Was informed DriveCleaner sign of malware

Jacey2 · 08-27-2007, 01:14 PM

Have gotten results from DSS.exe scan and told to continue posting here. Was able to copy and paste..but just following instructions..not knowing where it would go. Maybe

you can redirect me

tetonbob · 08-27-2007, 01:34 PM

Are main.txt and extra.txt still open?

tetonbob · 08-27-2007, 01:52 PM

Just paste the contents of those two text files into a reply window in this thread, and click on Submit Reply.

If they are no longer open, they should be located at C:\Deckard\System Scanner.

Open a reply window in this thread.

Locate the files, open them by double clicking....

On the menu bar of each text file, go to Edit >choose Select All ; Go to Edit> Choose Copy

In the reply window, right click and choose Paste.

Do this for each file....

C:\Deckard\System Scanner\main.txt

C:\Deckard\System Scanner\extra.txt

Jacey2 · 08-27-2007, 02:34 PM

Quote:

Originally Posted by tetonbob

Are main.txt and extra.txt still open?

I have them minimized waiting to hear from you.

Jacey2 · 08-27-2007, 02:36 PM

Deckard's System Scanner v20070826.66
Run by Owner on 2007-08-27 13:39:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
87: 2007-08-27 18:39:27 UTC - RP368 - Deckard's System Scanner Restore Point
86: 2007-08-26 18:43:20 UTC - RP367 - System Checkpoint
85: 2007-08-25 17:32:36 UTC - RP366 - System Checkpoint
84: 2007-08-24 17:18:09 UTC - RP365 - System Checkpoint
83: 2007-08-23 16:07:35 UTC - RP364 - System Checkpoint

-- First Restore Point --
1: 2007-05-30 17:09:10 UTC - RP282 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 79% (more than 75%).
Total Physical Memory: 367 MiB (512 MiB recommended).

-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:41:40 PM, on 8/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BigFix\bigfix.exe
C:\Corel\Suite8\Programs\DAD8.EXE
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Corel Desktop Application Director 8.LNK = C:\Corel\Suite8\Programs\DAD8.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1156339312078
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 7554 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2007-08-21 08:25:08 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2007-07-27 and 2007-08-27 -----------------------------

2007-08-27 13:41:20 0 d-------- C:\Program Files\Trend Micro

-- Find3M Report ---------------------------------------------------------------

2007-08-27 08:33:33 0 d-------- C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2007-08-27 08:00:04 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2007-08-24 16:03:55 0 d-------- C:\Program Files\Picasa2
2007-08-05 09:31:26 0 d-------- C:\Program Files\Java
2007-07-15 11:27:02 0 d-------- C:\Program Files\QuickTime
2007-07-15 11:21:41 0 d-------- C:\Program Files\Apple Software Update
2007-07-12 21:51:52 0 d-------- C:\Documents and Settings\Owner\Application Data\Move Networks

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [08/16/2007 09:19 AM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/14/2007 07:05 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [06/29/2007 06:24 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:00 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/17/2007 08:21 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"=NA
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [7/14/2006 10:26:34 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 11:05:26 PM]
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [5/18/2006 8:21:47 PM]
Corel Desktop Application Director 8.LNK - C:\Corel\Suite8\Programs\DAD8.EXE [8/21/2006 3:37:34 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2273231-e6d2-11da-8f08-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

-- End of Deckard's System Scanner: finished at 2007-08-27 13:43:11 ------------

Deckard's System Scanner v20070826.66
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Celeron(R) D CPU 3.20GHz
Percentage of Memory in Use: 82%
Physical Memory (total/avail): 366.91 MiB / 65 MiB
Pagefile Memory (total/avail): 885.04 MiB / 547.09 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1958.16 MiB

C: is Fixed (NTFS) - 70.1 GiB total, 58.6 GiB free.
D: is Fixed (FAT32) - 4.42 GiB total, 2.67 GiB free.
E: is CDROM (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)
K: is Removable (No Media)
L: is Removable (FAT)
M: is Removable (No Media)

\\.\PHYSICALDRIVE0 - WDC WD800BB-00JHC0 - 74.53 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 70.1 GiB - C:
\PARTITION1 - Unknown - 4.43 GiB - D:

\\.\PHYSICALDRIVE5 - Generic STORAGE DEVICE USB Device

\\.\PHYSICALDRIVE6 - Generic STORAGE DEVICE USB Device

\\.\PHYSICALDRIVE7 - Generic STORAGE DEVICE USB Device - 980.53 MiB - 1 partition
\PARTITION0 - MS-DOS V4 Huge - 982.38 MiB - L:

\\.\PHYSICALDRIVE8 - Generic STORAGE DEVICE USB Device

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: AVG 7.5.484 v7.5.484 (GRISOFT)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1148001726\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1148001726\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-F47FE0285B
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\YOUR-F47FE0285B
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\Program Files\Outlook Express;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 6 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0604
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=YOUR-F47FE0285B
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI

-- User Profiles ---------------------------------------------------------------

Owner (admin)

-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat Reader 3.01 --> C:\WINDOWS\uninst.exe -fC:\Acrobat3\Reader\DeIsL2.isu
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe -q
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Advanced CD Ripper Pro 2.61 --> "C:\Program Files\Advanced CD Ripper Pro\unins000.exe"
AOL Coach Version 2.0(Build:20041026.5 en) --> C:\Program Files\Common Files\AolCoach\en_en\AolCInUn.exe -lang=en_en -ext=UDP
AOL You've Got Pictures Screensaver --> C:\Program Files\Common Files\AOL\Screensaver\uninst_ygpss.exe
Apple Software Update --> MsiExec.exe /I{74EC78BC-B379-4E29-9006-8F161DCAABA6}
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG Free Edition --> C:\Program Files\Grisoft\AVG Free\setup.exe /UNINSTALL
BigFix --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\BigFix\Uninst.isu" -c"C:\Program Files\BigFix\Lib\UninstallHelper.dll"
Browser Address Error Redirector --> regsvr32 /u /s "c:\windows\system32\BAE.dll"
Clear Cache feature for Internet Explorer --> MsiExec.exe /I{4E901875-0F15-44BA-89DE-94AA41A7F507}
Corel WordPerfect Suite 8 --> C:\Corel\Suite8\AppMan\Setup\REMOVELAUNCHER.EXE
Digital Media Reader --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4AC55A61-BA20-4DF5-ABFF-8F4819E0C875} /l1033
Dream House 3D --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Dream House 3D\DeIsL2.isu"
DVD Solution --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
Free Download Manager 2.1 - Free Downloads Center Edition --> "C:\Program Files\Free Download Manager\unins000.exe"
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar3.dll"
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
iTunes --> MsiExec.exe /I{AB90749C-7422-4580-8A7A-66CC5E9E5F98}
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java(TM) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Digital Image Starter Edition 2006 --> "C:\Program Files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe" ADDREMOVE=1 SKU=TRIAL VERSION=11
Microsoft Money 2006 --> "C:\Program Files\Microsoft Money 2006\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Works --> MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
Mozilla Firefox (2.0.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\uninst.exe
Mozilla Firefox (2.0.0.6) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
OpenOffice.org 2.0 --> MsiExec.exe /I{75852F49-2CAF-443F-B7C2-53DE5847DE56}
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
Power2Go 4.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\setup.exe" -uninstall
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
REALTEK GbE & FE Ethernet PCI NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}\setup.exe" -l0x9 -removeonly
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Security Update for Step By Step Interactive Training (KB898458) -->
Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1\HXFSETUP.EXE -U -IPDRSLSM5K.inf
URGE --> MsiExec.exe /I{8BBF6DFD-0AD9-43A7-9FBD-BF065E3866AF}
Visual Home version 1.1 --> C:\BTW\Vh\REGCLEAR.EXE
VNC 4.0 Beta 4 --> "C:\Program Files\RealVNC\VNC4\unins000.exe"
Volutive 1 --> C:\Binarema\VLT1\Uninstall.exe
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Yahoo! Toolbar for Internet Explorer --> C:\PROGRA~1\Yahoo!\Common\unyt.exe

-- Application Event Log -------------------------------------------------------

Event Record #/Type2083 / Error
Event Submitted/Written: 07/31/2007 08:49:33 PM
Event ID/Source: 1001 / Application Error
Event Description:
Fault bucket 470407700.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Event Record #/Type2082 / Error
Event Submitted/Written: 07/31/2007 08:49:05 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20070.5781, faulting module js3250.dll, version 4.0.0.0, fault address 0x00009026.
Processing media-specific event for [firefox.exe!ws!]

Event Record #/Type2078 / Error
Event Submitted/Written: 07/30/2007 03:20:07 PM
Event ID/Source: 1001 / Application Error
Event Description:
Fault bucket 470296297.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Event Record #/Type2077 / Error
Event Submitted/Written: 07/30/2007 03:19:57 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20070.5781, faulting module js3250.dll, version 4.0.0.0, fault address 0x00020a71.
Processing media-specific event for [firefox.exe!ws!]

Event Record #/Type2076 / Error
Event Submitted/Written: 07/30/2007 08:25:46 AM
Event ID/Source: 1001 / Application Error
Event Description:
Fault bucket 470723799.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type16489 / Error
Event Submitted/Written: 08/27/2007 08:33:10 AM
Event ID/Source: 23 / Print
Event Description:
Printer HP OfficeJet T Series Printer (Copy 1) failed to initialize because a suitable HP OfficeJet T Series Printer driver could not be found.

Event Record #/Type16472 / Error
Event Submitted/Written: 08/27/2007 07:58:39 AM
Event ID/Source: 23 / Print
Event Description:
Printer HP OfficeJet T Series Printer (Copy 1) failed to initialize because a suitable HP OfficeJet T Series Printer driver could not be found.

Event Record #/Type16453 / Error
Event Submitted/Written: 08/26/2007 06:50:12 PM
Event ID/Source: 23 / Print
Event Description:
Printer HP OfficeJet T Series Printer (Copy 1) failed to initialize because a suitable HP OfficeJet T Series Printer driver could not be found.

Event Record #/Type16436 / Error
Event Submitted/Written: 08/26/2007 10:13:05 AM
Event ID/Source: 23 / Print
Event Description:
Printer HP OfficeJet T Series Printer (Copy 1) failed to initialize because a suitable HP OfficeJet T Series Printer driver could not be found.

Event Record #/Type16432 / Warning
Event Submitted/Written: 08/25/2007 11:19:33 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00167665F6B8. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

-- End of Deckard's System Scanner: finished at 2007-08-27 13:43:11 ------------

tetonbob · 08-27-2007, 03:22 PM

I'm not seeing any signs of infection in those logs. Are you experiencing popups still?

There are some items we need to address:

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 9
Java(TM) SE Runtime Environment 6 Update 1

These are all outdated, and security risks by having them installed still. Unfortunately, Java does not uninstall previous version when you update, nor tell you that you should.

Leave Java(TM) 6 Update 2 alone, as it is the most recent..

---------------------------------------------------------------------------------------------

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

---------------------------------------------------------------------------------------------

I'd like you to try to run an online scan again....if Panda won't work, try this one:

Online Scanner

Post the results of the online scan when it's complete.

Jacey2 · 08-27-2007, 03:43 PM

On the ATF..went thru selected all but saved password but none of the files emptied. What now?

tetonbob · 08-27-2007, 03:55 PM

Please give me more detail...what do you mean, none were removed?

Did you click on the Empty Selected button? Did a small popup window appear telling you how much had been removed?

Read the instructions again and repeat.

tetonbob · 08-27-2007, 04:05 PM

Jacey2 · 08-27-2007, 04:06 PM

I selected all and then unchecked the save password..but the bottom box needed to be unchecked as well. Cleaned out alot of stuff. I am stalling out with Online Scanner..I clicked accept but it just sat there. Maybe a conflict with the browser. Thought i'd try Panda again, but will wait for your advice.

tetonbob · 08-27-2007, 04:11 PM

Are you using Internet Explorer?

Jacey2 · 08-27-2007, 04:14 PM

Motzilla Firefox

08-27-2007, 01:14 PM	#1 (permalink)
Jacey2 Registered User Join Date: Oct 2006 Posts: 84 OS: XP	Was informed DriveCleaner sign of malware Have gotten results from DSS.exe scan and told to continue posting here. Was able to copy and paste..but just following instructions..not knowing where it would go. Maybe you can redirect me

08-27-2007, 01:34 PM	#2 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 26,435 OS: 2000 Pro; XP Pro; XP Home	Re: Was informed DriveCleaner sign of malware Are main.txt and extra.txt still open? __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message.

08-27-2007, 01:52 PM	#3 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 26,435 OS: 2000 Pro; XP Pro; XP Home	Re: Was informed DriveCleaner sign of malware Just paste the contents of those two text files into a reply window in this thread, and click on Submit Reply. If they are no longer open, they should be located at C:\Deckard\System Scanner. Open a reply window in this thread. Locate the files, open them by double clicking.... On the menu bar of each text file, go to Edit >choose Select All ; Go to Edit> Choose Copy In the reply window, right click and choose Paste. Do this for each file.... C:\Deckard\System Scanner\main.txt C:\Deckard\System Scanner\extra.txt __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message.

08-27-2007, 03:22 PM	#6 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 26,435 OS: 2000 Pro; XP Pro; XP Home	Re: Was informed DriveCleaner sign of malware I'm not seeing any signs of infection in those logs. Are you experiencing popups still? There are some items we need to address: Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: J2SE Runtime Environment 5.0 Update 10 J2SE Runtime Environment 5.0 Update 11 J2SE Runtime Environment 5.0 Update 2 J2SE Runtime Environment 5.0 Update 9 Java(TM) SE Runtime Environment 6 Update 1 These are all outdated, and security risks by having them installed still. Unfortunately, Java does not uninstall previous version when you update, nor tell you that you should. Leave Java(TM) 6 Update 2 alone, as it is the most recent.. --------------------------------------------------------------------------------------------- Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. If you use Firefox browser Click Firefox at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browser Click Opera at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. For Technical Support, double-click the e-mail address located at the bottom of each menu. --------------------------------------------------------------------------------------------- I'd like you to try to run an online scan again....if Panda won't work, try this one: Online Scanner Post the results of the online scan when it's complete. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message.

08-27-2007, 03:43 PM	#7 (permalink)
Jacey2 Registered User Join Date: Oct 2006 Posts: 84 OS: XP	Re: Was informed DriveCleaner sign of malware On the ATF..went thru selected all but saved password but none of the files emptied. What now?

08-27-2007, 03:55 PM	#8 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 26,435 OS: 2000 Pro; XP Pro; XP Home	Re: Was informed DriveCleaner sign of malware Please give me more detail...what do you mean, none were removed? Did you click on the Empty Selected button? Did a small popup window appear telling you how much had been removed? Read the instructions again and repeat. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message.

08-27-2007, 04:05 PM	#9 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 26,435 OS: 2000 Pro; XP Pro; XP Home	Re: Was informed DriveCleaner sign of malware __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message.

08-27-2007, 04:06 PM	#10 (permalink)
Jacey2 Registered User Join Date: Oct 2006 Posts: 84 OS: XP	Re: Was informed DriveCleaner sign of malware I selected all and then unchecked the save password..but the bottom box needed to be unchecked as well. Cleaned out alot of stuff. I am stalling out with Online Scanner..I clicked accept but it just sat there. Maybe a conflict with the browser. Thought i'd try Panda again, but will wait for your advice.

08-27-2007, 04:11 PM	#11 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 26,435 OS: 2000 Pro; XP Pro; XP Home	Re: Was informed DriveCleaner sign of malware Are you using Internet Explorer? __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Please do not ask for help via Private Message.

08-27-2007, 04:14 PM	#12 (permalink)
Jacey2 Registered User Join Date: Oct 2006 Posts: 84 OS: XP	Re: Was informed DriveCleaner sign of malware Motzilla Firefox