08/29/2002  05:00 AM            58,468 UPLOADM.EX_
08/29/2002  05:00 AM            17,822 WATCHER.EX_
08/29/2002  05:00 AM            33,531 WCOM32.EX_
08/29/2002  05:00 AM           122,546 WINHELP.EX_
08/29/2002  05:00 AM             3,372 WINHSTB.EX_
08/29/2002  05:00 AM           216,859 WMPLAYER.EX_
08/29/2002  05:00 AM            74,426 WORDPAD.EX_
08/29/2002  05:00 AM             7,203 XCCIHELP.EX_
08/29/2002  05:00 AM            16,903 ZCLIENTM.EX_
              74 File(s)      7,663,267 bytes

 Directory of c:\I386\LANG

08/29/2002  05:00 AM           168,827 CINTSETP.EX_
08/29/2002  05:00 AM            19,465 CPLEXE.EX_
08/29/2002  05:00 AM            24,627 IMEKRMIG.EX_
08/29/2002  05:00 AM           103,857 IMEPADSV.EX_
08/29/2002  05:00 AM            20,793 IMJPDADM.EX_
08/29/2002  05:00 AM           108,584 IMJPDCT.EX_
08/29/2002  05:00 AM            57,925 IMJPDSVR.EX_
08/29/2002  05:00 AM            76,711 IMJPINST.EX_
08/29/2002  05:00 AM            78,004 IMJPMIG.EX_
08/29/2002  05:00 AM            88,135 IMJPRW.EX_
08/29/2002  05:00 AM            12,270 IMJPUEX.EX_
08/29/2002  05:00 AM            90,210 IMJPUTY.EX_
08/29/2002  05:00 AM            32,633 IMKRINST.EX_
08/29/2002  05:00 AM            28,139 IMSCINST.EX_
08/29/2002  05:00 AM            34,535 PINTLPHR.EX_
08/29/2002  05:00 AM            20,507 TINTLPHR.EX_
08/29/2002  05:00 AM             9,231 TINTSETP.EX_
              17 File(s)        974,453 bytes

 Directory of c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}

06/01/2005  11:35 AM            49,152 hphupd08.ex_
               1 File(s)         49,152 bytes

 Directory of c:\Program Files\HP\HP Software Update

05/11/2005  11:12 PM            49,152 HPWuSchd2.ex_
               1 File(s)         49,152 bytes

 Directory of c:\Program Files\Intel\Modem Event Monitor

09/03/2003  08:12 PM           221,184 IntelMEM.ex_
               1 File(s)        221,184 bytes

 Directory of c:\Program Files\Lexmark 1200 Series\Drivers

01/19/2001  02:50 AM            20,116 instmon.ex_
04/17/2006  12:42 PM           152,569 lexbces.ex_
02/08/2000  07:35 PM            91,727 lexdrvin.ex_
05/09/2002  01:25 AM            11,340 lexgo.ex_
04/17/2006  12:45 PM            86,038 lexping.ex_
04/17/2006  12:41 PM            99,954 lexpps.ex_
07/13/2006  12:33 AM           298,295 lxczaiox.ex_
07/13/2006  12:33 AM            24,924 lxczbmon.ex_
01/17/2006  02:45 AM            37,852 lxczjswx.ex_
01/16/2006  09:26 PM            56,875 lxczpswx.ex_
07/13/2006  12:44 AM            27,057 lxczweb.ex_
05/30/2002  12:36 AM            46,569 powermgr.ex_
              12 File(s)        953,316 bytes

 Directory of c:\Program Files\Lexmark 1200 Series\Drivers\English

07/13/2006  12:22 AM            27,510 lxczbmgr.ex_
07/13/2006  12:22 AM           266,423 lxczvb.ex_
07/30/2002  11:00 AM           305,870 wavs.ex_
10/15/1997  10:39 PM           322,026 _inst32i.ex_
               4 File(s)        921,829 bytes

 Directory of c:\Program Files\Saitek\Software

01/28/2004  09:19 AM           159,744 Profiler.ex_
01/28/2004  09:19 AM            98,304 SaiSmart.ex_
               2 File(s)        258,048 bytes

 Directory of c:\Program Files\TurboTax\Basic 2003\DlInst

02/23/1999  11:45 AM           296,674 _inst32i.ex_
               1 File(s)        296,674 bytes

 Directory of c:\WINDOWS\SYSTEM32

04/07/2003  12:07 AM           114,688 hkcmd.ex_
04/07/2003  12:19 AM           155,648 igfxtray.ex_
07/09/2001  11:50 AM           155,648 NeroCheck.ex_
               3 File(s)        425,984 bytes

     Total Files Listed:
             116 File(s)     11,813,059 bytes
               0 Dir(s)  21,777,424,384 bytes free
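The command in post #12 and the listing it produced in post #15 are the two halves of one step: enumerate every .ex_ file on the drive, then read the list by location. The Python below is an added example for this thread, not the helper's tool and not code from the forum. It does the same enumeration with os.walk (the live equivalent of `dir c:\*.ex_ /s`), parses `dir /s` text into records, counts entries per directory, and separates the entries that fall outside directories the caller names as known installation sources. The listing embedded in it is a constructed excerpt in the format of the thread's output, not the full 116-entry file, and the choice of c:\I386 and c:\Program Files as known sources is this example's own assumption.

```python
"""Inventory .ex_ files the way ``dir c:\\*.ex_ /s`` does and parse that
command's output into records that can be grouped and reviewed.

Added example for this thread (not the helper's tool or forum code).
Assumption: .ex_ files are makecab-compressed installer copies that
normally sit under a setup source such as c:\\I386 or a product's
Program Files folder; entries elsewhere are simply the ones to read first.
"""
import os
import re
import tempfile
from collections import Counter

# Constructed excerpt in the format of the listing posted in the thread;
# the real look.txt holds 116 entries.
SAMPLE_LISTING = """\
 Volume in drive C has no label.
 Volume Serial Number is AC8A-A27C

 Directory of c:\\I386

08/29/2002  05:00 AM            30,309 AUUPDATE.EX_
08/29/2002  05:00 AM           351,603 EXPLORER.EX_
               2 File(s)        381,912 bytes

 Directory of c:\\WINDOWS\\SYSTEM32

04/07/2003  12:07 AM           114,688 hkcmd.ex_
07/09/2001  11:50 AM           155,648 NeroCheck.ex_
               2 File(s)        270,336 bytes

     Total Files Listed:
               4 File(s)        652,248 bytes
               0 Dir(s)  21,777,424,384 bytes free
"""

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
# date, time, comma-grouped size, file name; "n File(s)" summary rows and
# <DIR> rows do not match because they do not start with a date
FILE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(\S.*?)\s*$"
)


def parse_dir_listing(text):
    """Turn ``dir /s`` output into dicts: directory, date, time, size, name."""
    entries, current = [], None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current = m.group(1)          # every file row that follows belongs here
            continue
        m = FILE_RE.match(line)
        if m and current is not None:
            date, clock, size, name = m.groups()
            entries.append({"directory": current, "date": date, "time": clock,
                            "size": int(size.replace(",", "")), "name": name})
    return entries


def count_by_directory(entries):
    """Number of matching files per directory, lower-cased for grouping."""
    return Counter(e["directory"].lower() for e in entries)


def entries_outside(entries, known_prefixes):
    """Entries whose directory is not under any known source tree
    (case-insensitive prefix match); these are read first, not judged."""
    prefixes = tuple(p.lower() for p in known_prefixes)
    return [e for e in entries
            if not e["directory"].lower().startswith(prefixes)]


def find_ex_files(root):
    """Live equivalent of ``dir <root>\\*.ex_ /s``: recursive, case-insensitive."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        found.extend(os.path.join(dirpath, f) for f in files
                     if f.lower().endswith(".ex_"))
    return sorted(found)


def find_ex_files_demo():
    """Build a throwaway tree and return the base names find_ex_files reports."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "sub"))
        for rel in ("a.EX_", os.path.join("sub", "b.ex_"), "c.exe"):
            open(os.path.join(root, rel), "w").close()
        return sorted(os.path.basename(p) for p in find_ex_files(root))


if __name__ == "__main__":
    rows = parse_dir_listing(SAMPLE_LISTING)
    for directory, n in sorted(count_by_directory(rows).items()):
        print(f"{n:4d}  {directory}")
    print("outside known source trees:")
    for e in entries_outside(rows, ("c:\\i386", "c:\\program files")):
        print(f"  {e['directory']}\\{e['name']}  {e['size']:,} bytes  {e['date']}")
    print("demo walk:", find_ex_files_demo())
```

Run against the full look.txt from the thread, the per-directory counts reproduce the "n File(s)" subtotals in the listing, and with c:\I386 and c:\Program Files passed as known sources the only entries left over are the three under c:\WINDOWS\SYSTEM32. That is a reading aid, not a verdict: the filter says where a reviewer would look first, and what each file is still has to be established from the file itself.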
