

Messages - donna4909

1
Tech Clinic / Can't get rid of coolwwwsearch
« on: June 15, 2008, 09:11:47 PM »
I did uninstall the two tweak ui entries. But I still have a TweakUIXP icon in my control panel.

The hard drive is 32GB. When I first posted, I was very low on HD space. Less than a gig. But I couldn't figure out what was taking up all my extra space. I finally found the hidden folder when I ran a HD space analyzer. Anyway, it had like 11 gig of movie and tv show exe files. No clue how they got there. I certainly didn't put them there. It looked to be just an empty shared folder (no icons showing), but in its properties I could see the 11GB of space it was using, and during the AV scan I saw it go through all the filenames in that directory. I eventually just deleted the folder.

After deleting that folder, I had about 12 gig of space. After the AV proggy & scanners, I came down to 10 gig or so, but sufficient to dl the update. I just installed service pack 2. It has like 89 more downloads listed for me to get...

I really thought I already had SP2. I thought I installed it a long time ago, like shortly after it became available. I thought I'd had it already installed this whole time... I even bugged my hubby like 2 months ago to get it because I noticed he didn't have it updated on his computer. *lol*

So, I currently have 7.59 gig of HD space left. I do have some pics and songs on here, but not more than 3 or 4 gig combined. I also have a few larger programs that I use, and don't want to get rid of. A couple graphics programs, web page builders, and The Sims game. I've uninstalled pretty much every program I don't use at this point, and even some I didn't want to get rid of. But that was before I found the hidden folder, and I was so low on space I was getting errors. Had to do something.

2
Tech Clinic / Can't get rid of coolwwwsearch
« on: June 15, 2008, 03:04:17 PM »
Ok, I removed the Win 32 & uninstalled TweakUI. I hardly ever used it anyway. Rebooted, but it seems TweakUI is still installed.

Haven't defragged in a long time. Maybe a year or so. I'll set it up to defrag when we go out for dinner tonight.

Yes, my XP is a legitimate copy. I don't have the disc for it, but it came preinstalled on this computer (HP) when I bought it.

I'll go check Microsoft and see what updates I need to get.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:02:17 PM, on 6/15/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\fast.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/...aller_6-1-2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1213061818452
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 4453 bytes

3
Tech Clinic / Can't get rid of coolwwwsearch
« on: June 14, 2008, 06:15:20 PM »
SafeCast Shared Components wasn't in the add/remove programs list. Win32 BI Application says:
Error: could not locate the INF file 'C:\WINDOWS\INF\payload.inf'.

The only programs I need on startup are Outpost & Avira. System is still running sluggish. Has been since I installed Avira. I knew it would be though. That's why I uninstalled previous AV software. I had Panda at one point. I was hoping to just be able to run a firewall, but I guess I need both. Ah well...


Here's the new DSS log:

Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-14 19:17:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------

[color="red"]Total Physical Memory: 510 MiB (512 MiB recommended).[/color]


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:18:18 PM, on 6/14/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\fast.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /1
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/...aller_6-1-2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1213061818452
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 4760 bytes

-- Files created between 2008-05-14 and 2008-06-14 -----------------------------

2008-06-14 19:09:18         0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-06-14 04:19:02         0 d-------- C:\Program Files\Java
2008-06-14 04:18:27         0 d-------- C:\Program Files\Common Files\Java
2008-06-14 04:08:02         0 d-------- \_OTMoveIt
2008-06-12 17:29:23         0 d-------- C:\Program Files\Avira
2008-06-12 17:29:23         0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-12 17:05:40         0 d--hs---- \RECYCLER
2008-06-12 16:18:01         0 d-------- \QooBox
2008-06-12 16:18:00     68096 --a------ C:\WINDOWS\zip.exe
2008-06-12 16:18:00     49152 --a------ C:\WINDOWS\VFind.exe
2008-06-12 16:18:00    212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-12 16:18:00    136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-12 16:18:00    161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-12 16:18:00     98816 --a------ C:\WINDOWS\sed.exe
2008-06-12 16:18:00     80412 --a------ C:\WINDOWS\grep.exe
2008-06-12 16:18:00     89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-12 15:55:14 534827008 --ahs---- \hiberfil.sys
2008-06-11 20:07:03         0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-11 20:07:00         0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-11 20:07:00         0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-11 18:58:53         0 d-------- C:\WINDOWS\ERUNT
2008-06-11 18:58:17         0 d-------- \SDFix
2008-06-11 17:54:23         0 d-------- \Deckard
2008-06-11 16:26:23         0 d-------- C:\Program Files\InterMute
2008-06-11 15:48:47         0 d-------- C:\Documents and Settings\Owner\Application Data\Key Metric Software
2008-06-11 15:38:10         0 d-------- C:\Program Files\SpaceAnylizer
2008-06-11 15:38:10         0 d-------- C:\Program Files\Common Files\Key Metric Software
2008-06-11 15:38:08         0 d--h----- C:\Documents and Settings\All Users\Application Data\{2523FC71-7736-4A2A-B0C7-8D36B58E4800}
2008-06-11 00:48:52         0 d-------- C:\WINDOWS\System32\PreInstall
2008-06-11 00:48:44         0 d--h----- C:\WINDOWS\$hf_mig$
2008-06-11 00:29:34         0 d-------- C:\WINDOWS\System32\bits
2008-06-10 05:19:35         0 d-------- C:\Program Files\Common Files\Webroot Shared
2008-06-10 05:19:35         0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-05-16 15:27:28         0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-05-16 15:27:28         0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-16 15:27:28         0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-16 15:27:28         0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-16 15:27:28         0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-05-16 15:27:28         0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-05-16 15:27:28         0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-16 15:27:28         0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-05-16 15:27:28         0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-16 15:27:28         0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-05-16 15:27:28         0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-16 15:27:27   2097152 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT


-- Find3M Report ---------------------------------------------------------------

2008-06-14 19:10:33 786432000 --ahs---- \pagefile.sys
2008-06-14 04:18:27         0 d-a------ C:\Program Files\Common Files
2008-06-13 19:31:19         0 d-------- C:\Program Files\Full Tilt Poker.Net
2008-06-12 17:46:59         0 d-------- C:\Documents and Settings\Owner\Application Data\ield
2008-06-11 16:11:17         0 d-------- C:\Program Files\hp
2008-06-11 15:21:03         0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-11 02:12:07         0 d-------- C:\Program Files\Visual Labels
2008-06-11 02:12:07         0 d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-06-10 16:57:37         0 d-------- C:\Documents and Settings\Owner\Application Data\GlobalSCAPE
2008-06-10 05:22:06         0 d-------- C:\Program Files\Winamp
2008-06-10 05:19:36         0 d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2008-06-10 05:19:35         0 d-------- C:\Program Files\Webroot
2008-06-04 22:26:16         0 d-------- C:\Program Files\SoapMaker
2008-05-14 14:03:18         0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-14 13:36:03         0 d-------- C:\Program Files\Common Files\ACD Systems
2008-05-14 13:36:02         0 d-------- C:\Program Files\ACD Systems
2008-04-30 03:13:32         0 d-------- C:\Program Files\Common Files\Motive
2008-04-28 22:54:35         0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Outpost Firewall"="C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe" [04/09/2004 05:18 PM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [08/07/2001 08:36 PM]
"PS2"="C:\WINDOWS\system32\ps2.exe" [07/03/2001 06:13 PM]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06 AM]
"Tweak UI"="TWEAKUI.CPL" [06/18/2000 02:03 PM C:\WINDOWS\SYSTEM32\TWEAKUI.CPL]
"S3TRAY2"="S3tray2.exe" [10/04/2001 03:06 PM C:\WINDOWS\SYSTEM32\S3tray2.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [06/15/2001 07:34 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" []
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [05/07/1998 01:04 PM]
"FastUser"="C:\WINDOWS\System32\fast.exe" [10/08/2001 01:59 PM]
"CoolSwitch"="C:\WINDOWS\System32\taskswitch.exe" [10/08/2001 01:59 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" []
"Washer"="C:\Program Files\Washer\washer.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"IMEKRMIG6.1"=108209130520750479696720982160565757815579836
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=01000000
"NoSMMyDocs"=01000000
"NoSMMyPictures"=01000000
"NoSMHelp"=01000000
"NoLogoff"=0 (0x0)
"NoNetworkConnections"=01000000
"ClearRecentDocsOnExit"=1 (0x1)

 


-- End of Deckard's System Scanner: finished at 2008-06-14 19:18:43 ------------

4
Tech Clinic / Can't get rid of coolwwwsearch
« on: June 14, 2008, 03:13:36 AM »
File/Folder C:\WINDOWS\system32\ltimg80n.exe not found.
File/Folder C:\Program Files\NoAds not found.
File/Folder C:\Program Files\Comet Systems not found.
LoadLibrary failed for C:\WINDOWS\SYSTEM32\whla32dd.dll
C:\WINDOWS\SYSTEM32\whla32dd.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\whla32dd.dll moved successfully.
C:\WINDOWS\Tasks\TASK20030402041953.job moved successfully.
 
OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06142008_040802

----------------

Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-14 04:22:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------

[color="red"]Total Physical Memory: 510 MiB (512 MiB recommended).[/color]


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:22:45 AM, on 6/14/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\fast.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Generic Host Process for Win32 Services] scvhost.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /1
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/...aller_6-1-2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1213061818452
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 4921 bytes

-- Files created between 2008-05-14 and 2008-06-14 -----------------------------

2008-06-14 04:19:02         0 d-------- C:\Program Files\Java
2008-06-14 04:18:27         0 d-------- C:\Program Files\Common Files\Java
2008-06-14 04:08:53         0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-06-14 04:08:02         0 d-------- \_OTMoveIt
2008-06-12 17:29:23         0 d-------- C:\Program Files\Avira
2008-06-12 17:29:23         0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-12 17:05:40         0 d--hs---- \RECYCLER
2008-06-12 16:18:01         0 d-------- \QooBox
2008-06-12 16:18:00     68096 --a------ C:\WINDOWS\zip.exe
2008-06-12 16:18:00     49152 --a------ C:\WINDOWS\VFind.exe
2008-06-12 16:18:00    212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-12 16:18:00    136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-12 16:18:00    161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-12 16:18:00     98816 --a------ C:\WINDOWS\sed.exe
2008-06-12 16:18:00     80412 --a------ C:\WINDOWS\grep.exe
2008-06-12 16:18:00     89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-12 15:55:14 534827008 --ahs---- \hiberfil.sys
2008-06-11 20:07:03         0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-11 20:07:00         0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-11 20:07:00         0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-11 18:58:53         0 d-------- C:\WINDOWS\ERUNT
2008-06-11 18:58:17         0 d-------- \SDFix
2008-06-11 17:54:23         0 d-------- \Deckard
2008-06-11 16:26:23         0 d-------- C:\Program Files\InterMute
2008-06-11 15:48:47         0 d-------- C:\Documents and Settings\Owner\Application Data\Key Metric Software
2008-06-11 15:38:10         0 d-------- C:\Program Files\SpaceAnylizer
2008-06-11 15:38:10         0 d-------- C:\Program Files\Common Files\Key Metric Software
2008-06-11 15:38:08         0 d--h----- C:\Documents and Settings\All Users\Application Data\{2523FC71-7736-4A2A-B0C7-8D36B58E4800}
2008-06-11 00:48:52         0 d-------- C:\WINDOWS\System32\PreInstall
2008-06-11 00:48:44         0 d--h----- C:\WINDOWS\$hf_mig$
2008-06-11 00:29:34         0 d-------- C:\WINDOWS\System32\bits
2008-06-10 05:19:35         0 d-------- C:\Program Files\Common Files\Webroot Shared
2008-06-10 05:19:35         0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-05-16 15:27:28         0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-05-16 15:27:28         0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-16 15:27:28         0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-16 15:27:28         0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-16 15:27:28         0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-05-16 15:27:28         0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-05-16 15:27:28         0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-16 15:27:28         0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-05-16 15:27:28         0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-16 15:27:28         0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-05-16 15:27:28         0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-16 15:27:27   2097152 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT


-- Find3M Report ---------------------------------------------------------------

2008-06-14 04:18:27         0 d-a------ C:\Program Files\Common Files
2008-06-14 04:09:59 786432000 --ahs---- \pagefile.sys
2008-06-13 19:31:19         0 d-------- C:\Program Files\Full Tilt Poker.Net
2008-06-12 17:46:59         0 d-------- C:\Documents and Settings\Owner\Application Data\ield
2008-06-11 16:11:17         0 d-------- C:\Program Files\hp
2008-06-11 15:21:03         0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-11 02:12:07         0 d-------- C:\Program Files\Visual Labels
2008-06-11 02:12:07         0 d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-06-10 16:57:37         0 d-------- C:\Documents and Settings\Owner\Application Data\GlobalSCAPE
2008-06-10 05:22:06         0 d-------- C:\Program Files\Winamp
2008-06-10 05:19:36         0 d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2008-06-10 05:19:35         0 d-------- C:\Program Files\Webroot
2008-06-04 22:26:16         0 d-------- C:\Program Files\SoapMaker
2008-05-14 14:03:18         0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-14 13:36:03         0 d-------- C:\Program Files\Common Files\ACD Systems
2008-05-14 13:36:02         0 d-------- C:\Program Files\ACD Systems
2008-04-30 03:13:32         0 d-------- C:\Program Files\Common Files\Motive
2008-04-28 22:54:35         0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Outpost Firewall"="C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe" [04/09/2004 05:18 PM]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [08/07/2001 09:25 PM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [08/07/2001 08:36 PM]
"PS2"="C:\WINDOWS\system32\ps2.exe" [07/03/2001 06:13 PM]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06 AM]
"Tweak UI"="TWEAKUI.CPL" [06/18/2000 02:03 PM C:\WINDOWS\SYSTEM32\TWEAKUI.CPL]
"S3TRAY2"="S3tray2.exe" [10/04/2001 03:06 PM C:\WINDOWS\SYSTEM32\S3tray2.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [06/15/2001 07:34 PM]
"NvCplDaemon"="NvQTwk" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" []
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [05/07/1998 01:04 PM]
"Generic Host Process for Win32 Services"="scvhost.exe" []
"FastUser"="C:\WINDOWS\System32\fast.exe" [10/08/2001 01:59 PM]
"CoolSwitch"="C:\WINDOWS\System32\taskswitch.exe" [10/08/2001 01:59 PM]
"1A:Stardock TrayMonitor"="" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" []
"Washer"="C:\Program Files\Washer\washer.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"IMEKRMIG6.1"=108209130520750479696720982160565757815579836
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=01000000
"NoSMMyDocs"=01000000
"NoSMMyPictures"=01000000
"NoSMHelp"=01000000
"NoLogoff"=0 (0x0)
"NoNetworkConnections"=01000000
"ClearRecentDocsOnExit"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinGate Engine Monitor.lnk]
backup=C:\WINDOWS\pss\WinGate Engine Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinGate VPN Monitor.lnk]
backup=C:\WINDOWS\pss\WinGate VPN Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg SchedulerV2.exe]
backup=C:\WINDOWS\pss\PowerReg SchedulerV2.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced Tools Check]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APVXDWIN]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClrSchLoader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\explore]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FSW]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Inet Delivery]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\inmr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IST Service]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryMeter]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetPeeker]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power Scan]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSwitch]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
C:\WINDOWS\inetg\services.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScanInicio]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\stcloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVMD]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateStats]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VB_run]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherCast]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]

 


-- End of Deckard's System Scanner: finished at 2008-06-14 04:23:14 ------------

5
Tech Clinic / Can't get rid of coolwwwsearch
« on: June 14, 2008, 01:26:43 AM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:37:36 AM, on 6/14/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetg\services.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RDLL] RunDll16.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [keymgrldr] rundll32 setupapi,InstallHinfSection Oemkeymgr9x 128 keymgr3.inf
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Generic Host Process for Win32 Services] scvhost.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /1
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ltimg80n] C:\WINDOWS\system32\ltimg80n.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Virtual Assistant.lnk = C:\Program Files\Virtual Assistant\bin\matcli.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/...aller_6-1-2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1213061818452
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 6099 bytes

6
Tech Clinic / Can't get rid of coolwwwsearch
« on: June 14, 2008, 12:05:17 AM »
Downloaded and ran the new Spybot. It found the coolwwwsearch.aff.winshow again, but was able to delete it this time. System is running a little slow, but I'm pretty positive it's the antivirus program. Here's the new DSS log:

Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-14 01:10:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:10:35 AM, on 6/14/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/...aller_6-1-2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1213061818452
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 3957 bytes

-- Files created between 2008-05-14 and 2008-06-14 -----------------------------

2008-06-14 01:02:00         0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-06-12 17:29:23         0 d-------- C:\Program Files\Avira
2008-06-12 17:29:23         0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-12 17:05:40         0 d--hs---- \RECYCLER
2008-06-12 16:18:01         0 d-------- \QooBox
2008-06-12 16:18:00     68096 --a------ C:\WINDOWS\zip.exe
2008-06-12 16:18:00     49152 --a------ C:\WINDOWS\VFind.exe
2008-06-12 16:18:00    212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-12 16:18:00    136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-12 16:18:00    161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-12 16:18:00     98816 --a------ C:\WINDOWS\sed.exe
2008-06-12 16:18:00     80412 --a------ C:\WINDOWS\grep.exe
2008-06-12 16:18:00     89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-12 15:55:14 534827008 --ahs---- \hiberfil.sys
2008-06-11 20:07:03         0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-11 20:07:00         0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-11 20:07:00         0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-11 18:58:53         0 d-------- C:\WINDOWS\ERUNT
2008-06-11 18:58:17         0 d-------- \SDFix
2008-06-11 17:54:23         0 d-------- \Deckard
2008-06-11 16:26:23         0 d-------- C:\Program Files\InterMute
2008-06-11 15:48:47         0 d-------- C:\Documents and Settings\Owner\Application Data\Key Metric Software
2008-06-11 15:38:10         0 d-------- C:\Program Files\SpaceAnylizer
2008-06-11 15:38:10         0 d-------- C:\Program Files\Common Files\Key Metric Software
2008-06-11 15:38:08         0 d--h----- C:\Documents and Settings\All Users\Application Data\{2523FC71-7736-4A2A-B0C7-8D36B58E4800}
2008-06-11 00:48:52         0 d-------- C:\WINDOWS\System32\PreInstall
2008-06-11 00:48:44         0 d--h----- C:\WINDOWS\$hf_mig$
2008-06-11 00:29:34         0 d-------- C:\WINDOWS\System32\bits
2008-06-10 05:19:35         0 d-------- C:\Program Files\Common Files\Webroot Shared
2008-06-10 05:19:35         0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-05-16 15:27:28         0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-05-16 15:27:28         0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-16 15:27:28         0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-16 15:27:28         0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-16 15:27:28         0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-05-16 15:27:28         0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-05-16 15:27:28         0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-05-16 15:27:28         0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-05-16 15:27:28         0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-16 15:27:28         0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-05-16 15:27:28         0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-16 15:27:28         0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-05-16 15:27:28         0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-16 15:27:27   2097152 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT


-- Find3M Report ---------------------------------------------------------------

2008-06-14 01:03:28 786432000 --ahs---- \pagefile.sys
2008-06-13 19:31:19         0 d-------- C:\Program Files\Full Tilt Poker.Net
2008-06-12 17:46:59         0 d-------- C:\Documents and Settings\Owner\Application Data\ield
2008-06-12 16:19:00         0 d-a------ C:\Program Files\Common Files
2008-06-11 16:11:17         0 d-------- C:\Program Files\hp
2008-06-11 15:21:03         0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-11 02:12:07         0 d-------- C:\Program Files\Visual Labels
2008-06-11 02:12:07         0 d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-06-10 16:57:37         0 d-------- C:\Documents and Settings\Owner\Application Data\GlobalSCAPE
2008-06-10 05:22:06         0 d-------- C:\Program Files\Winamp
2008-06-10 05:19:36         0 d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2008-06-10 05:19:35         0 d-------- C:\Program Files\Webroot
2008-06-04 22:26:16         0 d-------- C:\Program Files\SoapMaker
2008-05-14 14:03:18         0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-14 13:36:03         0 d-------- C:\Program Files\Common Files\ACD Systems
2008-05-14 13:36:02         0 d-------- C:\Program Files\ACD Systems
2008-04-30 03:13:32         0 d-------- C:\Program Files\Common Files\Motive
2008-04-28 22:54:35         0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Outpost Firewall"="C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe" [04/09/2004 05:18 PM]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [08/07/2001 09:25 PM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [08/07/2001 08:36 PM]
"PS2"="C:\WINDOWS\system32\ps2.exe" [07/03/2001 06:13 PM]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"IMEKRMIG6.1"=108209130520750479696720982160565757815579836
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=01000000
"NoSMMyDocs"=01000000
"NoSMMyPictures"=01000000
"NoSMHelp"=01000000
"NoLogoff"=0 (0x0)
"NoNetworkConnections"=01000000
"ClearRecentDocsOnExit"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Virtual Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Virtual Assistant.lnk
backup=C:\WINDOWS\pss\Virtual Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinGate Engine Monitor.lnk]
backup=C:\WINDOWS\pss\WinGate Engine Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinGate VPN Monitor.lnk]
backup=C:\WINDOWS\pss\WinGate VPN Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg SchedulerV2.exe]
backup=C:\WINDOWS\pss\PowerReg SchedulerV2.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1A:Stardock TrayMonitor]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced Tools Check]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APVXDWIN]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClrSchLoader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CoolSwitch]
C:\WINDOWS\System32\taskswitch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
"C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DM_Server]
C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\explore]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FastUser]
C:\WINDOWS\System32\fast.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FSW]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Generic Host Process for Win32 Services]
scvhost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Inet Delivery]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\inmr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IST Service]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keymgrldr]
rundll32 setupapi,InstallHinfSection Oemkeymgr9x 128 keymgr3.inf

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ltimg80n]
C:\WINDOWS\system32\ltimg80n.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryMeter]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
c:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetPeeker]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoAds]
"C:\Program Files\NoAds\NoAds.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nod32kui]
C:\Program Files\Eset\nod32kui.exe /WAITSERVICE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power Scan]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSwitch]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RDLL]
RunDll16.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
C:\WINDOWS\inetg\services.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3TRAY2]
S3tray2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScanInicio]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\stcloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVMD]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tweak UI]
RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateStats]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VB_run]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Washer]
C:\Program Files\Washer\washer.exe /1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherCast]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xp_system]
C:\WINDOWS\inetg\services.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)
"wuauserv"=2 (0x2)

 


-- End of Deckard's System Scanner: finished at 2008-06-14 01:11:05 ------------

7
Tech Clinic / Can't get rid of coolwwwsearch
« on: June 13, 2008, 06:28:11 PM »
PM'd you the link.

8
Tech Clinic / Can't get rid of coolwwwsearch
« on: June 13, 2008, 04:56:56 PM »
File is too big to attach. 7 MB.

9
Tech Clinic / Can't get rid of coolwwwsearch
« on: June 12, 2008, 11:56:49 PM »
Ok, I ran the anti-virus. It found and quarantined like 14,000 infected files. Seems most of it was a worm (WORM/Rbot.155648) in the C:\System Volume Information directory. That report log is soooooo long. I'm not sure if you want me to post it here.

10
Tech Clinic / Can't get rid of coolwwwsearch
« on: June 12, 2008, 03:30:48 PM »
ComboFix 08-06-11.1 - Owner 2008-06-12 16:18:51.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.310 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\37591283.exe
C:\57062596.exe
C:\Program Files\Common Files\SLMSS
C:\Program Files\internet explorer\setup.exe
C:\setup.exe
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\SYSTEM32\stwvw.bak1
C:\WINDOWS\SYSTEM32\stwvw.bak2
.

((((((((((((((((((((((((( Files Created from 2008-05-12 to 2008-06-12 )))))))))))))))))))))))))))))))
.
2008-06-11 20:07 . 2008-06-11 20:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-11 20:07 . 2008-06-11 20:07 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-11 20:07 . 2008-06-11 20:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-11 20:07 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\SYSTEM32\drivers\mbamcatchme.sys
2008-06-11 20:07 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\SYSTEM32\drivers\mbam.sys
2008-06-11 18:58 . 2008-06-11 18:59 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-11 18:58 . 2008-06-12 16:14 <DIR> d-------- C:\SDFix
2008-06-11 17:54 . 2008-06-11 17:54 <DIR> d-------- C:\Deckard
2008-06-11 16:26 . 2008-06-11 16:26 <DIR> d-------- C:\Program Files\InterMute
2008-06-11 15:48 . 2008-06-11 15:48 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Key Metric Software
2008-06-11 15:38 . 2008-06-11 15:38 <DIR> d-------- C:\Program Files\SpaceAnylizer
2008-06-11 15:38 . 2008-06-11 15:38 <DIR> d-------- C:\Program Files\Common Files\Key Metric Software
2008-06-11 15:38 . 2008-06-11 15:38 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\{2523FC71-7736-4A2A-B0C7-8D36B58E4800}
2008-06-11 00:48 . 2008-06-11 00:58 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-06-11 00:48 . 2005-02-24 23:35 22,752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2008-06-11 00:29 . 2008-06-11 00:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2008-06-11 00:23 . 2004-07-01 18:08 361,984 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\qmgr.dll
2008-06-11 00:23 . 2004-07-01 18:08 331,776 --a------ C:\WINDOWS\SYSTEM32\winhttp.dll
2008-06-11 00:23 . 2004-07-01 18:08 331,776 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\winhttp.dll
2008-06-11 00:23 . 2004-06-30 19:59 158,720 --------- C:\WINDOWS\SYSTEM32\xpob2res.dll
2008-06-11 00:23 . 2004-07-01 18:08 17,408 --a------ C:\WINDOWS\SYSTEM32\qmgrprxy.dll
2008-06-11 00:23 . 2004-07-01 18:08 17,408 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\qmgrprxy.dll
2008-06-11 00:23 . 2004-07-01 18:08 7,680 -----c--- C:\WINDOWS\SYSTEM32\dllcache\bitsprx2.dll
2008-06-11 00:23 . 2004-07-01 18:08 7,680 --------- C:\WINDOWS\SYSTEM32\bitsprx2.dll
2008-06-11 00:23 . 2004-07-01 18:08 7,168 -----c--- C:\WINDOWS\SYSTEM32\dllcache\bitsprx3.dll
2008-06-11 00:23 . 2004-07-01 18:08 7,168 --------- C:\WINDOWS\SYSTEM32\bitsprx3.dll
2008-06-11 00:20 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll.mui
2008-06-11 00:19 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuaucpl.cpl.mui
2008-06-11 00:19 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll.mui
2008-06-11 00:19 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll.mui
2008-06-10 05:19 . 2008-06-10 05:19 <DIR> d-------- C:\Program Files\Common Files\Webroot Shared
2008-06-10 05:19 . 2008-06-10 05:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-06-10 05:18 . 2007-11-26 14:47 194,888 --a------ C:\WINDOWS\Unwash6.exe

2008-05-16 15:27 . 2001-11-16 10:30 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS

2008-05-16 15:27 . 2001-11-16 10:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust

2008-05-16 15:27 . 2001-11-16 10:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Corel

2008-05-16 15:27 . 2008-05-16 15:27 <DIR> d-------- C:\Documents and Settings\Administrator

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-06-12 06:45 --------- d-----w C:\Program Files\Full Tilt Poker.Net

2008-06-11 20:11 --------- d-----w C:\Program Files\hp

2008-06-11 19:22 --------- d--h--r C:\Documents and Settings\All Users\Application Data\yahoo!

2008-06-11 19:21 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-06-11 08:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-06-11 06:12 --------- d-----w C:\Program Files\Visual Labels

2008-06-11 06:12 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire

2008-06-10 20:57 --------- d-----w C:\Documents and Settings\Owner\Application Data\GlobalSCAPE

2008-06-10 09:22 --------- d-----w C:\Program Files\Winamp

2008-06-10 09:19 --------- d-----w C:\Program Files\Webroot

2008-06-10 09:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\Webroot

2008-06-05 02:26 --------- d-----w C:\Program Files\SoapMaker

2008-05-14 18:03 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-05-14 17:36 --------- d-----w C:\Program Files\Common Files\ACD Systems

2008-05-14 17:36 --------- d-----w C:\Program Files\ACD Systems

2008-05-14 17:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\ACD Systems

2008-04-30 07:13 --------- d-----w C:\Program Files\Common Files\Motive

2008-04-30 07:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive

2007-01-25 19:20 24,192 -c--a-w C:\Documents and Settings\Owner\usbsermptxp.sys

2007-01-25 19:20 22,768 -c--a-w C:\Documents and Settings\Owner\usbsermpt.sys

2004-01-20 15:11 125 -c--a-w C:\Program Files\I.HTM

2004-01-09 04:48 107,008 -c--a-w C:\Program Files\CWShredder.exe

2003-09-04 02:21 16,384 -c--a-w C:\Program Files\msfind.exe

2003-08-08 20:43 154,624 -c--a-w C:\Program Files\uninstcp.exe

2003-02-19 02:16 61,900,782 -c--a-w C:\Program Files\2-18.reg

2001-11-09 22:44 8 -c--a-w C:\Program Files\USER

1998-05-31 04:00 295,696 -c--a-w C:\Program Files\Common Files\MSJTOR35.DLL

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Microsoft Works Update Detection"="c:\Program Files\Microsoft Works\WkDetect.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Outpost Firewall"="C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe" [2004-04-09 17:18 87040]

"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2001-08-07 21:25 143360]

"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2001-08-07 20:36 90112]

"PS2"="C:\WINDOWS\system32\ps2.exe" [2001-07-03 18:13 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2003-07-16 16:37 51200 C:\WINDOWS\SYSTEM32\narrator.exe]

"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2003-07-16 16:48 40960]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\

AutoPlay.exe [2001-09-17 15:22:52 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"IMEKRMIG6.1"= 108209130520750479696720982160565757815579836

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMMyDocs"= 01000000

"NoSMMyPictures"= 01000000

"NoSMHelp"= 01000000

"NoNetworkConnections"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.l3acm"= L3codecp.acm

"vidc.XVID"= xvid.dll

"vidc.DIV3"= DivXc32.dll

"vidc.DIV4"= DivXc32f.dll

"msacm.divxa32"= DivXa32.acm

"vidc.3ivx"= 3ivxVfWCodec.dll

"VIDC.I263"= i263_32.drv

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Virtual Assistant.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Virtual Assistant.lnk

backup=C:\WINDOWS\pss\Virtual Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinGate Engine Monitor.lnk]

backup=C:\WINDOWS\pss\WinGate Engine Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinGate VPN Monitor.lnk]

backup=C:\WINDOWS\pss\WinGate VPN Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg SchedulerV2.exe]

backup=C:\WINDOWS\pss\PowerReg SchedulerV2.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1A:Stardock TrayMonitor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced Tools Check]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APVXDWIN]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClrSchLoader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CoolSwitch]

--a--c--- 2001-10-08 13:59 45632 C:\WINDOWS\System32\taskswitch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]

C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DM_Server]

C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\explore]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FastUser]

--a--c--- 2001-10-08 13:59 49216 C:\WINDOWS\System32\fast.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FSW]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Generic Host Process for Win32 Services]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

--a------ 2001-08-07 20:36 90112 C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]

--a--c--- 1998-05-07 13:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

--a------ 2001-08-07 21:25 143360 C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]

C:\PROGRA~1\INCRED~1\bin\IncMail.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Inet Delivery]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\inmr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IST Service]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keymgrldr]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ltimg80n]

--a--c--- 2004-03-15 21:02 50042 C:\WINDOWS\system32\ltimg80n.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryMeter]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]

c:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]

C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetPeeker]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoAds]

C:\Program Files\NoAds\NoAds.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nod32kui]

C:\Program Files\Eset\nod32kui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power Scan]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]

--a------ 2001-07-03 18:13 81920 C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSwitch]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a--c--- 2006-12-16 03:57 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RDLL]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]

--a--c--- 2001-06-15 19:34 212992 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]

--a--c--- 2004-08-04 00:41 27136 C:\WINDOWS\inetg\services.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3TRAY2]

--a--c--- 2001-10-04 15:06 69632 C:\WINDOWS\SYSTEM32\S3tray2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScanInicio]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\stcloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a--c--- 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVMD]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tweak UI]

--a--c--- 2000-06-18 14:03 106544 C:\WINDOWS\SYSTEM32\TWEAKUI.CPL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateStats]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VB_run]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Washer]

C:\Program Files\Washer\washer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherCast]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xp_system]

--a--c--- 2004-08-04 00:41 27136 C:\WINDOWS\inetg\services.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Messenger"=2 (0x2)

"wuauserv"=2 (0x2)

R1 VFILT;Outpost Firewall Kernel Driver;C:\PROGRA~1\Firewall\OUTPOS~1\kernel\2000\FILTNT.SYS [2004-04-09 17:16]

R2 McciCMService;McciCMService;"C:\Program Files\Common Files\Motive\McciCMService.exe" [2008-02-21 14:36]

R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-11-26 14:47]

R3 EPPSCSIx;EPPSCSI Driver;C:\WINDOWS\System32\DRIVERS\EPPSCAN.sys [2000-04-08 16:14]

S3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);C:\PROGRA~1\Firewall\OUTPOS~1\kernel\ADBLOCK.DLL [2004-04-09 17:16]

S3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);C:\PROGRA~1\Firewall\OUTPOS~1\kernel\CONTENT.DLL [2004-04-09 17:16]

S3 DCamUSBVeo532;Veo Web Camera;C:\WINDOWS\System32\Drivers\ubVeo532.sys [2002-07-01 19:30]

S3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);C:\PROGRA~1\Firewall\OUTPOS~1\kernel\DNSCACHE.DLL [2004-04-09 17:16]

S3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);C:\PROGRA~1\Firewall\OUTPOS~1\kernel\FTPFILT.DLL [2004-04-09 17:17]

S3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);C:\PROGRA~1\Firewall\OUTPOS~1\kernel\HTMLFILT.DLL [2004-04-09 17:16]

S3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);C:\PROGRA~1\Firewall\OUTPOS~1\kernel\HTTPFILT.DLL [2004-04-09 17:16]

S3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);C:\PROGRA~1\Firewall\OUTPOS~1\kernel\IMAPFILT.DLL [2004-04-09 17:17]

S3 KBCAM;JamC@m USB service;C:\WINDOWS\System32\Drivers\KBCAM.sys []

S3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);C:\PROGRA~1\Firewall\OUTPOS~1\kernel\MAILFILT.DLL [2004-04-09 17:16]

S3 MREMP50;MREMP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [2008-02-21 14:36]

S3 MREMP50a64;MREMP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS []

S3 MRESP50;MRESP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [2008-02-21 14:36]

S3 MRESP50a64;MRESP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS []

S3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);C:\PROGRA~1\Firewall\OUTPOS~1\kernel\NNTPFILT.DLL [2004-04-09 17:17]

S3 PCDRDRV;Pcdr Helper Driver;C:\WINDOWS\System32\drivers\PCDRDRV.sys []

S3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);C:\PROGRA~1\Firewall\OUTPOS~1\kernel\POP3FILT.DLL [2004-04-09 17:16]

S3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);C:\PROGRA~1\Firewall\OUTPOS~1\kernel\PROTECT.DLL [2004-04-09 17:17]

.

Contents of the 'Scheduled Tasks' folder

"2003-08-11 21:11:37 C:\WINDOWS\Tasks\TASK20030402041953.job"

- C:\Documents and Settings\Owner\Application Data\Ipswitch\WS_FTP\Scheduler\sch1D.tmp

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-06-12 16:20:21

Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

 

**************************************************************************

.

Completion time: 2008-06-12 16:24:00

ComboFix-quarantined-files.txt 2008-06-12 20:22:57

Pre-Run: 11,881,594,880 bytes free

Post-Run: 11,877,179,392 bytes free

262 --- E O F --- 2008-06-11 04:49:05



-----------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:40:21 PM, on 6/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Firewall\Outpost Firewall\outpost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/...aller_6-1-2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1213061818452
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 3603 bytes



11
Tech Clinic / Can't get rid of coolwwwsearch
« on: June 11, 2008, 10:06:30 PM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:59 PM, on 6/11/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/...aller_6-1-2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1213061818452
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--




Malwarebytes' Anti-Malware 1.17

Database version: 849

11:14:55 PM 6/11/2008

mbam-log-6-11-2008 (23-14-55).txt

Scan type: Full Scan (C:\|)

Objects scanned: 147546

Time elapsed: 59 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

---------



SDFix: Version 1.191

Run by Administrator on Wed 06/11/2008 at 07:09 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Checking Services :

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

Rebooting

 

Checking Files :

Trojan Files Found:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe - Deleted

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskmgr.exe - Deleted

C:\t.rar - Deleted

C:\WINDOWS\didduid.ini - Deleted

C:\WINDOWS\hosts - Deleted

C:\WINDOWS\system32\drivers\etc\hosts.bho - Deleted

C:\WINDOWS\system32\scvhost.exe - Deleted

 

 

 

 

Removing Temp Files

ADS Check :



 

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-06-11 19:21:49

Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

Remaining Services :

 

 

 

Authorized Application Key Export:

Remaining Files :

 

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 28 Feb 2007 10,240 A..H. --- "C:\WINDOWS\xntq-v92o4agkyf.exe"

Wed 11 Oct 2006 502,395 ..SH. --- "C:\WINDOWS\SYSTEM32\stwvw.bak1"

Sat 14 Oct 2006 501,391 ..SH. --- "C:\WINDOWS\SYSTEM32\stwvw.bak2"

Sun 10 Feb 2002 2,045 A..H. --- "C:\WINDOWS\SYSTEM32\whla32dd.dll"

Tue 22 Apr 2003 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Tue 22 Apr 2003 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv17.bak"

Fri 12 Dec 2003 36,352 ...H. --- "C:\Documents and Settings\All Users\Application Data\X0ff\X0ff.dll"

Wed 11 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\eb5ff0ae9fdaa24285c4924997a7aa90\BIT1.tmp"

Finished!


Everything looks clean now? I think... I hope. Thank you so so much for taking the time to help! Let me know if I need to do anything else.


12
Tech Clinic / Can't get rid of coolwwwsearch
« on: June 11, 2008, 04:48:12 PM »
Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:52:05 PM, on 6/11/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Webroot\Washer\WasherSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\system32\ps2.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskmgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe /waitservice

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\RunServices: [Generic Host Process for Win32 Services] scvhost.exe

O4 - HKLM\..\RunOnce: [RegisterHPDeviceDetectionDll] regsvr32.exe /s "C:\Program Files\HP\Common\HPDeviceDetection.dll"

O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')

O4 - Global Startup: svchost.exe

O4 - Global Startup: taskmgr.exe

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/...aller_6-1-2.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1213061818452

O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe

O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe

O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--


Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-11 17:54:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
11: 2008-06-11 21:54:37 UTC - RP509 - Deckard's System Scanner Restore Point
10: 2008-06-11 19:20:46 UTC - RP508 - Configured CuteFTP 6 Professional
9: 2008-06-11 08:04:39 UTC - RP507 - Spybot-S&D Spyware removal
8: 2008-06-11 08:03:06 UTC - RP506 - Spybot-S&D Spyware removal
7: 2008-06-11 04:48:52 UTC - RP505 - Installed Windows XP KB898461.


-- First Restore Point --
1: 2008-06-11 00:07:20 UTC - RP499 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 510 MiB (512 MiB recommended).
System Drive C: has 1.56 GiB (less than 15%) free.


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:55:42 PM, on 6/11/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskmgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\RunServices: [Generic Host Process for Win32 Services] scvhost.exe
O4 - HKLM\..\RunOnce: [RegisterHPDeviceDetectionDll] regsvr32.exe /s "C:\Program Files\HP\Common\HPDeviceDetection.dll"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: svchost.exe
O4 - Global Startup: taskmgr.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/...aller_6-1-2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1213061818452
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 3748 bytes

-- File Associations -----------------------------------------------------------

[color=\"red\"].bat - batfile - shell\edit\command - unable to read value[/color]
[color=\"red\"].cmd - cmdfile - shell\edit\command - unable to read value[/color]
[color=\"red\"].inf - inffile - shell\open\command - unable to read value[/color]
[color=\"red\"].ini - inifile - shell\open\command - unable to read value[/color]
[color=\"red\"].reg - regfile - shell\edit\command - unable to read value[/color]
[color=\"red\"].txt - txtfile - shell\open\command - unable to read value[/color]
[color=\"red\"].vbs - VBSFile - shell\edit\command - unable to read value[/color]


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 VFILT (Outpost Firewall Kernel Driver) - c:\program files\firewall\outpost firewall\kernel\2000\filtnt.sys <Not Verified; Agnitum; Virtual Firewall>
R2 CdaC15BA - c:\windows\system32\drivers\cdac15ba.sys
R3 ADBLOCK.DLL (Outpost Firewall PlugIn (ADBLOCK.DLL)) - c:\program files\firewall\outpost firewall\kernel\adblock.dll <Not Verified; Agnitum; Outpost Firewall>
R3 CONTENT.DLL (Outpost Firewall PlugIn (CONTENT.DLL)) - c:\program files\firewall\outpost firewall\kernel\content.dll <Not Verified; Agnitum; Outpost Firewall>
R3 DNSCACHE.DLL (Outpost Firewall PlugIn (DNSCACHE.DLL)) - c:\program files\firewall\outpost firewall\kernel\dnscache.dll <Not Verified; Agnitum; Outpost Firewall>
R3 EPPSCSIx (EPPSCSI Driver) - c:\windows\system32\drivers\eppscan.sys <Not Verified; EPPSCAN WDM Driver; EPPSCAN Parallel Port Device Driver>
R3 FTPFILT.DLL (Outpost Firewall PlugIn (FTPFILT.DLL)) - c:\program files\firewall\outpost firewall\kernel\ftpfilt.dll <Not Verified; Agnitum; Outpost Firewall>
R3 HTMLFILT.DLL (Outpost Firewall PlugIn (HTMLFILT.DLL)) - c:\program files\firewall\outpost firewall\kernel\htmlfilt.dll <Not Verified; Agnitum; Outpost Firewall>
R3 HTTPFILT.DLL (Outpost Firewall PlugIn (HTTPFILT.DLL)) - c:\program files\firewall\outpost firewall\kernel\httpfilt.dll <Not Verified; Agnitum; Outpost Firewall>
R3 i81x - c:\windows\system32\drivers\i81xnt5.sys <Not Verified; Intel® Corporation; Intel® Graphics Accelerator Drivers for Windows NT®>
R3 IMAPFILT.DLL (Outpost Firewall PlugIn (IMAPFILT.DLL)) - c:\program files\firewall\outpost firewall\kernel\imapfilt.dll <Not Verified; Agnitum; Outpost Firewall>
R3 MAILFILT.DLL (Outpost Firewall PlugIn (MAILFILT.DLL)) - c:\program files\firewall\outpost firewall\kernel\mailfilt.dll <Not Verified; Agnitum; Outpost Firewall>
R3 NNTPFILT.DLL (Outpost Firewall PlugIn (NNTPFILT.DLL)) - c:\program files\firewall\outpost firewall\kernel\nntpfilt.dll <Not Verified; Agnitum; Outpost Firewall>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 POP3FILT.DLL (Outpost Firewall PlugIn (POP3FILT.DLL)) - c:\program files\firewall\outpost firewall\kernel\pop3filt.dll <Not Verified; Agnitum; Outpost Firewall>
R3 PROTECT.DLL (Outpost Firewall PlugIn (PROTECT.DLL)) - c:\program files\firewall\outpost firewall\kernel\protect.dll <Not Verified; Agnitum; Outpost Firewall>

S3 Freedom (FREEDOM Miniport) - c:\windows\system32\drivers\freedom.sys (file missing)
S3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 KBCAM (JamC@m USB service) - c:\windows\system32\drivers\kbcam.sys (file missing)
S3 MREMP50 (MREMP50 NDIS Protocol Driver) - c:\program files\common files\motive\mremp50.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 MREMP50a64 (MREMP50a64 NDIS Protocol Driver) - c:\progra~1\common~1\motive\mremp50a64.sys (file missing)
S3 MRESP50 (MRESP50 NDIS Protocol Driver) - c:\program files\common files\motive\mresp50.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 MRESP50a64 (MRESP50a64 NDIS Protocol Driver) - c:\progra~1\common~1\motive\mresp50a64.sys (file missing)
S3 PCDRDRV (Pcdr Helper Driver) - c:\windows\system32\drivers\pcdrdrv.sys (file missing)
S3 PcdrNt - c:\windows\system32\drivers\pcdrnt.sys (file missing)
S3 S3SavageNB - c:\windows\system32\drivers\s3gnbm.sys <Not Verified; S3 Graphics, Inc.; S3 ProSavage & Twister Miniport Driver>
S3 usbsermpt (Motorola USB Modem Driver for MPT) - c:\windows\system32\drivers\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 McciCMService - "c:\program files\common files\motive\mccicmservice.exe" <Not Verified; Motive Communications, Inc.; >
R2 OutpostFirewall (Outpost Firewall Service) - c:\progra~1\firewall\outpos~1\outpost.exe /service <Not Verified; Agnitum; Outpost Firewall>

S4 C-DillaCdaC11BA - c:\windows\system32\drivers\cdac11ba.exe <Not Verified; Macrovision; SafeCast Windows NT>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96D-E325-11CE-BFC1-08002BE10318}
Description: Lucent Win Modem
Device ID: PCI\VEN_11C1&DEV_044E&SUBSYS_044E1235&REV_02\4&24AB0D93&0&58F0
Manufacturer: Lucent
Name: Lucent Win Modem
PNP Device ID: PCI\VEN_11C1&DEV_044E&SUBSYS_044E1235&REV_02\4&24AB0D93&0&58F0
Service: Modem

Class GUID: {4D36E96D-E325-11CE-BFC1-08002BE10318}
Description: Standard Modem
Device ID: ROOT\MODEM\0000
Manufacturer: (Standard Modem Types)
Name: Standard Modem
PNP Device ID: ROOT\MODEM\0000
Service: Modem


-- Scheduled Tasks -------------------------------------------------------------

2003-08-11 17:11:37       495 --a------ C:\WINDOWS\Tasks\TASK20030402041953.job


-- Files created between 2008-05-11 and 2008-06-11 -----------------------------

2008-06-11 17:54:23         0 d-------- \Deckard
2008-06-11 16:26:23         0 d-------- C:\Program Files\InterMute
2008-06-11 15:48:47         0 d-------- C:\Documents and Settings\Owner\Application Data\Key Metric Software
2008-06-11 15:38:10         0 d-------- C:\Program Files\SpaceAnylizer
2008-06-11 15:38:10         0 d-------- C:\Program Files\Common Files\Key Metric Software
2008-06-11 15:38:08         0 d--h----- C:\Documents and Settings\All Users\Application Data\{2523FC71-7736-4A2A-B0C7-8D36B58E4800}
2008-06-11 00:48:52         0 d-------- C:\WINDOWS\System32\PreInstall
2008-06-11 00:48:44         0 d--h----- C:\WINDOWS\$hf_mig$
2008-06-11 00:42:15         0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-06-11 00:29:34         0 d-------- C:\WINDOWS\System32\bits
2008-06-10 05:19:35         0 d-------- C:\Program Files\Common Files\Webroot Shared
2008-06-10 05:19:35         0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-05-16 15:38:56 534827008 --ahs---- \hiberfil.sys
2008-05-16 15:27:29         0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-05-16 15:27:28         0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-05-16 15:27:28         0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-16 15:27:28         0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-16 15:27:28         0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-16 15:27:28         0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-05-16 15:27:28         0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-05-16 15:27:28         0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-05-16 15:27:28         0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-05-16 15:27:28         0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-16 15:27:28         0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-05-16 15:27:28         0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-16 15:27:28         0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-05-16 15:27:28         0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-16 15:27:28         0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-05-16 15:27:28         0 d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-05-16 15:27:28         0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-05-16 15:27:28         0 d-------- C:\Documents and Settings\Administrator\Application Data\Corel
2008-05-16 15:27:27    786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT


-- Find3M Report ---------------------------------------------------------------

2008-06-11 17:49:51         0 d-------- C:\Program Files\Full Tilt Poker.Net
2008-06-11 16:26:08    313283 --a------ C:\Program Files\cwshredder.zip
2008-06-11 16:11:17         0 d-------- C:\Program Files\hp
2008-06-11 15:38:10         0 d-a------ C:\Program Files\Common Files
2008-06-11 15:21:03         0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-11 02:12:07         0 d-------- C:\Program Files\Visual Labels
2008-06-11 02:12:07         0 d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-06-11 00:43:19 786432000 --ahs---- \pagefile.sys
2008-06-10 16:57:37         0 d-------- C:\Documents and Settings\Owner\Application Data\GlobalSCAPE
2008-06-10 05:22:06         0 d-------- C:\Program Files\Winamp
2008-06-10 05:19:36         0 d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2008-06-10 05:19:35         0 d-------- C:\Program Files\Webroot
2008-06-04 22:26:16         0 d-------- C:\Program Files\SoapMaker
2008-05-14 14:03:18         0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-14 13:36:03         0 d-------- C:\Program Files\Common Files\ACD Systems
2008-05-14 13:36:02         0 d-------- C:\Program Files\ACD Systems
2008-04-30 03:13:32         0 d-------- C:\Program Files\Common Files\Motive
2008-04-28 22:54:35         0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe


-- Registry Dump ---------------------------------------------------------------

Unable to run batchfile; The process cannot access the file because it is being used by another process.
ComSpec: C:\WINDOWS\system32\cmd.exe


-- Hosts -----------------------------------------------------------------------

127.0.0.1 bin.errorprotector.com ## added by CiD
127.0.0.1 br.errorsafe.com ## added by CiD
127.0.0.1 br.winantivirus.com ## added by CiD
127.0.0.1 br.winfixer.com ## added by CiD
127.0.0.1 cdn.drivecleaner.com ## added by CiD
127.0.0.1 cdn.errorsafe.com ## added by CiD
127.0.0.1 cdn.winsoftware.com ## added by CiD
127.0.0.1 de.errorsafe.com ## added by CiD
127.0.0.1 de.winantivirus.com ## added by CiD
127.0.0.1 download.cdn.drivecleaner.com ## added by CiD

60 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-11 17:56:53 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron(tm) CPU                1200MHz
Percentage of Memory in Use: 49%
Physical Memory (total/avail): 509.98 MiB / 257.39 MiB
Pagefile Memory (total/avail): 1229.61 MiB / 1075.78 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1942.89 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 32.64 GiB total, 1.56 GiB free.
D: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - SAMSUNG SV4002H - 37.3 GiB - 2 partitions
  \PARTITION0 - Unknown - 4.66 GiB
  \PARTITION1 (bootable) - Installable File System - 32.64 GiB - C:

 

-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.


-- Environment Variables -------------------------------------------------------

Unable to get environment variables; The process cannot access the file because it is being used by another process.
ComSpec: C:\WINDOWS\system32\cmd.exe


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

Adobe Flash Player ActiveX --> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\System32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Shockwave Player --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\Install.log
Agnitum Outpost Firewall Pro 2.1 --> "C:\Program Files\Firewall\Outpost Firewall\uninst.exe"
hp center --> C:\WINDOWS\BWUnin-6.1.0.153.exe -AppId 137903
SafeCast Shared Components --> C:\WINDOWS\CDAC13BA.EXE /uninstall
Win32 BI Application --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\payload.inf, Uninstall
FolderSizes 4 --> "C:\Documents and Settings\All Users\Application Data\{2523FC71-7736-4A2A-B0C7-8D36B58E4800}\FolderSizes4-Setup.exe" REMOVE=TRUE MODIFY=FALSE
HijackThis 2.0.2 --> "C:\Program Files\HijackThis\HijackThis.exe" /uninstall
Internet Explorer Q822925 --> C:\WINDOWS\ieuninst.exe C:\WINDOWS\INF\Q822925.inf
DesignPro 5.0 Limited Edition --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{97AE00A8-1336-410F-B467-1C6623127BD6}
Windows XP Hotfix - KB833680 --> C:\WINDOWS\$NtUninstallKB833680$\spuninst\spuninst.exe
Windows XP Hotfix - KB842773 --> C:\WINDOWS\$NtUninstallKB842773$\spuninst\spuninst.exe
Windows Installer 3.1 (KB893803) --> "C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Update for Windows XP (KB898461) --> "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
 --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
Mozilla Firefox (1.0) --> C:\WINDOWS\UninstallFirefox.exe /ua "1.0 (en-US)"
Network Play System (Patching) --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Electronic Arts\Network Play System\NPSPatch.isu"
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvhp.inf
Outlook Express Update Q330994 --> C:\WINDOWS\Q330994.exe C:\WINDOWS\INF\Q330994.inf
 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
PS2 --> C:\WINDOWS\system32\ps2.exe uninstall
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
Real Alternative 1.21 --> "C:\Program Files\Real Alternative\unins000.exe"
S3 Gamma --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3 Gamma'
S3 Savage4 Family Display Switch2 Utility --> S3Uninst.exe -reg 5 HKLM\SOFTWARE\S3\S3Uninst\S3Switch2
Shockwave --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Spybot - Search & Destroy 1.3 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SuperCleaner --> "C:\Program Files\SuperCleaner\Uninst.exe" C:\Program Files\SuperCleaner\Uninst.ini
Visual Labels --> C:\PROGRA~1\VISUAL~1\UNWISE.EXE C:\PROGRA~1\VISUAL~1\INSTALL.LOG
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Window Washer --> C:\WINDOWS\Unwash6.exe
Windows Media Format Runtime Beta --> C:\Program Files\Windows Media Player\Setup_wm.exe /UninstallAll
Windows Media Player 10 Beta --> C:\Program Files\Windows Media Player\Setup_wm.exe /Uninstall
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
XviD MPEG-4 Codec --> "C:\Program Files\XviD\UninstXviD.exe"
Microsoft FrontPage 2000 --> MsiExec.exe /I{00120409-78E1-11D2-B60F-006097C998E7}
FolderSizes 4 --> C:\Documents and Settings\All Users\Application Data\{2523FC71-7736-4A2A-B0C7-8D36B58E4800}\FolderSizes4-Setup.exe
ACDSee 6.0 PowerPack --> MsiExec.exe /I{271B64EE-3E1B-4381-A8FE-012390050492}
Java(tm) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Veo Digital Studio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45AEEA61-04F8-11D6-8B35-0080C8F5C4AA}\SETUP.EXE" -l0x9
SoapMaker --> MsiExec.exe /X{500FB6E8-7127-11D8-9EFC-00B0D083537B}
Powertoys For Windows XP --> MsiExec.exe /I{6C31E111-96BB-4ADC-9C81-E6D3EEDDD8D3}
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\Setup.exe" -l0x9 REMOVE
The Sims Makin' Magic --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A00D1BA-D03A-44E5-AF28-86A1F377DF61}\setup.exe"  -l0009
Veo Stingray --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AD88E6DF-A288-4E09-A59B-68E94373BAC7}\SETUP.EXE" -l0x9
Tweakui Powertoy for Windows XP --> MsiExec.exe /I{C7793EE8-F666-4E6B-9827-76468679480E}
HP Product Detection --> MsiExec.exe /X{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}
Paint Shop Pro 7 ESD --> MsiExec.exe /I{D6DE02C7-1F47-11D4-9515-00105AE4B89A}
Namo WebEditor 5.5 Trial --> C:\Program Files\InstallShield Installation Information\{D73B1505-58C4-4CEA-BD95-A6A768D69A0D}\setup.exe -UninstallAll
Full Tilt Poker.Net --> "C:\Program Files\InstallShield Installation Information\{E07B7A31-E160-466D-A003-3BB7B8989D52}\setup.exe" -runfromtemp -l0x0009 -removeonly
MiraScan V3.20 --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\Twain_32\Mira3_20\Uninst.isu


-- Application Event Log -------------------------------------------------------

Event Record #/Type5474 / Error
Event Submitted/Written: 06/10/2008 04:57:46 PM
Event ID/Source: 11711 / MsiInstaller
Event Description:
Product: CuteFTP 6 Professional -- Error 1711.An error occurred while writing installation information to disk.  Check to make sure enough disk space is available, and click Retry, or Cancel to end the installation.

Event Record #/Type5473 / Error
Event Submitted/Written: 06/10/2008 04:57:45 PM
Event ID/Source: 11711 / MsiInstaller
Event Description:
Product: CuteFTP 6 Professional -- Error 1711.An error occurred while writing installation information to disk.  Check to make sure enough disk space is available, and click Retry, or Cancel to end the installation.

Event Record #/Type5470 / Error
Event Submitted/Written: 06/10/2008 04:56:44 PM
Event ID/Source: 10005 / MsiInstaller
Event Description:
Product: Tweakui Powertoy for Windows XP -- Internal Error 2502.

Event Record #/Type5469 / Error
Event Submitted/Written: 06/10/2008 04:56:44 PM
Event ID/Source: 11711 / MsiInstaller
Event Description:
Product: Tweakui Powertoy for Windows XP -- Error 1711.An error occurred while writing installation information to disk.  Check to make sure enough disk space is available, and click Retry, or Cancel to end the installation.

Event Record #/Type5467 / Error
Event Submitted/Written: 06/10/2008 04:42:35 PM
Event ID/Source: 1512 / Userenv
Event Description:
Windows cannot unload your registry file. The memory used by the registry has not been freed. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account. If this problem persists, contact your administrator.  


DETAIL - There is not enough space on the disk.

 

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type57506 / Warning
Event Submitted/Written: 06/11/2008 02:22:42 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type57420 / Error
Event Submitted/Written: 06/11/2008 00:22:16 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Event Record #/Type57419 / Error
Event Submitted/Written: 06/11/2008 00:22:16 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Event Record #/Type57418 / Error
Event Submitted/Written: 06/11/2008 00:22:16 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Event Record #/Type57415 / Error
Event Submitted/Written: 06/11/2008 00:18:51 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

 

-- End of Deckard's System Scanner: finished at 2008-06-11 17:56:53 ------------

13
Tech Clinic / Can't get rid of coolwwwsearch
« on: June 11, 2008, 03:29:27 PM »
This thing is driving me nuts. I can't seem to get rid of it. Spybot finds it as -coolwwwsearch.aff.winshow. It tries to delete, but can't because the program is running in the memory. Asks to run again on restart, but is still unable to remove it.

HijackThis log:

Logfile of HijackThis v1.98.1
Scan saved at 4:37:56 PM, on 6/11/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskmgr.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\RunServices: [Generic Host Process for Win32 Services] scvhost.exe
O4 - HKLM\..\RunOnce: [RegisterHPDeviceDetectionDll] regsvr32.exe /s "C:\Program Files\HP\Common\HPDeviceDetection.dll"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: svchost.exe
O4 - Global Startup: taskmgr.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/...aller_6-1-2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1213061818452
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab



--------------------------------------------------------------------

CWShredder:

CWShredder v1.44.2 scan only report

Windows XP (5.01.2600 SP1)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system32
AppData folder: C:\Documents and Settings\Owner\Application Data
Username: Owner

Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (4218 bytes, A)
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\System32\userinit.exe,
Found Win.ini file: C:\WINDOWS\win.ini (975 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (274 bytes, A)

- END OF REPORT -
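Both HijackThis logs in this thread show the same three things a helper would look at first: svchost.exe and taskmgr.exe running from the All Users Startup folder, matching "O4 - Global Startup" entries, and a RunServices entry whose command is scvhost.exe rather than svchost.exe. Whether those are the infection the poster is fighting is for the thread to settle, but the pattern itself (a core system binary name outside its genuine directory, or a spelling one letter off from one) is mechanical to check. The script below is an added example, not code from the thread, from HijackThis or from Deckard's System Scanner; the sample lines are copied from the posted log, while the table of genuine locations and the similarity threshold are the example's own assumptions (Windows XP defaults, %SystemRoot% = C:\WINDOWS).

```python
"""Flag HijackThis O4 entries and 'Running processes' paths whose image name
mimics a core Windows binary but whose path or spelling does not match the
genuine one.

Added example for the thread; not code from HijackThis or from the poster.
The sample lines are copied from the posted log. The table of genuine
locations and the 0.85 similarity cutoff are assumptions for the example.
"""
import difflib
import re

# Genuine home directory of a few core Windows XP binaries.
# Assumption: default %SystemRoot% of C:\WINDOWS. Lower-case for comparison.
GENUINE_HOME = {
    "svchost.exe": r"c:\windows\system32",
    "taskmgr.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# HijackThis O4 line: "O4 - <location>: [<value name>] <command>"; the
# bracketed value name is absent for Startup-folder entries.
O4_RE = re.compile(r"^O4 - (?P<location>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<command>.+)$")


def image_path(command: str) -> str:
    """Return the executable from an O4 command string, dropping arguments."""
    command = command.strip()
    m = re.match(r'^"([^"]+)"|^(\S+)', command)
    return (m.group(1) or m.group(2)) if m else command


def check_image(image: str, where: str):
    """Return a finding for a suspicious image path, or None if it looks genuine."""
    image_l = image.lower()
    directory, _, basename = image_l.rpartition("\\")

    # Case 1: exact name of a core binary, but not launched from its home.
    if basename in GENUINE_HOME:
        expected = GENUINE_HOME[basename]
        if directory != expected:
            shown = directory or "no path (resolved via PATH or startup folder)"
            return (f"{basename} launched from {shown} via {where}; "
                    f"the genuine binary lives in {expected}")
        return None

    # Case 2: near-miss spelling of a core binary, e.g. scvhost.exe vs svchost.exe.
    close = difflib.get_close_matches(basename, list(GENUINE_HOME), n=1, cutoff=0.85)
    if close:
        return f"{basename} via {where} resembles {close[0]} but is not a Windows binary"
    return None


def check_line(line: str):
    """Apply check_image to an O4 entry or to a 'Running processes' path."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        return check_image(image_path(m.group("command")), m.group("location"))
    if re.match(r"^[a-zA-Z]:\\", line):
        return check_image(line, "running process")
    return None


def scan(log_lines):
    """Return all findings for an iterable of log lines."""
    return [f for f in (check_line(l) for l in log_lines) if f]


# Lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskmgr.exe",
    r"O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Firewall\OUTPOS~1\outpost.exe /waitservice",
    r"O4 - HKLM\..\RunServices: [Generic Host Process for Win32 Services] scvhost.exe",
    r"O4 - Global Startup: svchost.exe",
    r"O4 - Global Startup: taskmgr.exe",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run it over a saved log with `scan(open(path).read().splitlines())`. On the sample lines it reports the two Startup-folder copies, the two Global Startup entries and the scvhost.exe RunServices value, and stays quiet for svchost.exe under System32 and for the Outpost entry. The path check deliberately ignores the bracketed value name: a RunServices value can call itself "Generic Host Process for Win32 Services" and still point at anything, so only the command matters.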
