
Thread: Browser hijack!

  1. #1
    Junior Member (Join Date: Feb 2007, Posts: 24)

    Browser hijack!

    Hello to all, I'm new here, keep up the good work.

    When I'm in Google or another search engine, clicking on a link redirects me to other sites, like:
    Robogold.biz, aicse.com etc.

    I ran a scan with AVG Antivirus: nothing. Scanned with CounterSpy: nothing. Spy Sweeper: nothing. Spybot detected a DNS change and fixed it, but it comes back. I also ran ATF Cleaner. I ran AVG Anti-Spyware too, but it's a demo and won't clean anything, and it also doesn't find anything.

    What should I do?

    I ran HijackThis in safe mode, and AVG Antivirus; here is the HijackThis log after scanning with all the software:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:59:35, on 24/02/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\Explorer.EXE
    D:\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = http://www.google.co.il
    R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
    O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - D:\Program Files\Save Flash\SaveFlash.dll
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunServer] D:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
    O4 - HKLM\..\Run: [SpywareTerminator] "D:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
    O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://D:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Save Flash - res://D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
    O8 - Extra context menu item: Sothink SWF Catcher - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://activex.webcam.nl/AxisCamControl.cab
    O16 - DPF: {CBF2C04B-50B5-4C7B-8D49-ACB62582F8E6} (LauncherV1 Class) - http://chat-basic.nana.co.il/Cabs/launcher.cab
    O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co.il/irc/main/launcher.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2AC4698E-6425-43FB-8D02-7F66BEB37964}: NameServer = 85.255.115.58 85.255.112.67
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.67
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.67
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.67
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - D:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - D:\Program Files\F-Secure\FSAUA\program\fsaua.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - D:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - D:\Program Files\F-Secure\Common\FSMA32.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall\persfw.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slmdmsr.exe
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Program Files\Spyware Terminator\sp_rsser.exe
    O23 - Service: Windows Management Service - Unknown owner - D:\WINDOWS\System32\dmcpy.exe

  2. #2
    Retired Security Volunteer (Join Date: Dec 2006, Posts: 752)

    Hi, welcome to Safer Networking Forums!

    I ran AVG Anti-Spyware too, but it's a demo and won't clean anything, and it also doesn't find anything.
    Although AVG Anti-Spyware is only a demo, it does clean all the infected items it can find for free. The only downside of the demo version is that after a few days you lose the real-time monitoring feature.

    Next time, please post a HijackThis log taken from normal mode.
    __________

    *Did you install a program called WinPcap?

    *I see you are running two antivirus applications at the same time. Please uninstall the other antivirus and keep only one. Not only will two or more AVs slow down your PC's performance, they also reduce your overall system security. However, if you paid for those programs, I recommend that you disable one of them and have only one with real-time monitoring on. Use Add/Remove Programs in the Control Panel to uninstall the antivirus you don't want to keep.


    *We need to temporarily disable Spybot's TeaTimer; it may stop our fix.

    Disable Spybot's TeaTimer. This is a two step process.
    First:
    - Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
    - Choose Exit Spybot S&D Resident
    Second:
    - Open Spybot S&D
    - Click Mode, check Advanced Mode
    - Go To Left Panel, Click Tools, then also in left panel, click Resident
    - If your firewall raises a question, say OK
    - Uncheck the box labeled Resident Tea-Timer and OK any prompts.
    - Use File, Exit to terminate Spybot
    - Reboot your machine for the changes to take effect.

    *You need to disable CounterSpy temporarily; it can stop our fix. Please re-enable it after your system is clean. To disable CounterSpy:
    • Right Click on the CounterSpy Icon located in your system tray.
    • With your mouse, hover over Active Protection Status (This should be enabled)
    • A menu will slide out, then right click on Disable Active Protection


    *We need to temporarily disable Spyware Terminator; it can stop our fix.

    Open Spyware Terminator then Click on the "Real-time Protection" tab, leave the "Use Real-time Protection" checkbox empty and click on the "Save Changes" button.

    Exit Spyware Terminator.
    ____________________

    *Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co.il/irc/main/launcher.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2AC4698E-6425-43FB-8D02-7F66BEB37964}: NameServer = 85.255.115.58 85.255.112.67
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.67
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.67
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.67


    Did you use Spybot to add the following policies? If not, please fix them.

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


    Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.


    *You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://www.bleepingcomputer.com/file...Fixwareout.exe

    Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    At the end of the fix, you may need to restart your computer again. After your computer restarts, a Notepad report will open immediately; please post all the contents of that report.

    Finally, please post a fresh HijackThis log, along with the contents of the report.
    AngelFire777

    Proud member of UNITE and ASAP since 2006.
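The four O17 entries the helper has the OP fix are the DNS hijack this thread is chasing, and they are fixed together because the same resolver pair sits in every control set and in a per-interface key. As an added example (not the forum's, HijackThis's or Fixwareout's own code), this Python triage script parses such log lines, reports every NameServer not on an allowlist of expected resolvers grouped by the registry key carrying it, and flags O23 services reported "(file missing)"; the 192.168.1.1 router resolver and the all-zero interface GUID are constructed values.

```python
"""Triage helper for HijackThis logs (added example, not the forum's own tool).

Parses O17 (TCP/IP NameServer) and O23 (service) lines and reports:
  * every resolver that is not on the allowlist of expected DNS servers,
    grouped by the registry key it was found in, and
  * services whose binary HijackThis reported as "(file missing)".
"""
import ipaddress
import re
from dataclasses import dataclass, field

# O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a.b.c.d e.f.g.h
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\System\\[^:]+): NameServer = (?P<servers>.+)$")
# O23 - Service: <name> - <owner> - <path> (file missing)
O23_MISSING_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - .*\(file missing\)$")


@dataclass
class Finding:
    kind: str      # "O17" or "O23"
    where: str     # registry key (O17) or service name (O23)
    detail: str


@dataclass
class Triage:
    findings: list = field(default_factory=list)
    unexpected_servers: set = field(default_factory=set)


def parse_servers(value: str) -> list:
    """Split a NameServer value; Windows separates multiple resolvers with spaces or commas."""
    return [s for s in re.split(r"[\s,]+", value.strip()) if s]


def triage_log(log: str, expected_resolvers) -> Triage:
    """Flag O17 entries whose resolvers are not expected and O23 services with no binary on disk."""
    allowed = {ipaddress.ip_address(a) for a in expected_resolvers}
    result = Triage()
    for raw in log.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            for server in parse_servers(m.group("servers")):
                try:
                    addr = ipaddress.ip_address(server)
                except ValueError:
                    result.findings.append(Finding("O17", m.group("key"), f"unparseable NameServer {server!r}"))
                    continue
                if addr not in allowed:
                    result.unexpected_servers.add(server)
                    result.findings.append(Finding("O17", m.group("key"), f"unexpected resolver {server}"))
            continue
        m = O23_MISSING_RE.match(line)
        if m:
            result.findings.append(Finding("O23", m.group("name"), "service binary missing on disk"))
    return result


def locations_for(result: Triage) -> dict:
    """Map each unexpected resolver to the registry keys carrying it.

    A resolver present in CCS, in the CS1/CS2 control sets and in a per-interface
    key survives a fix that clears only one of them, which matches the OP's
    "fixed but it comes back" symptom.
    """
    where = {}
    for f in result.findings:
        if f.kind == "O17" and f.detail.startswith("unexpected resolver "):
            server = f.detail.split()[-1]
            where.setdefault(server, set()).add(f.where)
    return where


# Constructed sample: the four O17 lines and the rpcapd O23 line from the first log in the
# thread, plus a clean per-interface entry (zero GUID, 192.168.1.1) that is NOT from the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{2AC4698E-6425-43FB-8D02-7F66BEB37964}: NameServer = 85.255.115.58 85.255.112.67
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.67
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.67
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.67
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall\persfw.exe
"""

if __name__ == "__main__":
    triage = triage_log(SAMPLE_LOG, ["192.168.1.1"])  # 192.168.1.1 = assumed router resolver
    for finding in triage.findings:
        print(f"[{finding.kind}] {finding.where}: {finding.detail}")
    for server, keys in sorted(locations_for(triage).items()):
        print(f"{server} is set in {len(keys)} registry location(s)")
```

The allowlist must come from the machine owner (router or ISP resolvers); anything else, especially a pair repeated across every control set, is what the O17 fix in the post above removes.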

  3. #3
    Junior Member (Join Date: Feb 2007, Posts: 24)

    Reply: logs!

    Thanks so much for your help!

    I didn't install software called "WinPcap".
    I disabled Spybot's TeaTimer and Spyware Terminator, but a process called "sp_rsser.exe" still remains in memory.
    I disabled the AV.

    I did the scan and all of the above in normal mode like you said. Here are the logs:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:22:47, on 25/02/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\csrss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\LEXBCES.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\system32\LEXPPS.EXE
    D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    D:\Program Files\Kerio\Personal Firewall\persfw.exe
    D:\WINDOWS\system32\slmdmsr.exe
    D:\Program Files\Spyware Terminator\sp_rsser.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\NOTEPAD.EXE
    D:\Program Files\TrojanHunter 4.6\THGuard.exe
    D:\WINDOWS\System32\taskmgr.exe
    D:\hijackthis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = http://www.google.co.il
    R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
    O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - D:\Program Files\Save Flash\SaveFlash.dll
    O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 4.6\THGuard.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
    O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://D:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Save Flash - res://D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
    O8 - Extra context menu item: Sothink SWF Catcher - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://activex.webcam.nl/AxisCamControl.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall\persfw.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slmdmsr.exe
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Program Files\Spyware Terminator\sp_rsser.exe
    O23 - Service: Windows Management Service - Unknown owner - D:\WINDOWS\System32\dmcpy.exe



    Fixwareout ver 1.003
    Last edited 07/1/2006
    Post this report in the forums please

    Reg Entries that were deleted
    ...

    Microsoft (R) Windows Script Host Version 5.6
    Random Runs removed from HKLM
    ...

    PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
    Example ipsec6.exe is legitimate

    »»»»» Search by size and names...
    Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
    Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
    Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
    Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
    Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
    Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
    Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
    Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
    Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
    Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
    Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
    Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
    Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
    Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
    Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
    Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
    Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
    Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
    Cannot execute D:\FIXWAREOUT\FINDT\XFIND.COM
    Cannot execute D:\FIXWAREOUT\FINDT\XFIND.COM

    »»»»» Misc files
    Cannot execute D:\FIXWAREOUT\FINDT\XFIND.COM

    »»»»» Checking for older varients covered by the Rem3 tool

    »»»»»
    Search five digit cs, dm and jb files
    This WILL/CAN also list Legit Files, Submit them at Virustotal
    Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
    Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
    Cannot execute D:\FIXWAREOUT\FINDT\LOCATE.COM
    Other suspects
    Directory of D:\WINDOWS\system32
    {7F962C6D-B350-443A-88EF-E2811E0605BB}.exe

    THANKS AGAIN.

  4. #4
    Retired Security Volunteer (Join Date: Dec 2006, Posts: 752)

    Hi,

    You ran an old version of Fixwareout. Can you please delete your current copy, then download a new one using one of the mirrors I posted, run it again and post the log.
    AngelFire777

    Proud member of UNITE and ASAP since 2006.

  5. #5
    Junior Member (Join Date: Feb 2007, Posts: 24)

    Logs of Fixwareout!

    Thanks for your help.


    Fixwareout Last edited 2/11/2007
    Post this report in the forums please
    ...
    »»»»»Prerun check
    Service: "Windows Management Service" = D:\WINDOWS\System32\dmcpy.exe

    »»»»» System restarted

    »»»»» Postrun check
    HKLM\SOFTWARE\~\Winlogon\ "system"=""
    ....
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}3C76E8DAEA75-65DA-2974-BCDA-0F5966EE{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}442585860F5C-B319-4454-7DF4-B5A30F5C{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}8FFB6638834D-E15A-A474-3AD8-2CCE4E4E{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}6E9EFD90C022-7D28-13E4-642D-DA7C82FB{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}DDB0A98D82F3-6EEA-B364-D329-7E0C59BE{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}596D4D27FB1A-5E9B-A614-99EC-1967C429{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}0DA1E7E8392B-531B-79A4-028D-88918829{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "ypcmd" Deleted
    ....
    »»»»» Misc files.
    D:\WINDOWS\system32\{7F962C6D-B350-443A-88EF-E2811E0605BB}.exe Deleted
    D:\WINDOWS\System32\kernel32.exe Deleted
    ....
    »»»»» Checking for older varients.
    ....

    Search five digit cs, dm, kd, jb, other, files.
    The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



    Click browse, find the file then click submit.
    http://www.virustotal.com/flash/index_en.html
    Or http://virusscan.jotti.org/

    »»»»» Other
    D:\WINDOWS\Temp\dmcpy.ren 57873 08/28/2002



    »»»»» Current runs
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_CC"="D:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
    "THGuard"="\"D:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    ....
    Hosts file was reset, If you use a custom hosts file please replace it
    »»»»» End report »»»»»

  6. #6
    Retired Security Volunteer (Join Date: Dec 2006, Posts: 752)

    Please post a fresh HijackThis log.
    AngelFire777

    Proud member of UNITE and ASAP since 2006.

  7. #7
    Junior Member (Join Date: Feb 2007, Posts: 24)

    Log of HijackThis.

    Here is the new log, in normal mode.

    I also have a problem when I'm on some secure sites and enter a username and password: I get a "page cannot be displayed" error. Is this related to this malware problem?

    Here is the log:

    Logfile of HijackThis v1.99.1
    Scan saved at 13:35:50, on 25/02/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\LEXBCES.EXE
    D:\WINDOWS\system32\LEXPPS.EXE
    D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    D:\Program Files\Kerio\Personal Firewall\persfw.exe
    D:\WINDOWS\system32\slmdmsr.exe
    D:\Program Files\Spyware Terminator\sp_rsser.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\TrojanHunter 4.6\THGuard.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\hijackthis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = http://www.google.co.il
    R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
    O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - D:\Program Files\Save Flash\SaveFlash.dll
    O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 4.6\THGuard.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
    O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://D:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Save Flash - res://D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
    O8 - Extra context menu item: Sothink SWF Catcher - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://activex.webcam.nl/AxisCamControl.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall\persfw.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slmdmsr.exe
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Program Files\Spyware Terminator\sp_rsser.exe

  8. #8
    Retired Security Volunteer (Join Date: Dec 2006, Posts: 752)

    I also have a problem when I'm on some secure sites and enter a username and password: I get a "page cannot be displayed" error. Is this related to this malware problem?
    No, it is not, but it is possible that there are other infections present on your machine.
    __________________

    *Click Start > Control Panel > Add or Remove Programs and uninstall the items I listed in bold if found.

    WinPcap

    Reboot.
    __________________

    *Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
    http://www.ewido.net/en/download/
    • Install AVG Anti-Spyware by double clicking the installer.
    • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
    • On the main screen under Your Computer's security.
      • Click on Change state next to Resident shield. It should now change to inactive.
      • Click on Change state next to Automatic updates. It should now change to inactive.
      • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
      • Wait until you see the Update successful message.
    • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    If you are having problems with the updater, you can use this link to manually update AVG Antispyware.
    AVG Anti-Spyware manual updates.
    Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update. Do not use it yet!

    *Download ATF Cleaner by Atribune

    Do not use it yet.
    __________________

    *Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

    Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
    __________________

    You may want to print these instructions here or save them in notepad since you'll work offline.

    Reboot into Safe Mode.

    To enter Safe Mode..

    Click Start > Turn Off Computer > Restart > Tap F8 key just before Windows starts to load, > This will bring up a Menu > Use your keyboard to scroll to Safe Mode> Hit enter.


    *Using Windows Explorer, find and delete these files:

    D:\WINDOWS\Temp\dmcpy.ren

    *Delete the following folder:

    C:\Program Files\WinPcap

    Empty your Recycle bin.
    ___________________

    *Important: Make sure all your browsers are closed before running ATF Cleaner..

    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.

    If you use Firefox browser
    • Click Firefox at the top and choose:Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE:If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main menu to close the program.

    *Please run AVG Anti-Spyware, and run a full scan as follows:

    IMPORTANT: Do not open any other windows or programs while AVG AntiSpyware is scanning, it may interfere with the scanning process.
    • Launch AVG AntiSpyware by double-clicking the icon on your desktop.
    • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    • AVG AntiSpyware will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    • If you have any infections you will be prompted; then select "Apply all actions".
    • Next select the "Reports" icon at the top.
    • Select the "Save Report As" button in the lower left hand of the screen and save it to a text file on your system. (Make sure to remember where you saved that file, this is important).
    • Close AVG AntiSpyware.
    • Reboot to normal mode.

    Download ComboScan to your Desktop.

    1. Close all applications and windows.
    2. Double-click on comboscan.exe to run it, and follow the prompts.
    3. When the scan is complete, a text file will open - ComboScan.txt
    4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt in your next reply.
    5. A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.
    6. Please copy and paste the contents of Supplementary.txt to your post.


    Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

    In your next reply, please include a fresh HijackThis log, the AVG Anti-Spyware log and the contents of comboscan.txt and supplementary.txt.
    AngelFire777

    Proud member of UNITE and ASAP since 2006.

  9. #9
    Junior Member
    Join Date
    Feb 2007
    Posts
    24

    Default Start logs 1 of 3 and notes:

    Hello, and thank you again for your support.

    The logs are too long, so I posted them in 3 threads.

    Some notes:

    I can't change the Resident Shield state to inactive - "demo version"; I guess I used Ewido for 30 days.

    I can't update, so I downloaded the full database manually, but when I run it in safe mode the "last update" line says never.

    The service in HijackThis O23 - "rpcapd" ... keeps showing; it is not erased.

    Still I haven't applied Spyware Terminator and TeaTimer; they are still disabled.

    Here is the HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:07:53, on 27/02/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\LEXBCES.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\system32\LEXPPS.EXE
    D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    D:\Program Files\Kerio\Personal Firewall\persfw.exe
    D:\WINDOWS\system32\slmdmsr.exe
    D:\Program Files\Spyware Terminator\sp_rsser.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\TrojanHunter 4.6\THGuard.exe
    D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    D:\WINDOWS\NOTEPAD.EXE
    D:\WINDOWS\NOTEPAD.EXE
    d:\hijackthis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = http://www.google.co.il
    R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\program files\ICQToolbar\toolbaru.dll
    O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - D:\Program Files\Save Flash\SaveFlash.dll
    O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 4.6\THGuard.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
    O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://D:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Save Flash - res://D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
    O8 - Extra context menu item: Sothink SWF Catcher - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - D:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - D:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://activex.webcam.nl/AxisCamControl.cab
    O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} -
    O16 - DPF: {CBF2C04B-50B5-4C7B-8D49-ACB62582F8E6} -
    O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2AC4698E-6425-43FB-8D02-7F66BEB37964}: NameServer = 85.255.115.58 85.255.112.67
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall\persfw.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slmdmsr.exe
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Program Files\Spyware Terminator\sp_rsser.exe
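The O17 NameServer entry and the orphaned rpcapd service in the log above are the lines a helper reads first: a DNS change is what Spybot kept reporting, and a service whose file is missing is leftover configuration. As an added example (not a tool from this thread or from HijackThis), the Python script below parses HijackThis-style entries and flags those entry types; the sample lines are copied from the posted log, and the triage rules are my own assumptions.

```python
import ipaddress
import re

# Constructed sample: a handful of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://activex.webcam.nl/AxisCamControl.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{2AC4698E-6425-43FB-8D02-7F66BEB37964}: NameServer = 85.255.115.58 85.255.112.67
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

# HijackThis entries start with a section code (R0, O2, O17, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>.+)$")
# O16 body: "DPF: {CLSID} (optional name) - optional URL"
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})\s*(?P<name>\(.*?\))?\s*-\s*(?P<url>\S*)$")


def parse_log(text):
    """Split a HijackThis log into (section, body) pairs; headers and process lists are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def is_external_dns(address):
    """True for a routable (non-private, non-loopback, non-link-local) resolver address."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False  # malformed value: leave it for manual review rather than guess
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def triage(text):
    """Return (section, reason, detail) findings for the entry types checked first.

    The rules are deliberately conservative (assumed, not HijackThis's own logic): an
    external O17 nameserver is a prompt to compare against the ISP's real resolvers,
    not proof of infection by itself, and O6 policy restrictions can also be set by admins.
    """
    findings = []
    for section, body in parse_log(text):
        if section == "O17":
            m = NAMESERVER_RE.search(body)
            if m:
                external = [s for s in m.group("servers").split() if is_external_dns(s)]
                if external:
                    findings.append((section, "external DNS servers configured", external))
        elif section == "O23":
            service = body.split(" - ")[0]
            if "(file missing)" in body:
                findings.append((section, "service points at a missing file", service))
            elif "Unknown owner" in body:
                findings.append((section, "service has no vendor/owner", service))
        elif section == "O16":
            m = DPF_RE.match(body)
            if m and not m.group("name") and not m.group("url"):
                findings.append((section, "orphaned ActiveX download entry", m.group("clsid")))
        elif section == "O6":
            findings.append((section, "IE policy restriction present", body))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section}: {reason}: {detail}")
```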

  10. #10
    Junior Member
    Join Date
    Feb 2007
    Posts
    24

    Default Start logs 2 of 3

    Here are the logs for AVG Anti-Spyware and Supplementary:

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------
    + Created at: 10:45:09 27/02/2007

    + Scan result:

    Here is the Supplementary log:

    ComboScan v20070221.16 run by s on 2007-02-27 at 10:56:51
    Supplementary logfile - please post this as an attachment with your post.
    --------------------------------------------------------------------------

    -- System Information -----------------------------------------------------
    Unable to create WMI object; error code: 0x8007042C

    -- Security Center --------------------------------------------------------------

    AUOptions is scheduled to auto-install.
    Windows Internal Firewall is enabled.

    -- Environment Variables --------------------------------------------------------

    ALLUSERSPROFILE=D:\Documents and Settings\All Users
    APPDATA=D:\Documents and Settings\s\Application Data
    CLASSPATH=D:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
    CLIENTNAME=Console
    CommonProgramFiles=D:\Program Files\Common Files
    COMPUTERNAME=S-V72WZ5LUCG5KB
    ComSpec=D:\WINDOWS\system32\cmd.exe
    HOMEDRIVE=D:
    HOMEPATH=\Documents and Settings\s
    LOGONSERVER=\\S-V72WZ5LUCG5KB
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=D:\WINDOWS\system32;D:\WINDOWS;D:\WINDOWS\System32\Wbem;D:\PROGRA~1\Multi;D:\Program Files\Common Files\Ulead Systems\MPEG;D:\Program Files\K-Lite Codec Pack\QuickTime\QTSystem\;D:\Program Files\Microsoft SQL Server\80\Tools\Binn\;;C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG;D:\Program Files\Pinnacle\Shared Files;D:\Program Files\Pinnacle\Shared Files\Filter
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 3, GenuineIntel
    PROCESSOR_LEVEL=6
    PROCESSOR_REVISION=0803
    ProgramFiles=D:\Program Files
    PROMPT=$P$G
    QTJAVA=D:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
    SESSIONNAME=Console
    SystemDrive=D:
    SystemRoot=D:\WINDOWS
    TEMP=D:\DOCUME~1\s\LOCALS~1\Temp
    TMP=D:\DOCUME~1\s\LOCALS~1\Temp
    USERDOMAIN=S-V72WZ5LUCG5KB
    USERNAME=s
    USERPROFILE=D:\Documents and Settings\s
    windir=D:\WINDOWS


    -- User Profiles ----------------------------------------------------------------

    s (admin)
    Administrator.S-V72WZ5LUCG5KB (admin)

    -- Add/Remove Programs --------------------------------------------------
    --> "D:\Program Files\Creative\CTSetup\CTSetup.exe"
    --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{6504C153-A24C-4C10-A5B6-FE5CEF9141D9}\Setup.exe" -l0x9
    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 D:\WINDOWS\INF\PCHealth.inf
    עסקית --> D:\WINDOWS\iun6002.exe "D:\Program Files\iskit\irunin.ini"
    Acoustica Mixcraft --> D:\PROGRA~1\Acoustica Mixcraft\UNWISE.EXE D:\PROGRA~1\Acoustica Mixcraft\INSTALL.LOG
    Adobe GoLive CS2 English --> msiexec /i {46548E80-0409-0000-7E8A-45000F855001}
    Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
    Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
    Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
    Adobe SVG Viewer 3.0 --> D:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fD:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
    AnalogX SayIt --> D:\Program Files\AnalogX\SayIt\sayitu.exe
    Arcade Balls v1.21 --> "D:\Program Files\Arcade Balls\unins000.exe"
    Arcade! Classic Arcade Pack 5.0 --> D:\Program Files\Arcade!\uninst.exe
    ArcSoft PhotoImpression --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{E142615E-5ED8-4511-9BF0-0284BFA25766}\Setup.exe" -l0x9 -uninst
    ArcSoft VideoImpression 1.6 --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{ED10343F-D30A-4200-9B00-665FC45F52B4}\Setup.exe" -l0x9 -uninst
    Art Plus Download Assistant --> "D:\Program Files\Common Files\Art Plus Uninstall\apuinst3.exe" "D:\Program Files\Common Files\Art Plus Uninstall\APDlAssist.ui3"
    Audacity 1.3.2 (Unicode) --> "D:\Program Files\Audacity 1.3 Beta (Unicode)\unins000.exe"
    AVG 7.5 --> D:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
    AVG Anti-Spyware 7.5 --> D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
    BaktiNet v1.0c --> D:\PROGRA~1\BaktiNet\UNWISE.EXE D:\PROGRA~1\BaktiNet\INSTALL.LOG
    Broderbund Media Manager --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{26346FB6-4F69-453D-95CE-B6BA3A5382F8}\setup.exe" -l0x9 AddRem
    BSPlayer --> "c:\Program Files\Webteh\BSplayer\uninstall.exe"
    CamStudio --> D:\Program Files\CamStudio\uninstall.exe
    Canon Camera Support Core Library --> D:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{91F1A0D6-23AD-49FE-8D4E-379485652214} /l1033
    Canon Camera Window DS for ZoomBrowser EX --> D:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{91203BD3-6C3E-472F-ADBD-F60FDC7C4010}
    Canon Camera Window DVC for ZoomBrowser EX --> D:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4C96958A-6562-4143-B820-FF4890D3B734}
    Canon Camera Window for ZoomBrowser EX --> D:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{C7281207-4AA4-425E-B57A-0E9EF8445635}
    Canon Internet Library for ZoomBrowser EX --> D:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2F81FBFC-9A37-431F-9050-14B55485DF5A}
    Canon MovieEdit Task for ZoomBrowser EX --> D:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{8AF1E098-1A5C-4336-BBE2-D047ABB401ED}
    Canon PhotoRecord --> MsiExec.exe /X{0878E100-C0BB-41E8-B4C6-C486B61FDA7B}
    Canon RAW Image Task for ZoomBrowser EX --> D:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{45EF4EE3-F591-4B74-A477-0CAE12934CE7}
    Canon RemoteCapture Task for ZoomBrowser EX --> D:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{28291BD5-92D2-4685-82DC-CCA925C53CCA}
    Canon Utilities PhotoStitch 3.1 --> D:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{218BBBE3-FE63-4BB2-81A8-7435575A84FA}
    Canon ZoomBrowser EX --> MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
    CCleaner (remove only) --> "D:\Program Files\CCleaner\uninst.exe"
    Chronotron Plug-in for Winamp/WMP 9 (remove only) --> "D:\Program Files\Chronotron Inc\Chronotron\uninst-chronotron.exe"
    CIF USB CAMERA --> D:\WINDOWS\CleanDev.exe D:\WINDOWS\DC3110.txt
    Corel Painter Essentials 3 --> MsiExec.exe /I{0C180787-F8C8-42FD-A9D3-689BA44BEAAF}
    Cubemaster Gold v4.3 --> D:\WINDOWS\iun6002.exe "D:\Program Files\Cubemaster Gold\irunin.ini"
    Decks v1.20 --> c:\decks\Uninstal.exe
    DeepBurner v1.8.0.224 --> "D:\Program Files\Astonsoft\DeepBurner\Uninstall.exe" "D:\Program Files\Astonsoft\DeepBurner\install.log"
    DiamondCS APM --> d:\APM\uninstal.exe
    Direct Show Ogg Vorbis Filter (remove only) --> "D:\WINDOWS\System32\OggDSuninst.exe"
    DVD Photo Slideshow Pro 7.50 --> D:\Program Files\DVD Photo Slideshow Professional\uninst.exe
    EasyCleaner --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\Professional\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{F5346614-B7C4-4E94-826A-E2363155233D}\setup.exe" -l0x9 -removeonly
    ExtractNow --> "c:\Program Files\ExtractNow\unins000.exe"
    Faber Toys --> "D:\Program Files\Faber Toys\unins000.exe"
    Fatman Adventures --> "D:\Program Files\Another Day\Fatman Adventures\unins000.exe"
    Flash Saving Plugin --> "D:\Program Files\UnH Solutions\Flash Saving Plugin\unins000.exe"
    FlaX --> D:\Program Files\Goldshell\fxuninst.exe
    Free History Eraser --> "D:\Program Files\Free History Eraser\unins000.exe"
    HijackThis 1.99.1 --> D:\HijackThis.exe /uninstall
    Hypersonic 1.1.1 --> C:\PROGRA~1\STEINB~1\VSTPLU~1\HYPERS~1\UNWISE.EXE C:\PROGRA~1\STEINB~1\VSTPLU~1\HYPERS~1\INSTALL.LOG
    IconPackager --> D:\PROGRA~1\Stardock\Object Desktop\IconPackager\iconpackager.exe /uninstallwise
    ICQ 5.1 --> c:\Program Files\ICQLite\ICQLiteUninstall.EXE
    ICQ Toolbar --> regsvr32 /u /s "C:\program files\ICQToolbar\toolbaru.dll"
    InstallRTC --> MsiExec.exe /X{200F584F-848D-4B6B-B1A1-C74D735F18A4}
    J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
    JavaScript Utility Suite v1.0 --> "D:\Program Files\JavaScript Utility Suite\unins000.exe"
    jetAudio Basic --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\Professional\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{DF8195AF-8E6F-4487-A0EE-196F7E3F4B8A}\setup.exe" -l0x9 -removeonly
    JetPhoto Studio --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\Professional\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{228D34A5-D186-495E-9DED-70A6CAB68B02}\setup.exe" -l0x9 -removeonly
    jv16 PowerTools 1.4.1 --> "D:\Program Files\jv16 PowerTools\unins000.exe"
    K-Lite Mega Codec Pack 1.37 --> "D:\Program Files\K-Lite Codec Pack\unins000.exe"
    Kerio Personal Firewall 2.1.4 --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{51C8741C-4A91-42A6-B6A2-CB891F7398A1}\Setup.exe" -removeall
    Lexmark X1100 Series --> D:\WINDOWS\System32\spool\drivers\w32x86\3\LXBKUN5C.EXE -dLexmark X1100 Series
    LimeWire 4.12.6 --> "D:\Program Files\LimeWire\uninstall.exe"
    Live 6.0.3 --> D:\PROGRA~1\Ableton\Live 6.0.3\Install\UNWISE.EXE D:\PROGRA~1\Ableton\Live 6.0.3\Install\INSTALL.LOG
    LQfix 2.1 --> "D:\WINDOWS\LQfix\unins000.exe"
    Macromedia Director MX 2004 --> D:\PROGRA~1\Macromedia\Director MX 2004\UNWISE.EXE D:\PROGRA~1\Macromedia\Director MX 2004\install.log
    Macromedia Dreamweaver MX --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{8B4AB829-DFD3-436D-B808-D9733D76C590}\Setup.exe" -l0x9 mmUninstall
    Macromedia Extension Manager --> MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
    Macromedia Fireworks MX --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{930B2432-43D4-11D5-9871-00C04F8EEB39}\Setup.exe" -l0x9 UNINSTALL
    Macromedia Flash MX --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{3BE480ED-E17A-431A-981C-5C2EDDBCD3BF}\Setup.exe" -l0x9 UNINSTALL
    Macromedia Flash MX 2004 --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{2F353D44-73BB-4971-B31D-F7642E9E9531}\Setup.exe" -l0x9 UNINSTALL
    Macromedia Flash Player 8 --> D:\WINDOWS\System32\Macromed\Flash\UninstFl.exe
    Mario Forever v 2.16 ! --> C:\Buziol Games\Mario Forever\UnMario.exe
    Microsoft Office 2000 Professional --> MsiExec.exe /I{000104E7-78E1-11D2-B60F-006097C998E7}
    Microsoft Office Excel Viewer 2003 --> MsiExec.exe /I{9084040D-6000-11D3-8CFE-0150048383C9}
    Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{9011040D-6000-11D3-8CFE-0150048383C9}
    Microsoft Office Word Viewer 2003 --> MsiExec.exe /I{9085040D-6000-11D3-8CFE-0150048383C9}
    Microsoft Web Publishing Wizard 1.52 --> RunDll32 ADVPACK.DLL,LaunchINFSection D:\WINDOWS\INF\wpie4x86.inf,WebPostUninstall
    Midnite Motel 1.0 --> "D:\Program Files\MidniteMotel\unins000.exe"
    Movie Maker Background Music Files --> RunDll32 advpack.dll,LaunchINFSection D:\WINDOWS\INF\mmmusic.inf,DefaultUninstall
    Movie Maker Sound Effects --> RunDll32 advpack.dll,LaunchINFSection D:\WINDOWS\INF\mmsounds.inf,DefaultUninstall
    Movie Maker Title Images --> RunDll32 advpack.dll,LaunchINFSection D:\WINDOWS\INF\mmtitle.inf,DefaultUninstall
    Mp3divider v0.9.1.8 --> "D:\Program Files\Mp3divider\uninstall.exe"
    MSN Messenger 7.5 --> MsiExec.exe /I{DBB48ED2-03EC-11DA-BFBD-00065BBDC0B5}
    Natto-Cat --> MsiExec.exe /I{21A99D22-12D2-4F03-B97E-8BD2C9891F61}
    Network Password Recovery --> D:\WINDOWS\zipinst.exe /uninst "D:\Program Files\Network Password Recovery\uninst1~.nsu"
    Outlook Express Q823353 --> D:\WINDOWS\oeuninst.exe D:\WINDOWS\INF\Q823353.inf
    Oversight System Sentinel Demo --> MsiExec.exe /I{18BDFC02-DFB5-4E2A-B99B-80F94D2A2E21}
    PACE System Files --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{28F58CDE-6241-4B11-8232-6A5D4FB06E8B}\Setup.exe" -l0x9 FromUninstall
    Pacmania 3 --> c:\Program Files\Alawar\Pacmania 3\uninstal.exe
    PC Camera (6009 CIF) --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\Professional\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{A5B3028F-6845-48A6-A46E-77A716B57537}\Setup.exe" -l0x9
    PhotoFiltre --> "D:\Program Files\PhotoFiltre\Uninst.exe"
    PictureViewer .EXE 1.1.0.227 --> "D:\Program Files\PictureViewer .EXE\unins000.exe"
    Polyphonic Wizard v4 --> D:\PROGRA~1\Coding Workshop Polyphonic Wizard\UNWISE.EXE D:\PROGRA~1\Coding Workshop Polyphonic Wizard\INSTALL.LOG
    QuickTime --> D:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\Intel 32\IDriver.exe /M{3868A8EE-5051-4DB0-8DF6-4F4B8A98D083} /l1033
    RegAlyzer 1.4 --> "D:\Program Files\Safer Networking\RegAlyzer\unins000.exe"
    Riva FLV Encoder 2.0 --> "D:\Program Files\Riva\Riva FLV Encoder 2.0\unins000.exe"
    Save Flash 3.0 --> D:\Program Files\Save Flash\uninst.exe
    Security Task Manager 1.6e --> D:\Program Files\Security Task Manager\Uninstal.exe "D:\Documents and Settings\All Users\Start Menu\Programs\Security Task Manager"
    Serif PhotoPlus 6.0 --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\Professional\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{0609D0AF-1382-42BE-81DB-CF30F8B0F6E2}\Setup.exe" -l0x9
    Shockwave --> D:\WINDOWS\system32\Macromed\Shockwave 8\UNWISE.EXE D:\WINDOWS\system32\Macromed\Shockwave 8\Install.log
    Smart Link 56K Voice Modem --> D:\WINDOWS\Modio\SLAMR2KV\Setup.exe /Remove
    Snood for Windows version 3.52-W --> "D:\Program Files\Snood\unins000.exe"
    Sony ACID XPress 5.0a --> MsiExec.exe /X{12F4BE69-6614-41D3-BB3B-DF7F921DF2BB}
    Sothink SWF Decompiler --> "D:\Program Files\SourceTec\Sothink SWF Decompiler\unins000.exe"
    Sound Blaster PCI128 Drivers --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{509291FD-CFC8-11D6-A285-00A0CC51B2FE}\Setup.exe" -l0x9 /remove
    Sports Car GT Demo --> D:\PROGRA~1\Electronic Arts\Sports Car GT Demo\UNWISE.EXE D:\PROGRA~1\Electronic Arts\Sports Car GT Demo\INSTALL.LOG
    Spybot - Search & Destroy 1.4 --> "D:\Program Files\Spybot - Search & Destroy\unins000.exe"
    Spyware Terminator --> "D:\Program Files\Spyware Terminator\unins000.exe"
    SpywareBlaster v3.5.1 --> "D:\Program Files\SpywareBlaster\unins000.exe"
    SUPERAntiSpyware Professional --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
    SWF To Image --> "D:\Program Files\SWF To Image\unins000.exe"
    SWiSHmax --> D:\WINDOWS\unvise32.exe D:\Program Files\SWiSHmax\uninstal.log
    Switch Uninstall --> D:\Program Files\NCH Swift Sound\Switch\uninst.exe
    Tenant --> D:\WINDOWS\uninst.exe -f"D:\Program Files\Tenant\Tenant\DeIsL1.isu" -c"D:\Program Files\Tenant\Tenant\_ISREG32.DLL"
    Terragen --> MsiExec.exe /I{CCEB53A5-A252-4CF3-8602-429AB06BF0AE}
    The Print Shop --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{FB26EA24-AE01-4C86-BEBC-424D5B81E66E}\setup.exe" -l0x9 anything
    TightVNC 1.2.9 --> "D:\Program Files\TightVNC\unins000.exe"
    Total Recorder 6.0 --> "D:\Program Files\HighCriteria\TotalRecorder\setup.exe" U
    Total Sokoban --> "C:\Program Files\SuperSoft\Total Sokoban\uninstall.exe"
    Transcribe! 7.40 --> "D:\Program Files\Transcribe!\unins000.exe"
    TrojanHunter 4.6 --> "D:\Program Files\TrojanHunter 4.6\unins000.exe"
    TweakNow RegCleaner --> "D:\Program Files\TweakNow RegCleaner\unins000.exe"
    UnderCoverXP 1.10 --> "D:\Program Files\UnderCoverXP\unins000.exe"
    Vertrix 2 --> D:\Program Files\Vertrix 2\SXUNINST.EXE
    Virtual DJ - Atomix Productions --> D:\PROGRA~1\VirtualDJ\UNWISE.EXE D:\PROGRA~1\VirtualDJ\INSTALL.LOG
    Vmule Kazaa Lite --> MsiExec.exe /I{7AD5B901-00B5-4518-8A97-77720FA7B780}
    VNC Free Edition 4.1.2 --> "D:\Program Files\RealVNC\VNC4\unins000.exe"
    WavePad Uninstall --> D:\Program Files\NCH Swift Sound\WavePad\uninst.exe
    Windows Media Bonus Pack for Windows XP --> RunDll32 advpack.dll,LaunchINFSection D:\WINDOWS\INF\wmbonus.inf,DefaultUninstall
    Windows Registry Guide 2003 --> "D:\Program Files\WinGuides\unins000.exe"
    Windows XP Creativity Fun Packs - Windows Movie Maker 2 --> MsiExec.exe /X{DA2D4D11-1811-4A24-B719-BF9F048C6106}
    Windows XP Winter Fun Pack for Windows Movie Maker 2 --> MsiExec.exe /I{FFC5C6DA-6BC0-47C1-9EC0-8E1A1294E4F7}
    WinRAR archiver --> D:\Program Files\WinRAR\uninstall.exe
    WinUHA 2.0 RC1 (2005.02.27) --> "D:\Program Files\WinUHA\unins000.exe"
    Xara Webstyle 4 --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\Professional\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{E7C036E2-C7E4-4964-9BDA-81973341930E}\setup.exe" -l0x9
    Xara3D6 --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\Professional\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{B3783869-5D14-4838-A042-910DF816D070}\setup.exe" -l0x9


    -- End of ComboScan: finished at 2007-02-27 at 11:01:48 -------------------------
