# Cmd.exe and FTP.exe Difficulties



## SilverBolt (Jul 21, 2009)

Hello there. My computer was recently infected by hwclock.exe. I followed directions on how to remove it, and it has been removed. However, I find that every couple of minutes or so, I'm having cmd.exe and ftp.exe pop up in my task manager. This wouldn't be so much of a problem, but when these processes are running, they lag my ISP. Unfortunately, I'm on dialup, so this lag is extremely bad.

There are, however, problems with the usual methods of diagnosis. I do not have HijackThis, and could probably not download it within any reasonable length of time, due to the aforementioned dialup. Even if I could, this computer is so old that I can barely run what's already on it before the processor start lagging. I'm extremely poor, on a fixed income, and cannot afford to have this unit professionally seen to. Please help, this computer is the only link I have with the outside world.

Thank you in advance for any assistance you may be able to provide.

~*SilverBolt


----------



## Smiles n' grins (Jun 8, 2007)

I'm not all too sure what's going on, but you could check your scheduled tasks to see if it is scheduled to do this (of course). What type antivirus are you running?

Also, even though you are on dial-up, HijackThis is only about 800 kb, which as far as I can tell from dial-up, that will take a little will at a speed of 3 kb/s, but it won't take as long as you think.


----------



## hulkinator (May 4, 2009)

I would second the thought on HJT. Though it may take some time, and let's say it's an obscenely slow 500 bytes/sec average, 800kb will take under half an hour to download. I'd say that's worth it because of the wealth of information that a HijackThis log can provide us- if you still have malware an HJT log will show it at least 90% of the time.


----------



## SilverBolt (Jul 21, 2009)

I actually don't know how to check my scheduled tasks. I admit to being somewhat computer illiterate, at least where the "higher functions" of the computer are concerned.

I know how this is going to sound, and trust me, I have heard every question of my sanity and every insult flung at me for this. I actually don't run an antivirus as such, because every single one I've tried has either not worked, ruined my computer even worse, or lagged the processor to insanely slow speeds. I've tried AVG, AdAware, Avast, and probably lots more that I can't remember...and every one of them has lagged this machine so bad it took several minutes for the processor to accomplish the smallest task.

I did not, however, go in completely unprotected, as it were. I run SpySweeper ALL THE TIME, and it had been working remarkably well for some time. But ever since March, it hasn't been updating the definitions when I ask it to. I figure the build I'm using is out of date, and WebRoot no longer supports the build I have. However, I can't upgrade to a better build, because anything higher than the build I have lags my processor.

Obviously I didn't adequately take care of whatever problem was occurring in my computer, however. I was having different problems aftter deleting hwclock.exe. Even though cmd.exe and ftp.exe were not showing up in my processes anymore, the Internet connection was lagging really, really, REALLY bad. Sites that I know are there, like Hotmail, it would attempt to switch over to the ISP's own search engine on the web when I typed them in. Sometimes it would load, and other times it would just refuse to load entirely and give me the Cannot Find Server page within mere seconds of trying to access it, as if it didn't even TRY to find the page.

I did manage to get some relief from it, it seems...I backed up to a restore point couple of days ago, and it seems to be working just fine. I'm still holding my breath, though, and patroling my task manager like a hawk.

Also, I have been pointed to Comodo (http://www.comodo.com/home/download/download.php?prod=antivirus) as a viable option for a "low overhead" antivirus, since I've tried everything else and everything else lags me insanely. Does anyone else have experience with this program? What do you think of it, if so?

I'll try to download HJT. If this current ISP problem has not been at least temporarily salved by backing up the system, however, it may not be possible. I will attempt to post a log when and if I can download it.

~*SilverBolt

_EDIT:_ I apologize for the continued length of this post, but I didn't want to double-post, as I know that's not allowed on many forums. Though I backed up the computer, it did not repair the problem--I still have cmd.exe and ftp.exe popping up periodically. However, Trend Micro had a .zip of HijackThis that, thankfully, took only a few moments to download. I ran the scan while these two programs were running, and told it to save a log, and this is what it provided me with:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:36:49 PM, on 7/21/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\HiJackThis\HijackThis.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\ftp.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=...D=1088406000000&I=8.NQ4&N=PL&O=A&UT=companion
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero\SearchEnh1.dll
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O2 - BHO: Pop-up Blocker - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3A5095E-400C-4020-8247-007DF7EBB44C}: NameServer = 64.136.44.74 64.136.52.74
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Windows Hosts Controller - Unknown owner - C:\WINDOWS\Fonts\unwise_.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 4562 bytes


----------



## Smiles n' grins (Jun 8, 2007)

I must relay this message from Silverbolt, who left me a message to post.


> Hi there. I'm the one with the cmd.exe and ftp.exe problems. I don't have those anymore. Now my ISP is lagging something fierce. Matter of fact, I can no longer post on the forums now. Please relay this, will you? Thank you.


Something is still lagging his internet, or his computer one way or the other, and hopefully it can be fixed.

In the meantime, I think clearing the internet history, cookies, cache, and the whatnot might speed up by a bit his internet speed. Am I right?


----------



## SilverBolt (Jul 21, 2009)

Smiles, thank you for relaying my messages. I did manage to wrangle my Internet into letting me post a reply and that HijackThis log. It's still giving me grief, however.

I have been clearing caches and the like, at least I thought I was. I run Window Washer (as the HijackThis log shows), and I thought that was supposed to take care of it.

I don't know if this helps or not, but while patrolling my task manager, I also noticed instances of netsh.exe and wmiprvse.exe running for short periods.

~*SilverBolt


----------



## hulkinator (May 4, 2009)

Hmmm... I'm no malware expert but I don't think you completely wiped out your previous infection. I'd guess that your cmd.exe and ftp.exe programs are infected, and that is why they are running. They don't just do that automatically. I'm also a little uneasy about your Narrator.exe file that runs at startup. Do you have any accessibility features enabled on your computer? If not then that is part of your infection.

I'm going to report this thread to the moderators and see if they will move it to the 'Malware Removal' forum for you.


----------



## SilverBolt (Jul 21, 2009)

Thanks, that would be appreciated, Hulkinator. Any little bit of help is appreciated. 

Yeah, I do use accessibility features; I use StickyKeys and MouseKeys. I share this computer with a guy who has cerebral palsy and can't use his right hand to type. And his hands aren't real steady, so he uses the MouseKeys to move the mouse when he has to make delicate movements with it.

I'm actually concerned about the unwise_.exe thing. Why would there be an executable in the fonts folder? And why can't I find it when I look, despite placing folder options to show hidden files/folders and integral system files? And in my experience (granted, little as it is), when there's an underscore in a name, it tends to be a malicious file masquerading as a safe file. And besides...what's a "Hosts Controller"? I haven't deleted it, because despite these feelings on the matter, I don't know 100% if it really is malicious or not.

Just to make absolutely certain...just deleting the malicious hwclock.exe file wouldn't have been enough to kill the infection, right? Because that's all I saw, was just delete the file. If that's not all that needs to be done, how do I complete the removal process?

~*SilverBolt

_EDIT:_ I was patroling my task manager, and caught a process called "man8.exe" running for a brief moment. Googling seems to indicate that man8.exe and unwise_.exe are connected, and they're both worm files. Does this help any? Also, I managed to find Prevx 3.0 that I'm planning on running. It supposedly has a very small footprint on the computer's processor, and PC Mag has given it one of the best approval ratings. I ran it, and it found the file. However, it requires a lisence key to remove it, and I cannot afford the $30 for the year-long lisence key. I attempted to find the file myself; it's in the fonts folder (c:\windows\fonts). However, despite setting folder options to show hidden files and folders, as well as unchecking the option to hide protected files, I still cannot locate it, either by eye or using the search. It's there...I just can't get it out. I am Googling for more options.


----------



## hulkinator (May 4, 2009)

I can guarantee you have an infection! I'm sure unwise_.exe is not legitimate.

And yes deleting files is usually not enough. They leave other files and registry entries that are difficult to find by just watching Task Manager.


----------



## valis (Sep 24, 2004)

moving to hjt this forum as requested.

thanks, 

v


----------



## Cookiegal (Aug 27, 2003)

Please open HijackThis.
Click on *Open Misc Tools Section*
Make sure that both boxes beside "Generate StartupList Log" are checked:

*List all minor sections(Full)*
*List Empty Sections(Complete)*
Click *Generate StartupList Log*.
Click *Yes* at the prompt.
It will open a text file. Please copy the entire contents of that page and paste it here.

Also, please do this:

Open HijackThis and click on the *Open Misc Tools section* button. Click on the *Open Uninstall Manager* button. Click the *Save List* button. Save the list then copy and paste it here.


----------



## valis (Sep 24, 2004)

thanks, cookiegal...


----------



## Cookiegal (Aug 27, 2003)

You're welcome.


----------



## SilverBolt (Jul 21, 2009)

Cookiegal? I think you asked for a couple things. I apologize for not having gotten back here sooner, but dealing with this has been a huge pain in my butt, in addition to having to take care of someone who's disabled. anyway, here's what you wanted, I think.

*Startup List:*

StartupList report, 8/19/2009, 12:11:24 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Owner\My Documents\compstuff\HiJackThis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\MUSHclient\mushclient.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\compstuff\HiJackThis\HijackThis.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
*No files*
Shell folders AltStartup:
*Folder not found*
User shell folders Startup:
*Folder not found*
User shell folders AltStartup:
*Folder not found*
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
*No files*
Shell folders Common AltStartup:
*Folder not found*
User shell folders Common Startup:
*Folder not found*
User shell folders Alternate Common Startup:
*Folder not found*
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*
[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SpySweeper = "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[OptionalComponents]
*No values found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = "%1" /S
--------------------------------------------------
File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command
(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*
--------------------------------------------------
File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP
[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
[{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser
[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe
[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install
[{8b15971b-5355-4c82-8c07-7e181ea07608}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
--------------------------------------------------
Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps
*Registry key not found*
--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:
load=*INI section not found*
run=*INI section not found*
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssmarque.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Verifying REGEDIT.EXE integrity:
- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'
Registry check passed
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - (no file) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8}
(no name) - (no file) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}
--------------------------------------------------
Enumerating Task Scheduler jobs:
*No jobs found*
--------------------------------------------------
Enumerating Download Program Files:
[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\Java\classes\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd
[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1250647340937
[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash10a.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
--------------------------------------------------
Enumerating Winsock LSP files:
NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
--------------------------------------------------
Enumerating Windows NT/2000/XP services
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AMD K7 Processor Driver: System32\DRIVERS\amdk7.sys (system)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
CSIScanner: "C:\Program Files\Prevx\prevx.exe" /service (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Fax: %systemroot%\system32\fxssvc.exe (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
ialm: System32\DRIVERS\ialmnt5.sys (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Lucent Modem Driver: System32\DRIVERS\ltmdmnt.sys (manual start)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
NVIDIA nForce AGP Bus Filter: System32\DRIVERS\nv_agp.sys (system)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Softex OmniPass Service: C:\Program Files\Softex\OmniPass\Omniserv.exe (autostart)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: \SystemRoot\System32\DRIVERS\pciide.sys (disabled)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
PS2: System32\DRIVERS\PS2.sys (manual start)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
pxscan: System32\drivers\pxscan.sys (system)
pxsec: System32\drivers\pxsec.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver: System32\DRIVERS\R8139n51.SYS (manual start)
S3Psddr: System32\DRIVERS\s3gnbm.sys (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SiS315: System32\DRIVERS\sisgrp.sys (manual start)
SiS AGP Filter: System32\DRIVERS\SISAGPX.sys (system)
SiSkp: System32\DRIVERS\srvkp.sys (system)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
SSI: system32\Drivers\SSI.SYS (system)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)
Webroot Spy Sweeper Engine: C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{DBC49D1F-CE2A-4F95-823A-14394866C90F} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Filter: System32\DRIVERS\viaagp1.sys (system)
ViaIde: \SystemRoot\System32\DRIVERS\viaide.sys (disabled)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Window Washer Engine: C:\Program Files\Webroot\Washer\WasherSvc.exe (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Intel(R) Graphics Platform (SoftBIOS) Driver: system32\drivers\ialmsbw.sys (manual start)
Intel(R) Graphics Chipset (KCH) Driver: system32\drivers\ialmkchw.sys (manual start)

--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINDOWS\System32\_000071_.tmp||C:\WINDOWS\System32\SET21.tmp => C:\WINDOWS\System32\winhttp.dll||s
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*Registry key not found*
--------------------------------------------------
End of report, 30,320 bytes
Report generated in 0.328 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Have to post the uninstally list in another message, sorry. It was too long with them both up here.

~*SilverBolt


----------



## SilverBolt (Jul 21, 2009)

Here's part two of the information that Cookiegal wanted:

*Uninstall List:*

Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.7
Adobe Type Manager 4.0
AOL Instant Messenger
Core FTP LE 2.1
CyberLink PowerDVD 8
DivX Codec
GetRight
HijackThis 2.0.2
HP Deskjet Preloaded Printer Drivers
HP Instant Support
HP Organize
HP Photo & Imaging 3.0
HP Photo and Imaging 2.0 - Photosmart Cameras
HP Software Update
HPImageZone
HTML TADS Author's Kit
Intel(R) Extreme Graphics Driver
IntelliMover Data Transfer Demo
Java 2 Runtime Environment, SE v1.4.1_02
Java Web Start
KBD
LiveUpdate 1.80 (Symantec Corporation)
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft Money 2003
Microsoft Money 2003 System Pack
Microsoft Plus! Digital Media Edition
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Word 2002
Microsoft Works 2002 Setup Launcher
Microsoft Works 6.0
Microsoft Works 7.0
Microsoft Works Suite Add-in for Microsoft Word
MUSICMATCH® Jukebox
NetZero Internet
NVIDIA Gart Driver
NVIDIA Windows 2000/XP Display Drivers
OmniPass
PC-Doctor for Windows
Photosmart 140,240,7200,7600,7700,7900 Series
Presto! ImageFolio LE
Presto! PageManager
Presto! PageType
Prevx 3.0
PS2
PuTTY version 0.59
Python 2.2 combined Win32 extensions
Python 2.2.1
Quicken 2003 New User Edition
RealPlayer
RecordNow!
RM Converter 4.28
RTP 1.32 Add-On for RM2k
S3Display
S3Gamma2
S3Info2
S3Overlay
Sonic Update Manager
Spy Sweeper
toolkit
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Updates from HP
Viewpoint Media Player
VistaShuttle
Weblink
Window Washer
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB824146
Windows XP Hotfix - KB842773
Windows XP Hotfix (SP2) [See q329256 for more information]
Windows XP Hotfix (SP2) Q327979
Windows XP Hotfix (SP2) Q329112
Windows XP Hotfix (SP2) Q329909
Windows XP Hotfix (SP2) Q331958
Windows XP Hotfix (SP2) Q811789
Worlds Apart

I hope that's what you were looking for, and that we can figure out what's going on. I should also mention that I downloaded some things from Microsoft, but I haven't had time to restart to fix them yet.

~*SilverBolt


----------



## Cookiegal (Aug 27, 2003)

Please run the MGA Diagnostic Tool and post back the report it creates:
Download *MGADiag* to your desktop.
Double-click on MGADiag.exe to launch the program
Click "Continue"
Ensure that the "Windows" tab is selected (it should be by default).
Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
Paste the MGA Diagnostic Report back here in your next reply.


----------



## SilverBolt (Jul 21, 2009)

Downloaded/ran the specified program, and here are the results of the diagnostic:

---------------------------------------------------------------------

Diagnostic Report (1.9.0011.0):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-BRVBB-38MQ9-3PMFT
Windows Product Key Hash: 2V2VyxlfhiaCt/JkDzYQfiNOHMA=
Windows Product ID: 55277-OEM-2111907-00106
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010300.1.0.hom
ID: {5EE70314-CAA1-4D82-B53A-B8726311FFA6}(1)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.7.69.2
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A
WgaER Data-->
ThreatID(s): N/A
Version: N/A
WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 101 Not Activated
Microsoft Word 2002 - 101 Not Activated
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1_3E121E02-385-80004005_3E121E02-452-80004005_3E121E02-312-80004005
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Prompt
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Prompt
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{5EE70314-CAA1-4D82-B53A-B8726311FFA6}</UGUID><Version>1.9.0011.0</Version><OS>5.1.2600.2.00010300.1.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-3PMFT</PKey><PID>55277-OEM-2111907-00106</PID><PIDType>2</PIDType><SID>S-1-5-21-450399507-511736373-3662135532</SID><SYSTEM><Manufacturer>HP Pavilion 061</Manufacturer><Model>DM181A-ABA a305w</Model></SYSTEM><BIOS><Manufacturer> </Manufacturer><Version>3.21 </Version><SMBIOSVersion major="2" minor="31"/><Date>20030716******.******+***</Date><SLPBIOS>HP PAVILION</SLPBIOS></BIOS><HWID>DAF23A4F01842042</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Hewlett-Packard</name><model>Pavilion</model></SBID><OEM/><GANotification/></MachineData> <Software><Office><Result>101</Result><Products><Product GUID="{911B0409-6000-11D3-8CFE-0050048383C9}"><LegitResult>101</LegitResult><Name>Microsoft Word 2002</Name><Ver>10</Ver><Val>153FC3BEC025388</Val><Hash>4AUW43fzMhh1NGLUsnsS7mafRhc=</Hash><Pid>54189-OEM-1690606-45892</Pid><PidType>4</PidType></Product></Products><Applications><App Id="1B" Version="10" Result="101"/></Applications></Office></Software></GenuineResults> 
Licensing Data-->
N/A
HWID Data-->
N/A
OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 12E2B:Hewlett-Packard Company|40A0:TriGem Computer Inc
Marker string from OEMBIOS.DAT: HP PAVILION
OEM Activation 2.0 Data-->
N/A

---------------------------------------------------------------------

Was this helpful?

~*SilverBolt


----------



## Cookiegal (Aug 27, 2003)

Why do you not have any MS critcal updates installed?


----------



## SilverBolt (Jul 21, 2009)

A couple of issues actually, to discuss. Firstly the issue of the missing upgrades, and secondly, a development that has happened in the case of the reappearing virus.

As to the upgrades, this computer is so slow that if we install all those upgrades, it will slow to an absolute crawl. I know because I have done this before. Now, I don't mean it would take a couple more seconds to pop the Start menu. I mean literally five minutes JUST to get the Start menu to appear. This is a really old computer, with very little RAM on it. It barely runs XP as it is. That's why we don't have any of them.

Secondly, as to the virus itself. Apparently, the infected "unwise_.exe" is part of a Win32/Heur virus thing. My s/o found a program through Sandboxie called "Avenger" that claims to have deleted unwise_.exe permanently. According to the site from which my s/o got this program from, the site manager had difficulties with the same virus, and made the program to fix it. He claims that by deleting unwise_, the virus was cured. However, Prevx claimed multiple times that it "cleaned" it, so I have little reason to believe that. To that end, I've been patrolling my Task Manager like a hawk since I got on about an hour ago.

After Avenger killed unwise_, we picked up a crapload of other infected files through Prevx. My s/o thinks unwise_ was blocking the picking up of those files. Some were in system files, though none were critical system files. However, Prevx also picked up Avenger as a virus so I made my s/o delete it. Did we do the right thing? Have any of you had any experience with Avenger?

Currently, I don't know the situation. Our computer is the only way we have to access the outside world, and with being on a fixed income, we have no way to buy another computer to replace this one. We have another one, but it's infected with Windows Vista (yes, I believe Vista is a disease) and we can't use it until we can put XP back on it. Which I have no clue how to do. However, I will continue to patrol my Task Manager. All we can really do now is wait and see how things go.

~*SilverBolt


----------



## Cookiegal (Aug 27, 2003)

Avenger is fine. It's normal for some security programs to be detected as suspicious by other security programs due to their nature.

How much RAM do you have on this computer?

Not having the updates leaves your system very vulnerable and therefore even cleaning it up is a futile effort as you will undoubtedly get reinfected almost immediately through those holes that are left open.

I'm willing to continue to see if we can get this thing cleaned up as you depend on it and then once it's cleaned, you may be able to do a bit more with it to keep it clean.

For now, please do the following:

Go to *Start *- *Run * type in *cmd *then click OK. The MSDOS window will be displayed. At the prompt type the following exactly as written, including all spaces and the quotation marks:

*SC Stop "Windows Hosts Controller"*

Then press Enter

Then type:
*
SC Delete "Windows Hosts Controller"*

Then press Enter

Type Exit and press Enter.

This should delete the service created by the malware (the unwise_.exe file).

After doing that, please do the following. It's a very small program and you shouldn't have any problem downloading it.

*Click here* to download ATF Cleaner by Atribune and save it to your desktop.
Double-click *ATF-Cleaner.exe* to run the program.
Under *Main* choose: *Select All*
Click the *Empty Selected* button.
*If you use Firefox:*
Click *Firefox* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.


*If you use Opera:*
Click *Opera* at the top and choose: *Select All*
Click the *Empty Selected* button.
*
[*]NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.


Click *Exit* on the Main menu to close the program.

After doing the above, please post a new HijackThis log.


----------



## SilverBolt (Jul 21, 2009)

Actually, I found out what my partner did. Somehow he restored the computer to a previous point in time, to before we had the infection. He ran Prevx after that, found the crapload of weird files, and cleaned them out. He says he ran Prevx again today -- a full scan -- and it found nothing.

Regarding the instructions you gave me, I typed in *SC Stop "Windows Hosts Controller"* and got the following message:

---------------------------------------

[SC] ControlService FAILED 1062:

The service has not been started.

---------------------------------------

Typing in *SC Delete "Windows Hosts Controller"* gave me the following message:

---------------------------------------

[SC] DeleteService SUCCESS

---------------------------------------

I downloaded the ATF Cleaner and ran it. Is it like Window Washer? If so, is it any more capable? I run Window Washer every day; should I run them both from now on?

And finally, here is the HijackThis log. I hope this is what you wanted. If not, can you refresh my memory on how to obtain the log you're looking for?

---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:28:59 AM, on 8/24/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\MUSHclient\mushclient.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\compstuff\HiJackThis\HijackThis.exe
C:\WINDOWS\System32\notepad.exe
C:\WINDOWS\System32\notepad.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=...D=1088406000000&I=8.NQ4&N=PL&O=A&UT=companion
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O1 - Hosts file is located at: C:\WINDOWS\System32\drivers\etc\hosts
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3A5095E-400C-4020-8247-007DF7EBB44C}: NameServer = 64.136.52.73 64.136.44.73
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
--
End of file - 4268 bytes


----------



## Cookiegal (Aug 27, 2003)

I don't know about Window Washer but if it cleans out the temp files, history, etc. then I guess they do about the same thing. You can uninstall ATFCleaner.

Evidently the bad service was still installed although inactive so we've now deleted it.

Download *OTS.exe * to your Desktop and double-click on it to extract the files. It will create a folder named *OTS* on your desktop.

Close any open browsers.
If your Real protection or Antivirus interferes with OTS, allow it to run.
Open the *OTS* folder and double-click on *OTS.exe* to start the program.
In *Additional Scans *section put a check in Disabled MS Config Items and EventViewer logs
Now click the *Run Scan *button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file.
Use the *Reply* button, scroll down to the attachments section and attach the notepad file here.


----------



## SilverBolt (Jul 21, 2009)

I downloaded and ran the program you requested. I think I attached the right file to the post. I hope this is the right one, anyway.

~*SilverBolt


----------



## Cookiegal (Aug 27, 2003)

You have a lot of files/folders in System32 that look like this:

C:\WINDOWS\System32\asr_qqtth

They all start with asr_ followed by different combinations of random letters and there are no file extensions so they must be folders.

Do you have any idea what these are for?

Start *OTS*. Copy/Paste the information in the code box below into the pane where it says *"Paste fix here"* and then click the "Run Fix" button.

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. CLick the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log please.


```
[Kill All Processes]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {31FF080D-12A3-439A-A2EF-4BA95A3148E8} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YN -> {c95fe080-8f5d-11d2-a20b-00aa003c157a}:%SystemRoot%\web\related.htm [HKLM] -> C:\WINDOWS\web\related.htm [Button: @shdoclc.dll,-866]
YN -> {c95fe080-8f5d-11d2-a20b-00aa003c157a}:%SystemRoot%\web\related.htm [HKLM] -> C:\WINDOWS\web\related.htm [Menu: @shdoclc.dll,-864]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{c95fe080-8f5d-11d2-a20b-00aa003c157a}" [HKLM] -> [@shdoclc.dll,-866]
[Files/Folders - Created Within 30 Days]
NY -> 2 C:\*.tmp files -> C:\*.tmp
[Files/Folders - Modified Within 30 Days]
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> 1 C:\Documents and Settings\Owner\Application Data\*.tmp files -> C:\Documents and Settings\Owner\Application Data\*.tmp
NY -> 4 C:\Documents and Settings\Owner\My Documents\*.tmp files -> C:\Documents and Settings\Owner\My Documents\*.tmp
[Empty Temp Folders]
[Start Explorer]
[Reboot]
```


----------



## SilverBolt (Jul 21, 2009)

Actually, I have no clue what all those files are for. I didn't want to delete them, because I don't know what they're for, and if they're important, I'll be screwing up the computer. I ran the fix you specified, it rebooted the computer, and opened the log. However, wmiprvse.exe, and occasionally HelpSvc.exe, have recently started running when my screen saver pops up, for some reason. Anyway, here are the logs you requested:

*OST Log:*

All Processes Killed
[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31FF080D-12A3-439A-A2EF-4BA95A3148E8}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31FF080D-12A3-439A-A2EF-4BA95A3148E8}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c95fe080-8f5d-11d2-a20b-00aa003c157a}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c95fe080-8f5d-11d2-a20b-00aa003c157a}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c95fe080-8f5d-11d2-a20b-00aa003c157a}\ not found.
[Files/Folders - Created Within 30 Days]
[Files/Folders - Modified Within 30 Days]
C:\WINDOWS\LastGood.Tmp\Twain_32\Lexmark\X5100 Series folder deleted successfully.
C:\WINDOWS\LastGood.Tmp\Twain_32\Lexmark folder deleted successfully.
C:\WINDOWS\LastGood.Tmp\Twain_32 folder deleted successfully.
C:\WINDOWS\LastGood.Tmp\System32\drivers folder deleted successfully.
C:\WINDOWS\LastGood.Tmp\System32 folder deleted successfully.
C:\WINDOWS\LastGood.Tmp folder deleted successfully.
C:\WINDOWS\msdownld.tmp folder deleted successfully.
[Empty Temp Folders]

User: Administrator
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
->Temp folder emptied: 82378 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Owner
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 1609900 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 514048 bytes

Total Files Cleaned = 2.10 mb

< End of fix log >
OTS by OldTimer - Version 3.0.10.3 fix logfile created on 09012009_231303
Files\Folders moved on Reboot...
Registry entries deleted on Reboot...

*HJT Log:*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:03 PM, on 9/1/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\notepad.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\Owner\My Documents\compstuff\HiJackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=...D=1088406000000&I=8.NQ4&N=PL&O=A&UT=companion
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
--
End of file - 3477 bytes


----------



## Cookiegal (Aug 27, 2003)

Please navigate to one of the folders/files I asked you about and let me know if they are indeed folders or files. If they are folders, please give me the names of some files they contain.


----------



## SilverBolt (Jul 21, 2009)

The "asr_files" are indeed files. But oddly enough, they have no file extensions. There are approximately 85 of these files, to my knowledge they're not doing anything, since they have no file extensions. Though like I said earlier, I have no clue if they really ARE important or not, so I'm a little reluctant to delete them. None have been modified any later than August 20th, though.

~*SilverBolt


----------



## Cookiegal (Aug 27, 2003)

Please go to the link below and try uploading a few of those files for analysis and let me know what the results are please:

http://virusscan.jotti.org/


----------



## SilverBolt (Jul 21, 2009)

I uploaded a handful of files, and several of the scanners detected it as malware--downloader Bat!IK, downloader BatFTP, downloader BotFTP.gen, etc., etc. I don't want to sit here and upload every file, so I'm going to just try to delete the whole lot of them. I hope it doesn't crash anything, but if it does, you'll know why I haven't responded for a week or more.

~*SilverBolt


----------



## Cookiegal (Aug 27, 2003)

I suspect they are malware but I would have liked to see a couple of those reports. We could also have one or two uploaded and analyzed by a colleague if necessary.


----------



## SilverBolt (Jul 21, 2009)

Oops! I'm sorry, I deleted them.  None had been accessed or modified since August at the latest, though. My computer seems okay for the most part now. I've been trying to keep things pretty well scanned and cleaned up. But I don't think Prevx actually offers "real-time" protection despite its claims, since I've never gotten any notification that anything was wrong. Anybody know a real-time antivirus with a low footprint that won't ravish my system resources shamelessly? 

~*SilverBolt


----------



## Cookiegal (Aug 27, 2003)

Avast is a good one.

Please visit *Combofix Guide & Instructions * for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read  *HERE * for an article written by dvk01 on why we disable autoruns.


----------



## SilverBolt (Jul 21, 2009)

Disabling autoruns is going to be a little bit of a problem, but so long as it can be reset to do that manually with relatively little trouble, it shouldn't be too bad. I can imagine why they're disabled, since there's no telling what's on a peripheral you plug into your computer. Though, what we have is a window pops up that asks what we want to do with the CD we put in. I think it calls itself AutoPlay. That's all we need to preserve. How do we go about doing that?

~*SilverBolt


----------



## Cookiegal (Aug 27, 2003)

We cannot preserve Autoplay but we can reset it after we're finished. All you need to do is click on the media you insert to play it.


----------



## SilverBolt (Jul 21, 2009)

I have a couple more questions. Firstly, how would I go about resetting the Autoplay, I'd like to go ahead and know how to do that before I start fiddling with anything.

Secondly...well, this one's a little odd. My spouse is asking why we're downloading all these programs onto our computer, and seems to be a little frustrated with the having to download a new program every time we check the boards.

I know he's concerned, and I am too, since this is our only computer, and getting another computer is not an option. At all. Ever in a million years. Not just "it would be hard". It will literally be *impossible*. There are a lot of people that I talk to that really, truly don't understand the concept of not being able to get something they want, so I've taken to trying to explain it. It's...not easy. XD

Anyway...my spouse wants to know why all these programs. I'm sorry, I don't mean to offend anybody, but he's concerned. 

~*SilverBolt


----------



## Cookiegal (Aug 27, 2003)

You asked for help to remove this infection and that's what I was doing. These programs are needed for that. I'm surprised that you're so concerned about them but not so much about running a computer without any anti-virus program or MS updates, thus leaving it a sitting duck in the water.


----------



## SilverBolt (Jul 21, 2009)

I'm sorry this took me forever and a day to get back to. But my online time has decreased drastically in the last couple of weeks, and I rarely have time to work anymore, especially during the week.

I actually pointed out that it was my spouse who was concerned about it, not me. And I do apologize once again if I offended you by asking the question.

We have not had any other trouble with the computer, yet I'm fairly certain there's still something lurking in there. But unfortunately, we cannot know there is a problem until there is a problem.

I do appreciate your efforts; thank you very much! 

~*SilverBolt


----------



## Cookiegal (Aug 27, 2003)

You're welcome and I wish you the best of luck.


----------



## SilverBolt (Jul 21, 2009)

Whew...looks like we ARE still having problems, though not with the same thing. IE is having problems with Hotmail now. Many times the bar with "Reply" and the like won't load, no matter how long I leave it. Also, when I tried to reply to a message that it claimed was too big to open (and it shouldn't have been), IE closed. However, it was not the typical window. It looked odd. If I could have gotten a screencap of it, I would have, but I didn't think about it 'till after I closed the window.

I'm going to run combofix now, and see what it tells me. Those I'll try to post, along with another HijackThis log. I'm sorry if I offended anyone; I do appreciate your help, and I know you're doing this out of the goodness of your heart. Thank you all so much! I'll hope to post something soon.

~*Silverbolt


----------



## SilverBolt (Jul 21, 2009)

*Here's the ComboFix log:*
------------------------------------------------------

ComboFix 09-10-25.01 - Owner 10/25/2009 16:56.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.247.136 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\S-1-5-21-2700397627-2277956075-1170964477-1003
c:\recycler\S-1-5-21-450399507-511736373-3662135532-500
c:\recycler\S-1-5-21-716990362-2579666946-2042503000-1003
c:\windows\Downloaded Program Files\RdxIE.dll
c:\windows\hosts
c:\windows\system32\iAlmcoin.dll
c:\windows\system32\ps2.bat
c:\windows\viassary-hp.reg
Infected copy of c:\windows\system32\qmgr.dll was found and disinfected 
Restored copy from - c:\windows\$NtUninstallKB842773$\qmgr.dll 
.
((((((((((((((((((((((((( Files Created from 2009-09-25 to 2009-10-25 )))))))))))))))))))))))))))))))
.
2009-10-22 12:47 . 2009-10-22 12:47 -------- d-----w- c:\documents and settings\All Users\Application Data\NetZero
2009-10-18 06:17 . 2009-10-18 06:17 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\DNA
2009-10-18 06:17 . 2009-10-18 06:22 -------- d-----w- c:\program files\DNA
2009-10-18 06:17 . 2009-10-18 06:25 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2009-10-17 03:21 . 2009-10-22 13:46 -------- d-----w- c:\program files\NetZero
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-24 16:47 . 2009-07-22 07:03 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2009-10-22 23:34 . 2004-12-20 21:06 -------- d-----w- c:\program files\Dictionary
2009-10-21 04:19 . 2009-03-26 00:15 -------- d-----w- c:\documents and settings\Owner\Application Data\CoreFTP
2009-10-13 08:59 . 2004-11-11 17:04 -------- d-----w- c:\program files\MUSHclient
2009-10-04 20:11 . 2009-07-22 07:04 27656 ----a-w- c:\windows\system32\drivers\pxsec.sys
2009-10-04 20:11 . 2009-07-22 07:04 22024 ----a-w- c:\windows\system32\drivers\pxscan.sys
2009-09-14 05:38 . 2007-02-05 10:36 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-09-06 08:38 . 2003-08-23 14:12 50088 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 22:40 . 2009-01-13 01:38 522505 ----a-w- c:\documents and settings\All Users\Application Data\phn.dat
2007-06-05 05:56 . 2006-07-20 12:36 15872 --sha-w- c:\program files\Thumbs.db
2001-07-01 22:41 . 2001-07-01 22:41 311 ----a-w- c:\program files\LEGGIMI by RADOX.txt
2004-01-07 01:34 . 2004-02-19 22:02 0 -csha-w- c:\windows\SMINST\HPCD.SYS
.
------- Sigcheck -------

[-] 2002-11-27 09:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\windows\system32\mspmsnsv.dll
c:\windows\system32\wscntfy.exe ... is missing !!
c:\windows\system32\xmlprov.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeper.exe" [2005-10-27 3296256]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-29 185872]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2002-08-29 51200]
c:\documents and settings\Default User\Start Menu\Programs\Startup\
mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-7 27136]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
2003-02-21 10:50 40960 ----a-w- c:\program files\Softex\OmniPass\OPXPGina.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0SsiEfr.e
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [7/22/2009 1:04 AM 22024]
R0 SSI;SSI;c:\windows\system32\drivers\ssi.sys [7/22/2009 11:41 AM 78336]
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [8/26/2008 10:13 AM 4064]
R2 PPCLASS;PPCLASS;c:\windows\system32\drivers\ppclass.sys [8/24/2008 8:24 PM 85868]
R2 PPSCAN;PPSCAN;c:\windows\system32\drivers\ppscan.sys [8/24/2008 8:24 PM 120544]
S0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [7/22/2009 1:04 AM 27656]
S2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [7/22/2009 1:04 AM 4368952]
S2 mrtRate;mrtRate; [x]
S2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [8/24/2008 8:16 PM 598856]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ALG
*NewlyCreated* - IPNAT
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://srch-us9.hpwis.com/
mStart Page = hxxp://us9.hpwis.com/
mSearch Bar = hxxp://srch-us9.hpwis.com/
uInternet Connection Wizard,ShellNext = hxxp://my.netzero.net/s/sp?r=al&cf=sp&mem=kumorikiki&login=cc563de9b9fa9632f563083857072e7d/kumorikiki:netzero.net/1219629547/30/sss.5.30383/&ts=48b211eb&A=0&B=1157698800000&C=1157698800000&D=1088406000000&I=8.NQ4&N=PL&O=A&UT=companion
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
IE: Display All Images with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/228"
IE: Display Image with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/227"
Name-Space Handler: ftp\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\progra~1\GetRight\xx2gr.dll
Name-Space Handler: http\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\progra~1\GetRight\xx2gr.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
AddRemove-HijackThis - c:\documents and settings\Owner\My Documents\HiJackThis\HijackThis.exe

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-25 17:12
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ... 
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(464)
c:\windows\System32\ODBC32.dll
c:\program files\Softex\OmniPass\opxpgina.dll
c:\windows\system32\WRLogonNTF.dll
- - - - - - - > 'lsass.exe'(520)
c:\windows\System32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Webroot\Spy Sweeper\WRSSSDK.exe
c:\combo-fix\CF14025.exe
c:\combo-fix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-25 17:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-25 23:19
Pre-Run: 2,663,686,144 bytes free
Post-Run: 2,644,774,912 bytes free
- - End Of File - - A3B0D2CDAC0156B29CDD45678300DEBD

------------------------------------------------------
*And here's the HijackThis Log:*
------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:23:04 PM, on 10/25/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Prevx\prevx.exe
C:\Documents and Settings\Owner\My Documents\compstuff\HiJackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=...D=1088406000000&I=8.NQ4&N=PL&O=A&UT=companion
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero\SearchEnh1.dll
O2 - BHO: Pop-up Blocker - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
--
End of file - 3827 bytes

------------------------------------------------------

See anything weird?

~*Silverbolt


----------



## Cookiegal (Aug 27, 2003)

The best thing to do would be to reformat the machine and start fresh. Be sure to back up anything important first and then go directly to MS to get ALL SP3 and then all critical updates immediately. Then install a good anti-virus and firewall program.

Be sure to change all of your passwords as well.


----------



## SilverBolt (Jul 21, 2009)

Oh no...I was hoping it wouldn't come to that. Is the problem that bad? You can tell from the logs I posted that it's completely and totally beyond all hope? I can't really do that because 1) I don't know how, 2) I have no other way to access the Internet except this computer, and 3) if I screw it up, I am completely and utterly screwed, because I do not have another computer.

*sigh* Oh well...I guess I'll use this one 'till it explodes. Since Prevx caught all that weird stuff, I haven't really had any other extremely bad problems with the machine other than the problems I've had with every PC I've ever owned. Thanks so much for all your help! 

~*SilverBolt


----------



## Cookiegal (Aug 27, 2003)

Yes, you really should reformat and start fresh.


----------

