wicked23 log

wicked23
I have a PC that thinks the C:\windows folder is 35.9 GB and is giving me a low disk space message. I copied the folder to another PC and it's only 3.59 GB.

Logfile of HijackThis v1.99.1
Scan saved at 1:40:32 PM, on 6/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PVSW\Bin\W3DBSMGR.EXE
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\mmc.exe
G:\ronny\analyze.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://03/
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: net use printer.lnk = C:\printer.bat
O4 - Global Startup: Pervasive.SQL Workstation Engine.lnk = C:\PVSW\Bin\W3DBSMGR.EXE
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = afg.com
O17 - HKLM\Software\..\Telephony: DomainName = afg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = afg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = afg.com
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
 
As soon as I get home, I will create your instructions. Sadly, I don't have my libraries here with me.
 
Hello Wicked23, :)

I am now at home, and I can assist you with your computer. Follow all of my steps to the best of your ability, and every time I post up a fix it would probably be best to save it to notepad or print it out since you will not be able to access the page during the fixing process.

Step 1 | Deckard's System Scanner

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Step 2 | Jotti File Submission

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
    • C:\printer.bat
  • Click on the submit button
  • Please post the results in your next reply.

Logs Required In Next Post
-----------------------------

DSS Log
Jotti Log
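The helper above picked one line out of the whole HijackThis log for a second opinion: the O4 Startup entry that launches C:\printer.bat from the root of the drive. As an added example (not from this thread and not part of HijackThis or DSS), the Python below does that first triage pass over HijackThis-format lines: it keeps only the autostart sections (O4, O20, O21, O23) and flags targets marked "(file missing)", targets outside C:\WINDOWS and C:\Program Files, and script launchers such as .bat or .vbs. The trusted roots, the %VAR% expansions and the flag names are my assumptions; the sample lines are constructed after the log posted above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in HijackThis 1.99.1 format, modelled on the log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: net use printer.lnk = C:\printer.bat
O4 - Global Startup: Pervasive.SQL Workstation Engine.lnk = C:\PVSW\Bin\W3DBSMGR.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
"""

# Every HijackThis finding starts with a section code (R1, O4, O20, O23, ...).
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")

# A Windows path: drive letter or %VAR% root, then up to a short file extension.
PATH_RE = re.compile(r"(?:[A-Za-z]:|%[A-Za-z]+%)\\[^\"\n]*?\.[A-Za-z0-9]{2,4}")

# Sections that describe code launched automatically: startup items,
# Winlogon notify DLLs, shell service objects and services.
AUTOSTART_SECTIONS = {"O4", "O20", "O21", "O23"}

# Where autostart targets normally live on this XP box (assumption); the %VAR%
# roots HijackThis leaves unexpanded are mapped so prefix checks work.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")
ENV_ROOTS = {"%systemroot%": "C:\\WINDOWS", "%windir%": "C:\\WINDOWS",
             "%programfiles%": "C:\\Program Files"}

# Script launchers deserve a second look even when they sit in a trusted root.
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")


@dataclass
class HjtEntry:
    section: str
    raw: str
    target: Optional[str]
    flags: List[str] = field(default_factory=list)


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Split one log line into section code and launched target; None if it is not a finding."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    paths = PATH_RE.findall(m.group("body"))
    # On O4 Startup lines the .lnk name comes first; the last path is what actually runs.
    target = paths[-1] if paths else None
    return HjtEntry(m.group("section"), line.strip(), target)


def _expand(path: str) -> str:
    """Replace a leading %VAR% with its assumed value so it can be compared to TRUSTED_ROOTS."""
    head, sep, tail = path.partition("\\")
    return ENV_ROOTS.get(head.lower(), head) + sep + tail


def assess(entry: HjtEntry) -> HjtEntry:
    """Attach review flags to an entry; an empty flags list means nothing stood out."""
    if "(file missing)" in entry.raw.lower():
        entry.flags.append("file missing")
    if entry.target:
        expanded = _expand(entry.target).lower()
        if not expanded.startswith(TRUSTED_ROOTS):
            entry.flags.append("outside Windows/Program Files")
        if expanded.endswith(SCRIPT_EXTENSIONS):
            entry.flags.append("script launcher")
    return entry


def triage(log_text: str) -> List[HjtEntry]:
    """Return the autostart entries that carry at least one flag, in log order."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_hjt_line(line)
        if entry is None or entry.section not in AUTOSTART_SECTIONS:
            continue
        if assess(entry).flags:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section:<4}{(e.target or '-'):<50}{', '.join(e.flags)}")
```

On the sample this surfaces C:\printer.bat (outside the trusted roots and a script), the Pervasive engine under C:\PVSW, and the two "(file missing)" entries, while the O9 xpnetdiag line is ignored because O9 is not an autostart section.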
 
Here are the two from step one. I deleted the usernames and domain for security reasons.



Deckard's System Scanner v20071014.68
Run by q on 2008-06-03 08:21:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.

-- Last 2 Restore Point(s) --
2: 2008-06-03 12:21:46 UTC - RP805 - Deckard's System Scanner Restore Point
1: 2008-06-02 19:24:24 UTC - RP804 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.
System Drive C: has 0.81 GiB (less than 15%) free.

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-03 08:25:49
Platform: Windows XP Service Pack 3 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\RealVNC\VNC4\winvnc4.exe
C:\WINDOWS\system32\searchindexer.exe
C:\WINDOWS\system32\CCM\clicomp\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PVSW\Bin\W3DBSMGR.EXE
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Documents and Settings\qua-optim\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://03/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Startup: net use printer.lnk = C:\printer.bat
O4 - Global Startup: Pervasive.SQL Workstation Engine.lnk = C:\PVSW\Bin\W3DBSMGR.EXE
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\Software\..\Telephony: DomainName = a
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = a
O17 - HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: Domain = a
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = a
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\winvnc4.exe

--
End of file - 3464 bytes

-- File Associations -----------------------------------------------------------
.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R2 PMEM - c:\windows\system32\drivers\pmemnt.sys

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 WinVNC4 (VNC Server Version 4) - "c:\program files\realvnc\vnc4\winvnc4.exe" -service

-- Device Manager: Disabled ----------------------------------------------------
No disabled devices found.

-- Files created between 2008-05-03 and 2008-06-03 -----------------------------
2008-06-03 08:17:35 0 d-------- C:\Documents and Settings\a\Application Data\Windows Desktop Search
2008-06-03 08:08:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-06-02 14:28:08 0 d-------- C:\Documents and Settings\r\Application Data\Windows Desktop Search
2008-06-02 14:27:47 0 d-------- C:\Documents and Settings\r\Application Data\Identities
2008-06-02 14:27:19 0 d--h----- C:\Documents and Settings\r\Templates
2008-06-02 14:27:19 0 dr------- C:\Documents and Settings\r\Start Menu
2008-06-02 14:27:19 0 dr-h----- C:\Documents and Settings\r\SendTo
2008-06-02 14:27:19 0 dr-h----- C:\Documents and Settings\r\Recent
2008-06-02 14:27:19 0 d--h----- C:\Documents and Settings\r\PrintHood
2008-06-02 14:27:19 786432 --ah----- C:\Documents and Settings\r\NTUSER.DAT
2008-06-02 14:27:19 0 d--h----- C:\Documents and Settings\r\NetHood
2008-06-02 14:27:19 0 dr------- C:\Documents and Settings\r\My Documents
2008-06-02 14:27:19 0 d--h----- C:\Documents and Settings\r\Local Settings
2008-06-02 14:27:19 0 dr------- C:\Documents and Settings\r\Favorites
2008-06-02 14:27:19 0 d-------- C:\Documents and Settings\r\Desktop
2008-06-02 14:27:19 0 d---s---- C:\Documents and Settings\r\Cookies
2008-06-02 14:27:19 0 dr-h----- C:\Documents and Settings\r\Application Data
2008-06-02 14:27:19 0 d---s---- C:\Documents and Settings\r\Application Data\Microsoft
2008-06-02 14:21:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-02 14:18:22 0 dr-h----- C:\Documents and Settings\q\Recent
2008-06-02 14:17:24 0 d-------- C:\Program Files\Yahoo!
2008-06-02 14:17:17 0 d-------- C:\Program Files\CCleaner
2008-06-02 14:00:46 0 d-------- C:\VundoFix Backups
2008-06-02 13:59:55 414 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-02 13:59:19 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-02 13:59:19 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-06-02 13:59:19 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-06-02 13:59:19 53248 --a------ C:\WINDOWS\system32\Process.exe
2008-06-02 13:59:19 77824 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-06-02 13:59:19 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-02 13:59:17 0 d-------- C:\Documents and Settings\qua-optim\SmitfraudFix
2008-06-02 11:15:58 0 d-------- C:\WINDOWS\Prefetch
2008-06-02 11:10:02 0 d-------- C:\WINDOWS\system32\scripting
2008-06-02 11:10:02 0 d-------- C:\WINDOWS\system32\en
2008-06-02 11:10:02 0 d-------- C:\WINDOWS\system32\bits
2008-06-02 11:10:02 0 d-------- C:\WINDOWS\l2schemas
2008-06-02 11:07:34 0 d-------- C:\WINDOWS\ServicePackFiles
2008-06-02 11:04:56 0 d-------- C:\WINDOWS\network diagnostic
2008-06-02 11:02:56 0 d-------- C:\WINDOWS\system32\ReinstallBackups

-- Find3M Report ---------------------------------------------------------------
2008-06-02 11:10:17 0 d-------- C:\Program Files\Messenger
2008-06-02 11:10:02 0 d-------- C:\Program Files\Movie Maker
2008-06-02 11:07:13 0 d-------- C:\Program Files\Windows NT
2008-06-02 10:33:13 0 d-------- C:\Program Files\Common Files

-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [10/08/2004 11:31 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [10/08/2004 11:27 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/14/2008 05:42 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"TSClientMSIUninstaller"=cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

C:\Documents and Settings\q\Start Menu\Programs\Startup\
net use printer.lnk - C:\printer.bat [3/23/2006 3:57:42 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Pervasive.SQL Workstation Engine.lnk - C:\PVSW\Bin\W3DBSMGR.EXE [4/12/2006 2:40:16 PM]
Printkey2000.lnk - C:\Program Files\PrintKey2000\Printkey2000.exe [6/10/2005 8:38:51 AM]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2/5/2007 3:40:46 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"MaxGPOScriptWait"=60 (0x3c)
"RunLogonScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [02/05/2007 03:39 PM 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{AEB9D4A0-199B-4dfa-A18D-E2DD5D989EDF}]
rundll32.exe advpack.dll,LaunchINFSectionEx %SystemDrive%\DOCUME~1\AFGADM~1.AFG\LOCALS~1\Temp\winmesrm.inf,RemoveReg

-- End of Deckard's System Scanner: finished at 2008-06-03 08:28:03 ------------


Step two is gonna be an issue. This PC does not have internet access.
 
It seems that your word wrap is turned on. Can you please do the following and then run DSS again:

- Open a Notepad
- Click Format
- Uncheck Word Wrap

It makes it VERY hard to read logs if that is turned on :) As you can see from your jumbled text above :p
 
HERE YOU GO.

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------
-- System Information ----------------------------------------------------------
Microsoft Windows XP Professional (build 2600) SP 3.0
Architecture: X86; Language: English
CPU 0: Intel(R) Pentium(R) 4 CPU 3.00GHz
Percentage of Memory in Use: 35%
Physical Memory (total/avail): 1014.48 MiB / 658.57 MiB
Pagefile Memory (total/avail): 1674.64 MiB / 1422.23 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1914.15 MiB
A: is Removable (No Media)
C: is Fixed (NTFS) - 37.26 GiB total, 0.81 GiB free.
D: is CDROM (No Media)
E: is Network (NTFS)
F: is Network (NTFS)
L: is Network (NTFS)
N: is Network (NTFS)
\\.\PHYSICALDRIVE0 - HDS728040PLA320 40Y9027LEN - 37.27 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.26 GiB - C:

-- Security Center -------------------------------------------------------------
AUOptions is scheduled to auto-install.

-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\qua-optim\Application Data
CLASSPATH=C:\PVSW\BIN\PVJDBC2X.JAR;C:\PVSW\BIN\PVJDBC2.JAR
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=Q
ComSpec=C:\WINDOWS\system32\cmd.exe
CUR=11
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\q
LOGONSERVER=\\A8
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\PVSW\BIN;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\Downloaded Program Files;
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PMCBED="T1S|"
PMCCFG=n:\PMCSYS\
PMCDEV=1
PMCMENU=SETME
PMCWS=1
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\QUA-OP~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\QUA-OP~1\LOCALS~1\Temp
USERDNSDOMAIN=A
USERDOMAIN=A
USERNAME=q
USERPROFILE=C:\Documents and Settings\q
VSL=C:\PVSW\BIN
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------
deleted by me.

-- Add/Remove Programs ---------------------------------------------------------
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
HijackThis 1.99.1 --> G:\ronny\HijackThis.exe /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel(R) Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2782 PCI\VEN_8086&DEV_2582
Macromedia Flash Player 8 --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\swflash.inf,DefaultUninstall,5
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Virtual PC 2004 --> MsiExec.exe /X{CCCAFDDE-ECEC-4AE4-BD97-047076BBD4A9}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Pervasive.SQL 2000i Workstation v7.94 --> C:\WINDOWS\IsUninst.exe -fC:\PVSW\DeIsL1.isu -c"C:\PVSW\W32PTKUN.DLL" -mpsql.mif
PMCSyncMate --> MsiExec.exe /I{24EEF338-24BC-4993-AED7-0172CD0E9638}
PrintKey2000 --> C:\PROGRA~1\PRINTK~1\UNWISE.EXE C:\PROGRA~1\PRINTK~1\INSTALL.LOG
RMRptBRp --> C:\WINDOWS\st6unst.exe -n "C:\PMCSoft\ST6UNST.LOG"
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
VNC 4.0 --> "C:\Program Files\RealVNC\VNC4\unins000.exe"
Windows Desktop Search 3.01 --> "C:\WINDOWS\$NtUninstallKB917013$\spuninst\spuninst.exe"
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
XML Paper Specification Shared Components Pack 1.0 -->
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe

-- Application Event Log -------------------------------------------------------
Event Record #/Type12356 / Warning
Event Submitted/Written: 06/03/2008 08:17:25 AM
Event ID/Source: 63 / WinMgmt
Event Description:
A provider, PolicyAgentInstanceProvider, has been registered in the WMI namespace, ROOT\ccm\policy\S_1_5_21_3159313733_352247347_3953735146_1003, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
Event Record #/Type12355 / Warning
Event Submitted/Written: 06/03/2008 08:17:25 AM
Event ID/Source: 63 / WinMgmt
Event Description:
A provider, PolicyAgentInstanceProvider, has been registered in the WMI namespace, ROOT\ccm\policy\S_1_5_21_3159313733_352247347_3953735146_1003, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
Event Record #/Type12354 / Error
Event Submitted/Written: 06/03/2008 08:10:08 AM
Event ID/Source: 3024 / Windows Search Service
Event Description:
The update cannot be started because the content sources cannot be accessed. Fix the errors and try the update again.
Context: Windows Application, SystemIndex Catalog
Event Record #/Type12353 / Warning
Event Submitted/Written: 06/03/2008 08:10:08 AM
Event ID/Source: 3036 / Windows Search Service
Event Description:
The content source <outlookexpress://{s-1-5-21-701462823-513570533-11539462-18901}/{8f677785-6969-4388-9fae-58be77cf7347}/> cannot be accessed.
Context: Windows Application, SystemIndex Catalog
Details:
(0x81270005)
Event Record #/Type12345 / Warning
Event Submitted/Written: 06/02/2008 02:27:32 PM
Event ID/Source: 63 / WinMgmt
Event Description:
A provider, PolicyAgentInstanceProvider, has been registered in the WMI namespace, ROOT\ccm\policy\S_1_5_21_701462823_513570533_11539462_18901, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

-- Security Event Log ----------------------------------------------------------
No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------
Event Record #/Type9203 / Warning
Event Submitted/Written: 06/02/2008 03:41:12 PM
Event ID/Source: 20 / Print
Event Description:
Printer Driver Kyocera Mita KM-3035 KX for Windows NT x86 Version-3 was added or updated. Files:- KMUC31EO.DLL, KMUU31EO.DLL, KMK00610.MDX, KMFS31EO.DLL, KMRG31EO.DLL, KMRC31EO.DLL, KM3D31EO.DLL, KMPE31EO.DLL, KCMV3D.INI, KMWM31EO.DLL, KMPF31EO.DLL, KMWTEN20.HLP, KMXL31EO.DLL, KM5E31EO.DLL, KM5C31EO.DLL, KMPS31EO.DLL, KMAGFA1.FDF, KMPRE2.FDF, KM321710.DAT, KMKHEN20.CHM.
Event Record #/Type9202 / Warning
Event Submitted/Written: 06/02/2008 03:41:09 PM
Event ID/Source: 20 / Print
Event Description:
Printer Driver HP LaserJet 8000 Series PCL for Windows NT x86 Version-3 was added or updated. Files:- UNIDRV.DLL, UNIDRVUI.DLL, HPLJ8000.GPD, UNIDRV.HLP, hpmopyui.ini, hpoemui.dll, HPCFONT.DLL, ttfsub.gpd, STDNAMES.GPD, hpcljx.hlp, pcl5eres.dll, UNIRES.DLL.
Event Record #/Type9099 / Warning
Event Submitted/Written: 06/02/2008 11:17:11 AM
Event ID/Source: 20 / Print
Event Description:
Printer Driver HP LaserJet 1200 Series PCL for Windows NT x86 Version-3 was added or updated. Files:- %4.
Event Record #/Type9098 / Warning
Event Submitted/Written: 06/02/2008 11:17:11 AM
Event ID/Source: 20 / Print
Event Description:
Printer Driver HP LaserJet 8000 Series PCL for Windows NT x86 Version-3 was added or updated. Files:- %4.
Event Record #/Type9097 / Warning
Event Submitted/Written: 06/02/2008 11:17:11 AM
Event ID/Source: 20 / Print
Event Description:
Printer Driver Microsoft XPS Document Writer for Windows NT x86 Version-3 was added or updated. Files:- %4.

-- End of Deckard's System Scanner: finished at 2008-06-03 08:28:03 ------------

Deckard's System Scanner v20071014.68
Run by qua-optim on 2008-06-03 08:21:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.

-- Last 2 Restore Point(s) --
2: 2008-06-03 12:21:46 UTC - RP805 - Deckard's System Scanner Restore Point
1: 2008-06-02 19:24:24 UTC - RP804 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.
System Drive C: has 0.81 GiB (less than 15%) free.

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-03 08:25:49
Platform: Windows XP Service Pack 3 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\RealVNC\VNC4\winvnc4.exe
C:\WINDOWS\system32\searchindexer.exe
C:\WINDOWS\system32\CCM\clicomp\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PVSW\Bin\W3DBSMGR.EXE
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Documents and Settings\qua-optim\Desktop\dss.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://03/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Startup: net use printer.lnk = C:\printer.bat
O4 - Global Startup: Pervasive.SQL Workstation Engine.lnk = C:\PVSW\Bin\W3DBSMGR.EXE
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\Software\..\Telephony: DomainName = a
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = a
O17 - HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: Domain = a
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = a
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\winvnc4.exe

--
End of file - 3464 bytes
-- File Associations -----------------------------------------------------------
.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R2 PMEM - c:\windows\system32\drivers\pmemnt.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 WinVNC4 (VNC Server Version 4) - "c:\program files\realvnc\vnc4\winvnc4.exe" -service <Not Verified; RealVNC Ltd.; VNC Server 4.0>

-- Device Manager: Disabled ----------------------------------------------------
No disabled devices found.

-- Files created between 2008-05-03 and 2008-06-03 -----------------------------
2008-06-03 08:17:35 0 d-------- C:\Documents and Settings\afgadmin\Application Data\Windows Desktop Search
2008-06-03 08:08:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-06-02 14:28:08 0 d-------- C:\Documents and Settings\r\Application Data\Windows Desktop Search
2008-06-02 14:27:47 0 d-------- C:\Documents and Settings\r\Application Data\Identities
2008-06-02 14:27:19 0 d--h----- C:\Documents and Settings\r\Templates
2008-06-02 14:27:19 0 dr------- C:\Documents and Settings\r\Start Menu
2008-06-02 14:27:19 0 dr-h----- C:\Documents and Settings\r\SendTo
2008-06-02 14:27:19 0 dr-h----- C:\Documents and Settings\r\Recent
2008-06-02 14:27:19 0 d--h----- C:\Documents and Settings\r\PrintHood
2008-06-02 14:27:19 786432 --ah----- C:\Documents and Settings\r\NTUSER.DAT
2008-06-02 14:27:19 0 d--h----- C:\Documents and Settings\r\NetHood
2008-06-02 14:27:19 0 dr------- C:\Documents and Settings\r\My Documents
2008-06-02 14:27:19 0 d--h----- C:\Documents and Settings\r\Local Settings
2008-06-02 14:27:19 0 dr------- C:\Documents and Settings\r\Favorites
2008-06-02 14:27:19 0 d-------- C:\Documents and Settings\rDesktop
2008-06-02 14:27:19 0 d---s---- C:\Documents and Settings\r\Cookies
2008-06-02 14:27:19 0 dr-h----- C:\Documents and Settings\r\Application Data
2008-06-02 14:27:19 0 d---s---- C:\Documents and Settings\r\Application Data\Microsoft
2008-06-02 14:21:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-02 14:18:22 0 dr-h----- C:\Documents and Settings\q\Recent
2008-06-02 14:17:24 0 d-------- C:\Program Files\Yahoo!
2008-06-02 14:17:17 0 d-------- C:\Program Files\CCleaner
2008-06-02 14:00:46 0 d-------- C:\VundoFix Backups
2008-06-02 13:59:55 414 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-02 13:59:19 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-02 13:59:19 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-06-02 13:59:19 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-06-02 13:59:19 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; Beyond Logic; Command Line Process Utility>
2008-06-02 13:59:19 77824 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-06-02 13:59:19 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-02 13:59:17 0 d-------- C:\Documents and Settings\qua-optim\SmitfraudFix
2008-06-02 11:15:58 0 d-------- C:\WINDOWS\Prefetch
2008-06-02 11:10:02 0 d-------- C:\WINDOWS\system32\scripting
2008-06-02 11:10:02 0 d-------- C:\WINDOWS\system32\en
2008-06-02 11:10:02 0 d-------- C:\WINDOWS\system32\bits
2008-06-02 11:10:02 0 d-------- C:\WINDOWS\l2schemas
2008-06-02 11:07:34 0 d-------- C:\WINDOWS\ServicePackFiles
2008-06-02 11:04:56 0 d-------- C:\WINDOWS\network diagnostic
2008-06-02 11:02:56 0 d-------- C:\WINDOWS\system32\ReinstallBackups

-- Find3M Report ---------------------------------------------------------------
2008-06-02 11:10:17 0 d-------- C:\Program Files\Messenger
2008-06-02 11:10:02 0 d-------- C:\Program Files\Movie Maker
2008-06-02 11:07:13 0 d-------- C:\Program Files\Windows NT
2008-06-02 10:33:13 0 d-------- C:\Program Files\Common Files

-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [10/08/2004 11:31 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [10/08/2004 11:27 AM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/14/2008 05:42 AM]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"TSClientMSIUninstaller"=cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
C:\Documents and Settings\qua-optim\Start Menu\Programs\Startup\
net use printer.lnk - C:\printer.bat [3/23/2006 3:57:42 PM]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Pervasive.SQL Workstation Engine.lnk - C:\PVSW\Bin\W3DBSMGR.EXE [4/12/2006 2:40:16 PM]
Printkey2000.lnk - C:\Program Files\PrintKey2000\Printkey2000.exe [6/10/2005 8:38:51 AM]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2/5/2007 3:40:46 PM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"MaxGPOScriptWait"=60 (0x3c)
"RunLogonScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [02/05/2007 03:39 PM 294400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{AEB9D4A0-199B-4dfa-A18D-E2DD5D989EDF}]
rundll32.exe advpack.dll,LaunchINFSectionEx %SystemDrive%\DOCUME~1\AFGADM~1.AFG\LOCALS~1\Temp\winmesrm.inf,RemoveReg

-- End of Deckard's System Scanner: finished at 2008-06-03 08:28:03 ------------
 
Hello Wicked23, :)

Sorry about the wait .. things have been 'hectic' around here.

Please delete:
C:\WINDOWS\system32\tmp.reg

Delete this entry with Hijackthis:
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://03/

Step 1 | MBAM Scan

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 2 | Kaspersky Scan

Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Extended (if available otherwise Standard)
    • Scan Options:
    • Scan Archives
    • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Logs Required In Next Post
------------------------------

MBAM Scan Log
Kaspersky Scan Log
 
Hello Tech pro. Thank you for taking time to help me. Here is the log from the mbam scan; it came up clean. I can't run the second because, as I said, the pc with issues does not have internet access, and I'm also a little confused as to why I'm running all sorts of malware and virus scans. I know a virus infection could possibly infect the pc via our intranet, but wouldn't I see this issue in my other pc's?

Please advise at your leisure what you would like me to try. I am looking for a kaspersky scanner that I can download.


Malwarebytes' Anti-Malware 1.14
Database version: 800

8:35:05 AM 6/5/2008
mbam-log-6-5-2008 (08-35-05).txt

Scan type: Quick Scan
Objects scanned: 39016
Time elapsed: 9 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
 
Follow this instead .. don't look for the Kaspersky scan:

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open... click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
 