Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Bufferoverflow 2

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Bufferoverflow 2

Unread postby abu » June 17th, 2008, 11:27 am

Hi people,

i alreaDY have posted abt the problem.. when i open my internet exploerer my anti virus software pops up to alert me on BUFFEROVERFLOW (bo;heap)..
so i did the a KASPERSKY ONLINE sacn.. herer is the report... i aslo did a hijack this scan.. the report is also added.. could anyone help me with this porblm..
thank you!!!


KASPERSKY ONLINE SCANNER REPORT
Thursday, 22 May, 2008 4:43:08 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/05/2008
Kaspersky Anti-Virus database records: 792789


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
P:\

Scan Statistics
Total number of scanned objects 230258
Number of viruses found 3
Number of infected objects 10
Number of suspicious objects 0
Duration of the scan process 03:27:37

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20080522_Time-081550078_EnterceptExceptions.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20080522_Time-081550078_EnterceptRules.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_DET-NB0800086.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_DET-NB0800086.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\p0800086\Application Data\Microsoft\MSNLiveFav\LiveFavorites.xml Object is locked skipped

C:\Documents and Settings\p0800086\Application Data\Teleca\Telecalib\Logging\Application logs\SpecificUSB_log.txt Object is locked skipped

C:\Documents and Settings\p0800086\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\p0800086\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\p0800086\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\p0800086\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\p0800086\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\p0800086\Local Settings\History\History.IE5\MSHist012008052220080523\index.dat Object is locked skipped

C:\Documents and Settings\p0800086\Local Settings\Temp\hsperfdata_p0800086\3676 Object is locked skipped

C:\Documents and Settings\p0800086\Local Settings\Temp\jar_cache16682.tmp Object is locked skipped

C:\Documents and Settings\p0800086\Local Settings\Temp\~DF554A.tmp Object is locked skipped

C:\Documents and Settings\p0800086\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\p0800086\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\p0800086\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\p0800086\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Screensavers.com\SSSInstaller\bin\screensavers.exe Infected: not-a-virus:AdWare.Win32.Comet.bl skipped

C:\Program Files\Screensavers.com\SSSInstaller\bin\sinstaller3.exe/data0002 Infected: not-a-virus:AdWare.Win32.Comet.bl skipped

C:\Program Files\Screensavers.com\SSSInstaller\bin\sinstaller3.exe NSIS: infected - 1 skipped

C:\Program Files\Screensavers.com\SSSInstaller\bin\SSSInstaller.dll Infected: not-a-virus:AdWare.Win32.Comet.bl skipped

C:\Program Files\Starware316\bin\Starware316.dll Infected: not-a-virus:AdWare.Win32.Comet.bu skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{8AB9F13D-E492-4C1E-A3BF-17CB7A12A6DD}\RP19\A0002669.exe/data0002 Infected: not-a-virus:AdWare.Win32.Comet.bl skipped

C:\System Volume Information\_restore{8AB9F13D-E492-4C1E-A3BF-17CB7A12A6DD}\RP19\A0002669.exe/data0003/data0002 Infected: not-a-virus:AdWare.Win32.Comet.bl skipped

C:\System Volume Information\_restore{8AB9F13D-E492-4C1E-A3BF-17CB7A12A6DD}\RP19\A0002669.exe/data0003 Infected: not-a-virus:AdWare.Win32.Comet.bl skipped

C:\System Volume Information\_restore{8AB9F13D-E492-4C1E-A3BF-17CB7A12A6DD}\RP19\A0002669.exe NSIS: infected - 3 skipped

C:\System Volume Information\_restore{8AB9F13D-E492-4C1E-A3BF-17CB7A12A6DD}\RP26\change.log Object is locked skipped

C:\WINDOWS\CSC\00000001 Object is locked skipped

C:\WINDOWS\Debug\Netlogon.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{DD886D05-8AD5-4F6B-9BBD-787B557BB354}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\CCM\Logs\CcmExec.log Object is locked skipped

C:\WINDOWS\system32\CCM\Logs\CertificateMaintenance.log Object is locked skipped

C:\WINDOWS\system32\CCM\Logs\ClientIDManagerStartup.log Object is locked skipped

C:\WINDOWS\system32\CCM\Logs\LocationServices.log Object is locked skipped

C:\WINDOWS\system32\CCM\Logs\mtrmgr.log Object is locked skipped

C:\WINDOWS\system32\CCM\Logs\PatchInstall.log Object is locked skipped

C:\WINDOWS\system32\CCM\Logs\PatchUIMonitor.log Object is locked skipped

C:\WINDOWS\system32\CCM\Logs\PolicyAgent.log Object is locked skipped

C:\WINDOWS\system32\CCM\Logs\PolicyAgentProvider.log Object is locked skipped

C:\WINDOWS\system32\CCM\Logs\PolicyEvaluator.log Object is locked skipped

C:\WINDOWS\system32\CCM\Logs\Scheduler.log Object is locked skipped

C:\WINDOWS\system32\CCM\Logs\SrcUpdateMgr.log Object is locked skipped

C:\WINDOWS\system32\CCM\Logs\StatusAgent.log Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\CertificateMaintenanceEndpoint\00000004.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\CertificateMaintenanceEndpoint\00000004.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\CTMDTSReply\0000000E.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\CTMDTSReply\0000000E.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\execmgr\00000001.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\execmgr\00000001.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\InventoryAgent\00000001.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\InventoryAgent\00000001.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ReplyLocations\00000006.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ReplyLocations\00000006.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ScheduledCleanup\00000007.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ScheduledCleanup\00000007.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\MtrMgr\00000001.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\MtrMgr\00000001.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PatchUIMonitor\00000001.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PatchUIMonitor\00000001.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_Cleanup\00000004.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_Cleanup\00000004.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyDownload\00000001.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyDownload\00000001.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyEvaluator\0000000G.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyEvaluator\0000000G.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReplyAssignments\00000006.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReplyAssignments\00000006.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_RequestAssignments\0000000I.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_RequestAssignments\0000000I.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReRequestPolicy\00000001.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReRequestPolicy\00000001.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\RemoteToolsAgent\00000001.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\RemoteToolsAgent\00000001.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\SrcUpdateMgr\00000001.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\SrcUpdateMgr\00000001.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\SWMTRReportGen\00000001.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\SWMTRReportGen\00000001.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\UpdatesInstallMgr\00000001.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\UpdatesInstallMgr\00000001.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\UploadProtocol\00000001.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\UploadProtocol\00000001.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\amp_[http]mp_locationmanager\00000008.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\amp_[http]mp_locationmanager\00000008.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_ddrendpoint\00000001.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_ddrendpoint\00000001.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_hinvendpoint\00000001.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_hinvendpoint\00000001.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_relayendpoint\00000001.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_relayendpoint\00000001.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_sinvendpoint\00000001.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_sinvendpoint\00000001.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_statusreceiver\00000002.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_statusreceiver\00000002.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_locationmanager\00000003.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_locationmanager\00000003.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_policymanager\0000000F.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_policymanager\0000000F.que Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\etc\hosts.fpo Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

D:\System Volume Information\_restore{8AB9F13D-E492-4C1E-A3BF-17CB7A12A6DD}\RP26\change.log Object is locked skipped

P:\batch\iee.bak Object is locked skipped

P:\batch\initroute.exe Object is locked skipped

P:\batch\kill.exe Infected: not-a-virus:NetTool.Win32.PsKill.a skipped

Scan process completed.







[color=#FF0000][b]Logfile of Trend Micro HijackThis v2.0.2[/b][/color]
Scan saved at 9:34:02 AM, on 22-05-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\lkads.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Salaat Time\SalaatTime.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\National Instruments\Circuit Design Suite 10.0\multisim.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Windows Live Toolbar\msn_sl.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.sp.edu.sg:8888
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5f90c0e3-4c0a-4d54-a8ac-5afe6163a99e} - C:\Program Files\Starware316\bin\Starware316.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Starware Screensavers Toolbar - {1962c5bc-e475-465b-823b-133e711bceb9} - C:\Program Files\Starware316\bin\Starware316.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [startupmessage] "C:\FY08-NB Startup Message v2.htm"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ANTI LITE TITLE DEBUG] C:\Documents and Settings\All Users\Application Data\Okay meta anti lite\Joy Media.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SalaatTime] C:\Program Files\Salaat Time\SalaatTime.exe
O4 - HKCU\..\Run: [signitch] C:\DOCUME~1\p0800086\APPLIC~1\MULTIW~1\Link Mp3 Idle.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: MapToPDrive.bat
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 2779762734
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 2782968140
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/ ... 586-jc.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sd.sp.edu.sg
O17 - HKLM\Software\..\Telephony: DomainName = sd.sp.edu.sg
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sd.sp.edu.sg
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sd.sp.edu.sg
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\WINDOWS\system32\DRIVERS\xaudio.exe

--
End of file - 13430 bytes
abu
Regular Member
 
Posts: 23
Joined: May 21st, 2008, 9:27 pm
Advertisement
Register to Remove

Re: Bufferoverflow 2

Unread postby Rodav » June 18th, 2008, 11:13 am

Hello! :hello2: and welcome to the Malware Removal forums.
I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research so please be patient while I work on your log and I will post back here with any recommendations.
As I am still training, everything that I post to you, must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts. While it shouldn't be too long, you can be assured you will get the best possible advice.

  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
User avatar
Rodav
MRU Master Emeritus
 
Posts: 1480
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.

Re: Bufferoverflow 2

Unread postby abu » June 19th, 2008, 12:26 am

hi,
I amvery glad there is someone to help me so thank you very much for the help rendered...
abu
Regular Member
 
Posts: 23
Joined: May 21st, 2008, 9:27 pm

Re: Bufferoverflow 2

Unread postby Rodav » June 19th, 2008, 6:22 am

Step 1:
Please visit http://virusscan.jotti.org/

Copy/paste this file and path into the white box at the top:
C:\DOCUME~1\p0800086\APPLIC~1\MULTIW~1\Link Mp3 Idle.exe

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.
If Jotti is busy try the same at Virustotal


Step 2:
Please Download NoLop to your desktop from one of the links below...
Link 1
Link 2
  • First close any other programs you have running as this will require a reboot
  • Double click NoLop.exe to run it.
  • Now click the button labelled "Search and Destroy"
    (your computer will now be scanned for infected files)
  • When scanning is finished you will be prompted to reboot only if infected, Click OK
  • Now click the "REBOOT" Button.
  • A Message should popup from NoLop. If not, double click the program again and it will finish.
  • Please post the contents of C:\NoLop.log later.
Note: If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to C:\WINDOWS\system32\ folder then rerun the program.


Step 3:
Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your reply.


Logs to Post:
Please copy and paste the following into your next reply:
  • The Jotti/Virustotal results
  • The NoLop report (C:\NoLop.log)
  • main.txt and extra.txt from the DSS scan
User avatar
Rodav
MRU Master Emeritus
 
Posts: 1480
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.

Re: Bufferoverflow 2

Unread postby abu » June 20th, 2008, 2:57 am

viruscan result
File: Link_Mp3_Idle.exe
Status: INFECTED/MALWARE
MD5: f92d52631378c24e32fd5d2646746346
Packers detected: -

Scanner results
Scan taken on 20 Jun 2008 06:32:27 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found Trojan.Swizzor.based
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing






main text result
Deckard's System Scanner v20071014.68
Run by p0800086 on 2008-06-20 14:48:03
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
31: 2008-06-20 06:48:08 UTC - RP31 - Deckard's System Scanner Restore Point
30: 2008-06-16 04:51:54 UTC - RP30 - Software Distribution Service 3.0
29: 2008-06-15 11:57:52 UTC - RP29 - Software Distribution Service 3.0
28: 2008-06-01 04:51:09 UTC - RP28 - Installed Python 2.4.1
27: 2008-05-24 06:06:23 UTC - RP27 - System Checkpoint


-- First Restore Point --
1: 2008-04-05 02:54:55 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as p0800086.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:50:48 PM, on 20-06-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Salaat Time\SalaatTime.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Documents and Settings\p0800086\Local Settings\Temporary Internet Files\Content.IE5\83LZHH8I\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\p0800086.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = fol.singnet.com.sg:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5f90c0e3-4c0a-4d54-a8ac-5afe6163a99e} - C:\Program Files\Starware316\bin\Starware316.dll
O2 - BHO: XMLDP Class - {72A128E0-2240-40c8-9E92-5387D64F839E} - C:\WINDOWS\xml2u32c.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Starware Screensavers Toolbar - {1962c5bc-e475-465b-823b-133e711bceb9} - C:\Program Files\Starware316\bin\Starware316.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [startupmessage] "C:\FY08-NB Startup Message v2.htm"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ANTI LITE TITLE DEBUG] C:\Documents and Settings\All Users\Application Data\Okay meta anti lite\Joy Media.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SalaatTime] C:\Program Files\Salaat Time\SalaatTime.exe
O4 - HKCU\..\Run: [signitch] C:\DOCUME~1\p0800086\APPLIC~1\MULTIW~1\Link Mp3 Idle.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: MapToPDrive.bat
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 2779762734
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 2782968140
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/ ... 586-jc.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sd.sp.edu.sg
O17 - HKLM\Software\..\Telephony: DomainName = sd.sp.edu.sg
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sd.sp.edu.sg
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\WINDOWS\system32\DRIVERS\xaudio.exe

--
End of file - 12814 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.scr - AutoCADScriptFile - shell\open\command - "C:\WINDOWS\system32\notepad.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 NaiAvTdi1 - c:\windows\system32\drivers\mvstdi5x.sys <Not Verified; Network Associates, Inc.; VirusScan>
R1 NTGDT - c:\windows\system32\drivers\ntgdt.sys
R2 cvintdrv - c:\windows\system32\drivers\cvintdrv.sys
R2 XAudio - c:\windows\system32\drivers\xaudio.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
R3 EntDrv51 - c:\windows\system32\drivers\entdrv51.sys <Not Verified; Network Associates, Inc; Virus Scan Enterprise, Entercept>
R3 NaiAvFilter1 - c:\windows\system32\drivers\naiavf5x.sys <Not Verified; Network Associates, Inc.; VirusScan>

S3 HSXHWAZL - c:\windows\system32\drivers\hsxhwazl.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
S3 UIUSys (Conexant Setup API) - c:\windows\system32\drivers\uiusys.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 McAfeeFramework (McAfee Framework Service) - c:\program files\network associates\common framework\frameworkservice.exe /servicestart <Not Verified; Network Associates, Inc.; McAfee Common Framework>
R2 McTaskManager (Network Associates Task Manager) - "c:\program files\network associates\virusscan\vstskmgr.exe" <Not Verified; Network Associates, Inc.; VirusScan Enterprise>

S2 UTSCSI (CLCV0) - c:\windows\system32\utscsi.exe
S2 XAudioService - c:\windows\system32\drivers\xaudio.exe <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
S3 NILM License Manager - "c:\program files\national instruments\shared\license manager\bin\lmgrd.exe" <Not Verified; Macrovision Corporation; >


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-20 14:28:00 260 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2008-06-18 14:38:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-20 and 2008-06-20 -----------------------------

2008-06-20 14:44:46 106 --a------ C:\delete.bat
2008-06-20 14:37:46 0 d-------- C:\NoLopBackups
2008-06-15 20:19:27 0 d-------- C:\WINDOWS\Prefetch
2008-06-15 20:08:51 0 d-------- C:\WINDOWS\system32\scripting
2008-06-15 20:08:51 0 d-------- C:\WINDOWS\system32\bits
2008-06-15 20:08:51 0 d-------- C:\WINDOWS\l2schemas
2008-06-15 20:05:55 0 d-------- C:\WINDOWS\ServicePackFiles
2008-06-15 19:32:24 0 d-------- C:\Documents and Settings\All Users\Application Data\SSScanAppDataDir
2008-06-15 19:32:15 0 d-------- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
2008-06-15 19:31:52 0 d-------- C:\Documents and Settings\p0800086\Application Data\Canon
2008-06-15 19:28:54 0 d--h----- C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-06-15 19:24:10 0 d--h----- C:\WINDOWS\system32\CanonIJ Uninstaller Information
2008-06-15 19:23:51 0 d--h----- C:\Program Files\CanonBJ
2008-06-01 12:52:50 0 d-------- C:\Documents and Settings\p0800086\.idlerc
2008-06-01 12:51:09 0 d-------- C:\Python24
2008-05-22 15:08:37 52224 --a------ C:\WINDOWS\xml2u32c.dll <Not Verified; Microsoft Corporation; XML parser library>
2008-05-22 13:05:42 0 d-------- C:\Documents and Settings\p0800086\Application Data\Help
2008-05-22 09:33:19 0 d-------- C:\Program Files\Trend Micro
2008-05-22 09:08:58 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-22 09:08:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-20 14:15:30 0 d-------- C:\Program Files\Microsoft Games


-- Find3M Report ---------------------------------------------------------------

2008-06-20 14:40:50 0 d-------- C:\Documents and Settings\p0800086\Application Data\Starware316
2008-06-20 14:40:28 0 d-------- C:\Documents and Settings\p0800086\Application Data\Skype
2008-06-19 15:22:39 0 d-------- C:\Program Files\ZwCAD 2006i
2008-06-15 20:18:54 0 d-------- C:\Program Files\Messenger
2008-06-15 20:08:50 0 d-------- C:\Program Files\Movie Maker
2008-06-15 20:05:41 0 d-------- C:\Program Files\Windows NT
2008-05-22 08:21:57 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-20 11:41:16 0 d-------- C:\Program Files\National Instruments
2008-05-15 13:24:26 0 d-------- C:\Program Files\Sony Ericsson
2008-05-12 17:03:44 0 d-------- C:\Program Files\MSECache
2008-05-12 16:19:20 0 d-------- C:\Documents and Settings\p0800086\Application Data\multi wipe load
2008-05-12 16:17:41 0 d-------- C:\Program Files\multi wipe load
2008-05-12 16:17:06 0 d-------- C:\Program Files\Circle Developement
2008-05-12 16:17:05 0 d-------- C:\Program Files\Messenger Plus! Live
2008-05-12 14:14:01 0 d-------- C:\Documents and Settings\p0800086\Application Data\Media Player Classic
2008-05-12 14:12:48 0 d-------- C:\Program Files\Combined Community Codec Pack
2008-05-08 22:08:42 0 d-------- C:\Program Files\FreeMind
2008-04-28 14:25:04 0 d-------- C:\Documents and Settings\p0800086\Application Data\National Instruments
2008-04-28 14:18:01 0 d-------- C:\Program Files\HI-TECH Software
2008-04-28 14:17:29 0 d-------- C:\Program Files\Common Files\Merge Modules
2008-04-27 23:29:17 0 d-------- C:\Documents and Settings\p0800086\Application Data\CyberLink
2008-04-24 15:47:31 0 d-------- C:\Program Files\Pixologic
2008-04-24 15:34:42 0 d-------- C:\Program Files\Salaat Time
2008-04-24 15:21:17 0 d-------- C:\Program Files\DivineIslam
2008-04-24 14:40:59 0 d-------- C:\Program Files\GameShadow
2008-04-24 14:37:46 0 d-------- C:\Program Files\Eidos
2008-04-24 14:37:45 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-24 13:54:45 0 d-------- C:\Program Files\Common Files\Autodesk Shared
2008-04-24 13:54:41 0 d-------- C:\Program Files\AutoCAD 2006
2008-04-24 13:54:23 0 d-------- C:\Program Files\AnswerWorks 4.0
2008-04-24 13:50:28 0 d-------- C:\Documents and Settings\p0800086\Application Data\Autodesk
2008-04-24 13:50:00 0 d-------- C:\Program Files\Common Files
2008-04-24 13:49:56 0 d-------- C:\Program Files\Autodesk
2008-04-22 10:34:50 0 --a------ C:\WINDOWS\system32\UTSCSI.EXE
2008-04-22 10:34:21 0 d-------- C:\Documents and Settings\p0800086\Application Data\PLAux
2008-04-22 10:34:17 0 d-------- C:\Documents and Settings\p0800086\Application Data\OTi
2008-04-14 05:41:52 276992 --a------ C:\WINDOWS\system32\comdlg32.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5f90c0e3-4c0a-4d54-a8ac-5afe6163a99e}]
22-09-2007 04:48 AM 803328 --a------ C:\Program Files\Starware316\bin\Starware316.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72A128E0-2240-40c8-9E92-5387D64F839E}]
22-05-2008 03:08 PM 52224 --a------ C:\WINDOWS\xml2u32c.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [25-07-2007 03:02 PM]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [03-10-2007 03:15 PM]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [22-09-2004 08:00 PM]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [06-08-2004 03:50 AM]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [07-10-2003 09:48 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [31-01-2008 11:13 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25-09-2007 01:11 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [12-02-2008 03:55 PM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [05-09-2007 05:13 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [05-09-2007 05:13 PM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [05-09-2007 05:13 PM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [04-08-2004 08:00 PM]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [04-08-2004 08:00 PM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [04-08-2004 08:00 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04-08-2004 08:00 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04-08-2004 08:00 PM]
"startupmessage"="C:\FY08-NB Startup Message v2.htm" [16-02-2008 11:13 AM]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [08-02-2005 04:38 PM]
"@"="" []
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [26-10-2005 05:17 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11-01-2008 10:16 PM]
"ANTI LITE TITLE DEBUG"="C:\Documents and Settings\All Users\Application Data\Okay meta anti lite\Joy Media.exe" [20-06-2008 02:40 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [14-04-2008 05:42 AM]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [22-01-2007 03:23 PM]
"Power2GoExpress"="NA" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [24-04-2008 10:10 AM]
"SalaatTime"="C:\Program Files\Salaat Time\SalaatTime.exe" [26-08-2007 05:38 PM]
"signitch"="C:\DOCUME~1\p0800086\APPLIC~1\MULTIW~1\Link Mp3 Idle.exe" [12-05-2008 04:17 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [05-03-2005 9:18:22 PM]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [12-05-2006 1:33:22 PM]
MapToPDrive.bat [01-03-2006 1:02:54 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49c7c7c8-0575-11dd-8599-001e37a53354}]
AutoRun\command- j.cmd
explore\Command- j.cmd
open\Command- j.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d5df9ba-0529-11dd-8598-806d6172696f}]
Auto\command- F:\tel.xls.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL tel.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{754f5b05-0647-11dd-859a-001e37a53354}]
Auto\command- tel.xls.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL tel.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80cbe4ed-1012-11dd-85a9-001e37a53354}]
AutoRun\command- h1ahxi.bat
explore\Command- h1ahxi.bat
open\Command- h1ahxi.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80cbe4ee-1012-11dd-85a9-001e37a53354}]
AutoRun\command- G:\USBNB.exe




-- End of Deckard's System Scanner: finished at 2008-06-20 14:53:12 ------------

Extra text result
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel(R) Core(TM)2 Duo CPU T5550 @ 1.83GHz
Percentage of Memory in Use: 23%
Physical Memory (total/avail): 3062.29 MiB / 2344.5 MiB
Pagefile Memory (total/avail): 4947.48 MiB / 4363.3 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1873.91 MiB

C: is Fixed (NTFS) - 80 GiB total, 46.55 GiB free.
D: is Fixed (NTFS) - 24.05 GiB total, 23.97 GiB free.
E: is CDROM (No Media)
P: is Network (Unformatted)

\\.\PHYSICALDRIVE0 - FUJITSU MHY2160BH - 149.05 GiB - 3 partitions
\PARTITION0 (bootable) - Unknown - 45 GiB
\PARTITION1 - Installable File System - 80 GiB - C:
\PARTITION2 - Installable File System - 24.05 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ADSKFLEX_LICENSE_FILE=@SSDLC630;@SSDLC640;@SSDLC650;@SSDLC530;@SSDLC540;@SSDLC550
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\p0800086\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DET-NB0800086
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFAULT_CA_NR=CA6
FP_NO_HOST_CHECK=NO
FULL_NAME=Abdul Azeez Mohamed Abuthaheer
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\p0800086
KMP_DUPLICATE_LIB_OK=TRUE
LOGONSERVER=\\SSDDC500
MKL_SERIAL=YES
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Teleca Shared;C:\Program Files\Common Files\Autodesk Shared\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0d
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\p0800086\LOCALS~1\Temp
TMP=C:\DOCUME~1\p0800086\LOCALS~1\Temp
USERDNSDOMAIN=SD.SP.EDU.SG
USERDOMAIN=SD
USERNAME=p0800086
USERPROFILE=C:\Documents and Settings\p0800086
VS80COMNTOOLS=C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

common (admin)
Administrator (admin)
p0800086 (admin)
u000011 (new local, update central, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\Conexant\SmartAudio\SETUP.EXE -U -ISmartAudio -SM=SMAUDIO.EXE,1801
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe AIR --> C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR --> MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Media Player --> C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.amp 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Adobe Media Player --> MsiExec.exe /I{1EBB57D4-63FF-87CC-A0F0-D73982CF6008}
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
AutoCAD 2006 - English --> MsiExec.exe /I{5783F2D7-4001-0409-0002-0060B0CE6BBA}
Autodesk DWF Viewer --> C:\PROGRA~1\Autodesk\AUTODE~1\Setup.exe /remove
Canon MP160 --> "C:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP160\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP160 /L0x0009
Championship Manager 2008 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2F4E2C8A-B886-418E-BE49-0B867CBDA959}\Setup.exe" -l0x9 -removeonly
Combined Community Codec Pack 2008-01-24 --> "C:\Program Files\Combined Community Codec Pack\unins000.exe"
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Conexant HD Audio --> C:\Program Files\CONEXANT\CNXT_AUDIO_HDA\UIU32a.exe -U -I*.INF
Disc2Phone --> MsiExec.exe /I{FFAB5ABB-8AAB-42E2-847F-1743E51E01E9}
DVD Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
Forest Waterfall Screensaver Demo 0.7 --> "C:\Program Files\ForestWaterfallScreensaverDemo\unins000.exe"
FreeMind --> "C:\Program Files\FreeMind\unins000.exe"
GameShadow --> MsiExec.exe /I{6AEAD38B-383B-46FF-8A5D-00A822ADA77A}
getPlus(R)_ocx --> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSo.INF, DefaultUninstall
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
HDAUDIO Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_HERMOSA_HSF\UIU32m.exe -U -IHPQHER5m.inf
HI-TECH C51-lite V9.60PL0 --> "C:\Program Files\HI-TECH Software\HC51\lite\9.60\resources\setup.exe"
HI-TECH PICC lite V9.60PL0 --> "C:\Program Files\HI-TECH Software\PICC\lite\9.60\resources\setup.exe"
Highlight Viewer (Windows Live Toolbar) --> MsiExec.exe /X{A5C4AD72-25FE-4899-B6DF-6D8DF63C93CF}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Integrated Module with Bluetooth wireless technology --> MsiExec.exe /X{3F4EC965-28EF-45C3-B063-04B25D4E9679}
HP Wireless Assistant --> MsiExec.exe /I{CBAE4F50-9FC9-4557-AB36-9826DF3C103C}
Intel(R) Graphics Media Accelerator Driver --> C:\WINDOWS\system32\igxpun.exe -uninstall
Intel® Matrix Storage Manager --> C:\WINDOWS\system32\imsmudlg.exe -uninstall -nodrv
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LabelPrint --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C59C179C-668D-49A9-B6EA-0121CCFC1243}\setup.exe" -uninstall
Map Button (Windows Live Toolbar) --> MsiExec.exe /X{7745B7A9-F323-4BB9-9811-01BF57A028DA}
McAfee VirusScan Enterprise --> MsiExec.exe /I{5DF3D1BB-894E-4DCD-8275-159AC9829B43}
Messenger Plus! Live & Sponsor (CiD) --> "C:\Program Files\Messenger Plus! Live\Uninstall.exe"
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Device Emulator version 1.0 - ENU --> MsiExec.exe /X{78B75C6D-E53C-424C-BF83-4B63BD4A6682}
Microsoft Document Explorer 2005 --> C:\Program Files\Common Files\Microsoft Shared\Help 8\Microsoft Document Explorer 2005\install.exe
Microsoft Document Explorer 2005 --> MsiExec.exe /X{44D4AF75-6870-41F5-9181-662EA05507E1}
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Monster Truck Madness 2 Trial --> C:\Program Files\Microsoft Games\Monster Truck Madness 2 Trial\UNINSTAL.EXE
Microsoft Office FrontPage 2003 --> MsiExec.exe /I{90170409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Project Professional 2003 --> MsiExec.exe /I{903B0409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Visio Professional 2003 --> MsiExec.exe /I{90510409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 Tools Express Edition --> MsiExec.exe /I{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual J# 2.0 Redistributable Package --> C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft Visual J# 2.0 Redistributable Package\install.exe
Microsoft Visual Studio 2005 Professional Edition - ENU --> C:\Program Files\Microsoft Visual Studio 8\Microsoft Visual Studio 2005 Professional Edition - ENU\setup.exe
Microsoft Visual Studio 2005 Professional Edition - ENU Service Pack 1 (KB926601) --> C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {D93F9C7C-AB57-44C8-BAD6-1494674BCAF7} /package {437AB8E0-FB69-4222-B280-A64F3DE22591}
MSDN Library for Visual Studio 2005 --> msiexec /i {23959E96-A80F-4172-A655-210E9BB7BFBE}
MSDN Library for Visual Studio 2005 --> MsiExec.exe /X{23959E96-A80F-4172-A655-210E9BB7BFBE}
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
National Instruments Software --> "C:\Program Files\National Instruments\Shared\NIUninstaller\uninst.exe"
NetWaiting --> C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
Power2Go --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\setup.exe" -uninstall
PowerDirector --> "C:\Program Files\InstallShield Installation Information\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}\setup.exe" /z-uninstall
Python 2.4.1 --> MsiExec.exe /I{4D4F5346-7E4A-40B5-9387-FDB6181357FC}
QuickTime --> MsiExec.exe /I{BFD96B89-B769-4CD6-B11E-E79FFD46F067}
Qur'an Viewer 2.9 --> "C:\Program Files\DivineIslam\Qur'an Viewer 2\unins000.exe"
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Respondus LockDown Browser --> C:\Program Files\InstallShield Installation Information\{C0E5147E-C9F3-4360-9ED0-2E875F11766C}\setup.exe -runfromtemp -l0x0009 -removeonly
Rhapsody Player Engine --> MsiExec.exe /I{22DE1881-9D24-4981-B5CC-EC7E9F2F4D52}
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.52.02 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{59F6A514-9813-47A3-948C-8A155460CC2A}\setup.exe" -l0x9 anything
Salaat Time 1.9 --> C:\PROGRA~1\SALAAT~1\Setup.exe /remove /q0
Screensavers Installer Version 3 --> "C:\Program Files\Screensavers.com\SSSUninst.exe"
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB937061) --> C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {94E2AAC1-CAE5-4F73-B0D1-C471BA1F8E2A} /package {437AB8E0-FB69-4222-B280-A64F3DE22591}
Skype 3.0 --> "C:\Program Files\Skype\Phone\unins000.exe"
Smart Menus (Windows Live Toolbar) --> MsiExec.exe /X{F084395C-40FB-4DB3-981C-B51E74E1E83D}
Sony Ericsson PC Suite --> MsiExec.exe /I{26B5D684-75D6-44B9-BBFF-D4100F43092A}
Starware Screensavers Toolbar --> C:\Program Files\Starware316\Starware316Uninstall.exe
Update Service --> C:\Program Files\Sony Ericsson\Update Service\uninst.exe
Windows Driver Package - Intel (NETw4x32) net (02/25/2007 11.1.0.86) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\DPInst32.EXE /u C:\WINDOWS\system32\DRVSTORE\netw4x32_6BCDD85873491234C1BCE1A995B7FEDD88433F15\netw4x32.inf
Windows Driver Package - Intel (w29n51) net (02/08/2007 9.0.4.33) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\DPInst32.EXE /u C:\WINDOWS\system32\DRVSTORE\w29n51_3219C3E9682004CC6857361A4203A8986CCEB210\w29n51.inf
Windows Driver Package - Intel net (02/25/2007 11.1.0.86) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\DPInst32.EXE /u C:\WINDOWS\system32\DRVSTORE\netw4k32_1BDC0713EC2AE134FC858C6F7F20C87410E6BA5C\netw4k32.inf
Windows Driver Package - Intel net (02/25/2007 11.1.0.86) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\DPInst32.EXE /u C:\WINDOWS\system32\DRVSTORE\netw4x64_4222030BCE046C58A302D849F8E5584EF0C7D11B\netw4x64.inf
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live Favorites for Windows Live Toolbar --> MsiExec.exe /X{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Mail --> MsiExec.exe /I{184E7118-0295-43C4-B72C-1D54AA75AAF7}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar --> MsiExec.exe /X{D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar Extension (Windows Live Toolbar) --> MsiExec.exe /X{341201D4-4F61-4ADB-987E-9CCE4D83A58D}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
XML Paper Specification Shared Components Pack 1.0 -->
ZBrush3 --> MsiExec.exe /I{6084D038-3401-4C9D-A216-86E6EEA25AFB}
ZwCAD 2006i Standard --> C:\Program Files\ZwCAD 2006i\uninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type2509 / Warning
Event Submitted/Written: 06/20/2008 02:52:55 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: Would be blocked by behaviour blocking rule (rule is currently in warn mode) (warn only mode!).(from DET-NB0800086 IP 127.0.0.1 user SYSTEM running VirusScan Enter 8.0 OAS)

Event Record #/Type2508 / Warning
Event Submitted/Written: 06/20/2008 02:52:55 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: Would be blocked by behaviour blocking rule (rule is currently in warn mode) (warn only mode!).(from DET-NB0800086 IP 127.0.0.1 user SYSTEM running VirusScan Enter 8.0 OAS)

Event Record #/Type2507 / Error
Event Submitted/Written: 06/20/2008 02:49:57 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: The file C:\Documents and Settings\p0800086\Local Settings\Temp\jar_cache55962.tmp\JAR_CACHE55962.TMP is infected with the Exploit-ByteVerify Trojan. Undetermined clean error, deleted successfully. Detected using Scan engine version 5200 DAT version 5319.(from DET-NB0800086 IP 127.0.0.1 user DET-NB0800086 running VirusScan Enter 8.0 OAS)

Event Record #/Type2506 / Warning
Event Submitted/Written: 06/20/2008 02:47:28 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: Would be blocked by behaviour blocking rule (rule is currently in warn mode) (warn only mode!).(from DET-NB0800086 IP 127.0.0.1 user SYSTEM running VirusScan Enter 8.0 OAS)

Event Record #/Type2505 / Warning
Event Submitted/Written: 06/20/2008 02:44:38 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: Would be blocked by behaviour blocking rule (rule is currently in warn mode) (warn only mode!).(from DET-NB0800086 IP 127.0.0.1 user SYSTEM running VirusScan Enter 8.0 OAS)



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type6776 / Warning
Event Submitted/Written: 06/20/2008 02:40:23 PM
Event ID/Source: 8193 / LSASRV
Event Description:
The Security System could not establish a secured connection with the server DNS/sspwb100.sp.edu.sg. No authentication protocol was available.

Event Record #/Type6775 / Warning
Event Submitted/Written: 06/20/2008 02:40:23 PM
Event ID/Source: 8192 / LSASRV
Event Description:
The Security System detected an attempted downgrade attack for
server DNS/sspwb100.sp.edu.sg. The failure code from authentication protocol Kerberos
was "There are currently no logon servers available to service the logon request.
(0xc000005e)".

Event Record #/Type6752 / Error
Event Submitted/Written: 06/20/2008 02:39:33 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The XAudioService service failed to start due to the following error:
%%193

Event Record #/Type6751 / Error
Event Submitted/Written: 06/20/2008 02:39:33 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The CLCV0 service failed to start due to the following error:
%%193

Event Record #/Type6750 / Error
Event Submitted/Written: 06/20/2008 02:39:33 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 15 minutes.
NtpClient has no source of accurate time.



-- End of Deckard's System Scanner: finished at 2008-06-20 14:53:12 ------------
abu
Regular Member
 
Posts: 23
Joined: May 21st, 2008, 9:27 pm

Re: Bufferoverflow 2

Unread postby Rodav » June 21st, 2008, 3:18 pm

Hi abu,

Do you know anything about this file Link_Mp3_Idle.exe it is located in C:\DOCUMENTS AND SETTINGS\p0800086\APPLICATION DATA\MULTIW~<<<I am not sure what the folder name is, but it should begin with the letters MULTIW.

You have a number of infections that can infect other drives on your machine, please make sure that every device that you connect to this computer (eg. any USB drives, external hardrives, ipod, phone.... etc) is connected to it before running the following steps. There is a good chance if you have used any of these on this machine that they are infected and if they are not cleaned now, you will probably get reinfected.

There is quite a lot to do here, so if you have any difficulty please let me know.

Step 1:
c:\windows\system32\drivers\ntgdt.sys
C:\FY08-NB Startup Message v2.htm

  • Copy/Paste the first file on the list into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Note details of any viruses found.
  • Repeat for all files on the list, and post me the details please


Step 2:
  • Click here to go to Spykiller.
  • In the Name box, type in your name.
  • In the Email box, type in your email address.
  • In the Subject box, copy and paste in File for analysis.
  • In the big text box, copy and paste this in: Link to log: viewtopic.php?p=312423
  • Type in the Visual Verification.
  • In the first Attach box, copy and paste this in: C:\DOCUME~1\p0800086\APPLIC~1\MULTIW~1\Link Mp3 Idle.exe
  • Click on Post.


Step 3:
Please go to Start > Control Panel and double click on Add/Remove Programs. Uninstall the following programs if they are present:

Bitgrabber
BitRoll
Bitdownload
Browser Enhancer
CiD Help
CiD Manager
DivoCodec
Download Plugin for Internet Explorer
Get-Torrent version 2.1.0.0
Lop.com
LOP SEARCH
Messenger Plus or Messenger Plus and Client
Netpumper
Search Plugin
Torrent101
Ultimate Browser Enhancer
Window Search
Window Searching
WinZix
W3player
Zone Media
Screensavers Installer Version 3
Starware Screensavers Toolbar


In case, during the uninstall, when asked for the uninstall Verification, please enter the numbers that will appear in the window.

Then reboot. Important!

After rebooting please rerun NoLop:
  • First close any other programs you have running as this will require a reboot
  • Double click NoLop.exe to run it.
  • Now click the button labelled "Search and Destroy"
    (your computer will now be scanned for infected files)
  • When scanning is finished you will be prompted to reboot only if infected, Click OK
  • Now click the "REBOOT" Button.
  • A Message should popup from NoLop. If not, double click the program again and it will finish.
  • Please post the contents of C:\NoLop.log later.
Note: If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to C:\WINDOWS\system32\ folder then rerun the program.


Step 4:
  • Please download Flash_Disinfector and save it to your desktop.
  • Double click to run it.
  • You will be prompted to plug in your flash drive. Plug it in.
  • Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
  • When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
  • Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.


Step 5:
Backup Your Registry with ERUNT
  • Please use the following link to download ERUNT
  • Use the setup program to install ERUNT on your computer
Click Erunt.exe to backup your registry to the folder of your choice.

Note:to restore your registry, go to the folder and start ERDNT.exe


Download OTMoveIt2 by Old Timer and save it to your Desktop.
  • Double-click OTMoveIt2.exe to run it.
  • Copy the lines in the codebox below.
Code: Select all
C:\delete.bat
C:\Documents and Settings\p0800086\Application Data\Starware316
C:\Program Files\Starware316
C:\Program Files\Screensavers.com
C:\j.cmd
F:\tel.xls.exe
C:\tel.xls.exe
C:\h1ahxi.bat
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5f90c0e3-4c0a-4d54-a8ac-5afe6163a99e}
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72A128E0-2240-40c8-9E92-5387D64F839E}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49c7c7c8-0575-11dd-8599-001e37a53354}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d5df9ba-0529-11dd-8598-806d6172696f}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{754f5b05-0647-11dd-859a-001e37a53354}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80cbe4ed-1012-11dd-85a9-001e37a53354}
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\@

  • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt2


Step 6:
Please make sure DSS is saved directly to your desktop.
Click start/ run and copy and paste the following:

"%userprofile%\desktop\dss.exe" /daft

Read the disclaimer and click OK.
  • Click on the Scan button.
  • Place a checkmark next to the following entries in case they appear:

    .cpl
    .scr
  • Click the Fix button.
  • Re-scan and save a logfile. By default, it will save as daft.txt
  • I'll need that log later.
If everything is ok again, it should display the "all associations ok message"

Post back with the contents of daft.txt.


Step 7:
Go to Start -> Run, copy and paste the following command and click OK:

CMD /C Dir "C:\Program Files\multi wipe load">"%Userprofile%\Desktop\Report.txt"

That should produce a report on your desktop, Report.txt. Post its contents in your next reply.

Step 8:
Run DSS normally and in your next reply, please post:
  • The Jotti/Virustotal resilts
  • The NoLop report
  • The OTMovit2 results
  • The Report.txt from Step 7
  • daft.txt and the DSS log.
Also let me know if you know anything about the file I mentioned earlier.
User avatar
Rodav
MRU Master Emeritus
 
Posts: 1480
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.

Re: Bufferoverflow 2

Unread postby abu » June 23rd, 2008, 8:47 am

hi,

thaanks for the help so far..
for the reason post , i am not able to carry out step 6onwrds
Step 6:
Please make sure DSSi s saved directly to your desktop.
Click start/ run and copy and paste the following:

"%userprofile%\desktop\dss.exe" /daft

Read the disclaimer and click OK.
Click on the Scan button.
Place a checkmark next to the following entries in case they appear:


.cpl
.scr

Click the Fix button.
Re-scan and save a logfile. By default, it will save as daft.txt
I'll need that log later.
If everything is ok again, it should display the "all associations ok message"

Post back with the contents of daft.txt.

when i copy paste it to run windows pop n says it can'y find such a thin..

and i also don get what is DSS? what is it actually..
i have done the other test n have ther reports.
abu
Regular Member
 
Posts: 23
Joined: May 21st, 2008, 9:27 pm

Re: Bufferoverflow 2

Unread postby abu » June 23rd, 2008, 9:05 am

hi there,
i have anothe problem.
wen i open my internet it says error found hence have to close...
can help me wit that..
thaanks...
abu
Regular Member
 
Posts: 23
Joined: May 21st, 2008, 9:27 pm

Re: Bufferoverflow 2

Unread postby Rodav » June 23rd, 2008, 1:57 pm

Hi,

DSS (Deckard System Scanner) is a scanner that I asked you to download in Step 3 from my second post to you: viewtopic.php?p=312066#p312066

The reason I asked to make sure it was on your desktop as it seemed to be running from your temporary internet files previously. You may need to download the program again from here. Make sure the file DSS.exe is saved directly to your desktop, the icon will look like this: Image

If you can do this, you should be able to carry out the rest of the instructions. When you have this done, please post all the information that I asked for in my last post, I will then look into your internet problems.

Information I will need to see:
  • The Jotti/Virustotal resilts
  • The NoLop report
  • The OTMovit2 results
  • The Report.txt that was created on your desktop from Step 7 earlier.
  • daft.txt and a new DSS (Deckard System Scanner, which can be run by double clicking it) log
Also let me know if you know anything about the file I mentioned earlier: Link_Mp3_Idle.exe
User avatar
Rodav
MRU Master Emeritus
 
Posts: 1480
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.

Re: Bufferoverflow 2

Unread postby abu » June 24th, 2008, 6:32 am

here are the test..
1)Jotti/Virustotal resilts
File ntgdt.sys received on 06.23.2008 13:40:29 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/33 (0%)
Loading server information...
Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2008.6.22.0 2008.06.23 -
AntiVir 7.8.0.59 2008.06.23 -
Authentium 5.1.0.4 2008.06.21 -
Avast 4.8.1195.0 2008.06.23 -
AVG 7.5.0.516 2008.06.22 -
BitDefender 7.2 2008.06.23 -
CAT-QuickHeal 9.50 2008.06.20 -
ClamAV 0.93.1 2008.06.23 -
DrWeb 4.44.0.09170 2008.06.23 -
eSafe 7.0.15.0 2008.06.23 -
eTrust-Vet 31.6.5897 2008.06.23 -
Ewido 4.0 2008.06.23 -
F-Prot 4.4.4.56 2008.06.21 -
F-Secure 7.60.13501.0 2008.06.20 -
Fortinet 3.14.0.0 2008.06.23 -
GData 2.0.7306.1023 2008.06.23 -
Ikarus T3.1.1.26.0 2008.06.23 -
Kaspersky 7.0.0.125 2008.06.23 -
McAfee 5322 2008.06.20 -
Microsoft 1.3604 2008.06.23 -
NOD32v2 3208 2008.06.23 -
Norman 5.80.02 2008.06.20 -
Panda 9.0.0.4 2008.06.22 -
Prevx1 V2 2008.06.23 -
Rising 20.50.02.00 2008.06.23 -
Sophos 4.30.0 2008.06.23 -
Sunbelt 3.0.1153.1 2008.06.15 -
Symantec 10 2008.06.23 -
TheHacker 6.2.92.358 2008.06.21 -
TrendMicro 8.700.0.1004 2008.06.23 -
VBA32 3.12.6.7 2008.06.22 -
VirusBuster 4.5.11.0 2008.06.23 -
Webwasher-Gateway 6.6.2 2008.06.23 -
Additional information
File size: 18144 bytes
MD5...: e80cf42bff8c19893451bcf2435145ba
SHA1..: 4ac2015b47e006ec5a0a65ef6b8363a853618322
SHA256: ac5f74cbdb6edcb784b07bc326e8fb2330266c5319288cd3596f8cd791ad30aa
SHA512: 4fe08af0d2e20401e835991cdbebb375274d442cc74213f2738367c5ae3c35bd
5b77b166c41d9083e7c40da688f6fa74d3603054760a958a97eab6e5ad13768b
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x11a78
timedatestamp.....: 0x449105d7 (Thu Jun 15 07:01:43 2006)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x280 0x3e84 0x3ea0 6.40 89cc08f23cdc470fc57334d1b21c4c77
_LTEXT 0x4120 0x2f 0x40 3.09 5b979fc6151e77b4bd852bdf6672eb31
.data 0x4160 0x1 0x20 0.00 70bc8f4b72a86921468bf8e8441dce51
INIT 0x4180 0x3a8 0x3c0 4.93 5e240d4ea420834a2af76ac488f20cef
.reloc 0x4540 0x182 0x1a0 4.71 096e23e065a7e7cc779895a228b25282

( 2 imports )
> NTOSKRNL.EXE: ZwReadFile, ZwWriteFile, _strlwr, wcslen, KeTickCount, IoDeleteDevice, IoCreateSymbolicLink, IoCreateDevice, RtlTimeToTimeFields, KeQuerySystemTime, ZwQueryInformationFile, KeWaitForSingleObject, IofCallDriver, ObfDereferenceObject, IoBuildSynchronousFsdRequest, KeInitializeEvent, IoGetDeviceObjectPointer, RtlInitString, ExFreePool, ExAllocatePoolWithTag, ZwClose, RtlInitUnicodeString, IofCompleteRequest, ZwOpenKey, KeSetEvent, KeRemoveQueueDpc, KeCancelTimer, KeSetTimerEx, RtlConvertLongToLargeInteger, KeInitializeTimerEx, KeInitializeDpc, ExQueueWorkItem, ObfReferenceObject, ZwCreateFile
> HAL.DLL: KfLowerIrql, KfRaiseIrql, KeGetCurrentIrql

( 0 exports )





File FY08-NB_Startup_Message_v2.htm received on 06.23.2008 13:42:14 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/33 (0%)
Loading server information...
Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2008.6.22.0 2008.06.23 -
AntiVir 7.8.0.59 2008.06.23 -
Authentium 5.1.0.4 2008.06.21 -
Avast 4.8.1195.0 2008.06.23 -
AVG 7.5.0.516 2008.06.22 -
BitDefender 7.2 2008.06.23 -
CAT-QuickHeal 9.50 2008.06.20 -
ClamAV 0.93.1 2008.06.23 -
DrWeb 4.44.0.09170 2008.06.23 -
eSafe 7.0.15.0 2008.06.23 -
eTrust-Vet 31.6.5897 2008.06.23 -
Ewido 4.0 2008.06.23 -
F-Prot 4.4.4.56 2008.06.21 -
F-Secure 7.60.13501.0 2008.06.20 -
Fortinet 3.14.0.0 2008.06.23 -
GData 2.0.7306.1023 2008.06.23 -
Ikarus T3.1.1.26.0 2008.06.23 -
Kaspersky 7.0.0.125 2008.06.23 -
McAfee 5322 2008.06.20 -
Microsoft 1.3604 2008.06.23 -
NOD32v2 3208 2008.06.23 -
Norman 5.80.02 2008.06.20 -
Panda 9.0.0.4 2008.06.22 -
Prevx1 V2 2008.06.23 -
Rising 20.50.02.00 2008.06.23 -
Sophos 4.30.0 2008.06.23 -
Sunbelt 3.0.1153.1 2008.06.15 -
Symantec 10 2008.06.23 -
TheHacker 6.2.92.358 2008.06.21 -
TrendMicro 8.700.0.1004 2008.06.23 -
VBA32 3.12.6.7 2008.06.22 -
VirusBuster 4.5.11.0 2008.06.23 -
Webwasher-Gateway 6.6.2 2008.06.23 -
Additional information
File size: 5306 bytes
MD5...: c24af3e34dbfef6fbe35f11783982cc6
SHA1..: e40fee03cea40452cd19acdaf6fadd2717ebdb6a
SHA256: bac1a6c467c2f336f5ad70239e1cbfc1ee7891dc371022727d9b72816186f61a
SHA512: 7653ac7ce12facbcb3920fe43c14d8c0d6646ed0af6d30313ef18df361cfe720
a62da3752783e7858e70bcdc56e0ffbf63b004e3d733e970701d8d4d55706f62
PEiD..: -
PEInfo: -


2)OTMovit2 results
C:\delete.bat moved successfully.
C:\Documents and Settings\p0800086\Application Data\Starware316\Weather moved successfully.
C:\Documents and Settings\p0800086\Application Data\Starware316\TravelSearch moved successfully.
C:\Documents and Settings\p0800086\Application Data\Starware316\ToolbarSearch moved successfully.
C:\Documents and Settings\p0800086\Application Data\Starware316\ToolbarLogo moved successfully.
C:\Documents and Settings\p0800086\Application Data\Starware316\Toolbar moved successfully.
C:\Documents and Settings\p0800086\Application Data\Starware316\Screensavers moved successfully.
C:\Documents and Settings\p0800086\Application Data\Starware316\Ringtones moved successfully.
C:\Documents and Settings\p0800086\Application Data\Starware316\RelatedSearch moved successfully.
C:\Documents and Settings\p0800086\Application Data\Starware316\Reference moved successfully.
C:\Documents and Settings\p0800086\Application Data\Starware316\Manager moved successfully.
C:\Documents and Settings\p0800086\Application Data\Starware316\Layouts moved successfully.
C:\Documents and Settings\p0800086\Application Data\Starware316\Free_Music moved successfully.
C:\Documents and Settings\p0800086\Application Data\Starware316\Free_Credit_Score moved successfully.
C:\Documents and Settings\p0800086\Application Data\Starware316\ErrorSearch moved successfully.
C:\Documents and Settings\p0800086\Application Data\Starware316\Configurator moved successfully.
C:\Documents and Settings\p0800086\Application Data\Starware316\BrowserSearch moved successfully.
C:\Documents and Settings\p0800086\Application Data\Starware316 moved successfully.
C:\Program Files\Starware316\icons moved successfully.
C:\Program Files\Starware316\bin moved successfully.
C:\Program Files\Starware316 moved successfully.
File/Folder C:\Program Files\Screensavers.com not found.
File/Folder C:\j.cmd not found.
File/Folder F:\tel.xls.exe not found.
File/Folder C:\tel.xls.exe not found.
File/Folder C:\h1ahxi.bat not found.
< HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5f90c0e3-4c0a-4d54-a8ac-5afe6163a99e} >
Registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5f90c0e3-4c0a-4d54-a8ac-5afe6163a99e}\\ not found.
< HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72A128E0-2240-40c8-9E92-5387D64F839E} >
Registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72A128E0-2240-40c8-9E92-5387D64F839E}\\ not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49c7c7c8-0575-11dd-8599-001e37a53354} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49c7c7c8-0575-11dd-8599-001e37a53354}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d5df9ba-0529-11dd-8598-806d6172696f} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d5df9ba-0529-11dd-8598-806d6172696f}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{754f5b05-0647-11dd-859a-001e37a53354} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{754f5b05-0647-11dd-859a-001e37a53354}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80cbe4ed-1012-11dd-85a9-001e37a53354} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80cbe4ed-1012-11dd-85a9-001e37a53354}\\ deleted successfully.
< HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\@ >
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\@ not found.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06232008_203549


3)lume in drive C is WinXP
Volume Serial Number is B809-B5F3

Directory of C:\Program Files

4)
Deckard's System Scanner v20071014.68
Run by p0800086 on 2008-06-24 17:55:54
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as p0800086.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:56:05 PM, on 24-06-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Salaat Time\SalaatTime.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live Toolbar\msn_sl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\p0800086\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\p0800086.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = fol.singnet.com.sg:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5f90c0e3-4c0a-4d54-a8ac-5afe6163a99e} - C:\Program Files\Starware316\bin\Starware316.dll (file missing)
O2 - BHO: XMLDP Class - {72A128E0-2240-40c8-9E92-5387D64F839E} - C:\WINDOWS\xml2u32c.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Starware Screensavers Toolbar - {1962c5bc-e475-465b-823b-133e711bceb9} - C:\Program Files\Starware316\bin\Starware316.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [startupmessage] "C:\FY08-NB Startup Message v2.htm"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SalaatTime] C:\Program Files\Salaat Time\SalaatTime.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: MapToPDrive.bat
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 2779762734
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 2782968140
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/ ... 586-jc.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sd.sp.edu.sg
O17 - HKLM\Software\..\Telephony: DomainName = sd.sp.edu.sg
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sd.sp.edu.sg
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\WINDOWS\system32\DRIVERS\xaudio.exe

--
End of file - 12748 bytes

-- Files created between 2008-05-24 and 2008-06-24 -----------------------------

2008-06-23 20:31:13 0 drahs---- C:\autorun.inf
2008-06-20 14:37:46 0 d-------- C:\NoLopBackups
2008-06-15 20:19:27 0 d-------- C:\WINDOWS\Prefetch
2008-06-15 20:08:51 0 d-------- C:\WINDOWS\system32\scripting
2008-06-15 20:08:51 0 d-------- C:\WINDOWS\system32\bits
2008-06-15 20:08:51 0 d-------- C:\WINDOWS\l2schemas
2008-06-15 20:05:55 0 d-------- C:\WINDOWS\ServicePackFiles
2008-06-15 19:32:24 0 d-------- C:\Documents and Settings\All Users\Application Data\SSScanAppDataDir
2008-06-15 19:32:15 0 d-------- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
2008-06-15 19:31:52 0 d-------- C:\Documents and Settings\p0800086\Application Data\Canon
2008-06-15 19:28:54 0 d--h----- C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-06-15 19:24:10 0 d--h----- C:\WINDOWS\system32\CanonIJ Uninstaller Information
2008-06-15 19:23:51 0 d--h----- C:\Program Files\CanonBJ
2008-06-01 12:52:50 0 d-------- C:\Documents and Settings\p0800086\.idlerc


-- Find3M Report ---------------------------------------------------------------

2008-06-24 17:38:27 0 d-------- C:\Documents and Settings\p0800086\Application Data\Skype
2008-06-19 15:22:39 0 d-------- C:\Program Files\ZwCAD 2006i
2008-06-15 20:18:54 0 d-------- C:\Program Files\Messenger
2008-06-15 20:08:50 0 d-------- C:\Program Files\Movie Maker
2008-06-15 20:05:41 0 d-------- C:\Program Files\Windows NT
2008-05-22 15:08:37 52224 --a------ C:\WINDOWS\xml2u32c.dll <Not Verified; Microsoft Corporation; XML parser library>
2008-05-22 13:05:42 0 d-------- C:\Documents and Settings\p0800086\Application Data\Help
2008-05-22 09:33:19 0 d-------- C:\Program Files\Trend Micro
2008-05-22 08:21:57 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-20 14:15:30 0 d-------- C:\Program Files\Microsoft Games
2008-05-20 11:41:16 0 d-------- C:\Program Files\National Instruments
2008-05-15 13:24:26 0 d-------- C:\Program Files\Sony Ericsson
2008-05-12 17:03:44 0 d-------- C:\Program Files\MSECache
2008-05-12 16:17:05 0 d-------- C:\Program Files\Messenger Plus! Live
2008-05-12 14:14:01 0 d-------- C:\Documents and Settings\p0800086\Application Data\Media Player Classic
2008-05-12 14:12:48 0 d-------- C:\Program Files\Combined Community Codec Pack
2008-05-08 22:08:42 0 d-------- C:\Program Files\FreeMind
2008-04-28 14:25:04 0 d-------- C:\Documents and Settings\p0800086\Application Data\National Instruments
2008-04-28 14:18:01 0 d-------- C:\Program Files\HI-TECH Software
2008-04-28 14:17:29 0 d-------- C:\Program Files\Common Files\Merge Modules
2008-04-27 23:29:17 0 d-------- C:\Documents and Settings\p0800086\Application Data\CyberLink
2008-04-24 15:47:31 0 d-------- C:\Program Files\Pixologic
2008-04-24 15:34:42 0 d-------- C:\Program Files\Salaat Time
2008-04-24 15:21:17 0 d-------- C:\Program Files\DivineIslam
2008-04-24 14:40:59 0 d-------- C:\Program Files\GameShadow
2008-04-24 14:37:46 0 d-------- C:\Program Files\Eidos
2008-04-24 14:37:45 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-24 13:54:45 0 d-------- C:\Program Files\Common Files\Autodesk Shared
2008-04-24 13:54:41 0 d-------- C:\Program Files\AutoCAD 2006
2008-04-24 13:54:23 0 d-------- C:\Program Files\AnswerWorks 4.0
2008-04-24 13:50:28 0 d-------- C:\Documents and Settings\p0800086\Application Data\Autodesk
2008-04-24 13:50:00 0 d-------- C:\Program Files\Common Files
2008-04-24 13:49:56 0 d-------- C:\Program Files\Autodesk
2008-04-22 10:34:50 0 --a------ C:\WINDOWS\system32\UTSCSI.EXE
2008-04-14 05:41:52 276992 --a------ C:\WINDOWS\system32\comdlg32.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5f90c0e3-4c0a-4d54-a8ac-5afe6163a99e}]
C:\Program Files\Starware316\bin\Starware316.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72A128E0-2240-40c8-9E92-5387D64F839E}]
22-05-2008 03:08 PM 52224 --a------ C:\WINDOWS\xml2u32c.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [25-07-2007 03:02 PM]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [03-10-2007 03:15 PM]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [22-09-2004 08:00 PM]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [06-08-2004 03:50 AM]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [07-10-2003 09:48 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [31-01-2008 11:13 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25-09-2007 01:11 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [12-02-2008 03:55 PM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [05-09-2007 05:13 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [05-09-2007 05:13 PM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [05-09-2007 05:13 PM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [04-08-2004 08:00 PM]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [04-08-2004 08:00 PM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [04-08-2004 08:00 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04-08-2004 08:00 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04-08-2004 08:00 PM]
"startupmessage"="C:\FY08-NB Startup Message v2.htm" [16-02-2008 11:13 AM]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [08-02-2005 04:38 PM]
"@"="" []
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [26-10-2005 05:17 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11-01-2008 10:16 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [14-04-2008 05:42 AM]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [22-01-2007 03:23 PM]
"Power2GoExpress"="NA" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [24-04-2008 10:10 AM]
"SalaatTime"="C:\Program Files\Salaat Time\SalaatTime.exe" [26-08-2007 05:38 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [14-04-2008 05:42 AM]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [18-10-2007 11:34 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [05-03-2005 9:18:22 PM]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [12-05-2006 1:33:22 PM]
MapToPDrive.bat [01-03-2006 1:02:54 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80cbe4ee-1012-11dd-85a9-001e37a53354}]
AutoRun\command- G:\USBNB.exe




-- End of Deckard's System Scanner: finished at 2008-06-24 17:58:04 ------------



thanks for the help.
abu
Regular Member
 
Posts: 23
Joined: May 21st, 2008, 9:27 pm

Re: Bufferoverflow 2

Unread postby Rodav » June 24th, 2008, 10:05 am

When you ran NoLop it should have produced a report which I will need to see. The report is located at C:\NoLop.log please post this in your next reply.


Step 1:
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O2 - BHO: (no name) - {5f90c0e3-4c0a-4d54-a8ac-5afe6163a99e} - C:\Program Files\Starware316\bin\Starware316.dll (file missing)
    O2 - BHO: XMLDP Class - {72A128E0-2240-40c8-9E92-5387D64F839E} - C:\WINDOWS\xml2u32c.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: Starware Screensavers Toolbar - {1962c5bc-e475-465b-823b-133e711bceb9} - C:\Program Files\Starware316\bin\Starware316.dll (file missing)


  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application and Restart your computer.

Step 2:
    Older versions of Java have vulnerabilities that malware can use to infect your system.
    Please follow these steps to remove older version Java components.
    • Close any programs you may have running, ESPECIALLY your web browser
    • Click Start > Control Panel > Add/Remove Programs.
    • Check Java(TM) 6 Update 3
    • Click the Remove or Change/Remove button.
    • Reboot your computer once all Java components are removed.
    Then download the latest version of Java Runtime Environment(JRE) and install it to your computer.


Step 3:
    Please download ATF cleaner
    Make sure that all browser windows are closed.
      Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Deselect Cookies
      Click the Empty Selected button.
      You can select cookies but you will have to re enter your login details to websites you frequent.
    If you use Firefox browser
      Click Firefox at the top and choose: Select All
      Deselect Firefox Cookies
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
      Click Opera at the top and choose: Select All
      Deselect Opera Cookies
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.


Step 4:
    Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location.
    • The log can also be found here:
      C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    • Post that log back here.


Step 5:
    Please go to Kaspersky website and perform an online antivirus scan.
    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
        Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
        Mail databases
    • Click on My Computer under Scan and then put the kettle on!
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
    • Copy and paste the report into your next reply.


Step 6:
Run DSS (Deckard System Scanner) and in your next reply please post:
  • The NoLop report that I asked you about earlier
  • The online Kaspersky scan results
  • The Malwarebytes report
  • The new DSS log
Also please let me know how your computer is running.
User avatar
Rodav
MRU Master Emeritus
 
Posts: 1480
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.

Re: Bufferoverflow 2

Unread postby Rodav » June 27th, 2008, 10:00 am

Hi abu,

Do you still need any help?
User avatar
Rodav
MRU Master Emeritus
 
Posts: 1480
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.

Re: Bufferoverflow 2

Unread postby abu » June 27th, 2008, 10:30 am

hi
i am fine.. jus was caught up s will post u the reply real soon..
thks...
abu
Regular Member
 
Posts: 23
Joined: May 21st, 2008, 9:27 pm

Re: Bufferoverflow 2

Unread postby abu » June 29th, 2008, 5:59 am

hi ter,.
i am not able to download the java software..
and i am not sure abt the rest of the steps..there is no prompt to download in step 3 and 4..
it opens a webpage in which i am not sure which one to download...

thanks..
abu
Regular Member
 
Posts: 23
Joined: May 21st, 2008, 9:27 pm

Re: Bufferoverflow 2

Unread postby Rodav » June 29th, 2008, 11:10 am

Hi abu,

You can download Java by going to: http://java.sun.com/javase/downloads/index.jsp then scroll down the page and find Java Runtime Environment (JRE) 6 Update 6, click the download button beside it, then follow the instructions to install it. If you are still having problems let me know.

You can download ATF cleaner directly from here
You can then proceed with Step 3: from my previous post.

You can download Malwarebytes directly from here
You can then proceed with Step 4: from my previous post.


Status Check
Run DSS (Deckard System Scanner) and in your next reply please post:
  • The NoLop report that I asked you about earlier
  • The online Kaspersky scan results
  • The Malwarebytes report
  • The new DSS log
Also please let me know how your computer is running.
User avatar
Rodav
MRU Master Emeritus
 
Posts: 1480
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.
Advertisement
Register to Remove

Next

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 29 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware