Can't remove programs


untern8
03-28-2008, 04:13 PM
This computer has been used by many different locations from what I am told. It was acquired by my company not too long ago as a simple workstation without many bells and whistles.

I'm hoping to uninstall some programs that were left on under a previous administrator's credentials. I don't have a password for OfficeScan (enterprise edition), can't uninstall Summation blaze LG gold (it keeps asking for install discs that we don't have), and spysweeper won't allow me to delete files in the quarantine.

Please help!

HJT log looks like this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:47:46 PM, on 3/28/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ManageSoft\Launcher\ndserv.exe
C:\Program Files\ManageSoft\Schedule Agent\ndinit.exe
C:\WINNT\System32\svchost.exe
C:\OfficeScan NT\ntrtscan.exe
C:\Program Files\ManageSoft\Schedule Agent\ndtask.exe
C:\OfficeScan NT\OfcPfwSvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\OfficeScan NT\tmlisten.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\SYSTEM32\DWRCST.exe
C:\Program Files\ManageSoft\Schedule Agent\ndtask.exe
C:\WINNT\TEMP\BU3E7D.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\maxifciu.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Acroprint\Attendance Rx\AttendanceRx.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.EXE
C:\WINNT\System32\cleanmgr.exe
C:\Program Files\PC-Cleaner\PC-Cleaner.exe
C:\WINNT\system32\msiexec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rkpt.com
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {94BC3D1D-22E9-4744-8ED1-3E08A3B74078} - C:\WINNT\system32\tuvVPijh.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
O4 - HKLM\..\Run: [Upromise0] "C:\Program Files\Upromise_RemindU\Upromise0.exe"
O4 - HKLM\..\Run: [SchedulingAgent_nDG] "C:\Program Files\ManageSoft\Schedule Agent\ndschedag.exe" -o RunNDStartup=True -o Startup=True
O4 - HKLM\..\Run: [utgj] C:\WINNT\utgj.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeperEnterprise] "C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe" /StartInTray
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [maxifciu] C:\WINNT\system32\maxifciu.exe
O4 - HKLM\..\Run: [PC-Antispyware] "C:\Program Files\PC-Antispyware\PC-Antispyware.exe" hide
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [PC-Cleaner] "C:\Program Files\PC-Cleaner\PC-Cleaner.exe" hide
O4 - HKLM\..\Policies\Explorer\Run: [j6bXyjKcO8] C:\WINNT\system32\winver.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm265YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205411822644
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205411793822
O16 - DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} (AMI DicomDir TreeView Control 2.1) - file://D:\CDVIEWER\CdViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rkpt.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rkpt.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = rkpt.com
O20 - Winlogon Notify: tuvVPijh - C:\WINNT\SYSTEM32\tuvVPijh.dll
O20 - Winlogon Notify: winuwv32 - C:\WINNT\SYSTEM32\winuwv32.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ManageSoft installation agent (ndGlobalLauncher) - ManageSoft Corp - C:\Program Files\ManageSoft\Launcher\ndserv.exe
O23 - Service: ManageSoft managed device (ndinit) - ManageSoft Corp - C:\Program Files\ManageSoft\Schedule Agent\ndinit.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\OfficeScan NT\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\OfficeScan NT\tmlisten.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
O23 - Service: WebrootSpySweeperService - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
O24 - Desktop Component 0: (no name) - http://www.insightbb.com/images/nav/webmail.gif

--
End of file - 8853 bytes

classicsoftware
03-29-2008, 12:00 AM
Please read the instructions here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) and post back with a combofix log and a new HJT Log.

mjc
03-29-2008, 02:42 AM
The best thing to do with a used computer...wipe the drive and do a fresh install of the OS and all apps.

untern8
04-01-2008, 09:18 AM
ComboFix 08-03-30.5 - bulldog 04/01/2008 7:59:15.1 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\FunWebProducts
C:\Program Files\internet explorer\msimg32.dll
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
C:\Program Files\MyWebSearch\bar\2.bin\MWSOESTB.DLL
C:\Program Files\MyWebSearch\bar\3.bin\MWSOEMON.EXE
C:\Program Files\MyWebSearch\bar\3.bin\MWSOESTB.DLL
C:\Program Files\MyWebSearch\bar\4.bin\MWSOEMON.EXE
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL
C:\WINNT\system32\efcBqoOe.dll
C:\WINNT\system32\f3PSSavr.scr
C:\WINNT\system32\MabryObj.dll
C:\WINNT\system32\tuvVPijh.dll
C:\WINNT\system32\winuwv32.dll
C:\WINNT\Web\default.htt

----- BITS: Possible infected sites -----

hxxp://rkpsrdc003420
.
((((((((((((((((((((((((( Files Created from 2008-03-01 to 2008-04-01 )))))))))))))))))))))))))))))))
.

2008-03-28 18:37 . 08-03-28 18:37 376,606 ---h----- C:\WINNT\ShellIconCache
2008-03-28 18:25 . 03-06-19 12:05 1,015,859 --a------ C:\WINNT\system32\MFC42.1
2008-03-28 18:25 . 07-12-10 12:39 575,488 --a------ C:\WINNT\system32\WININET.1
2008-03-28 18:25 . 00-07-26 08:00 565,760 --a------ C:\WINNT\system32\MSVCP50.1
2008-03-28 18:25 . 03-06-19 12:05 286,773 --a------ C:\WINNT\system32\MSVCRT.1
2008-03-28 18:12 . 00-07-26 08:00 438 --a------ C:\WINNT\system32\autoexec.nt
2008-03-28 14:45 . 08-03-28 14:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-28 14:21 . 08-03-28 15:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC-Cleaner
2008-03-28 14:20 . 08-03-31 07:41 <DIR> d-------- C:\Program Files\PC-Cleaner
2008-03-28 13:06 . 08-03-28 13:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\OfficeUpdate12
2008-03-28 12:22 . 07-05-11 03:41 524,560 -----c--- C:\WINNT\system32\dllcache\kodakimg.exe
2008-03-28 12:22 . 07-08-17 02:48 448,272 -----c--- C:\WINNT\system32\dllcache\oieng400.dll
2008-03-28 12:22 . 07-05-11 03:42 73,488 -----c--- C:\WINNT\system32\dllcache\kodakprv.exe
2008-03-28 12:22 . 07-08-17 02:48 39,184 -----c--- C:\WINNT\system32\dllcache\jpeg2x32.dll
2008-03-28 11:03 . 08-03-28 11:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-03-28 10:54 . 08-03-28 18:37 <DIR> d-------- C:\Program Files\PC-Antispyware
2008-03-28 09:00 . 07-05-28 03:56 6,258,688 --a------ C:\WINNT\system32\sp3res.dll
2008-03-28 09:00 . 07-05-28 03:56 6,258,688 --a--c--- C:\WINNT\system32\dllcache\sp3res.dll
2008-03-28 09:00 . 07-06-25 02:25 53,008 --a--c--- C:\WINNT\system32\dllcache\agentdpv.dll
2008-03-28 08:57 . 07-04-23 02:22 939,280 --a------ C:\WINNT\system32\ntdsa.dll
2008-03-28 08:57 . 07-04-23 02:22 939,280 --a--c--- C:\WINNT\system32\dllcache\ntdsa.dll
2008-03-28 08:32 . 07-04-05 03:17 2,854,400 --a------ C:\WINNT\system32\msi.dll
2008-03-28 08:32 . 07-04-05 03:17 2,854,400 -----c--- C:\WINNT\system32\dllcache\msi.dll
2008-03-28 08:21 . 07-10-16 07:34 513,808 --a------ C:\WINNT\system32\LSASRV.DLL
2008-03-27 12:33 . 08-03-27 13:45 <DIR> d-------- C:\f69767954c0b14435fc70dc7594e6c
2008-03-27 12:08 . 08-03-27 12:08 98,304 --a------ C:\WINNT\system32\maxifciu.exe
2008-03-27 11:58 . 08-03-27 11:58 <DIR> d-------- C:\WINNT\winsxs
2008-03-27 11:57 . 08-03-27 11:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-03-27 11:57 . 07-08-17 21:29 118,272 --a------ C:\WINNT\system32\hpz3l4x6.dll
2008-03-27 11:57 . 98-12-22 14:38 3,144 --a--c--- C:\WINNT\system32\dllcache\srgb.icm
2008-03-27 11:56 . 03-06-19 12:05 12,592 --a------ C:\WINNT\system32\drivers\usbscan.sys
2008-03-27 11:56 . 03-06-19 12:05 12,592 --a--c--- C:\WINNT\system32\dllcache\usbscan.sys
2008-03-27 11:50 . 07-07-10 05:01 258,048 --a------ C:\WINNT\system32\hpzids01.dll
2008-03-27 11:50 . 07-07-10 04:23 49,920 --a------ C:\WINNT\system32\drivers\HPZid412.sys
2008-03-27 11:50 . 07-07-10 04:23 21,568 --a------ C:\WINNT\system32\drivers\HPZius12.sys
2008-03-27 11:50 . 07-07-10 04:23 16,496 --a------ C:\WINNT\system32\drivers\HPZipr12.sys
2008-03-27 11:49 . 08-03-27 11:50 <DIR> d----c--- C:\WINNT\system32\DRVSTORE
2008-03-27 11:49 . 08-03-27 11:49 <DIR> d-------- C:\WINNT\marco
2008-03-27 11:49 . 07-07-10 04:23 892,928 --a------ C:\WINNT\system32\hpwtiop2.dll
2008-03-27 11:49 . 07-07-10 04:23 364,544 --a------ C:\WINNT\system32\hppldcoi.dll
2008-03-27 11:49 . 07-07-10 04:23 309,760 --a------ C:\WINNT\system32\difxapi.dll
2008-03-27 11:49 . 07-07-10 04:23 294,912 --a------ C:\WINNT\system32\hpovst11.dll
2008-03-27 11:49 . 07-07-10 04:23 233,472 --a------ C:\WINNT\system32\hpwtusd1.dll
2008-03-27 11:48 . 08-03-27 12:06 136,053 --a------ C:\WINNT\hpwins10.dat
2008-03-27 11:46 . 07-07-10 05:01 1,269,760 --a------ C:\WINNT\hpzshl01.exe
2008-03-27 11:46 . 07-07-10 05:01 1,126,400 --a------ C:\WINNT\hpzmsi01.exe
2008-03-27 11:46 . 07-09-17 04:48 10,376 --a------ C:\WINNT\hpwscr10.dat
2008-03-27 11:46 . 07-09-17 04:45 1,042 --a------ C:\WINNT\hpwmdl10.dat
2008-03-27 10:34 . 08-03-27 10:35 <DIR> d-------- C:\temp\FixEngine
2008-03-17 14:49 . 08-03-17 14:49 524,288 --a------ C:\WINNT\opuc.dll
2008-03-13 12:32 . 08-03-13 12:32 26,112 --a------ C:\WINNT\system32\winuwh32.dll
2008-03-13 08:38 . 07-07-30 19:18 34,136 --a------ C:\WINNT\system32\wucltui.dll.mui
2008-03-13 08:38 . 07-07-30 19:19 25,944 --a------ C:\WINNT\system32\wuaucpl.cpl.mui
2008-03-13 08:38 . 07-07-30 19:19 25,944 --a------ C:\WINNT\system32\wuapi.dll.mui
2008-03-13 08:38 . 07-07-30 19:18 20,312 --a------ C:\WINNT\system32\wuaueng.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-28 20:39 --------- d-----w C:\Program Files\ManageSoft
2008-03-27 14:34 --------- d-----w C:\Program Files\HP
2008-02-04 22:23 693,792 ----a-w C:\WINNT\system32\OGACheckControl.DLL
2007-03-06 21:07 34,632 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2002-02-05 17:05 271 ---h--w C:\Program Files\desktop.ini
2002-02-05 17:05 21,952 ---h--w C:\Program Files\folder.htt
2000-07-26 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07-06-14 02:58 68856]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [06-03-30 16:45 313472]
"PC-Cleaner"="C:\Program Files\PC-Cleaner\PC-Cleaner.exe" [08-03-31 07:41 1351680]

untern8
04-01-2008, 09:18 AM
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 111376 C:\WINNT\system32\mobsync.exe]
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [00-09-21 15:34 126976]
"OfficeScanNT Monitor"="C:\OfficeScan NT\pccntmon.exe" [05-03-15 17:55 335872]
"HP Lamp"="C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe" [99-06-25 02:00 45056]
"Upromise0"="C:\Program Files\Upromise_RemindU\Upromise0.exe" [ ]
"utgj"="C:\WINNT\utgj.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05-09-12 09:26 180269]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05-12-05 10:59 155648]
"SpySweeperEnterprise"="C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe" [06-01-04 13:59 1327616]
"CreateCD50"="C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" [02-12-17 13:14 131157]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [02-12-17 12:28 684032]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [ ]
"maxifciu"="C:\WINNT\system32\maxifciu.exe" [08-03-27 12:08 98304]
"PC-Antispyware"="C:\Program Files\PC-Antispyware\PC-Antispyware.exe" [08-03-28 18:37 10674176]
"MSDisp32"="C:\WINNT\system32\drvwar.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05 186640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"j6bXyjKcO8"= C:\WINNT\system32\winver.exe

R0 IntelATA;Intel Ultra ATA Controller;C:\WINNT\system32\DRIVERS\IntelAta.sys [01-03-23 01:00 ]
R1 CCDevice;CCDevice;C:\WINNT\system32\drivers\CCDevice.sys [00-06-23 07:50 ]
R1 cdudf;cdudf;C:\WINNT\system32\drivers\cdudf.sys [02-12-17 12:29 ]
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINNT\system32\DRIVERS\msikbd2k.sys [00-06-06 14:51 ]
R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe [00-09-13 17:18 ]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINNT\system32\DRIVERS\usbprint.sys [03-06-19 12:05 ]
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys [01-10-03 07:58 ]
S3 PCX500;Cisco Wireless LAN Adapters Driver;C:\WINNT\system32\DRIVERS\pcx500.sys [01-05-14 09:01 ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-01 08:09:08
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\C:\WINNT\TEMP\mc23.tmp"
.
------------------------ Other Running Processes ------------------------
.
C:\WINNT\System32\cisvc.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\mnmsrvc.exe
C:\OfficeScan NT\ntrtscan.exe
C:\OfficeScan NT\OfcPfwSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\OfficeScan NT\tmlisten.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\TEMP\IUE3B1.EXE
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
C:\WINNT\SYSTEM32\DWRCST.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2008-04-01 8:15:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-01 12:14:51
Pre-Run: 14,856,499,200 bytes free
Post-Run: 15,767,580,672 bytes free

untern8
04-01-2008, 09:19 AM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:16:48 AM, on 4/1/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\mnmsrvc.exe
C:\WINNT\System32\svchost.exe
C:\OfficeScan NT\ntrtscan.exe
C:\OfficeScan NT\OfcPfwSvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\OfficeScan NT\tmlisten.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\TEMP\IUE3B1.EXE
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
C:\WINNT\SYSTEM32\DWRCST.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\maxifciu.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rkpt.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
O4 - HKLM\..\Run: [Upromise0] "C:\Program Files\Upromise_RemindU\Upromise0.exe"
O4 - HKLM\..\Run: [utgj] C:\WINNT\utgj.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeperEnterprise] "C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe" /StartInTray
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [maxifciu] C:\WINNT\system32\maxifciu.exe
O4 - HKLM\..\Run: [PC-Antispyware] "C:\Program Files\PC-Antispyware\PC-Antispyware.exe" hide
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINNT\system32\drvwar.dll,startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [PC-Cleaner] "C:\Program Files\PC-Cleaner\PC-Cleaner.exe" hide
O4 - HKLM\..\Policies\Explorer\Run: [j6bXyjKcO8] C:\WINNT\system32\winver.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm265YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205411822644
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205411793822
O16 - DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} (AMI DicomDir TreeView Control 2.1) - file://D:\CDVIEWER\CdViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rkpt.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rkpt.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = rkpt.com
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\OfficeScan NT\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\OfficeScan NT\tmlisten.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
O23 - Service: WebrootSpySweeperService - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
O24 - Desktop Component 0: (no name) - http://www.insightbb.com/images/nav/webmail.gif

--
End of file - 7674 bytes
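The two HijackThis logs in this thread (3/28 before ComboFix, 4/1 after) are the sort of thing a responder triages by eye: which autostart entries look wrong, and which of them survived the cleanup. The script below is an added example by the editor, not part of the thread and not code from HijackThis, ComboFix or Trend Micro. It parses constructed excerpts of both posted logs, flags entries with a handful of heuristics (Winlogon Notify DLLs, the Policies\Explorer\Run key, unnamed or orphaned BHOs, a known adware folder name, binaries autostarting straight out of %windir% or system32), and then diffs the two logs to show what ComboFix removed, what persisted, and what appeared afterwards. The heuristics, the allowlist of system binary names and the adware folder list are the editor's assumptions and should be extended for a real environment.

```python
"""Triage of HijackThis-style logs: flag suspicious autostart entries and
diff a 'before' log against an 'after' log to see what a cleanup removed
and what it left behind. Added example; not part of the original thread.
The heuristics and allowlist below are assumptions, not HijackThis logic."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: excerpts of the two logs posted above
# (3/28 before ComboFix, 4/1 after). Raw strings keep the backslashes.
BEFORE = r"""
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {94BC3D1D-22E9-4744-8ED1-3E08A3B74078} - C:\WINNT\system32\tuvVPijh.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [utgj] C:\WINNT\utgj.exe
O4 - HKLM\..\Run: [maxifciu] C:\WINNT\system32\maxifciu.exe
O4 - HKLM\..\Policies\Explorer\Run: [j6bXyjKcO8] C:\WINNT\system32\winver.exe
O20 - Winlogon Notify: tuvVPijh - C:\WINNT\SYSTEM32\tuvVPijh.dll
O20 - Winlogon Notify: winuwv32 - C:\WINNT\SYSTEM32\winuwv32.dll
"""
AFTER = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [utgj] C:\WINNT\utgj.exe
O4 - HKLM\..\Run: [maxifciu] C:\WINNT\system32\maxifciu.exe
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINNT\system32\drvwar.dll,startup
O4 - HKLM\..\Policies\Explorer\Run: [j6bXyjKcO8] C:\WINNT\system32\winver.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# First Windows path in a line that ends in a loadable/executable extension.
PATH_RE = re.compile(r"[a-z]:\\[^\"\n]*?\.(?:exe|dll|scr|ocx|sys)", re.IGNORECASE)

# Assumed allowlist of binary names that legitimately live in %windir% or
# system32 and show up in autostart keys. A known name does not prove the
# file is genuine; it only keeps the location rule quiet.
KNOWN_SYSTEM_BINARIES = {"mobsync", "msdxm", "rundll32", "winver"}
# Assumed: vendor folder names of the bundled adware ComboFix deleted above.
UNWANTED_FOLDERS = ("mywebsearch", "funwebproducts")
SYSTEM_DIRS = {r"c:\winnt", r"c:\winnt\system32", r"c:\windows", r"c:\windows\system32"}


@dataclass(frozen=True)
class Entry:
    section: str  # HijackThis section code, e.g. "O4" or "O20"
    body: str     # everything after "O4 - "
    path: str     # first file path found in body, or "" (e.g. for "(no file)")


def extract_path(body: str) -> str:
    m = PATH_RE.search(body)
    return m.group(0) if m else ""


def parse(log: str) -> list[Entry]:
    entries = []
    for line in log.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:  # skips headers, the process list and blank lines
            body = m.group("body")
            entries.append(Entry(m.group("section"), body, extract_path(body)))
    return entries


def _folder_and_stem(path: str) -> tuple[str, str]:
    folder, _, name = path.lower().rpartition("\\")
    return folder, name.rsplit(".", 1)[0]


def triage(e: Entry) -> list[str]:
    """Return the reasons an entry deserves a second look (empty = looks benign)."""
    reasons = []
    body_l = e.body.lower()
    if "(no file)" in body_l:
        reasons.append("registered component whose file is gone (orphan)")
    if e.section == "O2" and "(no name)" in body_l:
        reasons.append("BHO with no name; legitimate vendors name their BHOs")
    if e.section == "O20":
        reasons.append("Winlogon Notify DLL: loaded into winlogon at each logon, rare in legitimate software")
    if "policies\\explorer\\run" in body_l:
        reasons.append("Policies\\Explorer\\Run: policy-only autostart key that installers do not use")
    if any(v in body_l for v in UNWANTED_FOLDERS):
        reasons.append("known bundled adware folder")
    if e.path:
        folder, stem = _folder_and_stem(e.path)
        if folder in SYSTEM_DIRS and stem not in KNOWN_SYSTEM_BINARIES:
            reasons.append("autostart binary dropped straight into %windir% or system32, not a program folder")
    return reasons


def diff_logs(before: str, after: str) -> dict[str, list[Entry]]:
    """Set difference of two logs: what a cleanup removed, what it left, what appeared."""
    b, a = set(parse(before)), set(parse(after))

    def key(e: Entry):
        return (e.section, e.body)

    return {"removed": sorted(b - a, key=key),
            "persisted": sorted(b & a, key=key),
            "new": sorted(a - b, key=key)}


if __name__ == "__main__":
    for e in parse(BEFORE):
        for r in triage(e):
            print(f"{e.section:4} {e.body[:60]:60} <- {r}")
    d = diff_logs(BEFORE, AFTER)
    for k in ("removed", "persisted", "new"):
        print(f"{k}: {[e.body.split(' - ')[0] for e in d[k]]}")
```

Run on the excerpts, the diff shows the pattern the thread goes on to describe: the Winlogon Notify DLLs and the MyWebSearch BHO are gone, but the utgj, maxifciu and Policies\Explorer\Run entries are still present, and a new rundll32 entry for drvwar.dll has appeared, which is why a second pass was needed rather than declaring the machine clean.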

untern8
04-01-2008, 09:21 AM
This computer is actually running Windows 2000 SP4. That is why I haven't uninstalled and started over (I don't have any install discs for the OS). This is also why I didn't do the recovery console (it's not XP)...

Hoping to get rid of PC-Cleaner (says PSAPI.dll failed to load when I start the computer).

Sylvander
04-01-2008, 10:28 AM
"(I don't have any install discs for the OS). This is also why I didn't do the recovery console"
1. Get System Information for Windows [SIW] (www3.sympatico.ca/gtopala/about_siw.html).
The PORTABLE [the one I like] and/or installable version.
Run that and go to Software->Operating System and read/note/record the Product Key for your installed Win2000 OS. [See screenshot]
Use that with any future re-installation of Win2000.

2. Get someone to give you a copy of the Win2000 installation files.
I believe that isn't illegal [open to correction though]; it is possession of the Product Key that's important.
If you hold them on some accessible partition [other than C: ideally] on an internal HDD...
You can use some suitable program/OS to run the appropriate installation file from there.
e.g.
DOS would be used to run WINNT.EXE
[It would need to be on a FAT[32](not NTFS) partition for plain DOS (without NTFS4DOS drivers) to access it]
Windows run from a "live" CD or from a dual boot installation used to run WINNT32.EXE

3. How to install the Windows Recovery Console (http://support.microsoft.com/kb/216417) [to your HDD C: partition].
It's not essential that the installation files be on an optical disk; they can be anywhere, provided you point to the correct location of winnt32.exe and use the /cmdcons switch.
Once this is done a setting will be added to your boot.ini file so that at each Startup you will be presented with the option to boot TO the Recovery Console that has been installed to the C:\cmdcons folder.

untern8
04-04-2008, 08:19 AM
If I reinstall the OS, I lose the MS Office applications that I have installed. I don't have install discs for those either and can't afford to lose them. I'd rather just dump the crap that is on here...

classicsoftware - do you have any tips?

classicsoftware
04-04-2008, 02:24 PM
If you don't have the credentials, then you need to backup the system by making an image backup.

Then just delete the files from the program files folder. You might have to use the registry editor to remove traces of the program.

Does that make sense....

untern8
04-04-2008, 02:37 PM
No, I do not follow...

Did you find anything that we can fix with combofix?

classicsoftware
04-05-2008, 10:33 PM
No, I do not follow...

Did you find anything that we can fix with combofix?

It doesn't matter. Combofix fixes things itself. The question is why can't you uninstall these programs?

FTT
04-06-2008, 10:02 PM
If you don't have MS Office, just use Open Office (http://www.openoffice.org/)

untern8
04-09-2008, 04:24 PM
I have been able to access office programs - just had to recreate the desktop shortcut. I have been able to uninstall the programs, but occasionally get a warning message that tries to get me to install PC-antispyware and can't get that to stop.

I was able to remove webroot spysweeper without a password by using a cleaner located here:

http://download.webroot.com/SSECleanup251.exe

you can also e-mail their tech support at esupport@webroot.com

I now have a different problem and will start a new thread...