joke-bluescree.c

Post by harris » July 18th, 2008, 3:09 pm

Hi,

Please, I need some help. I cannot get rid of this spyware\virus.... joke-bluescree.c
I use McAfee - but it can't get rid of it.

I tried Spybot S&D, but it didn't help either.

Here is the HiJackThis log.

Please help.

Many Thanks
Harris
----------------->>>>>

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:50:04 PM, on 2008/07/18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Centenn.ial\Audit\CAgent32.exe
C:\Centenn.ial\Audit\xferwan.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Composite Software\CIS 4.5.0\apps\mysql-4_1_10\bin\mysqld.exe
C:\Program Files\Microsoft Firewall Client 2004\FwcAgent.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\WINDOWS\system32\nutsrv4.exe
C:\product\10.1.3.1\OracleAS_1\Mobile\Sdk\BIN\olsv2040.exe
C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\WINDOWS\System32\snmp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Composite Software\CIS 4.5.0\bin\monitor.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\Composite Software\CIS 4.5.0\jre\bin\java.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Composite Software\CIS 4.5.0\jre\bin\java.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Microsoft Firewall Client 2004\FwcMgmt.exe
C:\Program Files\Microsoft SQL Server\80\Tools\binn\sqlmangr.exe
C:\Program Files\Red Gate\SQL Prompt 3\Redgate.SQLPrompt.TrayApp.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\McAfee\Common Framework\McScript_InUse.exe
C:\Documents and Settings\premesh.premji\Desktop\HiJackThis.exe
C:\Program Files\Microsoft SQL Server\90\Tools\Binn\VSShell\Common7\IDE\SqlWb.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news24.co.za/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.news24.co.za/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 152.111.1.29:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\PROGRA~1\MKSTOO~1\bin\ncoeenv.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Discovery User Input] C:\Discovery\User Input\userin32.exe
O4 - HKLM\..\Run: [lphcl35j0e79e] C:\WINDOWS\system32\lphcl35j0e79e.exe
O4 - HKLM\..\Run: [SMrhcg35j0e79e] C:\Program Files\rhcg35j0e79e\rhcg35j0e79e.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-2957814432-993708720-2358499028-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'premesh')
O4 - HKUS\S-1-5-21-2957814432-993708720-2358499028-1005\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'premesh')
O4 - HKUS\S-1-5-21-2957814432-993708720-2358499028-1005\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 (User 'premesh')
O4 - HKUS\S-1-5-21-2957814432-993708720-2358499028-1005\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" (User 'premesh')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Microsoft Firewall Client Management.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\binn\sqlmangr.exe
O4 - Global Startup: SQL Prompt Query Analyzer Integration.lnk = C:\Program Files\Red Gate\SQL Prompt 3\Redgate.SQLPrompt.TrayApp.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0C89E27C-DD69-44BB-A32E-4D093E859FB2} (strprint.trprints) - https://mcp.microsoft.com/mcp/tools/MCP ... tPrint.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2100693390
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/ ... taller.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://compositesw.webex.com/client/T2 ... eatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = za.ds.naspers.com
O17 - HKLM\Software\..\Telephony: DomainName = za.ds.naspers.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = za.ds.naspers.com
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: CentennialClientAgent - Centennial Software Limited - C:\Centenn.ial\Audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial Software Limited - C:\Centenn.ial\Audit\xferwan.exe
O23 - Service: Cognos 8 - Cognos Incorporated - C:\Program Files\cognos\c8\bin\cogbootstrapservice.exe
O23 - Service: Composite Server 4.5.0 - Unknown owner - C:\Program Files\Composite Software\CIS 4.5.0\bin\monitor.exe
O23 - Service: Composite Server Repository 4.5.0 - Unknown owner - C:\Program.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NuTCRACKER Service (NuTCRACKERService) - MKS Software Inc. - C:\WINDOWS\system32\nutsrv4.exe
O23 - Service: Oracle Lite Multiuser Service (OliteService) - Oracle Corporation - C:\product\10.1.3.1\OracleAS_1\Mobile\Sdk\BIN\olsv2040.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 11915 bytes
harris
Active Member
 
Posts: 5
Joined: July 18th, 2008, 2:58 pm

Re: joke-bluescree.c

Post by Shaba » July 21st, 2008, 2:11 am

Hi harris

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Please post contents of that file in your next reply.

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt into your post.

Post:

- mbam report
- dss logs (taken after mbam run)
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: joke-bluescree.c

Post by harris » July 21st, 2008, 10:24 am

Hi,

Thanks for helping.

Here is the Malwarebytes' Anti-Malware 1.22 output:

Malwarebytes' Anti-Malware 1.22
Database version: 972
Windows 5.1.2600 Service Pack 2

03:53:14 PM 2008/07/21
mbam-log-7-21-2008 (15-53-14).txt

Scan type: Full Scan (C:\|)
Objects scanned: 246040
Time elapsed: 4 hour(s), 54 minute(s), 33 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 11
Files Infected: 18

Memory Processes Infected:
C:\WINDOWS\system32\lphcl35j0e79e.exe (Trojan.Zlob) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\rhcg35j0e79e (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcl35j0e79e (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhcg35j0e79e (Trojan.FakeAlert) -> Delete on reboot.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\premesh.premji\Application Data\rhcg35j0e79e (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\premesh.premji\Application Data\rhcg35j0e79e\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\premesh.premji\Application Data\rhcg35j0e79e\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\premesh.premji\Application Data\rhcg35j0e79e\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\premesh.premji\Application Data\rhcg35j0e79e\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\premesh.premji\Application Data\rhcg35j0e79e\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\premesh.premji\Application Data\rhcg35j0e79e\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\premesh.premji\Application Data\rhcg35j0e79e\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\premesh.premji\Application Data\rhcg35j0e79e\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\premesh.premji\Application Data\rhcg35j0e79e\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\premesh.premji\Application Data\rhcg35j0e79e\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\lphcl35j0e79e.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\0xf9.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Info\Docs\Downloads\Divx and Codecs\mpeg-2_codec[www.free-codecs.com]\MPEG-2.EXE (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Info\Software\Blaze DVD copy\Keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP4\A0000546.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\atmccli.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\atmgr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phcl35j0e79e.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\premesh.premji\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\premesh.premji\Local Settings\Temp\.tt3.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\premesh.premji\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\premesh.premji\Local Settings\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\premesh.premji\Local Settings\Temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\premesh.premji\Local Settings\Temp\.tt9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\premesh.premji\Local Settings\Temp\.ttB.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\premesh.premji\Local Settings\Temp\.ttC.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\premesh.premji\Local Settings\Temp\.ttD.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.


------------------------->>>>>>>>>>>>>>>>

Deckard's System Scanner v20071014.68
Main.txt output:

Deckard's System Scanner v20071014.68
Run by premesh.premji on 2008-07-21 16:04:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-07-21 14:05:32 UTC - RP5 - Deckard's System Scanner Restore Point
1: 2008-07-18 12:45:50 UTC - RP4 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 7.72 GiB (less than 15%) free.


-- HijackThis (run as premesh.premji.exe) --------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:11:10 PM, on 2008/07/21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Centenn.ial\Audit\CAgent32.exe
C:\Centenn.ial\Audit\xferwan.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Composite Software\CIS 4.5.0\apps\mysql-4_1_10\bin\mysqld.exe
C:\Program Files\Microsoft Firewall Client 2004\FwcAgent.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\WINDOWS\system32\nutsrv4.exe
C:\product\10.1.3.1\OracleAS_1\Mobile\Sdk\BIN\olsv2040.exe
C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\WINDOWS\System32\snmp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Composite Software\CIS 4.5.0\bin\monitor.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\Composite Software\CIS 4.5.0\jre\bin\java.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Composite Software\CIS 4.5.0\jre\bin\java.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Microsoft Firewall Client 2004\FwcMgmt.exe
C:\Program Files\Microsoft SQL Server\80\Tools\binn\sqlmangr.exe
C:\Program Files\Red Gate\SQL Prompt 3\Redgate.SQLPrompt.TrayApp.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Documents and Settings\premesh.premji\Desktop\dss.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\McAfee\Common Framework\McScript_InUse.exe
C:\DOCUME~1\PREMES~1.PRE\Desktop\premesh.premji.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news24.co.za/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.news24.co.za/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 152.111.1.29:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\PROGRA~1\MKSTOO~1\bin\ncoeenv.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Discovery User Input] C:\Discovery\User Input\userin32.exe
O4 - HKLM\..\Run: [lphcl35j0e79e] C:\WINDOWS\system32\lphcl35j0e79e.exe
O4 - HKLM\..\Run: [SMrhcg35j0e79e] C:\Program Files\rhcg35j0e79e\rhcg35j0e79e.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-2957814432-993708720-2358499028-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'premesh')
O4 - HKUS\S-1-5-21-2957814432-993708720-2358499028-1005\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'premesh')
O4 - HKUS\S-1-5-21-2957814432-993708720-2358499028-1005\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 (User 'premesh')
O4 - HKUS\S-1-5-21-2957814432-993708720-2358499028-1005\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" (User 'premesh')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Microsoft Firewall Client Management.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\binn\sqlmangr.exe
O4 - Global Startup: SQL Prompt Query Analyzer Integration.lnk = C:\Program Files\Red Gate\SQL Prompt 3\Redgate.SQLPrompt.TrayApp.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0C89E27C-DD69-44BB-A32E-4D093E859FB2} (strprint.trprints) - https://mcp.microsoft.com/mcp/tools/MCP ... tPrint.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2100693390
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/ ... taller.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://compositesw.webex.com/client/T2 ... eatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = za.ds.naspers.com
O17 - HKLM\Software\..\Telephony: DomainName = za.ds.naspers.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = za.ds.naspers.com
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: CentennialClientAgent - Centennial Software Limited - C:\Centenn.ial\Audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial Software Limited - C:\Centenn.ial\Audit\xferwan.exe
O23 - Service: Cognos 8 - Cognos Incorporated - C:\Program Files\cognos\c8\bin\cogbootstrapservice.exe
O23 - Service: Composite Server 4.5.0 - Unknown owner - C:\Program Files\Composite Software\CIS 4.5.0\bin\monitor.exe
O23 - Service: Composite Server Repository 4.5.0 - Unknown owner - C:\Program.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NuTCRACKER Service (NuTCRACKERService) - MKS Software Inc. - C:\WINDOWS\system32\nutsrv4.exe
O23 - Service: Oracle Lite Multiuser Service (OliteService) - Oracle Corporation - C:\product\10.1.3.1\OracleAS_1\Mobile\Sdk\BIN\olsv2040.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 11822 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\PREMES~1.PRE\Desktop\backups\) --------

backup-20080718-150936-876 O4 - HKLM\..\Run: [lphcl35j0e79e] C:\WINDOWS\system32\lphcl35j0e79e.exe
backup-20080718-151020-565 O4 - HKLM\..\Run: [lphcl35j0e79e] C:\WINDOWS\system32\lphcl35j0e79e.exe
backup-20080718-151324-226 O4 - HKLM\..\Run: [lphcl35j0e79e] C:\WINDOWS\system32\lphcl35j0e79e.exe
backup-20080718-151324-266 O4 - HKLM\..\Run: [Discovery User Input] C:\Discovery\User Input\userin32.exe
backup-20080718-151324-474 O4 - HKLM\..\Run: [SMrhcg35j0e79e] C:\Program Files\rhcg35j0e79e\rhcg35j0e79e.exe
backup-20080718-211049-113 O4 - HKLM\..\Run: [SMrhcg35j0e79e] C:\Program Files\rhcg35j0e79e\rhcg35j0e79e.exe
backup-20080718-211049-333 O4 - HKLM\..\Run: [lphcl35j0e79e] C:\WINDOWS\system32\lphcl35j0e79e.exe
backup-20080718-211049-885 O4 - HKLM\..\Run: [Discovery User Input] C:\Discovery\User Input\userin32.exe

-- File Associations -----------------------------------------------------------

.chm - Compiled Help Module - DefaultIcon - unable to read value
.chm - Compiled Help Module - shell\open\command - unable to read value


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 Tosrfcom (Bluetooth RFCOMM from TOSHIBA) - c:\windows\system32\drivers\tosrfcom.sys <Not Verified; TOSHIBA Corporation; Bluetooth RFCOMM Driver>
R2 ElbyCDIO (ElbyCDIO Driver) - c:\windows\system32\drivers\elbycdio.sys <Not Verified; Elaborate Bytes AG; CDRTools>
R3 ElbyDelay - c:\windows\system32\drivers\elbydelay.sys <Not Verified; Elaborate Bytes; CDRTools>
R3 tosporte (Bluetooth Port Driver from Toshiba) - c:\windows\system32\drivers\tosporte.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Bluetooth Port Emulation Driver>
R3 Tosrfbd (Bluetooth RFBUS from TOSHIBA) - c:\windows\system32\drivers\tosrfbd.sys <Not Verified; TOSHIBA CORPORATION; Bluetooth BUS Driver(WindowsXP,Windows2000)>
R3 Tosrfbnp (Bluetooth RFBNEP from TOSHIBA) - c:\windows\system32\drivers\tosrfbnp.sys <Not Verified; TOSHIBA Corporation; Bluetooth RFBNEP Driver from TOSHIBA>
R3 Tosrfhid (Bluetooth RFHID from TOSHIBA) - c:\windows\system32\drivers\tosrfhid.sys <Not Verified; TOSHIBA Corporation.; Bluetooth HID Driver from TOSHIBA>
R3 tosrfnds (Bluetooth Personal Area Network from TOSHIBA) - c:\windows\system32\drivers\tosrfnds.sys <Not Verified; TOSHIBA Corporation.; Bluetooth BNEP Driver from TOSHIBA>
R3 Tosrfusb (Bluetooth USB Controller) - c:\windows\system32\drivers\tosrfusb.sys <Not Verified; TOSHIBA CORPORATION; Microsoft(R) Windows NT(R) Operating System>

S3 CdProbe - c:\windows\system32\drivers\cdprobe.sys <Not Verified; Centennial Software Limited; Centennial Discovery(R)>
S3 Profos - c:\program files\common files\bitdefender\bitdefender threat scanner\profos.sys (file missing)
S3 Trufos - c:\program files\common files\bitdefender\bitdefender threat scanner\trufos.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CentennialClientAgent - "c:\centenn.ial\audit\cagent32.exe" <Not Verified; Centennial Software Limited; Centennial Discovery(R)>
R2 CentennialIPTransferAgent - "c:\centenn.ial\audit\xferwan.exe" <Not Verified; Centennial Software Limited; Centennial Discovery(R)>
R2 Composite Server 4.5.0 - "c:\program files\composite software\cis 4.5.0\bin\monitor.exe" -s "c:\program files\composite software\cis 4.5.0\conf\monitor\wrapper.conf"
R2 Composite Server Repository 4.5.0 - "c:\program files\composite software\cis 4.5.0\apps\mysql-4_1_10\bin\mysqld" "--defaults-file=c:\program files\composite software\cis 4.5.0\apps\mysql-4_1_10\my.ini" "composite server repository 4.5.0" (file missing)
R2 OliteService (Oracle Lite Multiuser Service) - c:\product\10.1.3.1\oracleas_1\mobile\sdk\bin\olsv2040.exe <Not Verified; Oracle Corporation; Oracle Lite>

S3 Cognos 8 - "c:\program files\cognos\c8\bin\cogbootstrapservice.exe" <Not Verified; Cognos Incorporated; bootstrapservice>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-15 14:31:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-06-21 and 2008-07-21 -----------------------------

2008-07-21 10:54:39 0 d-------- C:\Documents and Settings\premesh.premji\Application Data\Malwarebytes
2008-07-21 10:54:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-21 10:54:07 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-18 15:49:03 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-18 15:48:52 0 d-------- C:\Program Files\SpywareBlaster
2008-07-18 14:39:46 0 d-------- C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
2008-07-18 10:27:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-17 05:37:00 0 d-------- C:\Documents and Settings\premesh.premji\Application Data\Apple Computer
2008-07-14 13:13:58 0 d--h----- C:\Documents and Settings\premesh.premji\Recent
2008-07-02 10:04:51 9248 --a------ C:\WINDOWS\system32\drivers\CDProbe.SYS <Not Verified; Centennial Software Limited; Centennial Discovery(R)>
2008-07-01 09:53:32 0 d--hs---- C:\Discovery
2008-07-01 09:53:24 0 d--hs---- C:\CENTENN.IAL
2008-06-26 16:10:56 0 d-------- C:\Documents and Settings\premesh.premji\Application Data\webex
2008-06-25 17:11:09 0 d-------- C:\Program Files\QuickTime
2008-06-25 17:11:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-25 17:10:46 0 d-------- C:\Program Files\Apple Software Update
2008-06-25 17:10:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple


-- Find3M Report ---------------------------------------------------------------

2008-06-13 15:23:08 0 d-------- C:\Program Files\Microsoft SQL Server 2000 Driver for JDBC
2008-06-13 14:28:26 0 d--h----- C:\Program Files\Zero G Registry
2008-06-13 14:28:05 466944 --a------ C:\WINDOWS\system32\composite45.dll <Not Verified; Composite Software; Composite 4.5.0 ODBC Driver>
2008-06-13 14:24:29 0 d-------- C:\Program Files\Composite Software


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004/08/04 02:00 PM C:\WINDOWS\system32\bthprops.cpl]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006/01/05 10:30 AM C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006/02/07 07:39 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006/02/07 07:36 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006/02/07 07:40 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006/01/13 04:33 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008/02/22 04:25 AM]
"Resume copy"="copyfstq.exe" [2007/02/09 02:43 PM C:\WINDOWS\copyfstq.exe]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007/01/01 11:22 PM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007/08/24 07:00 AM]
"NuTCSetupEnviron"="C:\PROGRA~1\MKSTOO~1\bin\ncoeenv.exe" [2006/09/29 05:37 PM]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\udaterui.exe" [2008/03/14 04:00 AM]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2008/01/24 08:50 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008/05/27 10:50 AM]
"RegistryMechanic"="" []
"Discovery User Input"="C:\Discovery\User Input\userin32.exe" [2007/06/04 12:45 PM]
"lphcl35j0e79e"="C:\WINDOWS\system32\lphcl35j0e79e.exe" []
"SMrhcg35j0e79e"="C:\Program Files\rhcg35j0e79e\rhcg35j0e79e.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004/08/04 02:00 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004/10/13 06:24 PM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006/11/13 01:39 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008/07/07 09:42 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005/09/23 10:05:26 PM]
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2006/04/07 04:37:00 PM]
Microsoft Firewall Client Management.lnk - C:\WINDOWS\Installer\{199B7F78-69B7-47C5-8D4B-A3ED1391FB6B}\NewShortcut1_8C7A59A89ABE459A9A9308C281A4A264.exe [2007/02/23 11:36:31 AM]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\binn\sqlmangr.exe [2007/04/10 11:08:12 AM]
SQL Prompt Query Analyzer Integration.lnk - C:\Program Files\Red Gate\SQL Prompt 3\Redgate.SQLPrompt.TrayApp.exe [2007/03/14 04:44:36 PM]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007/02/05 05:40:46 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"RunLogonScriptSync"=1 (0x1)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007/02/05 05:39 PM 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-346516054-2126666095-3128096205-32682\Scripts\Logon\0\0]
"Script"=EMWProf.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-346516054-2126666095-3128096205-32682\Scripts\Logon\1\0]
"Script"=outlooknk2.bat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ




-- Hosts -----------------------------------------------------------------------

10.10.10.10 ZEUS
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com

8829 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-21 16:12:21 ------------


----------------------------->>>>>>>>>>>>>>>>>


Deckard's System Scanner v20071014.68 - Extra.txt
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Genuine Intel(R) CPU T2050 @ 1.60GHz
CPU 1: Genuine Intel(R) CPU T2050 @ 1.60GHz
Percentage of Memory in Use: 42%
Physical Memory (total/avail): 2038.11 MiB / 1181.02 MiB
Pagefile Memory (total/avail): 4940.62 MiB / 4084.97 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1943.88 MiB

C: is Fixed (NTFS) - 74.52 GiB total, 7.71 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST980811AS - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: Norton Internet Worm Protection v2006 (Symantec) Disabled
FW: Bitdefender Firewall v8.0 (BitDefender) Disabled
AV: Bitdefender Antivirus v8.0 (BitDefender) Disabled
AV: VirusScan Enterprise + AntiSpyware Enterprise v8.5.0.781 (McAfee, Inc.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\IBM\\InformationServer\\Clients\\ISC\\isc.exe"="C:\\IBM\\InformationServer\\Clients\\ISC\\isc.exe:*:Enabled:IBM Information Server console"
"C:\\IBM\\InformationServer\\Clients\\Classic\\director.exe"="C:\\IBM\\InformationServer\\Clients\\Classic\\director.exe:*:Enabled:DataStage Director"
"C:\\IBM\\InformationServer\\Clients\\Classic\\DSDesign.exe"="C:\\IBM\\InformationServer\\Clients\\Classic\\DSDesign.exe:*:Enabled:DataStage Designer"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Disabled:Windows® NetMeeting®"
"C:\\Documents and Settings\\premesh.premji\\Local Settings\\Temp\\I1213350196\\Windows\\resource\\jre\\bin\\javaw.exe"="C:\\Documents and Settings\\premesh.premji\\Local Settings\\Temp\\I1213350196\\Windows\\resource\\jre\\bin\\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"C:\\Documents and Settings\\premesh.premji\\Local Settings\\Temp\\I1213356229\\Windows\\resource\\jre\\bin\\javaw.exe"="C:\\Documents and Settings\\premesh.premji\\Local Settings\\Temp\\I1213356229\\Windows\\resource\\jre\\bin\\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\premesh\\Local Settings\\Temp\\OraInstall2007-10-02_01-46-37PM\\jre\\1.4.2\\bin\\javaw.exe"="C:\\Documents and Settings\\premesh\\Local Settings\\Temp\\OraInstall2007-10-02_01-46-37PM\\jre\\1.4.2\\bin\\javaw.exe:*:Enabled:javaw"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\premesh.premji\Application Data
CLASSPATH=.;C:\product\10.1.3.1\OracleAS_1\MOBILE\Sdk\bin\OLITE40.JAR;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ZEUS
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFLOGDIR=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
DISPLAY=:0.0
FP_NO_HOST_CHECK=NO
HOME=C:\Documents and Settings\premesh.premji
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\premesh.premji
JAVA_HOME=C:\Program Files\Java\jre1.5.0_07
lib=C:\Program Files\SQLXML 4.0\bin\
LOGONSERVER=\\02CPT-CDC02
MAN_CHM_INDEX=C:/PROGRA~1/MKSTOO~1/etc/chm/tkutil.idx;C:/PROGRA~1/MKSTOO~1/etc/chm/tkapi.idx;C:/PROGRA~1/MKSTOO~1/etc/chm/tcltk.idx;C:/PROGRA~1/MKSTOO~1/etc/chm/tkcurses.idx
MAN_HTM_PATHS=C:/PROGRA~1/MKSTOO~1/etc/htm/perl;C:/PROGRA~1/MKSTOO~1/etc/htm/perl/pod;C:/PROGRA~1/MKSTOO~1/etc/htm/perl/ext;C:/PROGRA~1/MKSTOO~1/etc/htm/perl/lib
MAN_TXT_INDEX=C:/PROGRA~1/MKSTOO~1/etc/tkutil.idx;C:/PROGRA~1/MKSTOO~1/etc/tkapi.idx;C:/PROGRA~1/MKSTOO~1/etc/tcltk.idx;C:/PROGRA~1/MKSTOO~1/etc/tkcurses.idx
NUMBER_OF_PROCESSORS=2
NUTCROOT=C:\PROGRA~1\MKSTOO~1
OS=Windows_NT
Path=C:\PROGRA~1\MKSTOO~1\mksnt;C:\PROGRA~1\MKSTOO~1\bin;C:\PROGRA~1\MKSTOO~1\bin\X11;C:\PROGRA~1\MKSTOO~1\mksnt;C:\IBM\InformationServer\ASBNode\lib\cpp;C:\IBM\InformationServer\ASBNode\apps\proxy\cpp\vc60\MT_dll\bin;;C:\oracle\product\10.2.0\client_2\bin;C:\oracle\product\10.2.0\client_1;C:\product\10.1.3.1\OracleAS_1\jdk\bin;C:\product\10.1.3.1\OracleAS_1\ant\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\PROGRA~1\ULTRAE~1;C:\Program Files\Microsoft SQL Server\80\Tools\BINN;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\Microsoft SQL Server\90\DTS\Binn\;C:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\Microsoft SQL Server\90\Tools\Binn\VSShell\Common7\IDE\;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\;C:\product\10.1.3.1\OracleAS_1\MOBILE\sdk\bin;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.sh;.ksh;.csh;.sed;.awk;.pl
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
ROOTDIR=C:/PROGRA~1/MKSTOO~1
SESSIONNAME=Console
SHELL=C:/PROGRA~1/MKSTOO~1/mksnt/sh.exe
SSIS_CONFIG=Provider=SQLOLEDB.1;Server=02CPT-SQL03;Database=Circ_Sales_Datamart_Cycad;Uid=cycad;Pwd=Dacyc01!;
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\PREMES~1.PRE\LOCALS~1\Temp
TERM=nutc
TERMCAP=C:\PROGRA~1\MKSTOO~1\etc\termcap
TERMINFO=C:\PROGRA~1\MKSTOO~1\usr\lib\terminfo
TMP=C:\DOCUME~1\PREMES~1.PRE\LOCALS~1\Temp
USERDNSDOMAIN=ZA.DS.NASPERS.COM
USERDOMAIN=ZA
USERNAME=premesh.premji
USERPROFILE=C:\Documents and Settings\premesh.premji
VS80COMNTOOLS=C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\
VSEDEFLOGDIR=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

ASPNET (new local)
premesh (admin)
Administrator (admin)
premesh.premji (admin)
administrator.CORP (new local, admin, net ready)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
Application Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9EEDCCA3-7F43-4891-A2E2-C80F43318E4B}\Setup.exe" -l0x9
Application Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B398D85B-1919-419B-8E06-29A3A51C350B}\Setup.exe" -l0x9
BitDefender Definitions Update --> MsiExec.exe /X{82D2B5FA-7641-46FA-8F51-7896E968B5BB}
Bluetooth Stack for Windows by Toshiba --> MsiExec.exe /X{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}
CloneDVD --> "C:\Program Files\Elaborate Bytes\CloneDVD\CloneDVD-uninst.exe" /D="C:\Program Files\Elaborate Bytes\CloneDVD"
Composite Software 4.5.0 --> "C:\Program Files\Composite Software\CIS 4.5.0\Uninstall_CompositeSoftware4.5.0\Uninstall CompositeSoftware4.5.0.exe"
Conexant HD Audio --> C:\Program Files\CONEXANT\CNXT_HDAUDIO\HXFSETUP.EXE -U -IDW1Ven5a.inf
Debugging Tools for Windows --> MsiExec.exe /I{5C741A01-05D6-4306-BA6A-DC8401285AE8}
GACRegSetup --> MsiExec.exe /I{4EB40A7E-3D36-4723-9DE3-A2C6427E00DE}
GDR 1406 for SQL Server Analysis Services 2005 ENU (KB932557) --> C:\WINDOWS\OLAP9_KB932557_ENU\Hotfix.exe /Uninstall
GDR 1406 for SQL Server Database Services 2005 ENU (KB932557) --> C:\WINDOWS\SQL9_KB932557_ENU\Hotfix.exe /Uninstall
GDR 1406 for SQL Server Integration Services 2005 ENU (KB932557) --> C:\WINDOWS\DTS9_KB932557_ENU\Hotfix.exe /Uninstall
GDR 1406 for SQL Server Notification Services 2005 ENU (KB932557) --> C:\WINDOWS\NS9_KB932557_ENU\Hotfix.exe /Uninstall
GDR 1406 for SQL Server Reporting Services 2005 ENU (KB932557) --> C:\WINDOWS\RS9_KB932557_ENU\Hotfix.exe /Uninstall
GDR 1406 for SQL Server Tools and Workstation Components 2005 ENU (KB932557) --> C:\WINDOWS\SQLTools9_KB932557_ENU\Hotfix.exe /Uninstall
Google Talk (remove only) --> "C:\Program Files\Google\Google Talk\uninstall.exe"
High Definition Audio Driver Package - KB888111 -->
HijackThis 2.0.2 --> "C:\Documents and Settings\premesh.premji\Desktop\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
IBM Information Server --> C:\IBM\InformationServer\_uninst\suite\uninstall.exe
Intel(R) Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_27A6 PCI\VEN_8086&DEV_27A2
Intel(R) PRO Network Connections Drivers --> Prounstl.exe
J2SE Runtime Environment 5.0 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150070}
Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
K-Lite Codec Pack 2.82 Full --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
MKS Platform Components 9.x --> MsiExec.exe /I{10275939-0500-0900-9ABB-000BDB5CF35D}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
McAfee Agent --> MsiExec.exe /X{A638557B-1F13-40A0-9627-C892FBCA6960}
McAfee AntiSpyware Enterprise Module --> "C:\Program Files\McAfee\VirusScan Enterprise\scan32.exe" /UninstallMAS
McAfee VirusScan Enterprise --> MsiExec.exe /I{35C03C04-3F1F-42C2-A989-A757EE691F65}
Microsoft ActiveSync --> MsiExec.exe /I{99052DB7-9592-4522-A558-5417BBAD48EE}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Device Emulator version 1.0 - ENU --> MsiExec.exe /X{78B75C6D-E53C-424C-BF83-4B63BD4A6682}
Microsoft Document Explorer 2005 --> C:\Program Files\Common Files\Microsoft Shared\Help 8\Microsoft Document Explorer 2005\install.exe
Microsoft Document Explorer 2005 --> MsiExec.exe /X{44D4AF75-6870-41F5-9181-662EA05507E1}
Microsoft Firewall Client --> MsiExec.exe /I{199B7F78-69B7-47C5-8D4B-A3ED1391FB6B}
Microsoft Firewall Client Service Pack 1 --> msiexec /i {199B7F78-69B7-47C5-8D4B-A3ED1391FB6B} MSIPATCHREMOVE={363A9930-9AFF-4A14-A320-6F14EDE20FB0} /qb
Microsoft FxCop 1.35 --> MsiExec.exe /I{846D9AAD-EA7D-4126-9177-F874FD389BE4}
Microsoft MapPoint Mobile Locator 1.0 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{96308393-19AC-4B32-A3DF-EF11A4B686C3}
Microsoft Office 2003 Web Components --> MsiExec.exe /I{90A40409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROR /dll OSETUP.DLL
Microsoft Office Professional 2007 --> MsiExec.exe /X{91120000-0014-0000-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Visio Professional 2003 --> MsiExec.exe /I{90510409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft SQL Server 2000 (ROOT) --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Microsoft SQL Server\MSSQL$ROOT\Uninst.isu" -c"C:\Program Files\Microsoft SQL Server\MSSQL$ROOT\sqlsun.dll" -msql.mif i=ROOT
Microsoft SQL Server 2000 Driver for JDBC Service Pack 1 --> MsiExec.exe /X{51567467-8C2C-4B0F-B1AC-3C9A6A290070}
Microsoft SQL Server 2005 --> "c:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server 2005 --> MsiExec.exe /I{2373A92B-1C1C-4E71-B494-5CA97F96AA19}
Microsoft SQL Server 2005 Analysis Services --> MsiExec.exe /I{982DB00A-9C4E-436B-8707-18E113BAA44C}
Microsoft SQL Server 2005 Backward compatibility --> MsiExec.exe /I{96327C3C-96BE-4C7A-A6F7-A71635E5949A}
Microsoft SQL Server 2005 Books Online (English) --> MsiExec.exe /I{0B43A744-B1B8-4089-9BD1-9D41C7EC0AA3}
Microsoft SQL Server 2005 Integration Services --> MsiExec.exe /I{E0A41F96-7231-4AE8-A654-EEB34F935462}
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools --> MsiExec.exe /X{1389C6A4-4965-4AEC-9175-08B54A10FA48}
Microsoft SQL Server 2005 Notification Services --> MsiExec.exe /I{63A5DC0D-1EDD-4D69-8F31-87FAEB1F7084}
Microsoft SQL Server 2005 Reporting Services --> MsiExec.exe /I{3BDB182E-8371-46BD-AC39-C14A91D5EEF8}
Microsoft SQL Server 2005 Samples --> MsiExec.exe /I{DDF6E319-BCD9-4FE3-9D69-26B2F47BEF7C}
Microsoft SQL Server 2005 Tools --> MsiExec.exe /I{90032DD0-ABEE-4424-AC1E-B076BDD4E350}
Microsoft SQL Server Native Client --> MsiExec.exe /I{50A0893D-47D8-48E0-A7E8-44BCD7E4422E}
Microsoft SQL Server Setup Support Files (English) --> MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer --> MsiExec.exe /I{4BD48CCB-AACD-43CF-8C27-A9D9971DC9C5}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Virtual PC 2007 --> MsiExec.exe /X{8A7CAA24-7B23-410B-A7C3-F994B0944160}
Microsoft Visual J# 2.0 Redistributable Package --> C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft Visual J# 2.0 Redistributable Package\install.exe
Microsoft Visual Studio 2005 Premier Partner Edition - ENU --> MsiExec.exe /I{C25EF637-BE7A-4761-9B45-9069989C319F}
Microsoft Visual Studio 2005 Team Suite - ENU --> C:\Program Files\Microsoft Visual Studio 8\Microsoft Visual Studio 2005 Team Suite - ENU\setup.exe
Microsoft Visual Studio 2005 Tools for Office Runtime --> C:\Program Files\Common Files\Microsoft Shared\VSTO\8.0\Microsoft Visual Studio 2005 Tools for Office Runtime\install.exe
Microsoft Visual Studio 2005 Tools for Office Runtime --> MsiExec.exe /X{388E4B09-3E71-4649-8921-F44A3A2954A7}
Microsoft Windows Software Development Kit for Windows Vista Update (6000.16384.10) --> "C:\Program Files\Microsoft SDKs\Windows\v6.0\Setup\SDKSetup.exe" -x "-source:C:\Program Files\Microsoft SDKs\Windows\v6.0\Setup\1033\;E:\Setup\;E:\Setup"
MySQL Connector/ODBC 3.51 --> MsiExec.exe /I{C0EED196-57F3-46B7-AC3B-B2DD45B01A43}
Oracle Data Provider for .NET Help --> MsiExec.exe /I{6AA003BF-73E5-4911-ADB7-71DD5674DDD4}
QuickTime --> MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
Registry Mechanic 5.2 --> "C:\Program Files\Registry Mechanic\unins000.exe"
SAMSUNG Mobile USB Modem 1.0 Software --> C:\WINDOWS\system32\Samsung\SS_Uninstall.exe
SQL Prompt 3 --> MsiExec.exe /I{679363E6-6A3D-47DA-8479-EE6FB6D485EB}
SQLXML4 --> MsiExec.exe /I{8C62A94B-4AB6-485F-A111-93056684D340}
Samsung PC Studio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C4A4722E-79F9-417C-BD72-8D359A090C97}\setup.exe" -l0x9 -removeonly
Samsung PC Studio 3 USB Driver Installer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EBA29752-DDD2-4B62-B2E3-9841F92A3E3A}\setup.exe" -l0x9 -removeonly
Samsung Samples Installer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7AC15160-A49B-4A89-B181-D4619C025FFF}\setup.exe" -l0x9 -removeonly
Security Update for Excel 2007 (KB946974) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Excel 2007 (KB946974) --> msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Microsoft Office Publisher 2007 (KB950114) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office Publisher 2007 (KB950114) --> msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Office 2007 (KB947801) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Security Update for Office 2007 (KB947801) --> msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Security Update for Outlook 2007 (KB946983) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {66B9496E-C0C3-4065-9868-85CCA92126C3}
Security Update for Outlook 2007 (KB946983) --> msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {66B9496E-C0C3-4065-9868-85CCA92126C3}
Security Update for Step By Step Interactive Training (KB898458) -->
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Visio 2007 (KB947590) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41}
Security Update for Visio 2007 (KB947590) --> msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41}
Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_5045&SUBSYS_152D0755\HXFSETUP.EXE -U -IDW1Venpm.inf
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Striata Reader --> rundll32.exe C:\WINDOWS\system32\keymail.dll,UninstallDll
Symantec KB-DocID:2003093015493306 --> MsiExec.exe /I{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
UltraEdit-32 Uninstall --> C:\PROGRA~1\ULTRAE~1\UEDIT32.EXE /UNINSTALL
Update for Office 2007 (KB946691) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Office 2007 (KB946691) --> msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb950378) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F6296086-AED5-4EC0-938B-08EA0254F20E}
Update for Outlook 2007 Junk Email Filter (kb950378) --> msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {F6296086-AED5-4EC0-938B-08EA0254F20E}
Virtools 3D Life Player --> C:\Program Files\Virtools\3D Life Player\WebplayerConfig.exe -u
WebEx --> C:\WINDOWS\DOWNLO~1\atcliun.exe
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Windows Desktop Search 3.01 --> "C:\WINDOWS\$NtUninstallKB917013$\spuninst\spuninst.exe"
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Mobile Resources --> C:\Program Files\Windows Mobile Resources\Windows Mobile Device Handbook\Bin\DHUninstall.exe
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type60123 / Warning
Event Submitted/Written: 07/21/2008 03:55:55 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type60120 / Error
Event Submitted/Written: 07/21/2008 11:23:02 AM
Event ID/Source: 1008 / McLogEvent
Event Description:
The McShield service terminated unexpectedly.

Please review event 5019 or 5051 for details.
The McShield service will be restarted in 15 seconds;

Event Record #/Type60118 / Error
Event Submitted/Written: 07/21/2008 11:20:52 AM
Event ID/Source: 1008 / McLogEvent
Event Description:
The McShield service terminated unexpectedly.

Please review event 5019 or 5051 for details.
The McShield service will be restarted in 10 seconds;

Event Record #/Type60117 / Error
Event Submitted/Written: 07/21/2008 11:20:52 AM
Event ID/Source: 5051 / McLogEvent
Event Description:
A thread in process C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 9776 (0x2630)

Thread address : 0x7C90EB94

Thread message :

Build VSCORE.13.3.2.125 / 5200.2160
Object being scanned = \Device\HarddiskVolume1\Documents and Settings\premesh.premji\Desktop\cis_win32_8.3.81.4_ml.tar\windows\bundled\install.exe
by C:\Centenn.ial\Audit\CAgent32.exe
4(0)(0)
4(0)(0)
7200(0)(0)
7595(0)(0)
7005(0)(0)
7004(0)(0)
5006(0)(0)
5004(0)(0)

Event Record #/Type60113 / Error
Event Submitted/Written: 07/21/2008 11:12:40 AM
Event ID/Source: 1008 / McLogEvent
Event Description:
The McShield service terminated unexpectedly.

Please review event 5019 or 5051 for details.
The McShield service will be restarted in 5 seconds;



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type32746 / Error
Event Submitted/Written: 07/21/2008 04:10:14 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Event Record #/Type32745 / Warning
Event Submitted/Written: 07/21/2008 04:10:14 PM
Event ID/Source: 14 / W32Time
Event Description:
The time provider NtpClient was unable to find a domain controller to use as a time
source. NtpClient will try again in 15 minutes.

Event Record #/Type32743 / Error
Event Submitted/Written: 07/21/2008 04:01:43 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 15 minutes.
NtpClient has no source of accurate time.

Event Record #/Type32742 / Warning
Event Submitted/Written: 07/21/2008 04:01:43 PM
Event ID/Source: 14 / W32Time
Event Description:
The time provider NtpClient was unable to find a domain controller to use as a time
source. NtpClient will try again in 15 minutes.

Event Record #/Type32741 / Error
Event Submitted/Written: 07/21/2008 04:01:36 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.



-- End of Deckard's System Scanner: finished at 2008-07-21 16:12:21 ------------



------>>>>>>>>>

Many Thanks for your help
Harris
harris
Active Member
 
Posts: 5
Joined: July 18th, 2008, 2:58 pm

Re: joke-bluescree.c

Post by Shaba » July 21st, 2008, 10:34 am

Hi

Have you uninstalled BitDefender?
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: joke-bluescree.c

Post by harris » July 21st, 2008, 4:29 pm

Hi,

Yes I have.
I do however still have the BitDefender Update component installed.
harris
Active Member
 
Posts: 5
Joined: July 18th, 2008, 2:58 pm

Re: joke-bluescree.c

Post by Shaba » July 22nd, 2008, 3:29 am

Hi

Thank you for the info.

Please uninstall it, re-run dss and post back its log :)
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: joke-bluescree.c

Post by harris » July 22nd, 2008, 5:30 am

Hi,

Uninstalled BitDefender.
I noticed that 3 registry entries keep getting added back after they are deleted (even after Malwarebytes deletes them; Spybot tried to block the entry when I denied the registry change, but it still updates the registry) under:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"lphcl35j0e79e"="C:\WINDOWS\system32\lphcl35j0e79e.exe" []
"SMrhcg35j0e79e"="C:\Program Files\rhcg35j0e79e\rhcg35j0e79e.exe" []

The third one is under:

[HKEY_CURRENT_USER

C:\WINDOWS\system32\blphcl35j0e79e.scr

Here is the Main.txt from DSS. There was no Extra.txt that came out.

Many Thanks
Harris


------------------->>>>>>>>>>

Deckard's System Scanner v20071014.68
Run by premesh.premji on 2008-07-22 11:15:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 7.63 GiB (less than 15%) free.


-- HijackThis (run as premesh.premji.exe) --------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:16:25 AM, on 2008/07/22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Centenn.ial\Audit\CAgent32.exe
C:\Centenn.ial\Audit\xferwan.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Composite Software\CIS 4.5.0\apps\mysql-4_1_10\bin\mysqld.exe
C:\Program Files\Microsoft Firewall Client 2004\FwcAgent.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\WINDOWS\system32\nutsrv4.exe
C:\product\10.1.3.1\OracleAS_1\Mobile\Sdk\BIN\olsv2040.exe
C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\WINDOWS\System32\snmp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Composite Software\CIS 4.5.0\bin\monitor.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Composite Software\CIS 4.5.0\jre\bin\java.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Composite Software\CIS 4.5.0\jre\bin\java.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Microsoft Firewall Client 2004\FwcMgmt.exe
C:\Program Files\Microsoft SQL Server\80\Tools\binn\sqlmangr.exe
C:\Program Files\Red Gate\SQL Prompt 3\Redgate.SQLPrompt.TrayApp.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\premesh.premji\Desktop\dss.exe
C:\DOCUME~1\PREMES~1.PRE\Desktop\PREMES~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news24.co.za/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.news24.co.za/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 152.111.1.29:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\PROGRA~1\MKSTOO~1\bin\ncoeenv.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Discovery User Input] C:\Discovery\User Input\userin32.exe
O4 - HKLM\..\Run: [lphcl35j0e79e] C:\WINDOWS\system32\lphcl35j0e79e.exe
O4 - HKLM\..\Run: [SMrhcg35j0e79e] C:\Program Files\rhcg35j0e79e\rhcg35j0e79e.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-2957814432-993708720-2358499028-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'premesh')
O4 - HKUS\S-1-5-21-2957814432-993708720-2358499028-1005\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'premesh')
O4 - HKUS\S-1-5-21-2957814432-993708720-2358499028-1005\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 (User 'premesh')
O4 - HKUS\S-1-5-21-2957814432-993708720-2358499028-1005\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" (User 'premesh')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Microsoft Firewall Client Management.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\binn\sqlmangr.exe
O4 - Global Startup: SQL Prompt Query Analyzer Integration.lnk = C:\Program Files\Red Gate\SQL Prompt 3\Redgate.SQLPrompt.TrayApp.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0C89E27C-DD69-44BB-A32E-4D093E859FB2} (strprint.trprints) - https://mcp.microsoft.com/mcp/tools/MCP ... tPrint.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2100693390
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/ ... taller.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://compositesw.webex.com/client/T2 ... eatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = za.ds.naspers.com
O17 - HKLM\Software\..\Telephony: DomainName = za.ds.naspers.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = za.ds.naspers.com
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: CentennialClientAgent - Centennial Software Limited - C:\Centenn.ial\Audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial Software Limited - C:\Centenn.ial\Audit\xferwan.exe
O23 - Service: Cognos 8 - Cognos Incorporated - C:\Program Files\cognos\c8\bin\cogbootstrapservice.exe
O23 - Service: Composite Server 4.5.0 - Unknown owner - C:\Program Files\Composite Software\CIS 4.5.0\bin\monitor.exe
O23 - Service: Composite Server Repository 4.5.0 - Unknown owner - C:\Program.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NuTCRACKER Service (NuTCRACKERService) - MKS Software Inc. - C:\WINDOWS\system32\nutsrv4.exe
O23 - Service: Oracle Lite Multiuser Service (OliteService) - Oracle Corporation - C:\product\10.1.3.1\OracleAS_1\Mobile\Sdk\BIN\olsv2040.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 11772 bytes

-- Files created between 2008-06-22 and 2008-07-22 -----------------------------

2008-07-21 10:54:39 0 d-------- C:\Documents and Settings\premesh.premji\Application Data\Malwarebytes
2008-07-21 10:54:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-21 10:54:07 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-18 15:49:03 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-18 15:48:52 0 d-------- C:\Program Files\SpywareBlaster
2008-07-18 14:39:46 0 d-------- C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
2008-07-18 10:27:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-17 05:37:00 0 d-------- C:\Documents and Settings\premesh.premji\Application Data\Apple Computer
2008-07-14 13:13:58 0 d--h----- C:\Documents and Settings\premesh.premji\Recent
2008-07-02 10:04:51 9248 --a------ C:\WINDOWS\system32\drivers\CDProbe.SYS <Not Verified; Centennial Software Limited; Centennial Discovery(R)>
2008-07-01 09:53:32 0 d--hs---- C:\Discovery
2008-07-01 09:53:24 0 d--hs---- C:\CENTENN.IAL
2008-06-26 16:10:56 0 d-------- C:\Documents and Settings\premesh.premji\Application Data\webex
2008-06-25 17:11:09 0 d-------- C:\Program Files\QuickTime
2008-06-25 17:11:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-25 17:10:46 0 d-------- C:\Program Files\Apple Software Update
2008-06-25 17:10:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple


-- Find3M Report ---------------------------------------------------------------

2008-06-13 15:23:08 0 d-------- C:\Program Files\Microsoft SQL Server 2000 Driver for JDBC
2008-06-13 14:28:26 0 d--h----- C:\Program Files\Zero G Registry
2008-06-13 14:28:05 466944 --a------ C:\WINDOWS\system32\composite45.dll <Not Verified; Composite Software; Composite 4.5.0 ODBC Driver>
2008-06-13 14:24:29 0 d-------- C:\Program Files\Composite Software


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004/08/04 02:00 PM C:\WINDOWS\system32\bthprops.cpl]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006/01/05 10:30 AM C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006/02/07 07:39 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006/02/07 07:36 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006/02/07 07:40 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006/01/13 04:33 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008/02/22 04:25 AM]
"Resume copy"="copyfstq.exe" [2007/02/09 02:43 PM C:\WINDOWS\copyfstq.exe]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007/01/01 11:22 PM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007/08/24 07:00 AM]
"NuTCSetupEnviron"="C:\PROGRA~1\MKSTOO~1\bin\ncoeenv.exe" [2006/09/29 05:37 PM]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\udaterui.exe" [2008/03/14 04:00 AM]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2008/01/24 08:50 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008/05/27 10:50 AM]
"RegistryMechanic"="" []
"Discovery User Input"="C:\Discovery\User Input\userin32.exe" [2007/06/04 12:45 PM]
"lphcl35j0e79e"="C:\WINDOWS\system32\lphcl35j0e79e.exe" []
"SMrhcg35j0e79e"="C:\Program Files\rhcg35j0e79e\rhcg35j0e79e.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004/08/04 02:00 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004/10/13 06:24 PM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006/11/13 01:39 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008/07/07 09:42 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005/09/23 10:05:26 PM]
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2006/04/07 04:37:00 PM]
Microsoft Firewall Client Management.lnk - C:\WINDOWS\Installer\{199B7F78-69B7-47C5-8D4B-A3ED1391FB6B}\NewShortcut1_8C7A59A89ABE459A9A9308C281A4A264.exe [2007/02/23 11:36:31 AM]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\binn\sqlmangr.exe [2007/04/10 11:08:12 AM]
SQL Prompt Query Analyzer Integration.lnk - C:\Program Files\Red Gate\SQL Prompt 3\Redgate.SQLPrompt.TrayApp.exe [2007/03/14 04:44:36 PM]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007/02/05 05:40:46 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"RunLogonScriptSync"=1 (0x1)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007/02/05 05:39 PM 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-346516054-2126666095-3128096205-32682\Scripts\Logon\0\0]
"Script"=EMWProf.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-346516054-2126666095-3128096205-32682\Scripts\Logon\1\0]
"Script"=outlooknk2.bat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ




-- End of Deckard's System Scanner: finished at 2008-07-22 11:17:10 ------------

Re: joke-bluescree.c

Unread postby Shaba » July 22nd, 2008, 6:17 am

Hi

Yes, TeaTimer needs to be disabled prior to trying to fix those entries.

  1. If you have version 1.5, right click the Spybot Icon in the system tray near the clock (looks like a blue/white calendar with a padlock symbol).
  2. Click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
  3. Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy.
  4. Click on Mode > Advanced Mode. When it prompts you, click Yes.
  5. On the left hand side, click on Tools.
  6. Check (tick) this box if it is not yet ticked: Resident.
  7. You will notice that Resident is now added under Tools. Click on Resident.
  8. Uncheck (untick) this box: Resident "TeaTimer" (Protection of over-all system settings) active.
  9. Exit Spybot Search & Destroy.
  10. Restart your computer for the changes to take effect.

Open HijackThis, click "Do a system scan only" and checkmark these:

O4 - HKLM\..\Run: [lphcl35j0e79e] C:\WINDOWS\system32\lphcl35j0e79e.exe
O4 - HKLM\..\Run: [SMrhcg35j0e79e] C:\Program Files\rhcg35j0e79e\rhcg35j0e79e.exe


Close all windows including browser and press fix checked.

Reboot.

Post back a fresh HijackThis log.

Re: joke-bluescree.c

Unread postby harris » July 25th, 2008, 8:56 am

Hi,

I ran AVG and it came up with a backdoor ... something exe.
It deleted it.

I then went to the registry and deleted those entries manually. It did not create itself automatically again.
I ran DSS - here is the log below.

Do you think it's gone?

Thanks
Premesh

Deckard's System Scanner v20071014.68
Run by premesh.premji on 2008-07-25 14:48:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 6.34 GiB (less than 15%) free.


-- HijackThis (run as premesh.premji.exe) --------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:49:34 PM, on 2008/07/25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Centenn.ial\Audit\CAgent32.exe
C:\Centenn.ial\Audit\xferwan.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Composite Software\CIS 4.5.0\apps\mysql-4_1_10\bin\mysqld.exe
C:\Program Files\Microsoft Firewall Client 2004\FwcAgent.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\WINDOWS\system32\nutsrv4.exe
C:\product\10.1.3.1\OracleAS_1\Mobile\Sdk\BIN\olsv2040.exe
C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\WINDOWS\System32\snmp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Composite Software\CIS 4.5.0\bin\monitor.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\Composite Software\CIS 4.5.0\jre\bin\java.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Composite Software\CIS 4.5.0\jre\bin\java.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Microsoft Firewall Client 2004\FwcMgmt.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Microsoft SQL Server\80\Tools\binn\sqlmangr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Red Gate\SQL Prompt 3\Redgate.SQLPrompt.TrayApp.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\PROGRA~1\MICROS~3\Office12\OUTLOOK.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\premesh.premji\Desktop\dss.exe
C:\DOCUME~1\PREMES~1.PRE\Desktop\PREMES~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news24.co.za/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.news24.co.za/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 152.111.1.29:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\PROGRA~1\MKSTOO~1\bin\ncoeenv.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Discovery User Input] C:\Discovery\User Input\userin32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-21-2957814432-993708720-2358499028-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'premesh')
O4 - HKUS\S-1-5-21-2957814432-993708720-2358499028-1005\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'premesh')
O4 - HKUS\S-1-5-21-2957814432-993708720-2358499028-1005\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 (User 'premesh')
O4 - HKUS\S-1-5-21-2957814432-993708720-2358499028-1005\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" (User 'premesh')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Microsoft Firewall Client Management.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\binn\sqlmangr.exe
O4 - Global Startup: SQL Prompt Query Analyzer Integration.lnk = C:\Program Files\Red Gate\SQL Prompt 3\Redgate.SQLPrompt.TrayApp.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0C89E27C-DD69-44BB-A32E-4D093E859FB2} (strprint.trprints) - https://mcp.microsoft.com/mcp/tools/MCP ... tPrint.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2100693390
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/ ... taller.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://compositesw.webex.com/client/T2 ... eatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = za.ds.naspers.com
O17 - HKLM\Software\..\Telephony: DomainName = za.ds.naspers.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = za.ds.naspers.com
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: CentennialClientAgent - Centennial Software Limited - C:\Centenn.ial\Audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial Software Limited - C:\Centenn.ial\Audit\xferwan.exe
O23 - Service: Cognos 8 - Cognos Incorporated - C:\Program Files\cognos\c8\bin\cogbootstrapservice.exe
O23 - Service: Composite Server 4.5.0 - Unknown owner - C:\Program Files\Composite Software\CIS 4.5.0\bin\monitor.exe
O23 - Service: Composite Server Repository 4.5.0 - Unknown owner - C:\Program.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NuTCRACKER Service (NuTCRACKERService) - MKS Software Inc. - C:\WINDOWS\system32\nutsrv4.exe
O23 - Service: Oracle Lite Multiuser Service (OliteService) - Oracle Corporation - C:\product\10.1.3.1\OracleAS_1\Mobile\Sdk\BIN\olsv2040.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 11160 bytes

-- Files created between 2008-06-25 and 2008-07-25 -----------------------------

2008-07-25 14:42:25 0 dr-h----- C:\Documents and Settings\premesh.premji\Recent
2008-07-25 12:06:39 0 d-------- C:\DWProdFull
2008-07-25 12:05:46 3458079 --a------ C:\FileZilla_2_2_32_setup.exe
2008-07-25 10:28:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-07-25 10:27:58 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-25 09:54:50 86016 --a------ C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2008-07-25 09:47:13 0 d-------- C:\Program Files\Common Files\xing shared
2008-07-25 09:46:18 0 d-------- C:\Program Files\Real
2008-07-25 09:44:45 0 d-------- C:\Documents and Settings\premesh.premji\Application Data\Real
2008-07-25 09:44:00 0 d-------- C:\Program Files\ISL_CD_2007
2008-07-25 09:43:07 0 d-------- C:\Program Files\Common Files\Real
2008-07-22 11:46:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-07-21 10:54:39 0 d-------- C:\Documents and Settings\premesh.premji\Application Data\Malwarebytes
2008-07-21 10:54:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-18 15:49:03 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-18 10:27:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-17 05:37:00 0 d-------- C:\Documents and Settings\premesh.premji\Application Data\Apple Computer
2008-07-02 10:04:51 9248 --a------ C:\WINDOWS\system32\drivers\CDProbe.SYS <Not Verified; Centennial Software Limited; Centennial Discovery(R)>
2008-07-01 09:53:32 0 d--hs---- C:\Discovery
2008-07-01 09:53:24 0 d--hs---- C:\CENTENN.IAL
2008-06-26 16:10:56 0 d-------- C:\Documents and Settings\premesh.premji\Application Data\webex
2008-06-25 17:11:09 0 d-------- C:\Program Files\QuickTime
2008-06-25 17:11:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-25 17:10:46 0 d-------- C:\Program Files\Apple Software Update
2008-06-25 17:10:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple


-- Find3M Report ---------------------------------------------------------------

2008-07-25 10:27:58 0 d-------- C:\Program Files\Common Files
2008-07-25 10:20:57 0 d-------- C:\Documents and Settings\premesh.premji\Application Data\AdobeUM
2008-07-25 10:20:57 0 d-------- C:\Documents and Settings\premesh.premji\Application Data\Adobe
2008-06-13 15:23:08 0 d-------- C:\Program Files\Microsoft SQL Server 2000 Driver for JDBC
2008-06-13 14:28:26 0 d--h----- C:\Program Files\Zero G Registry
2008-06-13 14:28:05 466944 --a------ C:\WINDOWS\system32\composite45.dll <Not Verified; Composite Software; Composite 4.5.0 ODBC Driver>
2008-06-13 14:24:29 0 d-------- C:\Program Files\Composite Software


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004/08/04 02:00 PM C:\WINDOWS\system32\bthprops.cpl]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006/01/05 10:30 AM C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006/02/07 07:39 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006/02/07 07:36 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006/02/07 07:40 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006/01/13 04:33 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008/02/22 04:25 AM]
"Resume copy"="copyfstq.exe" [2007/02/09 02:43 PM C:\WINDOWS\copyfstq.exe]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007/01/01 11:22 PM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007/08/24 07:00 AM]
"NuTCSetupEnviron"="C:\PROGRA~1\MKSTOO~1\bin\ncoeenv.exe" [2006/09/29 05:37 PM]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\udaterui.exe" [2008/03/14 04:00 AM]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2008/01/24 08:50 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008/05/27 10:50 AM]
"RegistryMechanic"="" []
"Discovery User Input"="C:\Discovery\User Input\userin32.exe" [2007/06/04 12:45 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008/07/25 09:46 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004/08/04 02:00 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004/10/13 06:24 PM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006/11/13 01:39 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008/04/23 03:38:16 AM]
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2006/04/07 04:37:00 PM]
Microsoft Firewall Client Management.lnk - C:\WINDOWS\Installer\{199B7F78-69B7-47C5-8D4B-A3ED1391FB6B}\NewShortcut1_8C7A59A89ABE459A9A9308C281A4A264.exe [2007/02/23 11:36:31 AM]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\binn\sqlmangr.exe [2007/04/10 11:08:12 AM]
SQL Prompt Query Analyzer Integration.lnk - C:\Program Files\Red Gate\SQL Prompt 3\Redgate.SQLPrompt.TrayApp.exe [2007/03/14 04:44:36 PM]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007/02/05 05:40:46 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"RunLogonScriptSync"=1 (0x1)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007/02/05 05:39 PM 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-346516054-2126666095-3128096205-32682\Scripts\Logon\0\0]
"Script"=EMWProf.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-346516054-2126666095-3128096205-32682\Scripts\Logon\1\0]
"Script"=outlooknk2.bat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ




-- End of Deckard's System Scanner: finished at 2008-07-25 14:50:08 ------------
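
The two O4 entries Shaba asked to have fixed, and the question above of whether the infection is gone, both come down to reading the Run-key sections of these logs. The script below is an added example and is not part of the original thread, of HijackThis or of Deckard's System Scanner: it parses the Run sections of a DSS registry dump, flags values whose names look machine-generated (lphcl35j0e79e, SMrhcg35j0e79e) or whose target file DSS could not stamp, and diffs the 22 July snapshot against the 25 July one. The two sample dumps are constructed from the entries posted in this thread, trimmed to a few values each. Reading an empty [] as "file not present when DSS looked", the letter/digit alternation threshold, and the "directory named after the binary" rule are the example's own assumptions, not documented DSS behaviour.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the Run-key sections of the two Deckard's System
# Scanner dumps posted in this thread (22 July and 25 July 2008), trimmed to a
# few values each. DSS prints each value as  "Name"="path" [file timestamp]
# and an empty [] when it has no timestamp; this example treats the empty []
# as "file not present at scan time", which is an assumption.
BEFORE_DUMP = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006/02/07 07:39 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008/02/22 04:25 AM]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2008/01/24 08:50 PM]
"RegistryMechanic"="" []
"lphcl35j0e79e"="C:\WINDOWS\system32\lphcl35j0e79e.exe" []
"SMrhcg35j0e79e"="C:\Program Files\rhcg35j0e79e\rhcg35j0e79e.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004/08/04 02:00 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008/07/07 09:42 AM]
'''

AFTER_DUMP = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006/02/07 07:39 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008/02/22 04:25 AM]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2008/01/24 08:50 PM]
"RegistryMechanic"="" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008/07/25 09:46 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004/08/04 02:00 PM]
'''

KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"(?:\s*\[(?P<meta>[^\]]*)\])?')

Entry = Dict[str, Optional[str]]       # {'path': ..., 'meta': timestamp text, '' or None}
EntryKey = Tuple[str, str]             # (registry key, value name)


def parse_run_dump(text: str) -> Dict[EntryKey, Entry]:
    """Map (key, value name) -> {'path', 'meta'} for every value under a [HKEY_...] header."""
    entries: Dict[EntryKey, Entry] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group('key')
            continue
        vm = VALUE_RE.match(line)
        if vm and key is not None:
            entries[(key, vm.group('name'))] = {'path': vm.group('path'), 'meta': vm.group('meta')}
    return entries


def alternation_count(s: str) -> int:
    """Letter<->digit switches between adjacent alphanumerics. Generated names like
    lphcl35j0e79e switch six times; real product names rarely switch more than once."""
    return sum(1 for a, b in zip(s, s[1:])
               if a.isalnum() and b.isalnum() and a.isalpha() != b.isalpha())


def suspicious_reasons(name: str, path: str, meta: Optional[str]) -> List[str]:
    """Triage heuristics for one autorun value; an empty list means nothing stood out."""
    parts = path.replace('\\', '/').split('/')
    stem = parts[-1].rsplit('.', 1)[0]          # file name without extension
    parent = parts[-2] if len(parts) >= 2 else ''
    reasons = []
    if alternation_count(stem) >= 4:
        reasons.append('random-looking binary name')
    if alternation_count(name) >= 4:
        reasons.append('random-looking value name')
    if path and meta == '':                     # DSS printed [] for a non-empty path
        reasons.append('file not found at scan time (empty [] metadata)')
    if stem and parent.lower() == stem.lower(): # C:\Program Files\rhcg...\rhcg....exe
        reasons.append('binary lives in a directory named after itself')
    return reasons


def flag_entries(entries: Dict[EntryKey, Entry]) -> Dict[str, List[str]]:
    """Value name -> reasons, for the entries that triggered at least one heuristic."""
    out: Dict[str, List[str]] = {}
    for (_, name), e in entries.items():
        reasons = suspicious_reasons(name, e['path'] or '', e['meta'])
        if reasons:
            out[name] = reasons
    return out


def diff_autoruns(before: Dict[EntryKey, Entry], after: Dict[EntryKey, Entry]):
    """(removed, added, changed-path) lists of (key, name) between two snapshots."""
    removed = sorted(k for k in before if k not in after)
    added = sorted(k for k in after if k not in before)
    changed = sorted(k for k in before if k in after and before[k]['path'] != after[k]['path'])
    return removed, added, changed


if __name__ == '__main__':
    before, after = parse_run_dump(BEFORE_DUMP), parse_run_dump(AFTER_DUMP)
    for name, reasons in flag_entries(before).items():
        print(f'FLAG {name}: ' + '; '.join(reasons))
    removed, added, changed = diff_autoruns(before, after)
    print('removed since first scan:', [name for _, name in removed])
    print('added since first scan:  ', [name for _, name in added])
    print('changed path:            ', [name for _, name in changed])
```

Run as-is it flags exactly the two values Shaba listed and shows them absent from the second dump. The diff also reports SpybotSD TeaTimer as removed, which is expected after step 8 turned the resident protection off, and TkBellExe as added, which matches the Real directories created on 25 July in the "Files created" list; neither is a sign the cleanup failed. The heuristics are a triage aid only: a value scoring zero can still be malicious, and a legitimate value with a version-laden name can score, so a flag is a reason to look at the file, not a verdict.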

Re: joke-bluescree.c

Unread postby Shaba » July 25th, 2008, 11:39 am

Hi

Please go to the Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log.

Re: joke-bluescree.c

Unread postby Shaba » July 30th, 2008, 1:16 am

Due to lack of response this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.