Trouble; TheMatrixHasYou, winbrume, paytime, secure32, etc



65538
2006-05-03, 23:23
My computer has been infected and I have been unable to fix it. I can clean up much of it, but it seems that as soon as I start IExplorer a lot of unwanted files are installed again. I would be very grateful for a solution to this.

Thanks,
Howie


Some of the unwanted files on the computer:

TheMatrixHasYou.exe
winbrume.dll
secure32.html
winstall.exe
ibm00001.exe
ibm00002.dll
paytime.exe
fmc.exe
tool1.exe
tool2.exe
tool4.exe
tool5.exe
ms1.exe
0mcamcap.exe
vcyaudtb.exe
runfile[1].exe
rsysinit.exe
krab04[1].exe
2235.exe
u9d30[1].exe
btuzfltj.exe
ombvrigs.exe
3333[1].exe
88cbae71.exe
88cbae71.exe
country.exe
kl1.exe
khndwtso.exe

-------------------------

Logfile of HijackThis v1.99.1
Scan saved at 22:05:25, on 03.05.2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Software\antivir\AVWUPSRV.EXE
C:\WINNT\System32\cisvc.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\netbtd.exe
C:\WINNT\system32\niSvcLoc.exe
C:\SOFTWARE\NORMAN2\Nvc\BIN\NPFSVICE.EXE
C:\Software\Norman2\NVC\BIN\Zanda.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\WINNT\System32\Tmesbs2.exe
C:\Program Files\TOSHIBA\TME\Tmesrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\S3tray.exe
C:\WINNT\system32\TPWRTRAY.EXE
C:\SOFTWARE\NORMAN2\Nvc\BIN\ZLH.EXE
C:\WINNT\System32\Tdevdetect.exe
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\WINNT\System32\Tfunckey.exe
C:\Software\quickt\iTunesHelper.exe
C:\WINNT\System32\Tpwricon.exe
C:\WINNT\system32\internat.exe
C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Software\ewido anti-malware\ewidoctrl.exe
c:\tool2.exe
c:\Program Files\paytime.exe
c:\tool1.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\0mcamcap.exe
c:\Program Files\paytime.exe
C:\Software\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINNT\SYSTEM32\winbrume.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Norman ZANDA] C:\SOFTWARE\NORMAN2\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [iTunesHelper] "C:\Software\quickt\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SysTray] c:\Program Files\paytime.exe
O4 - HKLM\..\Run: [88cbae71.exe] C:\WINNT\system32\88cbae71.exe
O4 - HKLM\..\Run: [0mcamcap] C:\WINNT\system32\0mcamcap.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINNT\system32\0mcamcap.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - Global Startup: TSBxLogon.lnk = C:\WINNT\system32\TMESBS2.exe
O4 - Global Startup: TMExLogon.lnk = C:\Program Files\TOSHIBA\TME\TMESRV.EXE
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {D1EA8D3D-F511-4388-B754-4A0CC14A4778} (Aurigma Image Uploader 3.0 Control) - http://www.eurofoto.no/activex/ImageUploader3.cab
O20 - Winlogon Notify: AutorunsDisabled - C:\WINNT\
O21 - SSODL: bQJrUvVutjY - {116B130D-BBC1-B9A7-FE99-BAAA524B8C58} - C:\WINNT\system32\uvr.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Software\antivir\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Software\antivir\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Software\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NILM License manager - Macrovision Corporation - C:\Software\NationalInstruments\shared\License Manager\Bin\lmgrd.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\nipsvc.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINNT\system32\niSvcLoc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Software\Norman2\NVC\BIN\Zanda.exe
O23 - Service: Network DRV (NTDRV) - Unknown owner - C:\WINNT\system32\netdrvr.exe (file missing)
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\SOFTWARE\NORMAN2\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\SOFTWARE\NORMAN2\Nvc\BIN\NVCSCHED.EXE
O23 - Service: THotkey (THOTKEY) - TOSHIBA Corp. - C:\WINNT\SYSTEM32\THOTKEY.EXE
O23 - Service: tmesbs2 (Tmesbs) - Toshiba Corporation - C:\WINNT\System32\Tmesbs2.exe
O23 - Service: Tmesrv - Unknown owner - C:\Program Files\TOSHIBA\TME\Tmesrv.exe" /Service (file missing)

-------------------------

CalamityJane
2006-05-06, 16:23
Wow, what a mess. :sick: For starters, you've had some very bad infections... with this one in particular you need to be aware that your computer may have been compromised by an outside intruder.

Ibm00001.exe is associated with one of the many Torpig trojan variants:
http://www.sophos.com/virusinfo/analyses/search-results/?search=Ibm00001&action=search

You need to take any and all precautions to protect any accounts, passwords, any sensitive data on that PC, as Torpig is a remote access trojan, allowing an intruder to access the computer and often contains a keylogger and/or password stealer.

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

What is a backdoor or remote access trojan?
Read this article.
Danger: Remote Access Trojans
http://www.microsoft.com/technet/security/alerts/info/virusrat.mspx


Let's start the cleanup with this:
Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip).
Unzip it to its own folder (c:\BFU)

RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover. Save it in the folder you made earlier (c:\BFU).

Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by double-clicking BFU.exe

In the "Scriptline to execute" field, copy and paste c:\bfu\alcanshorty.bfu
Press Execute and let it do its job.

Wait for the complete script execution box to pop up and press OK.

Click "Save".

In "Filename" enter log.txt

Click Exit to exit the BFU program.

Please copy the contents of the log.txt back here in your next reply. The log.txt will be in the C:\BFU\ folder ...

65538
2006-05-08, 00:21
Thank you for your reply.

I did as you described, but the script only ran for a second and said complete. It seems it didn't do much. After executing it I got a general program error, maybe because of the virus. I also ran it in safe mode and then got no program error.

The log file was the same each time:

-----
BFU v1.00.9
Windows 2000 SP4 (WinNT 5.00.2195 SP4)
Script started at 22:58:56, on 07.05.2006

Script completed.
-----

If this is not how the log is supposed to look, there may be a problem with the virus. I get messages from the virus as soon as I start the PC.

Thanks,
Howie

CalamityJane
2006-05-08, 00:32
Ok, can you please scan and post a fresh HijackThis log?

65538
2006-05-08, 02:05
Here is an updated HijackThis log;


Logfile of HijackThis v1.99.1
Scan saved at 00:57:11, on 08.05.2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Software\antivir\AVWUPSRV.EXE
C:\WINNT\System32\cisvc.exe
C:\Software\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\netbtd.exe
C:\WINNT\system32\niSvcLoc.exe
C:\SOFTWARE\NORMAN2\Nvc\BIN\NPFSVICE.EXE
C:\Software\Norman2\NVC\BIN\Zanda.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\WINNT\System32\Tmesbs2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\TOSHIBA\TME\Tmesrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\S3tray.exe
C:\WINNT\system32\TPWRTRAY.EXE
C:\SOFTWARE\NORMAN2\Nvc\BIN\ZLH.EXE
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\WINNT\System32\Tdevdetect.exe
C:\Software\quickt\iTunesHelper.exe
C:\WINNT\System32\Tfunckey.exe
C:\WINNT\System32\Tpwricon.exe
C:\Program Files\phucmxse.exe
C:\WINNT\system32\kernels8.exe
C:\WINNT\system32\spoolsvv.exe
C:\WINNT\system32\intell321.exe
C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\dlh9jkdq2.exe
C:\WINNT\system32\dlh9jkdq7.exe
C:\WINNT\system32\maxd641.exe
C:\WINNT\system32\drwtsn32.exe
C:\Software\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Norman ZANDA] C:\SOFTWARE\NORMAN2\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [iTunesHelper] "C:\Software\quickt\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\phucmxse.exe
O4 - HKLM\..\Run: [System] C:\WINNT\system32\kernels8.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINNT\system32\spoolsvv.exe
O4 - HKLM\..\Run: [LJSMSUMkPSPKK\] C:\WINNT\system32\wzzhc.exe
O4 - HKLM\..\Run: [SystemLoader] C:\WINNT\sysldr32.exe
O4 - HKLM\..\Run: [intell321.exe] C:\WINNT\system32\intell321.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINNT\system32\kernels8.exe
O4 - HKLM\..\RunServices: [LJSMSUMkPSPKK\] C:\WINNT\system32\wzzhc.exe
O4 - HKLM\..\RunServices: [Z_[SVYYRSOI^W_`N] C:\WINNT\system32\xqyxyzyfbx.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - Global Startup: TSBxLogon.lnk = C:\WINNT\system32\TMESBS2.exe
O4 - Global Startup: TMExLogon.lnk = C:\Program Files\TOSHIBA\TME\TMESRV.EXE
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {D1EA8D3D-F511-4388-B754-4A0CC14A4778} (Aurigma Image Uploader 3.0 Control) - http://www.eurofoto.no/activex/ImageUploader3.cab
O20 - Winlogon Notify: 2006reg - C:\Documents and Settings\All Users\Documents\Settings\2006.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINNT\
O20 - Winlogon Notify: SensSrv - C:\WINNT\SYSTEM32\senssrv.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINNT\system32\dcom_16.dll
O21 - SSODL: bQJrUvVutjY - {116B130D-BBC1-B9A7-FE99-BAAA524B8C58} - C:\WINNT\system32\uvr.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Software\antivir\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Software\antivir\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Software\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NILM License manager - Macrovision Corporation - C:\Software\NationalInstruments\shared\License Manager\Bin\lmgrd.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\nipsvc.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINNT\system32\niSvcLoc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Software\Norman2\NVC\BIN\Zanda.exe
O23 - Service: Network DRV (NTDRV) - Unknown owner - C:\WINNT\system32\netdrvr.exe (file missing)
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\SOFTWARE\NORMAN2\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\SOFTWARE\NORMAN2\Nvc\BIN\NVCSCHED.EXE
O23 - Service: THotkey (THOTKEY) - TOSHIBA Corp. - C:\WINNT\SYSTEM32\THOTKEY.EXE
O23 - Service: tmesbs2 (Tmesbs) - Toshiba Corporation - C:\WINNT\System32\Tmesbs2.exe
O23 - Service: Tmesrv - Unknown owner - C:\Program Files\TOSHIBA\TME\Tmesrv.exe" /Service (file missing)

:spider: :spider: :spider:
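A first-pass triage of HijackThis logs like the two posted above, added here as an example and not code from this thread or from the HijackThis tool itself: it parses the R/F/O entry lines and flags the patterns a helper looks for first (start page pointing at a local HTML file, an extra executable chained onto the system.ini Shell line, an unnamed BHO, autostarts sitting in the drive root or directly under Program Files, RunServices entries, Winlogon Notify and SSODL DLLs, services whose binary is missing). The sample lines are constructed from entries in the logs above; the heuristics are coarse triage rules, not signatures, and every hit still needs a human to verify.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99 format, assembled from entries that
# appear in the logs posted in this thread (benign lines included on purpose).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINNT\SYSTEM32\winbrume.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SysTray] c:\Program Files\paytime.exe
O4 - HKLM\..\Run: [88cbae71.exe] C:\WINNT\system32\88cbae71.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINNT\system32\0mcamcap.exe
O20 - Winlogon Notify: SensSrv - C:\WINNT\SYSTEM32\senssrv.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINNT\
O21 - SSODL: bQJrUvVutjY - {116B130D-BBC1-B9A7-FE99-BAAA524B8C58} - C:\WINNT\system32\uvr.dll
O23 - Service: Network DRV (NTDRV) - Unknown owner - C:\WINNT\system32\netdrvr.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    reason: str   # why a reviewer should look at this entry
    line: str     # the log line as posted


# "c:\..." style local path, any case (an IE start page should be a URL).
LOCAL_PATH = re.compile(r"^[a-z]:\\", re.IGNORECASE)
# Executable directly in the drive root (c:\tool1.exe) or directly under
# Program Files (c:\Program Files\paytime.exe). Installers put binaries in a
# product folder, so both are unusual homes for an autostart.
ROOT_OR_PF = re.compile(r'^"?[a-z]:\\(program files\\)?[^\\"]+\.exe"?', re.IGNORECASE)
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def _o4_target(rest: str) -> str:
    """'HKLM\\..\\Run: [Name] C:\\x.exe args' -> 'C:\\x.exe args'."""
    return rest.split("] ", 1)[1].strip() if "] " in rest else ""


def triage(log_text: str) -> list[Finding]:
    """Return the entries a helper should look at first, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, blank line or process-list line
        code, rest = m.groups()
        hit = None
        if code in ("R0", "R1") and LOCAL_PATH.search(rest.split(" = ", 1)[-1]):
            hit = "IE start/default page redirected to a local file"
        elif code == "F2" and "Shell=" in rest:
            shell = rest.split("Shell=", 1)[1].strip().lower()
            if shell != "explorer.exe":
                hit = "system.ini Shell= launches something besides explorer.exe"
        elif code == "O2" and "(no name)" in rest:
            hit = "unnamed BHO loaded into every IE window"
        elif code == "O4":
            if "RunServices" in rest:
                # RunServices is a Windows 9x key; on NT/2000 little legitimate
                # software writes it, but malware droppers still do.
                hit = "RunServices autostart on an NT-family system"
            elif ROOT_OR_PF.match(_o4_target(rest)):
                hit = "autostart binary in drive root or Program Files root"
        elif code in ("O20", "O21"):
            # "AutorunsDisabled" is the placeholder Sysinternals Autoruns leaves
            # for entries the user disabled, not a loaded DLL.
            if "AutorunsDisabled" not in rest:
                hit = "Winlogon Notify / SSODL DLL: early-loading persistence, verify the DLL"
        elif code == "O23" and rest.endswith("(file missing)"):
            hit = "service points at a missing binary (leftover or stub)"
        if hit:
            findings.append(Finding(code, hit, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```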

CalamityJane
2006-05-10, 03:06
Please run through all the steps here:
http://forums.spybot.info/showthread.php?t=4015

You also need to get an online AV scan and let them fix or delete any problems found. Here are 3 free ones to choose from:

eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
(if prompted, please *allow* Active X and the install of software - this is needed to scan your system)
It will take a while to download the updates needed, and then you'll be presented with a screen to scan your system.

Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com

Panda's Active Scan
http://www.pandasoftware.com/products/activescan.htm

When done, please post back with the requested logs :)

65538
2006-05-15, 03:46
:sick: Thank you for the reply.

I ran;
- SmitRem, which was installed by mistake instead of SmitFraudFix
- Ewido
Then I started over again with the right SmitFraudFix:
- SmitFraudFix
- Ewido
- Spybot
- HijackThis

The logs are below.

Thanks,
Howie




================================================================================
smitRem © log file
version 2.8

by noahdfear


Microsoft Windows 2000 [Version 5.00.2195]
The current date is: to 11.05.2006
The current time is: 0:27:22.62

Running from
C:\Software\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}"="DCOM Server"
"{4F141CBA-1457-6CCA-03A7-7AA21B61EA0F}"="OutPost FireWall"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}\InProcServer32]
@="C:\WINNT\system32\dcom_16.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!
checking for WinHound.com key
WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
Install.dat
~~~ Favorites ~~~
~~~ system32 folder ~~~
svcp.csv
winsub.xml
oleext.dll
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
warnhp.html
desktop.html
~~~ Drive root ~~~
secure32.html
winstall.exe

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1068 'explorer.exe'
Killing PID 1068 'explorer.exe'
Error 0x5 : Access is denied.


Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}"="DCOM Server"
"{4F141CBA-1457-6CCA-03A7-7AA21B61EA0F}"="OutPost FireWall"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}\InProcServer32]
@="C:\WINNT\system32\dcom_16.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remaining Post-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
oleext.dll
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~ Wininet.dll ~~~
wininet.dll INFECTED!! :( Starting replacement procedure.
~~~~ Looking for C:\WINNT\system32\dllcache\wininet.dll ~~~~
~~~~ C:\WINNT\system32\dllcache\wininet.dll Present! ~~~~
~~~~ Checking dllcache\wininet.dll for infection ~~~~
~~~~ dllcache\wininet.dll Clean! ~~~~
~~~ Replaced wininet.dll from dllcache ~~~

================================================================================

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 09:49:11, 11.05.2006
+ Report-Checksum: 9B2F5034

+ Scan result:

[156] C:\WINNT\system32\senssrv.dll -> Downloader.Agent.afl : Cleaned with backup
C:\WINNT\SYSTEM32\netbtd.exe -> Backdoor.SdBot.aoz : Cleaned with backup
C:\WINNT\SYSTEM32\88cbae71.exe -> Downloader.Small.csn : Cleaned with backup
C:\WINNT\SYSTEM32\dcom_15.dll -> Proxy.Xmiler.a : Cleaned with backup
C:\WINNT\SYSTEM32\ib14.dll -> Logger.VB.mz : Cleaned with backup
C:\WINNT\SYSTEM32\uvr.dll -> Proxy.Agent.df : Cleaned with backup
C:\WINNT\SYSTEM32\0mcamcap.exe -> Proxy.Small.bo : Cleaned with backup
C:\WINNT\SYSTEM32\winbrume.dll -> Adware.BHO : Cleaned with backup
C:\WINNT\SYSTEM32\maxd641.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINNT\SYSTEM32\vxgamet1.exe -> Downloader.Agent.hy : Cleaned with backup
C:\WINNT\SYSTEM32\vxgamet2.exe -> Trojan.Small : Cleaned with backup
C:\WINNT\SYSTEM32\vxgame1.exe -> Backdoor.Bech : Cleaned with backup
C:\WINNT\SYSTEM32\vxgame2.exe -> Trojan.Small : Cleaned with backup
C:\WINNT\SYSTEM32\vxgame3.exe -> Trojan.Small : Cleaned with backup
C:\WINNT\SYSTEM32\vxgamet4.exe -> Trojan.Spabot.x : Cleaned with backup
C:\WINNT\SYSTEM32\vxgame4.exe -> Downloader.Small.ctk : Cleaned with backup
C:\WINNT\SYSTEM32\vxgame6.exe -> Downloader.Small.cug : Cleaned with backup
C:\WINNT\SYSTEM32\spoolsvv.exe -> Trojan.Spabot.x : Cleaned with backup
C:\WINNT\SYSTEM32\senssrv.dll -> Downloader.Agent.afl : Cleaned with backup
C:\WINNT\SYSTEM32\child.dll -> Downloader.Small.bug : Cleaned with backup
C:\WINNT\SYSTEM32\brmfrsmq.exe -> Proxy.Small.bo : Cleaned with backup
C:\WINNT\SYSTEM32\53a8b3b9.exe -> Downloader.Small.csn : Cleaned with backup
C:\WINNT\SYSTEM32\msvcrl.dll -> Worm.Locksky.ao : Cleaned with backup
C:\WINNT\SYSTEM32\sachostp.exe -> Trojan.Small.bh : Cleaned with backup
C:\WINNT\SYSTEM32\sachostc.exe -> Trojan.Small : Cleaned with backup
C:\WINNT\SYSTEM32\sachosts.exe -> Trojan.Small : Cleaned with backup
C:\WINNT\SYSTEM32\TheMatrixHasYou.exe -> Proxy.Small.bo : Cleaned with backup
C:\WINNT\SYSTEM32\dlh9jkdq2.exe -> Not-A-Virus.Hoax.Win32.Renos.ch : Cleaned with backup
C:\WINNT\SYSTEM32\dlh9jkdq6.exe -> Trojan.Small : Cleaned with backup
C:\WINNT\SYSTEM32\dlh9jkdq7.exe -> Trojan.Small : Cleaned with backup
C:\WINNT\SYSTEM32\qvxgamet3.exe -> Hijacker.BHO.d : Cleaned with backup
C:\WINNT\SYSTEM32\qvxgamet4.exe -> Proxy.Wopla.r : Cleaned with backup
C:\WINNT\SYSTEM32\intell321.exe -> Trojan.Small.ev : Cleaned with backup
C:\WINNT\SYSTEM32\mknurplcjlv.exe -> Worm.Bobic.ak : Cleaned with backup
C:\WINNT\file1.exe -> Dropper.Agent.ail : Cleaned with backup
C:\WINNT\comdlj32.dll -> Proxy.Agent.ji : Cleaned with backup
C:\WINNT\sysldr32.exe -> Downloader.Small.cpo : Cleaned with backup
C:\WINNT\sachostx.exe -> Worm.Locksky.ao : Cleaned with backup
C:\WINNT\uninstDsk.exe -> Trojan.Small.ev : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Application Data\88cbae71.exe -> Downloader.Small.csn : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Application Data\53a8b3b9.exe -> Downloader.Small.csn : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00013.dll -> Trojan.Sinowal.k : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00014.dll -> Trojan.Sinowal.i : Cleaned with backup
C:\Program Files\paytime.exe -> Hijacker.StartPage.adi : Cleaned with backup
C:\Program Files\phucmxse.exe -> Hijacker.StartPage.adi : Cleaned with backup
C:\Program Files\BraveSentry\BraveSentry0.dll -> Adware.Spysheriff : Cleaned with backup
C:\Program Files\BraveSentry\BraveSentry1.dll -> Adware.Spysheriff : Cleaned with backup
C:\Program Files\BraveSentry\BraveSentry2.dll -> Adware.Spysheriff : Cleaned with backup
C:\Program Files\BraveSentry\BraveSentry3.dll -> Adware.Spysheriff : Cleaned with backup
C:\Software\hijackthis\backups\backup-20060504-001258-722.dll -> Adware.BHO : Cleaned with backup
C:\kl1.exe -> Trojan.Sinowal.n : Cleaned with backup
C:\tool2.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\tool1.exe -> Downloader.Small.csn : Cleaned with backup
C:\tool4.exe -> Adware.BHO : Cleaned with backup
C:\tool5.exe -> Hijacker.Small.kr : Cleaned with backup
C:\mxgra.exe -> Trojan.Sinowal.d : Cleaned with backup
C:\vathyiqv.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\xrsj.exe -> Trojan.Sinowal.k : Cleaned with backup
C:\ejtuxpna.exe -> Downloader.Small.csn : Cleaned with backup
C:\ygbfwsx.exe -> Downloader.Small.ctf : Cleaned with backup
C:\yrkok.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup


::Report End


================================================================================
SmitFraudFix v2.42

Scan done at 23:09:33.52, to 11.05.2006
Run from C:\Software\smithfraudfix\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» End

65538
2006-05-15, 03:49
The rest of the log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 22:42:37, 11.05.2006
+ Report-Checksum: FEFB7C8D

+ Scan result:

[156] C:\Documents and Settings\All Users\Documents\Settings\2006.dll -> Trojan.Agent.oh : Error during cleaning


::Report End

================================================================================

--- Search result list ---
Windows Security Center.AntiVirusOverride: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0

Windows Security Center.FirewallOverride: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride!=dword:0

Windows Security Center.FirewallDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

Windows Security Center.UpdateDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2006-05-02 unins000.exe (51.41.0.0)
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-02-06 advcheck.dll (1.0.2.0)
2006-02-20 Tools.dll (2.0.0.2)
2006-05-02 Includes\Cookies.sbi (*)
2006-05-02 Includes\Dialer.sbi (*)
2006-05-02 Includes\Hijackers.sbi (*)
2006-05-02 Includes\Keyloggers.sbi (*)
2006-05-02 Includes\Malware.sbi (*)
2006-05-02 Includes\Revision.sbi (*)
2006-05-02 Includes\Security.sbi (*)
2006-05-02 Includes\Spybots.sbi (*)
2006-05-02 Includes\Trojans.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-05-02 Includes\PUPS.sbi (*)



--- System information ---
Windows 2000 (Build: 2195) Service Pack 4
/ DataAccess: Patch Available For XMLHTTP Vulnerability
/ DataAccess: Security Update for Microsoft Data Access Components
/ Windows 2000 / SP4: Windows 2000 Service Pack 4
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB329115
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB820888
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB822831
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB823182
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB823559
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB824105
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB824141
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB824146
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB825119
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB826232
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB828028
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB828035
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB828749
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB829558
/ Windows 2000 / SP5: Windows 2000 Hotfix (SP5) Q818043
/ Windows Media Player: Windows Media Player Hotfix [See Q828026 for more information]
/ Windows Media Player / SP0: Windows Media Player Hotfix [See Q828026 for more information]


--- Startup entries list ---
Located: HK_LM:Run, ACUMon
command: "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
file: C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
size: 364544
MD5: 612495556c82e4c85c920d6a8b78964b

Located: HK_LM:Run, iTunesHelper
command: "C:\Software\quickt\iTunesHelper.exe"
file: C:\Software\quickt\iTunesHelper.exe
size: 278528
MD5: a8cf3f60099eaa123db72611ce7be271

Located: HK_LM:Run, LJSMSUMkPSPKK\
command: C:\WINNT\system32\qbmmqjsqvcpwik.exe
file: C:\WINNT\system32\qbmmqjsqvcpwik.exe
size: 32364
MD5: 2cfe52ac93a0c9f739d5319508b67c39

Located: HK_LM:Run, NeroFilterCheck
command: C:\WINNT\system32\NeroCheck.exe
file: C:\WINNT\system32\NeroCheck.exe
size: 155648
MD5: 3e4c03cefad8de135263236b61a49c90

Located: HK_LM:Run, Norman ZANDA
command: C:\SOFTWARE\NORMAN2\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
file: C:\SOFTWARE\NORMAN2\Nvc\BIN\ZLH.EXE
size: 90112
MD5: ed56e42cfd7d53af4453c4253eaa17b0

Located: HK_LM:Run, S3TRAY
command: S3tray.exe
file: C:\WINNT\system32\S3tray.exe
size: 57856
MD5: 7c2766120401f41345c12eeed426d892

Located: HK_LM:Run, Synchronization Manager
command: mobsync.exe /logon
file: C:\WINNT\system32\mobsync.exe
size: 111376
MD5: 9b2f5b9e745deaaa57fb78329ed03061

Located: HK_LM:Run, SysTray
command: C:\Program Files\phucmxse.exe
file:

Located: HK_LM:Run, Tpwrtray
command: TPWRTRAY.EXE
file: C:\WINNT\system32\TPWRTRAY.EXE
size: 65536
MD5: 586f9abd320c40746bf43f3ee7a29cec

Located: HK_LM:Run, Z_[SVYYRSOI^W_`N
command: C:\WINNT\system32\onxjalddnczhip.exe
file:

Located: HK_LM:RunServices, LJSMSUMkPSPKK\
command: C:\WINNT\system32\qbmmqjsqvcpwik.exe
file: C:\WINNT\system32\qbmmqjsqvcpwik.exe
size: 32364
MD5: 2cfe52ac93a0c9f739d5319508b67c39

Located: HK_LM:RunServices, SystemTools
command: C:\WINNT\system32\kernels8.exe
file:

Located: HK_LM:RunServices, Z_[SVYYRSOI^W_`N
command: C:\WINNT\system32\onxjalddnczhip.exe
file:

Located: HK_CU:Run, PhotoShow Deluxe Media Manager
command: C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
file: C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
size: 212992
MD5: 917bafa5fc295611a401692f56da7829

Located: HK_CU:Run, Windows update loader
command: C:\Windows\xpupdate.exe
file:

Located: Startup (common), Acrobat Assistant.lnk
command: C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
file: C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
size: 82026
MD5: 21189b8f2d747b6981a54d5c5d554c8e

Located: Startup (common), Picture Package Menu.lnk
command: C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
file: C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
size: 151552
MD5: f15fcbb20fe82674f48a60a37e5ba45a

Located: Startup (common), TSBxLogon.lnk
command: C:\WINNT\system32\TMESBS2.exe
file: C:\WINNT\system32\TMESBS2.exe
size: 53248
MD5: e6229dc0fb3f68856fa62f93f7610601

Located: System.ini, 2006reg
command: C:\Documents and Settings\All Users\Documents\Settings\2006.dll
file: C:\Documents and Settings\All Users\Documents\Settings\2006.dll
size: 0
MD5: d41d8cd98f00b204e9800998ecf8427e ???

Located: System.ini, AutorunsDisabled
command:
file:

Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll

Located: System.ini, cryptnet
command: cryptnet.dll
file: cryptnet.dll

Located: System.ini, cscdll
command: cscdll.dll
file: cscdll.dll

Located: System.ini, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll

Located: System.ini, SensLogn
command: WlNotify.dll
file: WlNotify.dll

Located: System.ini, wzcnotif
command: wzcdlg.dll
file: wzcdlg.dll



--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
BHO name:
CLSID name: AcroIEHlprObj Class
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\
Long name: AcroIEHelper.ocx
Short name: ACROIE~1.OCX
Date (created): 18.01.2006 21:04:26
Date (last access): 11.05.2006
Date (last write): 16.04.2001 16:39:02
Filesize: 37808
Attributes:
MD5: 8394ABFC1BE196A62C9F532511936DF7
CRC32: 71D6E350
Version: 1.0.0.1



--- ActiveX list ---
DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
Installer:
Codebase: file://C:\WINNT\Java\classes\dajava.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla

Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase: file://C:\WINNT\Java\classes\xmldso.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

{30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class)
DPF name:
CLSID name: YInstStarter Class
Installer: C:\WINNT\Downloaded Program Files\yinst.inf
Codebase: http://download.yahoo.com/dl/installs/yinst0401.cab
description: Yahoo! Installation helper
classification: Legitimate
known filename: %SystemRoot%\Downloaded Program Files\yinsthelper.dll
info link:
info source: Patrick M. Kolla
Path: C:\WINNT\Downloaded Program Files\
Long name: yinsthelper.dll
Short name: YINSTH~1.DLL
Date (created): 26.01.2004 18:40:04
Date (last access): 11.05.2006
Date (last write): 26.01.2004 18:40:04
Filesize: 133120
Attributes: archive
MD5: E1FBF33D995C89583A36F461EC2879FF
CRC32: 1592E04B
Version: 2004.1.26.1

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2)
DPF name: Java Runtime Environment 1.4.2
CLSID name: Java Plug-in 1.4.2_04
Installer:
Codebase: http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\j2re1.4.2_04\bin\
Long name: NPJPI142_04.dll
Short name: NPJPI1~1.DLL
Date (created): 22.02.2068 23:44:46
Date (last access): 11.05.2006
Date (last write): 22.02.2004 23:44:42
Filesize: 65650
Attributes: archive
MD5: 2BCA54CB6A12A5EFBF922C0C1856F30D
CRC32: 3D4A4E94
Version: 1.4.2.40

{9F1C11AA-197B-4942-BA54-47A8489BB47F} ()
DPF name:
CLSID name:
Installer: C:\WINNT\Downloaded Program Files\iuctl.inf
Codebase: http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38029.2046990741
description: Windows Update
classification: Legitimate
known filename: %WINDIR%\System32\iuctl.dll,iuengine.dll
info link:
info source: Patrick M. Kolla

{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.4.2)
DPF name: Java Runtime Environment 1.4.2
CLSID name: Java Plug-in 1.4.2_04
Installer:
Codebase: http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
description: Java Runtime Environment 1.4.2
classification: Legitimate
known filename: %ProgramFiles%\Java\j2re1.4.2_01\bin\NPJPI142_04.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\j2re1.4.2_04\bin\
Long name: NPJPI142_04.dll
Short name: NPJPI1~1.DLL
Date (created): 22.02.2068 23:44:46
Date (last access): 11.05.2006
Date (last write): 22.02.2004 23:44:42
Filesize: 65650
Attributes: archive
MD5: 2BCA54CB6A12A5EFBF922C0C1856F30D
CRC32: 3D4A4E94
Version: 1.4.2.40

{D1EA8D3D-F511-4388-B754-4A0CC14A4778} (Aurigma Image Uploader 3.0 Control)
DPF name:
CLSID name: Aurigma Image Uploader 3.0 Control
Installer: C:\WINNT\Downloaded Program Files\ImageUploader3.inf
Codebase: http://www.eurofoto.no/activex/ImageUploader3.cab
Path: C:\WINNT\Downloaded Program Files\
Long name: ImageUploader3.ocx
Short name: IMAGEU~1.OCX
Date (created): 05.09.2005 16:11:34
Date (last access): 11.05.2006
Date (last write): 05.09.2005 16:11:34
Filesize: 1896448
Attributes: archive
MD5: D1C3ED13BA9A16F65EFF6F2154358238
CRC32: 489AAD45
Version: 3.5.98.1

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINNT\Downloaded Program Files\swflash.inf
Codebase: http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINNT\system32\Macromed\Flash\
Long name: Flash8.ocx
Short name: FLASH8.OCX
Date (created): 27.08.2005 13:38:56
Date (last access): 11.05.2006
Date (last write): 27.08.2005 13:38:56
Filesize: 1435272
Attributes: archive
MD5: 900373C059C2B51CA91BF110DBDECB33
CRC32: F19599BC
Version: 8.0.22.0



--- Process list ---
PID: 0 ( 0) [System]
PID: 108 ( 8) \SystemRoot\System32\smss.exe
PID: 136 ( 108) \??\C:\WINNT\system32\csrss.exe
PID: 156 ( 108) \??\C:\WINNT\system32\winlogon.exe
PID: 184 ( 156) C:\WINNT\system32\services.exe
size: 89360
MD5: CFED2D28F5B8A24127E9E06043070643
PID: 196 ( 156) C:\WINNT\system32\lsass.exe
size: 33552
MD5: 271229760CCED993E9E7CAB1C7274134
PID: 324 ( 184) C:\WINNT\system32\svchost.exe
size: 7952
MD5: 9E64AD53CFD9DA2D22E8A924F8C6E62C
PID: 376 ( 184) C:\WINNT\System32\WBEM\WinMgmt.exe
size: 196706
MD5: 05B2001E1BC653FD6091E741B46F71B4
PID: 480 ( 488) C:\WINNT\Explorer.EXE
size: 243472
MD5: 59CF2B7DCED9111F48F51B4B570E672D
PID: 508 ( 480) C:\Software\Spybot - Search & Destroy\TeaTimer.exe
size: 1415824
MD5: 70496EEE0DDBE485F658693826F44D38
PID: 468 ( 480) C:\Software\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09CA174A605B480318731E691DC98539
PID: 8 ( 0) System
PID: 292 ( 156) iexplore.exe


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 11.05.2006 23:02:57

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
about:blank
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://search.msn.com/spbasic.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

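The startup-entries section of this report is the part that bears on the original question (files coming back every time the browser starts): the records with no resolved file, with random-looking value names or file names, with a zero-byte target, or with a path under C:\Windows on a machine whose system root is C:\WINNT are the ones to work through first. The following is an added example, not code from the post, from Spybot or from this forum, that parses that record format and flags those entries. The sample report inside it is a constructed excerpt modelled on the entries above, and every heuristic and threshold in it is an assumption of this example, not a detection standard.

```python
"""Triage the '--- Startup entries list ---' section of a Spybot S&D system report. Added
example, not code from the post or from Spybot; heuristics and thresholds are assumptions."""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass, field

EMPTY_FILE_MD5 = "d41d8cd98f00b204e9800998ecf8427e"  # MD5 of zero bytes
ORDINARY_NAME = re.compile(r"^[A-Za-z0-9 _.!()\-]+$")  # assumed shape of a vendor's value name
WIN_ROOT = re.compile(r"^([A-Za-z]:\\(?:WINNT|Windows))\\", re.IGNORECASE)
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]{7,}", re.IGNORECASE)  # assumed: 7+ consonants is no word

# Constructed excerpt modelled on the entries in the report above, not the whole log.
SAMPLE_REPORT = r"""
--- Startup entries list ---
Located: HK_LM:Run, iTunesHelper
command: "C:\Software\quickt\iTunesHelper.exe"
file: C:\Software\quickt\iTunesHelper.exe
size: 278528
MD5: a8cf3f60099eaa123db72611ce7be271

Located: HK_LM:Run, LJSMSUMkPSPKK\
command: C:\WINNT\system32\qbmmqjsqvcpwik.exe
file: C:\WINNT\system32\qbmmqjsqvcpwik.exe
size: 32364
MD5: 2cfe52ac93a0c9f739d5319508b67c39

Located: HK_LM:Run, Z_[SVYYRSOI^W_`N
command: C:\WINNT\system32\onxjalddnczhip.exe
file:

Located: HK_CU:Run, Windows update loader
command: C:\Windows\xpupdate.exe
file:

Located: System.ini, 2006reg
command: C:\Documents and Settings\All Users\Documents\Settings\2006.dll
file: C:\Documents and Settings\All Users\Documents\Settings\2006.dll
size: 0
MD5: d41d8cd98f00b204e9800998ecf8427e ???

--- Browser helper object list ---
"""

@dataclass
class StartupEntry:
    location: str
    name: str
    command: str
    file: str  # empty when the scanner could not resolve the command to a file on disk
    size: int | None
    md5: str | None
    flags: list[str] = field(default_factory=list)

def parse_startup_entries(report: str) -> list[StartupEntry]:
    """Return the records between the startup header and the next '--- ' section header."""
    m = re.search(r"--- Startup entries list ---\n(.*?)(?:\n--- |\Z)", report, re.S)
    entries = []
    for block in re.split(r"\n\s*\n", m.group(1).strip()) if m else []:
        location, name, fields = "", "", {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            if key.strip().lower() == "located":
                location, _, name = (s.strip() for s in value.partition(","))
            else:
                fields[key.strip().lower()] = value.strip()
        if not location:
            continue
        md5 = fields.get("md5", "").split()  # drops the trailing '???' marker
        size = fields.get("size", "")
        entries.append(StartupEntry(location, name, fields.get("command", ""), fields.get("file", ""),
                                    int(size) if size.isdigit() else None, md5[0].lower() if md5 else None))
    return entries

def triage(entries: list[StartupEntry]) -> list[StartupEntry]:
    """Attach flags to the entries a responder should look at first and return just those."""
    roots = Counter(m.group(1).upper() for e in entries
                    if (m := WIN_ROOT.match(e.file or e.command.strip('"'))))
    root = roots.most_common(1)[0][0] if roots else None  # C:\WINNT on this Windows 2000 box
    for e in entries:
        target = e.file or e.command.strip('"')
        stem = target.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if e.command and not e.file:
            e.flags.append("file-not-found")
        if e.size == 0 or e.md5 == EMPTY_FILE_MD5:
            e.flags.append("empty-file")
        if e.name and not ORDINARY_NAME.match(e.name):
            e.flags.append("odd-value-name")
        if CONSONANT_RUN.search(stem):
            e.flags.append("random-looking-filename")
        m = WIN_ROOT.match(target)
        if root and m and m.group(1).upper() != root:
            e.flags.append(f"wrong-system-root ({m.group(1)} vs {root})")
    return [e for e in entries if e.flags]

if __name__ == "__main__":
    for e in triage(parse_startup_entries(SAMPLE_REPORT)):
        print(f"{e.location:<12} {e.name!r:<22} {', '.join(e.flags)}")
```

Run as a script it prints one line per flagged entry. Expect the consonant-run rule to produce some false positives on abbreviated vendor names (mssysmgr in the list above would trip it), which is why the flags are meant to order a manual review, not to decide anything on their own; the "file-not-found" flag is the strongest signal here, since a Run value that points at a file the scanner cannot find is either a leftover or a loader whose payload has already been deleted and is being re-dropped.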

65538
2006-05-15, 03:53
Rest of the log:

--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Irda [IrDA]
GUID: {3972523D-2AF1-11D1-B655-00805F3642CC}
Filename: %SystemRoot%\system32\msafd.dll
Description: Infrared protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Irda [IrDA]

Protocol 1: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 2: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 3: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 4: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D2B45DAB-B957-41C1-9679-7436DB0BB03B}] SEQPACKET 9
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D2B45DAB-B957-41C1-9679-7436DB0BB03B}] DATAGRAM 9
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{23CEADFF-0F83-4655-8600-C54520302702}] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{23CEADFF-0F83-4655-8600-C54520302702}] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4943086B-B1E2-41AB-820A-90A01A87426E}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4943086B-B1E2-41AB-820A-90A01A87426E}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{70A45175-E4B6-42B2-84E2-4885F05E6D19}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{70A45175-E4B6-42B2-84E2-4885F05E6D19}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{DE826DE2-667D-47EA-8D63-116B69520B47}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{DE826DE2-667D-47EA-8D63-116B69520B47}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{406F021E-93A3-4D34-AE82-2346D9DE57BF}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{406F021E-93A3-4D34-AE82-2346D9DE57BF}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{6456A99E-055A-4D8D-81C4-9A0202184F1F}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip_{6456A99E-055A-4D8D-81C4-9A0202184F1F}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 20: MSAFD NetBIOS [\Device\NetBT_Tcpip_{095E3418-6515-4A13-A8F7-413020E17DFB}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 21: MSAFD NetBIOS [\Device\NetBT_Tcpip_{095E3418-6515-4A13-A8F7-413020E17DFB}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 22: MSAFD NetBIOS [\Device\NetBT_Tcpip_{93336D74-403A-456B-B8E5-CC7902CF7564}] SEQPACKET 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 23: MSAFD NetBIOS [\Device\NetBT_Tcpip_{93336D74-403A-456B-B8E5-CC7902CF7564}] DATAGRAM 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 24: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B7633015-602B-4E80-98B8-07508BC8692E}] SEQPACKET 8
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 25: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B7633015-602B-4E80-98B8-07508BC8692E}] DATAGRAM 8
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\rnr20.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS



--- Uninstall list ---
Ad-Aware SE Personal 1.06 (Ad-Aware SE Personal)
uninstall cmd: C:\SOFTWARE\AD-AWA~1\UNWISE.EXE C:\SOFTWARE\AD-AWA~1\INSTALL.LOG
publisher: Lavasoft
help link: http://www.lavasoft.com

(AddressBook)

Adobe Acrobat 5.0 5.0 (Adobe Acrobat 5.0)
version (major): 5
install location: C:\Program Files\Adobe\Acrobat 5.0
install source: D:\Acrobat 5\
uninstall cmd: C:\WINNT\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
publisher: Adobe Systems, Inc.
help link: http://www.adobe.com/prodindex/acrobat/main.html

AntiVir/XP (AntiVir/XP)
uninstall cmd: C:\Software\antivir\AVUNINST.EXE
publisher: H+BEDV Datentechnik GmbH
comments: -
contact: Support Forum
help link: http://www.free-av.de/forum

(Branding)

CDBurnerXP Pro (CDBurnerXP Pro )
uninstall cmd: C:\WINNT\iun6002.exe "C:\Software\cdburnerpro\irunin.ini"

Cisco Aironet Installation Wizard (CiscoInstallWizard)
uninstall cmd: C:\WINNT\Cisco\DInstall\IWSetup.exe /cp

(Connection Manager)

(DirectAnimation)

(DirectDrawEx)

DVDExpress (DVD Express A/V Pak)
uninstall cmd: C:\WINNT\IsUninst.exe -f"C:\Program Files\Mediamatics\DVDExpress\Uninst.isu" -c"C:\Program Files\Mediamatics\DVDExpress\mydll.dll"

(DXM_Runtime)

ewido anti-malware (ewidoantimalware)
install location: C:\Software\ewido anti-malware
uninstall cmd: C:\Software\ewido anti-malware\Uninstall.exe
publisher: ewido networks
help link: http://www.ewido.net

(expinst)

(Fontcore)

HijackThis 1.99.1 1.99.1 (HijackThis)
uninstall cmd: C:\Software\hijackthis\HijackThis.exe /uninstall
publisher: Soeperman Enterprises Ltd.

HP Photo Printing Software (HP Photo Printing Software)
uninstall cmd: C:\WINNT\IsUninst.exe -f"C:\Program Files\Hewlett-Packard\Photo Printing\Uninstall.isu" -c"C:\Program Files\Hewlett-Packard\Photo Printing\hpiunPC.dll

HP PSC 1400 series (HP PSC 1400 series_Driver)
uninstall cmd: rundll32 hpzcon12.dll,VendorJettison HP PSC 1400 series

hp psc 900 series - 2 (hp psc 900 series 1088493051)
uninstall cmd: C:\WINNT\system32\hpocon07.exe /u 1088493051 /d "hp psc 900 series"

(ICW)

Microsoft Internet Explorer 6 SP1 (IE40)
uninstall cmd: rundll32 C:\WINNT\system32\setupwbv.dll,IE6Maintenance C:\Program Files\Internet Explorer\IE Uninstall\W2KEXCP.EXE /u

(IE4Data)

(IE5BAKEX)

(IEData)

(IEREADME)

Internet Explorer Q832894 (ieupdate)
uninstall cmd: C:\WINNT\ieuninst.exe C:\WINNT\INF\Q832894.inf

(InstallShield Uninstall Information)

iTunes 6.0.2.23 (InstallShield_{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5})
version: 100663298
version (major): 6
estimated size: 34088
install date: 20060103
install location: C:\Software\quickt\
install source: C:\WINNT\Downloaded Installations\{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5}\
uninstall cmd: C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5} /l1033
publisher: Apple Computer, Inc.
contact: AppleCare Support
help link: http://www.info.apple.com/
help telephone: 1-800-275-2273

QuickTime 7.0.4 (InstallShield_{929408E6-D265-4174-805F-81D1D914E2A4})
version: 117440516
version (major): 7
estimated size: 68179
install date: 20060103
install location: C:\Program Files\QuickTime\
install source: C:\DOCUME~1\Bruker\LOCALS~1\Temp\_is6F\
uninstall cmd: C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{929408E6-D265-4174-805F-81D1D914E2A4} /l1033
publisher: Apple Computer, Inc.
contact: AppleCare Support
help link: http://www.info.apple.com/
help telephone: 1-800-275-2273

Windows 2000 Hotfix - KB329115 20031024.155236 (KB329115)
uninstall cmd: C:\WINNT\$NtUninstallKB329115$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=329115

Windows 2000 Hotfix - KB820888 20030604.152521 (KB820888)
uninstall cmd: C:\WINNT\$NtUninstallKB820888$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=820888

Windows 2000 Hotfix - KB822831 20030611.114034 (KB822831)
uninstall cmd: C:\WINNT\$NtUninstallKB822831$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=822831

Windows 2000 Hotfix - KB823182 20030618.121409 (KB823182)
uninstall cmd: C:\WINNT\$NtUninstallKB823182$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=823182

Windows 2000 Hotfix - KB823559 20030627.135515 (KB823559)
uninstall cmd: C:\WINNT\$NtUninstallKB823559$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=823559

Windows 2000 Hotfix - KB824105 20030716.151320 (KB824105)
uninstall cmd: C:\WINNT\$NtUninstallKB824105$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=824105

Windows 2000 Hotfix - KB824141 20030805.151423 (KB824141)
uninstall cmd: C:\WINNT\$NtUninstallKB824141$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=824141

Windows 2000 Hotfix - KB824146 20030823.144456 (KB824146)
uninstall cmd: C:\WINNT\$NtUninstallKB824146$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=824146

Windows 2000 Hotfix - KB825119 20030827.151123 (KB825119)
uninstall cmd: C:\WINNT\$NtUninstallKB825119$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=825119

Windows 2000 Hotfix - KB826232 20031007.160553 (KB826232)
uninstall cmd: C:\WINNT\$NtUninstallKB826232$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=826232

Windows 2000 Hotfix - KB828028 20040122.114409 (KB828028)
uninstall cmd: C:\WINNT\$NtUninstallKB828028$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=828028

Windows 2000 Hotfix - KB828035 20031023.142138 (KB828035)
uninstall cmd: C:\WINNT\$NtUninstallKB828035$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=828035

Windows 2000 Hotfix - KB828749 20031023.124056 (KB828749)
uninstall cmd: C:\WINNT\$NtUninstallKB828749$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=828749

Windows 2000 Hotfix - KB829558 20030929.142857 (KB829558)
uninstall cmd: C:\WINNT\$NtUninstallKB829558$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=829558

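The Winsock LSP list above is worth checking against the providers Windows installs itself, because a layered service provider is loaded into every process that uses Winsock and sees every socket the browser opens; in this listing every record resolves to msafd.dll, rsvpsp.dll, rnr20.dll or winrnr.dll. The following is an added example, not code from the post or from Spybot: it parses the provider records and reports any whose DLL is outside that set or that the scanner's database does not recognise. The allowlist is assumed from the listing above, and the third record in the sample is a constructed foreign provider with a placeholder GUID and DLL name, not something found on the poster's machine.

```python
"""Audit the Winsock LSP section of a Spybot S&D system report against an allowlist of
provider DLLs. Added example, not code from the post or from Spybot; the allowlist is an
assumption taken from the listing above, and the third sample record is constructed."""
from __future__ import annotations
import re

# Provider DLLs that appear in the listing above; assumed here to be the complete stock set.
EXPECTED_PROVIDERS = {"msafd.dll", "rsvpsp.dll", "rnr20.dll", "winrnr.dll"}
HEADER = re.compile(r"^(Protocol|Namespace Provider) (\d+): (.*)$")

# Constructed excerpt: the first two records mirror the listing above; the last one is a
# made-up foreign provider (placeholder GUID and DLL name) to show what a hijack looks like.
SAMPLE_LSP = r"""
--- Winsock Layered Service Provider list ---
Protocol 1: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\rnr20.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Protocol 26: Example layered provider over TCP/IP
GUID: {00000000-0000-0000-0000-000000000000}
Filename: C:\WINNT\system32\examplelsp.dll
Description:
DB filename:
DB protocol:

--- Uninstall list ---
"""

def parse_lsp(report: str) -> list[dict]:
    """One dict per 'Protocol N:' or 'Namespace Provider N:' record, keys lower-cased."""
    m = re.search(r"--- Winsock Layered Service Provider list ---\n(.*?)(?:\n--- |\Z)", report, re.S)
    records = []
    for block in re.split(r"\n\s*\n", m.group(1).strip()) if m else []:
        lines = block.splitlines()
        h = HEADER.match(lines[0])
        if not h:
            continue
        rec = {"kind": h.group(1), "index": int(h.group(2)), "name": h.group(3)}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            rec[key.strip().lower()] = value.strip()
        records.append(rec)
    return records

def audit_lsp(records: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (record label, reasons) for every provider that is not a known stock one."""
    findings = []
    for r in records:
        dll = r.get("filename", "").rsplit("\\", 1)[-1].lower()
        reasons = []
        if dll not in EXPECTED_PROVIDERS:
            reasons.append(f"provider dll {dll!r} is outside the expected set")
        if not r.get("db filename"):
            reasons.append("no entry in the scanner's provider database")
        if reasons:
            findings.append((f"{r['kind']} {r['index']}: {r['name']}", reasons))
    return findings

if __name__ == "__main__":
    for label, reasons in audit_lsp(parse_lsp(SAMPLE_LSP)):
        print(label, "->", "; ".join(reasons))
```

On the listing above this audit returns nothing, which is the useful result: it rules out an LSP hijack as the reason the files reappear, so the startup entries and the browser-launched downloads are the place to keep looking. Removing a foreign provider by deleting its DLL alone breaks the Winsock chain; repair the catalog as well, which on this platform means a tool that rebuilds the LSP chain rather than a manual registry edit.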

65538
2006-05-15, 03:55
Rest of the log:


(Microsoft NetShow Player 2.0)

(MobileOptionPack)

(MPlayer2)

(MsJavaVM)

(Nero - Burning Rom!UninstallKey)
uninstall cmd: C:\Software\nero\nero\uninstall\UNNERO.exe /UNINSTALL

Nero PhotoShow Express 3.0 (Nero PhotoShow Express)
version (major): 3
install location: C:\Software\nero\Nero PhotoShow\Nero PhotoShow Express.exe
uninstall cmd: "C:\Software\nero\Nero PhotoShow\data\Xtras\Uninstall.exe"
publisher: Simple Star, Inc.
help link: http://www.simplestar.com/support

Nero Suite (NeroMultiInstaller!UninstallKey)
uninstall cmd: C:\Program Files\Common Files\Nero\Uninstall\Setupx.exe /uninstall ExtraUninstallID=""

(NeroVision!UninstallKey)
uninstall cmd: C:\WINNT\UNNeroVision.exe /UNINSTALL

(NetMeeting)

National Instruments Software (NI Uninstaller)
uninstall cmd: "C:\Software\NationalInstruments\shared\NIUninstaller\uninst.exe"
help link: http://www.ni.com/support/

(NMPUninstallKey)
uninstall cmd: C:\WINNT\UNNMP.exe /UNINSTALL

Outlook Express Update Q330994 (oeupdate)
uninstall cmd: C:\WINNT\Q330994.exe C:\WINNT\INF\Q330994.inf

op (op)
uninstall cmd: C:\SOFTWARE\op\UNINST\unwise.exe C:\SOFTWARE\op\UNINST\INSTALL.LOG

Opera (Opera)
uninstall cmd: C:\SOFTWARE\op\UNINST\UNWISE.EXE C:\SOFTWARE\op\UNINST\Install.log

(OutlookExpress)

Paint Shop Pro 5.0 Evaluation (Paint Shop Pro 5.0 Evaluation)
uninstall cmd: C:\SOFTWARE\PAINTS~1\UNWISE.EXE C:\SOFTWARE\PAINTS~1\INSTALL.LOG

Windows 2000 Hotfix (SP5) Q818043 20030501.174006 (Q818043)
uninstall cmd: C:\WINNT\$NtUninstallQ818043$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=818043

Windows Media Player Hotfix [See Q828026 for more information] (Q828026)
uninstall cmd: C:\WINNT\$NtUninstallQ828026$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=828026

S3 Gamma Utility (S3 Gamma)
uninstall cmd: s3uninst.exe GammaUninstall.NT 5 s3savmx.inf

S3DuoView+ Utility (S3DUOVUE)
uninstall cmd: s3uninst.exe S3DuovueUninstall.NT 5 s3savmx.inf

(SchedulingAgent)

Macromedia Flash Player 8 8 (ShockwaveFlash)
uninstall cmd: RunDll32 advpack.dll,LaunchINFSection C:\WINNT\INF\swflash.inf,DefaultUninstall,5
publisher: Macromedia
help link: http://www.macromedia.com/go/flashplayer_support/

Spybot - Search & Destroy 1.4 1.4 (Spybot - Search & Destroy_is1)
install location: C:\Software\Spybot - Search & Destroy\
uninstall cmd: "C:\Software\Spybot - Search & Destroy\unins000.exe"
publisher: Safer Networking Limited

TOSHIBA Display Power Save (TDPSV)
uninstall cmd: C:\WINNT\IsUninst.exe -f"C:\Program Files\TDPSV\Uninst.isu"

TextPad 4 (TextPad 4)
uninstall cmd: C:\WINNT\IsUninst.exe -fc:\software\texpad\Uninst.isu

Toshiba Mobile Extension V1.00.03.00 (TME)
uninstall cmd: C:\WINNT\IsUninst.exe -f"C:\Program Files\TOSHIBA\TME\Uninst.isu" -c"C:\Program Files\TOSHIBA\TME\uninst.dll"

Toshiba Internal Modem User's Guide (Toshiba Modem Manual)
uninstall cmd: C:\WINNT\IsUninst.exe -fC:\Toshiba\Manuals\UnInstUOM.isu

Toshiba User's Manual (Toshiba Online Manual)
uninstall cmd: C:\WINNT\IsUninst.exe -fC:\Toshiba\Manuals\UnInstModem.isu

TOSHIBA Power Extension2 (TOSHIBA Power Extension2)
uninstall cmd: TPWRDEL.EXE

TOSHIBA Utilities (TOSHIBA Utilities)
uninstall cmd: tutildel.exe

Total Commander (Remove or Repair) (Totalcmd)
uninstall cmd: c:\System\Tc603\tcuninst.exe

WinZip (WinZip)
uninstall cmd: "C:\Software\WinZip8\WINZIP32.EXE" /uninstall

Systemoppdatering for Windows Media Player (9 Series) (WMP7)
uninstall cmd: C:\PROGRA~1\WINDOW~2\setup_wm.exe /Uninstall

XoftSpy (XoftSpy)
uninstall cmd: C:\Software\XoftSpy\uninstall.exe

Yahoo! Toolbar (Yahoo! Companion)
uninstall cmd: rundll32.exe C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\YCOMP5~1.DLL,DllCommand ui

Yahoo! Internet Mail (Yahoo! Internet Mail)
uninstall cmd: C:\WINNT\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\ymmapi.dll

Yahoo! Messenger Explorer Bar (Yahoo! Messenger Explorer Bar)
uninstall cmd: C:\WINNT\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\MESSEN~1\YHEXBM~1.DLL

Microsoft Office 2000 SR-1 Premium 9.00.3821 ({00000409-78E1-11D2-B60F-006097C998E7})
version: 150998765
version (major): 9
estimated size: 240290
install date: 20040405
install source: D:\
uninstall cmd: MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
publisher: Microsoft Corporation
help link: http://www.microsoft.com/support
readme: C:\Program Files\Microsoft Office\Office\ofread9.txt

NI LabVIEW Advanced Analysis 7.0 Evaluation 7.0 ({09CBDFA4-59FF-4143-B7B5-DFD8E6431886})
version: 117440512
version (major): 7
estimated size: 50419
install date: 20040616
install source: D:\components\lvadvanalysis\
publisher: National Instruments

Picture Package 1.00.000 ({1E2F8AE3-3437-44E6-BB75-E95751D6B83F})
version: 16777216
install location: C:\Program Files\Sony Corporation\Picture Package
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1E2F8AE3-3437-44E6-BB75-E95751D6B83F}\setup.exe" -l0x9 UNINSTALL

YAMAHA DS-XG WDM ({3E0B8A20-B239-11D3-9850-00C04F7AC096})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3E0B8A20-B239-11D3-9850-00C04F7AC096}\setup.exe" maintenance

Microsoft Windows Journal Viewer 1.5.2315.3 ({43DCF766-6838-4F9A-8C91-D92DA586DFA7})
version: 17107211
version (major): 1
version (minor): 5
estimated size: 6962
install date: 20040212
install source: C:\DOCUME~1\Bruker\LOCALS~1\Temp\IXP000.TMP\
uninstall cmd: MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
publisher: Microsoft
comments: A viewer for Windows Journal documents.
contact: Microsoft

NI Uninstaller 1.1.1f1 1.11.20 ({4BEC2867-0BF7-4A87-B459-003E3F20AFB1})
version: 17498132
version (major): 1
version (minor): 11
estimated size: 1068
install date: 20040616
install source: D:\components\mu\
publisher: National Instruments

Macromedia Flash Player 7.0.14.0 ({4ecaf021-478c-40c1-b777-3368a15f9966})
version: 117440526
version (major): 7
estimated size: 2
install date: 20060103
install source: C:\DOCUME~1\Bruker\LOCALS~1\Temp\{4FFADF71-9FD0-41C5-A690-D2E39D8C29FA}\{1E2F8AE3-3437-44E6-BB75-E95751D6B83F}\
uninstall cmd: MsiExec.exe /X{4ecaf021-478c-40c1-b777-3368a15f9966}
publisher: Macromedia, Inc.

iTunes 6.0.2.23 ({501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5})
version: 100663298
version (major): 6
estimated size: 34088
install date: 20060103
install location: C:\Software\quickt\
install source: C:\WINNT\Downloaded Installations\{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5}\
publisher: Apple Computer, Inc.
contact: AppleCare Support
help link: http://www.info.apple.com/
help telephone: 1-800-275-2273

NI LabVIEW Run-Time Engine 7.1 7.1.157 ({518930BE-7875-4547-B026-20B92F695781})
version: 117506205
version (major): 7
version (minor): 1
estimated size: 67584
install date: 20040722
install source: C:\Wfa\Programs\RTEngine71\
publisher: National Instruments

({5B239A98-4222-4D8C-AF38-1A8EC07F956B})

Sony USB Driver ({5C29CB8B-AC1E-4114-8D68-9CD080140D4A})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALL

({5D0930A0-1033-433A-8BB9-602665550DD0})

({6041B9C1-775E-4C6A-AECE-70C39CAED90A})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6041B9C1-775E-4C6A-AECE-70C39CAED90A}\SETUP.EXE"

NI LabVIEW Picture Control Toolkit 7.0 Evaluation 7.0 ({6B786922-F93C-4C99-B6CA-66DD0C4B88CA})
version: 117440512
version (major): 7
estimated size: 5061
install date: 20040616
install source: D:\components\lvpicture\
publisher: National Instruments

WebFldrs 9.00.3501 ({6F716D8C-398F-11D3-85E1-005004838609})
version: 150998445
version (major): 9
estimated size: 2644
install date: 20000308
install source: C:\WINNT\System32\
publisher: Microsoft Corporation
help link: http://www.microsoft.com/windows

Java 2 Runtime Environment, SE v1.4.2_04 1.4.2_04 ({7148F0A8-6813-11D6-A77B-00B0D0142040})
version (major): 1
version (minor): 4
estimated size: 110144
install date: 20040617
install source: C:\Documents and Settings\Bruker\Local Settings\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142040}\
uninstall cmd: MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142040}
publisher: Sun Microsystems, Inc.
comments: http://www.java.com
contact: http://www.java.com
help link: http://www.java.com
help telephone: http://www.java.com
readme: Readme.txt

NI LVBrokerAux70 1.0.03013 ({735AF21E-5436-4780-88F7-B5508F043A40})
version: 16780229
version (major): 1
estimated size: 178
install date: 20040616
install source: D:\components\lvbrokeraux70\
publisher: National Instruments

NI LabVIEW Run-Time Engine 7.0 7.0 ({73D3BADE-EC2F-4A5C-8F80-CB68AB704FF3})
version: 117440512
version (major): 7
estimated size: 30522
install date: 20040616
install source: D:\components\lvruntimeeng\
publisher: National Instruments

HP Share-to-Web ({748F4870-8350-11D3-B0BF-080009FB4A19})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{748F4870-8350-11D3-B0BF-080009FB4A19}\setup.exe" %MAIN -l9

Norman Internet Control ({74C8BF56-6618-49AA-98BA-862223900CBF})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Software\Norman2\NVC\BIN\DelNVC5.exe"

QuickTime 7.0.4 ({929408E6-D265-4174-805F-81D1D914E2A4})
version: 117440516
version (major): 7
estimated size: 68179
install date: 20060103
install location: C:\Program Files\QuickTime\
install source: C:\DOCUME~1\Bruker\LOCALS~1\Temp\_is6F\
publisher: Apple Computer, Inc.
contact: AppleCare Support
help link: http://www.info.apple.com/
help telephone: 1-800-275-2273

({B6CB604F-CC59-480B-90FB-C15E80FB81A2})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B6CB604F-CC59-480B-90FB-C15E80FB81A2}\Setup.exe"

Sony Ericsson PC Suite 1.0.16 ({C037D08B-4883-491D-9329-DC5ACA90F797})
version: 16777232
version (major): 1
estimated size: 117233
install date: 20060103
install location: C:\Program Files\Sony Ericsson\Mobile\
install source: C:\WINNT\Downloaded Installations\{66D8C376-87FE-4A10-A39A-2D775C361BDC}\
uninstall cmd: MsiExec.exe /I{C037D08B-4883-491D-9329-DC5ACA90F797}
publisher: Sony Ericsson
contact: Sony Ericsson Technical Support
help link: http://www.sonyericsson.com
help telephone: 1-555-555-4505

NI LabVIEW Full 7.0 Evaluation 7.0 ({C1B6247F-F7D2-4246-A23D-93ADB787D2D3})
version: 117440512
version (major): 7
estimated size: 38567
install date: 20040616
install source: D:\components\lvcorefull\
publisher: National Instruments

({C75C9B85-4D7B-4E8B-8BDB-60C737610C2D})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C75C9B85-4D7B-4E8B-8BDB-60C737610C2D}\Setup.exe"

Microsoft .NET Framework 1.1 1.1.4322 ({CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1})
version: 16847074
version (major): 1
version (minor): 1
estimated size: 40392
install date: 20040212
install source: C:\DOCUME~1\Bruker\LOCALS~1\Temp\IXP000.TMP\
uninstall cmd: MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
publisher: Microsoft
readme: file://C:\WINNT\Microsoft.NET\Framework\v1.1.4322\1033\RepairRedist.htm

1.00.0000 ({CBE9E8B5-95B3-4E24-A5CA-55503502DFCB})
version: 16777216
version (major): 1
estimated size: 235922
install date: 20040629
install source: D:\Setup\
uninstall cmd: MsiExec.exe /X{CBE9E8B5-95B3-4E24-A5CA-55503502DFCB}
publisher: Hewlett-Packard
comments:
contact:
help link: http://www.officejetsupport.com
help telephone:
readme:

NI LabVIEW 7.0 Evaluation 7.0.0.140 ({CD93514F-7048-4DE7-BC20-8A867CD75C9A})
version: 117440512
version (major): 7
estimated size: 194579
install date: 20040616
install source: D:\components\lvcore\
publisher: National Instruments

({E01ADB17-4514-401F-ADE2-815946A651D6})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E01ADB17-4514-401F-ADE2-815946A651D6}\Setup.exe"

NI LVBroker 1.0.03013 ({E7BAFF4D-D4B0-4508-A370-743D49EFC28F})
version: 16780229
version (major): 1
estimated size: 78
install date: 20040616
install source: D:\components\lvbroker\
publisher: National Instruments

NI LabVIEW Service Locator 1.0 1.0.0 ({EC60B018-251A-47E7-A838-CECB70AE46EF})
version: 16777216
version (major): 1
estimated size: 86
install date: 20040616
install source: D:\components\svcloc\
publisher: National Instruments
help link: http://www.ni.com/support/

NI LabVIEW CIN Tools 7.0 Evaluation 7.0 ({F1311DB3-6734-4B4B-8F93-962BABB2F4C6})
version: 117440512
version (major): 7
estimated size: 1621
install date: 20040616
install source: D:\components\lvcin\
publisher: National Instruments

NI Instrument IO Assistant for LabVIEW 7.0 1.0.03013 ({FD950A83-5FA5-47F2-B0B1-296023420CB1})
version: 16780229
version (major): 1
estimated size: 280
install date: 20040616
install source: D:\components\lv70iioa\
publisher: National Instruments


:spider:

65538
2006-05-15, 03:56
Rest of the log:


Logfile of HijackThis v1.99.1
Scan saved at 23:16:49, on 11.05.2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Software\antivir\AVWUPSRV.EXE
C:\WINNT\System32\cisvc.exe
C:\Software\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\niSvcLoc.exe
C:\SOFTWARE\NORMAN2\Nvc\BIN\NPFSVICE.EXE
C:\Software\Norman2\NVC\BIN\Zanda.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\WINNT\System32\Tmesbs2.exe
C:\Program Files\TOSHIBA\TME\Tmesrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\S3tray.exe
C:\WINNT\system32\TPWRTRAY.EXE
C:\SOFTWARE\NORMAN2\Nvc\BIN\ZLH.EXE
C:\WINNT\System32\Tdevdetect.exe
C:\WINNT\System32\Tfunckey.exe
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\WINNT\System32\Tpwricon.exe
C:\Software\quickt\iTunesHelper.exe
C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Software\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Norman ZANDA] C:\SOFTWARE\NORMAN2\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [iTunesHelper] "C:\Software\quickt\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LJSMSUMkPSPKK\] C:\WINNT\system32\wehcalohrsaxdb.exe
O4 - HKLM\..\Run: [Z_[SVYYRSOI^W_`N] C:\WINNT\system32\onxjalddnczhip.exe
O4 - HKLM\..\RunServices: [LJSMSUMkPSPKK\] C:\WINNT\system32\wehcalohrsaxdb.exe
O4 - HKLM\..\RunServices: [Z_[SVYYRSOI^W_`N] C:\WINNT\system32\onxjalddnczhip.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - Global Startup: TSBxLogon.lnk = C:\WINNT\system32\TMESBS2.exe
O4 - Global Startup: TMExLogon.lnk = C:\Program Files\TOSHIBA\TME\TMESRV.EXE
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {D1EA8D3D-F511-4388-B754-4A0CC14A4778} (Aurigma Image Uploader 3.0 Control) - http://www.eurofoto.no/activex/ImageUploader3.cab
O20 - Winlogon Notify: 2006reg - C:\Documents and Settings\All Users\Documents\Settings\2006.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINNT\
O21 - SSODL: bQJrUvVutjY - {116B130D-BBC1-B9A7-FE99-BAAA524B8C58} - C:\WINNT\system32\uvr.dll (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Software\antivir\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Software\antivir\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Software\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINNT\system32\netbtd.exe (file missing)
O23 - Service: NILM License manager - Macrovision Corporation - C:\Software\NationalInstruments\shared\License Manager\Bin\lmgrd.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\nipsvc.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINNT\system32\niSvcLoc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Software\Norman2\NVC\BIN\Zanda.exe
O23 - Service: Network DRV (NTDRV) - Unknown owner - C:\WINNT\system32\netdrvr.exe (file missing)
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\SOFTWARE\NORMAN2\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\SOFTWARE\NORMAN2\Nvc\BIN\NVCSCHED.EXE
O23 - Service: THotkey (THOTKEY) - TOSHIBA Corp. - C:\WINNT\SYSTEM32\THOTKEY.EXE
O23 - Service: tmesbs2 (Tmesbs) - Toshiba Corporation - C:\WINNT\System32\Tmesbs2.exe
O23 - Service: Tmesrv - Unknown owner - C:\Program Files\TOSHIBA\TME\Tmesrv.exe" /Service (file missing)
:sick: :sick: :sick:

CalamityJane
2006-05-15, 20:58
You know this computer was completely compromised with Remote access trojans (quite a few of them). I hope you took my precautions in my first reply seriously.

After following the HijackThis instructions below, you need an antivirus scan as some of the SDbot worms on there are antivirus killers and may have damaged or disabled the one installed on your computer. Here is a free one you can download, update and use as an on-demand scanner, and it might do a good bit more cleanup (be sure to get updates before scanning)
BitDefender8 Free Edition:
http://www.bitdefender.com/PRODUCT-14-en--BitDefender-8-Free-Edition.html

I would also recommend a free online AV scan at one or more of the following:
eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
(if prompted, please *allow* Active X and the install of software - this is needed to scan your system)
It will take a while to download the updates needed, and then you'll be presented with a screen to scan your system.

Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com

Panda's Active Scan
http://www.pandasoftware.com/products/activescan.htm
.............................
Did you let Spybot fix all the items it found? You probably need to scan again with that too to make sure it was able to fix all that it found.
...............................
Now, open Hijackthis and do a *scan only*. When it finishes, place a checkmark next to these entries and then press *fix checked*

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [LJSMSUMkPSPKK\] C:\WINNT\system32\wehcalohrsaxdb.exe

O4 - HKLM\..\Run: [Z_[SVYYRSOI^W_`N] C:\WINNT\system32\onxjalddnczhip.exe

O4 - HKLM\..\RunServices: [LJSMSUMkPSPKK\] C:\WINNT\system32\wehcalohrsaxdb.exe

O4 - HKLM\..\RunServices: [Z_[SVYYRSOI^W_`N] C:\WINNT\system32\onxjalddnczhip.exe

O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone

O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)

O20 - Winlogon Notify: 2006reg - C:\Documents and Settings\All Users\Documents\Settings\2006.dll

O21 - SSODL: bQJrUvVutjY - {116B130D-BBC1-B9A7-FE99-BAAA524B8C58} - C:\WINNT\system32\uvr.dll (file missing)

O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINNT\system32\netbtd.exe (file missing)

O23 - Service: Network DRV (NTDRV) - Unknown owner - C:\WINNT\system32\netdrvr.exe (file missing)

Please download the Killbox by Option^Explicit.
http://www.geekstogo.com/modules.php?modid=5&action=download&id=4

* Save it to your desktop.

* Run Killbox.exe.

* Select "Delete on Reboot".

* Copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C

C:\Documents and Settings\All Users\Documents\Settings\2006.dll
C:\WINNT\system32\wehcalohrsaxdb.exe
C:\WINNT\system32\onxjalddnczhip.exe

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. If your computer does not restart automatically, please restart it manually.

When you're all done, I'll need a fresh HijackThis log and do try to save the details of any of the AV scans. A new Spybot log would be good as well.
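The fix list above is built by reading each HijackThis entry for the same few signals every time: an O4 autorun value whose name is garbage characters, an O15 zone default that has been changed, an O20 Winlogon Notify DLL loaded from outside the Windows directory, and O21/O23 entries whose file is already gone. The script below is an added example, not code from this thread, from HijackThis or from any of the tools named here; it encodes those same heuristics so a log can be triaged on another machine. The sample lines are constructed from the entries quoted in this thread, and the section names, regexes and thresholds are my own assumptions about the v1.99.1 log format.

```python
"""Triage helper for HijackThis v1.99-format log lines (added example, not part of HijackThis)."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O4" or "O23"
    reason: str   # why the entry deserves a second look
    line: str     # the original log line


# Value names installers normally write: letters, digits, space and a little punctuation (assumption).
_NORMAL_NAME = re.compile(r"^[A-Za-z0-9 ._()\-]+$")
# A path inside the Windows directory of a Windows 2000 / XP machine.
_WINDIR = re.compile(r"^[A-Za-z]:\\(WINNT|WINDOWS)\\", re.IGNORECASE)
# "O23 - Service: ..." -> section code and the rest of the entry.
_ENTRY = re.compile(r"^([RFO]\d+) - (.*)$")

# Constructed sample: entries modelled on the ones quoted in this thread, plus two clean ones.
SAMPLE_LOG = "\n".join([
    r'O4 - HKLM\..\Run: [iTunesHelper] "C:\Software\quickt\iTunesHelper.exe"',
    r"O4 - HKLM\..\Run: [LJSMSUMkPSPKK\] C:\WINNT\system32\wehcalohrsaxdb.exe",
    r"O4 - HKLM\..\RunServices: [Z_[SVYYRSOI^W_`N] C:\WINNT\system32\onxjalddnczhip.exe",
    r"O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone",
    r"O20 - Winlogon Notify: 2006reg - C:\Documents and Settings\All Users\Documents\Settings\2006.dll",
    "O20 - Winlogon Notify: AutorunsDisabled - C:\\WINNT\\",
    r"O21 - SSODL: bQJrUvVutjY - {116B130D-BBC1-B9A7-FE99-BAAA524B8C58} - C:\WINNT\system32\uvr.dll (file missing)",
    r"O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINNT\system32\netbtd.exe (file missing)",
    r"O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Software\antivir\AVGUARD.EXE",
    r"O23 - Service: Norman ZANDA - Unknown owner - C:\Software\Norman2\NVC\BIN\Zanda.exe",
])


def _autorun_name(body):
    """Return the registry value name from 'HKLM\\..\\Run: [Name] C:\\path\\file.exe'."""
    m = re.search(r"\[(.*)\]\s", body)
    return m.group(1) if m else ""


def _path_of(body):
    """Return the file path, which HijackThis prints as the last ' - ' separated field."""
    tail = body.rsplit(" - ", 1)[-1]
    return tail.replace("(file missing)", "").strip().strip('"')


def triage(log_text):
    """Scan a HijackThis log and return the entries worth a second look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = _ENTRY.match(raw.strip())
        if not m:
            continue  # header line, running-process list or blank line
        section, body = m.groups()
        missing = "(file missing)" in body

        if section == "O4":
            name = _autorun_name(body)
            if name and not _NORMAL_NAME.match(name):
                findings.append(Finding(section, "autorun value name with unusual characters: %r" % name, raw))
        elif section == "O15" and "should be" in body:
            findings.append(Finding(section, "zone default changed so a network protocol is trusted like local files", raw))
        elif section in ("O20", "O21", "O23") and missing:
            findings.append(Finding(section, "entry points at a file that no longer exists (leftover loader)", raw))
        elif section == "O20" and body.startswith("Winlogon Notify") and not _WINDIR.match(_path_of(body)):
            findings.append(Finding(section, "Winlogon notification DLL loaded from outside the Windows directory", raw))
        elif section == "O23" and "Unknown owner" in body and _WINDIR.match(_path_of(body)):
            findings.append(Finding(section, "service with no recorded publisher running from the Windows directory", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-4s %s\n     %s" % (f.section, f.reason, f.line))
```

Run against the sample it flags the two garbage-named O4 values, the O15 zone change, the 2006reg notify DLL, the orphaned SSODL and NetBTD entries, and leaves iTunesHelper, the Autoruns marker, AntiVir and the Norman service alone. It is a first pass only: a clean-looking name or a file that still exists says nothing about what the file does, so the output is a list of entries to look at, not a verdict.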

65538
2006-05-16, 02:00
:confused: :sick:

Thank you for the reply.

- Ran HijackThis, saved log
the entries with wehcalohrsaxdb.exe were not there, but the following instead:
O4 - HKLM\..\Run: [LJSMSUMkPSPKK\] C:\WINNT\system32\bbpzxh.exe
O4 - HKLM\..\RunServices: [LJSMSUMkPSPKK\] C:\WINNT\system32\bbpzxh.exe

- Ran HijackThis, marked all including the two above, saved log
this entry was still there:
O20 - Winlogon Notify: 2006reg - C:\Documents and Settings\All Users\Documents\Settings\2006.dll (file missing)

- Ran HijackThis again and checked the "2006.dll" entry, saved log
the "2006.dll" was gone

- Ran Killbox
- Ran Spybot, saved log

- Ran HijackThis again after the reboot, the following appeared again:
O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINNT\system32\netbtd.exe (file missing)
O23 - Service: Network DRV (NTDRV) - Unknown owner - C:\WINNT\system32\netdrvr.exe (file missing)

The infected computer has not been connected to the internet since the infection, only to receive updates for virus programs. I use a different computer to download the software. The CA free online AV requires Microsoft IE so I have not run it yet as the viruses have seemed to come alive each time I connect with IE.

The computer still has some suspicious files on it, including:
C:\krrdw.exe
C:\blon.exe
C:\wqgyqbc.exe
C:\uhskp.exe
C:\uhskp.exe
C:\kfwydip.exe
C:\fmc.exe
C:\WINNT\file3.exe
C:\WINNT\file2.exe
C:\WINNT\SYSTEM32\sachostm.exe
C:\WINNT\SYSTEM32\bbpzxh.exe

The virus may also have done other damage. When I run the Task Manager, only the Processes tab is shown; the two other tabs, with programs and resources, are not there.

Thanks,
Howie



--------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 21:57:26, on 15.05.2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Software\antivir\AVWUPSRV.EXE
C:\WINNT\System32\cisvc.exe
C:\Software\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\niSvcLoc.exe
C:\SOFTWARE\NORMAN2\Nvc\BIN\NPFSVICE.EXE
C:\Software\Norman2\NVC\BIN\Zanda.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\WINNT\System32\Tmesbs2.exe
C:\Program Files\TOSHIBA\TME\Tmesrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\S3tray.exe
C:\WINNT\system32\TPWRTRAY.EXE
C:\SOFTWARE\NORMAN2\Nvc\BIN\ZLH.EXE
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\Software\quickt\iTunesHelper.exe
C:\WINNT\System32\Tdevdetect.exe
C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
C:\WINNT\System32\Tfunckey.exe
C:\WINNT\System32\Tpwricon.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Software\hijackthis\HijackThis.exe
C:\Program Files\iPod\bin\iPodService.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Norman ZANDA] C:\SOFTWARE\NORMAN2\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [iTunesHelper] "C:\Software\quickt\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LJSMSUMkPSPKK\] C:\WINNT\system32\bbpzxh.exe
O4 - HKLM\..\Run: [Z_[SVYYRSOI^W_`N] C:\WINNT\system32\onxjalddnczhip.exe
O4 - HKLM\..\RunServices: [LJSMSUMkPSPKK\] C:\WINNT\system32\bbpzxh.exe
O4 - HKLM\..\RunServices: [Z_[SVYYRSOI^W_`N] C:\WINNT\system32\onxjalddnczhip.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - Global Startup: TSBxLogon.lnk = C:\WINNT\system32\TMESBS2.exe
O4 - Global Startup: TMExLogon.lnk = C:\Program Files\TOSHIBA\TME\TMESRV.EXE
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {D1EA8D3D-F511-4388-B754-4A0CC14A4778} (Aurigma Image Uploader 3.0 Control) - http://www.eurofoto.no/activex/ImageUploader3.cab
O20 - Winlogon Notify: 2006reg - C:\Documents and Settings\All Users\Documents\Settings\2006.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINNT\
O21 - SSODL: bQJrUvVutjY - {116B130D-BBC1-B9A7-FE99-BAAA524B8C58} - C:\WINNT\system32\uvr.dll (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Software\antivir\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Software\antivir\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Software\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINNT\system32\netbtd.exe (file missing)
O23 - Service: NILM License manager - Macrovision Corporation - C:\Software\NationalInstruments\shared\License Manager\Bin\lmgrd.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\nipsvc.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINNT\system32\niSvcLoc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Software\Norman2\NVC\BIN\Zanda.exe
O23 - Service: Network DRV (NTDRV) - Unknown owner - C:\WINNT\system32\netdrvr.exe (file missing)
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\SOFTWARE\NORMAN2\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\SOFTWARE\NORMAN2\Nvc\BIN\NVCSCHED.EXE
O23 - Service: THotkey (THOTKEY) - TOSHIBA Corp. - C:\WINNT\SYSTEM32\THOTKEY.EXE
O23 - Service: tmesbs2 (Tmesbs) - Toshiba Corporation - C:\WINNT\System32\Tmesbs2.exe
O23 - Service: Tmesrv - Unknown owner - C:\Program Files\TOSHIBA\TME\Tmesrv.exe" /Service (file missing)

--------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 22:08:03, on 15.05.2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Software\antivir\AVWUPSRV.EXE
C:\WINNT\System32\cisvc.exe
C:\Software\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\niSvcLoc.exe
C:\SOFTWARE\NORMAN2\Nvc\BIN\NPFSVICE.EXE
C:\Software\Norman2\NVC\BIN\Zanda.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\WINNT\System32\Tmesbs2.exe
C:\Program Files\TOSHIBA\TME\Tmesrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\S3tray.exe
C:\WINNT\system32\TPWRTRAY.EXE
C:\SOFTWARE\NORMAN2\Nvc\BIN\ZLH.EXE
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\Software\quickt\iTunesHelper.exe
C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
C:\WINNT\System32\Tdevdetect.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\WINNT\System32\Tfunckey.exe
C:\WINNT\System32\Tpwricon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Software\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Norman ZANDA] C:\SOFTWARE\NORMAN2\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [iTunesHelper] "C:\Software\quickt\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - Global Startup: TSBxLogon.lnk = C:\WINNT\system32\TMESBS2.exe
O4 - Global Startup: TMExLogon.lnk = C:\Program Files\TOSHIBA\TME\TMESRV.EXE
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D1EA8D3D-F511-4388-B754-4A0CC14A4778} (Aurigma Image Uploader 3.0 Control) - http://www.eurofoto.no/activex/ImageUploader3.cab
O20 - Winlogon Notify: 2006reg - C:\Documents and Settings\All Users\Documents\Settings\2006.dll (file missing)
O20 - Winlogon Notify: AutorunsDisabled - C:\WINNT\
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Software\antivir\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Software\antivir\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Software\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINNT\system32\netbtd.exe (file missing)
O23 - Service: NILM License manager - Macrovision Corporation - C:\Software\NationalInstruments\shared\License Manager\Bin\lmgrd.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\nipsvc.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINNT\system32\niSvcLoc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Software\Norman2\NVC\BIN\Zanda.exe
O23 - Service: Network DRV (NTDRV) - Unknown owner - C:\WINNT\system32\netdrvr.exe (file missing)
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\SOFTWARE\NORMAN2\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\SOFTWARE\NORMAN2\Nvc\BIN\NVCSCHED.EXE
O23 - Service: THotkey (THOTKEY) - TOSHIBA Corp. - C:\WINNT\SYSTEM32\THOTKEY.EXE
O23 - Service: tmesbs2 (Tmesbs) - Toshiba Corporation - C:\WINNT\System32\Tmesbs2.exe
O23 - Service: Tmesrv - Unknown owner - C:\Program Files\TOSHIBA\TME\Tmesrv.exe" /Service (file missing)

--------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 22:14:11, on 15.05.2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Software\antivir\AVWUPSRV.EXE
C:\WINNT\System32\cisvc.exe
C:\Software\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\niSvcLoc.exe
C:\SOFTWARE\NORMAN2\Nvc\BIN\NPFSVICE.EXE
C:\Software\Norman2\NVC\BIN\Zanda.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\WINNT\System32\Tmesbs2.exe
C:\Program Files\TOSHIBA\TME\Tmesrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\S3tray.exe
C:\WINNT\system32\TPWRTRAY.EXE
C:\SOFTWARE\NORMAN2\Nvc\BIN\ZLH.EXE
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\Software\quickt\iTunesHelper.exe
C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
C:\WINNT\System32\Tdevdetect.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\WINNT\System32\Tfunckey.exe
C:\WINNT\System32\Tpwricon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Software\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Norman ZANDA] C:\SOFTWARE\NORMAN2\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [iTunesHelper] "C:\Software\quickt\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - Global Startup: TSBxLogon.lnk = C:\WINNT\system32\TMESBS2.exe
O4 - Global Startup: TMExLogon.lnk = C:\Program Files\TOSHIBA\TME\TMESRV.EXE
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D1EA8D3D-F511-4388-B754-4A0CC14A4778} (Aurigma Image Uploader 3.0 Control) - http://www.eurofoto.no/activex/ImageUploader3.cab
O20 - Winlogon Notify: AutorunsDisabled - C:\WINNT\
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Software\antivir\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Software\antivir\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Software\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINNT\system32\netbtd.exe (file missing)
O23 - Service: NILM License manager - Macrovision Corporation - C:\Software\NationalInstruments\shared\License Manager\Bin\lmgrd.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\nipsvc.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINNT\system32\niSvcLoc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Software\Norman2\NVC\BIN\Zanda.exe
O23 - Service: Network DRV (NTDRV) - Unknown owner - C:\WINNT\system32\netdrvr.exe (file missing)
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\SOFTWARE\NORMAN2\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\SOFTWARE\NORMAN2\Nvc\BIN\NVCSCHED.EXE
O23 - Service: THotkey (THOTKEY) - TOSHIBA Corp. - C:\WINNT\SYSTEM32\THOTKEY.EXE
O23 - Service: tmesbs2 (Tmesbs) - Toshiba Corporation - C:\WINNT\System32\Tmesbs2.exe
O23 - Service: Tmesrv - Unknown owner - C:\Program Files\TOSHIBA\TME\Tmesrv.exe" /Service (file missing)

--------------------------------------------------

65538
2006-05-16, 02:03
Log continues:

--- Search result list ---
Windows Security Center.AntiVirusOverride: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0

Windows Security Center.FirewallOverride: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride!=dword:0

Windows Security Center.FirewallDisableNotify: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

Windows Security Center.UpdateDisableNotify: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2006-05-02 unins000.exe (51.41.0.0)
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-02-06 advcheck.dll (1.0.2.0)
2006-02-20 Tools.dll (2.0.0.2)
2006-05-02 Includes\Cookies.sbi (*)
2006-05-02 Includes\Dialer.sbi (*)
2006-05-02 Includes\Hijackers.sbi (*)
2006-05-02 Includes\Keyloggers.sbi (*)
2006-05-02 Includes\Malware.sbi (*)
2006-05-02 Includes\Revision.sbi (*)
2006-05-02 Includes\Security.sbi (*)
2006-05-02 Includes\Spybots.sbi (*)
2006-05-02 Includes\Trojans.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-05-02 Includes\PUPS.sbi (*)



--- System information ---
Windows 2000 (Build: 2195) Service Pack 4
/ DataAccess: Patch Available For XMLHTTP Vulnerability
/ DataAccess: Security Update for Microsoft Data Access Components
/ Windows 2000 / SP4: Windows 2000 Service Pack 4
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB329115
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB820888
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB822831
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB823182
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB823559
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB824105
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB824141
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB824146
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB825119
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB826232
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB828028
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB828035
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB828749
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB829558
/ Windows 2000 / SP5: Windows 2000 Hotfix (SP5) Q818043
/ Windows Media Player: Windows Media Player Hotfix [See Q828026 for more information]
/ Windows Media Player / SP0: Windows Media Player Hotfix [See Q828026 for more information]


--- Startup entries list ---
Located: HK_LM:Run, ACUMon
command: "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
file: C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
size: 364544
MD5: 612495556c82e4c85c920d6a8b78964b

Located: HK_LM:Run, iTunesHelper
command: "C:\Software\quickt\iTunesHelper.exe"
file: C:\Software\quickt\iTunesHelper.exe
size: 278528
MD5: a8cf3f60099eaa123db72611ce7be271

Located: HK_LM:Run, NeroFilterCheck
command: C:\WINNT\system32\NeroCheck.exe
file: C:\WINNT\system32\NeroCheck.exe
size: 155648
MD5: 3e4c03cefad8de135263236b61a49c90

Located: HK_LM:Run, Norman ZANDA
command: C:\SOFTWARE\NORMAN2\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
file: C:\SOFTWARE\NORMAN2\Nvc\BIN\ZLH.EXE
size: 90112
MD5: ed56e42cfd7d53af4453c4253eaa17b0

Located: HK_LM:Run, S3TRAY
command: S3tray.exe
file: C:\WINNT\system32\S3tray.exe
size: 57856
MD5: 7c2766120401f41345c12eeed426d892

Located: HK_LM:Run, Synchronization Manager
command: mobsync.exe /logon
file: C:\WINNT\system32\mobsync.exe
size: 111376
MD5: 9b2f5b9e745deaaa57fb78329ed03061

Located: HK_LM:Run, Tpwrtray
command: TPWRTRAY.EXE
file: C:\WINNT\system32\TPWRTRAY.EXE
size: 65536
MD5: 586f9abd320c40746bf43f3ee7a29cec

Located: HK_CU:Run, PhotoShow Deluxe Media Manager
command: C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
file: C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
size: 212992
MD5: 917bafa5fc295611a401692f56da7829

Located: Startup (common), Acrobat Assistant.lnk
command: C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
file: C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
size: 82026
MD5: 21189b8f2d747b6981a54d5c5d554c8e

Located: Startup (common), Picture Package Menu.lnk
command: C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
file: C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
size: 151552
MD5: f15fcbb20fe82674f48a60a37e5ba45a

Located: Startup (common), TMExLogon.lnk
command: C:\Program Files\TOSHIBA\TME\TMESRV.EXE
file: C:\Program Files\TOSHIBA\TME\TMESRV.EXE
size: 64000
MD5: 79ae37395205daee97f1b7888bc07f77

Located: Startup (common), TSBxLogon.lnk
command: C:\WINNT\system32\TMESBS2.exe
file: C:\WINNT\system32\TMESBS2.exe
size: 53248
MD5: e6229dc0fb3f68856fa62f93f7610601

Located: System.ini, AutorunsDisabled
command:
file:

Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll

Located: System.ini, cryptnet
command: cryptnet.dll
file: cryptnet.dll

Located: System.ini, cscdll
command: cscdll.dll
file: cscdll.dll

Located: System.ini, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll

Located: System.ini, SensLogn
command: WlNotify.dll
file: WlNotify.dll

Located: System.ini, wzcnotif
command: wzcdlg.dll
file: wzcdlg.dll

--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
BHO name:
CLSID name: AcroIEHlprObj Class
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\
Long name: AcroIEHelper.ocx
Short name: ACROIE~1.OCX
Date (created): 18.01.2006 21:04:26
Date (last access): 15.05.2006
Date (last write): 16.04.2001 16:39:02
Filesize: 37808
Attributes:
MD5: 8394ABFC1BE196A62C9F532511936DF7
CRC32: 71D6E350
Version: 1.0.0.1



--- ActiveX list ---
DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
Installer:
Codebase: file://C:\WINNT\Java\classes\dajava.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla

Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase: file://C:\WINNT\Java\classes\xmldso.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

{30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class)
DPF name:
CLSID name: YInstStarter Class
Installer: C:\WINNT\Downloaded Program Files\yinst.inf
Codebase: http://download.yahoo.com/dl/installs/yinst0401.cab
description: Yahoo! Installation helper
classification: Legitimate
known filename: %SystemRoot%\Downloaded Program Files\yinsthelper.dll
info link:
info source: Patrick M. Kolla
Path: C:\WINNT\Downloaded Program Files\
Long name: yinsthelper.dll
Short name: YINSTH~1.DLL
Date (created): 26.01.2004 18:40:04
Date (last access): 15.05.2006
Date (last write): 26.01.2004 18:40:04
Filesize: 133120
Attributes: archive
MD5: E1FBF33D995C89583A36F461EC2879FF
CRC32: 1592E04B
Version: 2004.1.26.1

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2)
DPF name: Java Runtime Environment 1.4.2
CLSID name: Java Plug-in 1.4.2_04
Installer:
Codebase: http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\j2re1.4.2_04\bin\
Long name: NPJPI142_04.dll
Short name: NPJPI1~1.DLL
Date (created): 22.02.2068 23:44:46
Date (last access): 11.05.2006
Date (last write): 22.02.2004 23:44:42
Filesize: 65650
Attributes: archive
MD5: 2BCA54CB6A12A5EFBF922C0C1856F30D
CRC32: 3D4A4E94
Version: 1.4.2.40

{9F1C11AA-197B-4942-BA54-47A8489BB47F} ()
DPF name:
CLSID name:
Installer: C:\WINNT\Downloaded Program Files\iuctl.inf
Codebase: http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38029.2046990741
description: Windows Update
classification: Legitimate
known filename: %WINDIR%\System32\iuctl.dll,iuengine.dll
info link:
info source: Patrick M. Kolla

{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.4.2)
DPF name: Java Runtime Environment 1.4.2
CLSID name: Java Plug-in 1.4.2_04
Installer:
Codebase: http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
description: Java Runtime Environment 1.4.2
classification: Legitimate
known filename: %ProgramFiles%\Java\j2re1.4.2_01\bin\NPJPI142_04.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\j2re1.4.2_04\bin\
Long name: NPJPI142_04.dll
Short name: NPJPI1~1.DLL
Date (created): 22.02.2068 23:44:46
Date (last access): 15.05.2006
Date (last write): 22.02.2004 23:44:42
Filesize: 65650
Attributes: archive
MD5: 2BCA54CB6A12A5EFBF922C0C1856F30D
CRC32: 3D4A4E94
Version: 1.4.2.40

{D1EA8D3D-F511-4388-B754-4A0CC14A4778} (Aurigma Image Uploader 3.0 Control)
DPF name:
CLSID name: Aurigma Image Uploader 3.0 Control
Installer: C:\WINNT\Downloaded Program Files\ImageUploader3.inf
Codebase: http://www.eurofoto.no/activex/ImageUploader3.cab
Path: C:\WINNT\Downloaded Program Files\
Long name: ImageUploader3.ocx
Short name: IMAGEU~1.OCX
Date (created): 05.09.2005 16:11:34
Date (last access): 11.05.2006
Date (last write): 05.09.2005 16:11:34
Filesize: 1896448
Attributes: archive
MD5: D1C3ED13BA9A16F65EFF6F2154358238
CRC32: 489AAD45
Version: 3.5.98.1

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINNT\Downloaded Program Files\swflash.inf
Codebase: http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINNT\system32\Macromed\Flash\
Long name: Flash8.ocx
Short name: FLASH8.OCX
Date (created): 27.08.2005 13:38:56
Date (last access): 11.05.2006
Date (last write): 27.08.2005 13:38:56
Filesize: 1435272
Attributes: archive
MD5: 900373C059C2B51CA91BF110DBDECB33
CRC32: F19599BC
Version: 8.0.22.0



--- Process list ---
PID: 0 ( 0) [System]
PID: 156 ( 8) \SystemRoot\System32\smss.exe
PID: 180 ( 156) \??\C:\WINNT\system32\csrss.exe
PID: 200 ( 156) \??\C:\WINNT\system32\winlogon.exe
PID: 228 ( 200) C:\WINNT\system32\services.exe
size: 89360
MD5: CFED2D28F5B8A24127E9E06043070643
PID: 240 ( 200) C:\WINNT\system32\lsass.exe
size: 33552
MD5: 271229760CCED993E9E7CAB1C7274134
PID: 388 ( 228) C:\WINNT\system32\svchost.exe
size: 7952
MD5: 9E64AD53CFD9DA2D22E8A924F8C6E62C
PID: 452 ( 228) C:\WINNT\System32\svchost.exe
size: 7952
MD5: 9E64AD53CFD9DA2D22E8A924F8C6E62C
PID: 504 ( 228) C:\WINNT\system32\spoolsv.exe
size: 45328
MD5: 987DAF317B917CFC973DE8364D62A76C
PID: 528 ( 228) C:\Software\antivir\AVWUPSRV.EXE
size: 36864
MD5: DD57D2F0C9C0D9E98B6ACE6799E67626
PID: 544 ( 228) C:\WINNT\System32\cisvc.exe
size: 5392
MD5: 2830A2C82270F387265DFA658656EB99
PID: 564 ( 228) C:\Software\ewido anti-malware\ewidoctrl.exe
size: 13888
MD5: 26830B750372AB1BF29C95DEEBEB802F
PID: 616 ( 228) C:\WINNT\system32\hidserv.exe
size: 19728
MD5: 58CD2730E2BAC2E58D32D65B2B042020
PID: 640 ( 228) C:\WINNT\system32\niSvcLoc.exe
size: 49152
MD5: 96D71A62EF92FDC09409F45D541E9F8E
PID: 656 ( 228) C:\SOFTWARE\NORMAN2\Nvc\BIN\NPFSVICE.EXE
size: 65536
MD5: DD45DA5C722DCEAE4A63226607C245D3
PID: 672 ( 228) C:\Software\Norman2\NVC\BIN\Zanda.exe
size: 282624
MD5: 64715BAA0D7281CE3FAF346199C6EA70
PID: 724 ( 228) C:\WINNT\system32\MSTask.exe
size: 119568
MD5: 00D8C428B2D6DFFCABEB859BC69F632B
PID: 752 ( 228) C:\WINNT\system32\stisvc.exe
size: 61712
MD5: B75235626B950FF821146555C612F814
PID: 800 ( 228) C:\WINNT\SYSTEM32\THOTKEY.EXE
size: 28672
MD5: 494701127D3E961D55D5F9C4F5105261
PID: 824 ( 228) C:\WINNT\System32\Tmesbs2.exe
size: 53248
MD5: E6229DC0FB3F68856FA62F93F7610601
PID: 844 ( 228) C:\Program Files\TOSHIBA\TME\Tmesrv.exe
size: 64000
MD5: 79AE37395205DAEE97F1B7888BC07F77
PID: 876 ( 228) C:\WINNT\System32\WBEM\WinMgmt.exe
size: 196706
MD5: 05B2001E1BC653FD6091E741B46F71B4
PID: 924 ( 228) C:\WINNT\system32\svchost.exe
size: 7952
MD5: 9E64AD53CFD9DA2D22E8A924F8C6E62C
PID: 988 ( 968) C:\WINNT\Explorer.EXE
size: 243472
MD5: 59CF2B7DCED9111F48F51B4B570E672D
PID: 1076 ( 988) C:\WINNT\system32\S3tray.exe
size: 57856
MD5: 7C2766120401F41345C12EEED426D892
PID: 1084 ( 988) C:\WINNT\system32\TPWRTRAY.EXE
size: 65536
MD5: 586F9ABD320C40746BF43F3EE7A29CEC
PID: 1092 ( 988) C:\SOFTWARE\NORMAN2\Nvc\BIN\ZLH.EXE
size: 90112
MD5: ED56E42CFD7D53AF4453C4253EAA17B0
PID: 1100 ( 988) C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
size: 364544
MD5: 612495556C82E4C85C920D6A8B78964B
PID: 992 ( 988) C:\Software\quickt\iTunesHelper.exe
size: 278528
MD5: A8CF3F60099EAA123DB72611CE7BE271
PID: 1116 ( 988) C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
size: 212992
MD5: 917BAFA5FC295611A401692F56DA7829
PID: 1148 (1084) C:\WINNT\System32\Tdevdetect.exe
size: 53248
MD5: 013BF48FB149235CE1A2EBA9058983B5
PID: 1152 ( 988) C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
size: 151552
MD5: F15FCBB20FE82674F48A60A37E5BA45A
PID: 1160 (1084) C:\WINNT\System32\Tfunckey.exe
size: 147456
MD5: D4DBB6B88C83B2F4A6FCEBDE778B5D2A
PID: 1172 (1084) C:\WINNT\System32\Tpwricon.exe
size: 39936
MD5: 3C820B34D93084DE925351DB2B523FB3
PID: 1196 ( 988) C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
size: 82026
MD5: 21189B8F2D747B6981A54D5C5D554C8E
PID: 1208 ( 988) C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
size: 32881
MD5: D7B9BE63C406103EE1405FE473AC0697
PID: 1288 ( 228) C:\Program Files\iPod\bin\iPodService.exe
size: 323584
MD5: EDA049739349F0E837D4F55E8879D665
PID: 608 ( 988) C:\Software\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09CA174A605B480318731E691DC98539
PID: 8 ( 0) System


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 15.05.2006 22:29:24

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINNT\SYSTEM32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://home.microsoft.com/access/autosearch.asp?p=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINNT\SYSTEM32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

65538
2006-05-16, 02:05
The log continues:

--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Irda [IrDA]
GUID: {3972523D-2AF1-11D1-B655-00805F3642CC}
Filename: %SystemRoot%\system32\msafd.dll
Description: Infrared protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Irda [IrDA]

Protocol 1: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 2: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 3: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 4: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D2B45DAB-B957-41C1-9679-7436DB0BB03B}] SEQPACKET 9
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D2B45DAB-B957-41C1-9679-7436DB0BB03B}] DATAGRAM 9
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{23CEADFF-0F83-4655-8600-C54520302702}] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{23CEADFF-0F83-4655-8600-C54520302702}] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4943086B-B1E2-41AB-820A-90A01A87426E}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4943086B-B1E2-41AB-820A-90A01A87426E}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{70A45175-E4B6-42B2-84E2-4885F05E6D19}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{70A45175-E4B6-42B2-84E2-4885F05E6D19}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{DE826DE2-667D-47EA-8D63-116B69520B47}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{DE826DE2-667D-47EA-8D63-116B69520B47}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{406F021E-93A3-4D34-AE82-2346D9DE57BF}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{406F021E-93A3-4D34-AE82-2346D9DE57BF}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{6456A99E-055A-4D8D-81C4-9A0202184F1F}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip_{6456A99E-055A-4D8D-81C4-9A0202184F1F}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 20: MSAFD NetBIOS [\Device\NetBT_Tcpip_{095E3418-6515-4A13-A8F7-413020E17DFB}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 21: MSAFD NetBIOS [\Device\NetBT_Tcpip_{095E3418-6515-4A13-A8F7-413020E17DFB}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 22: MSAFD NetBIOS [\Device\NetBT_Tcpip_{93336D74-403A-456B-B8E5-CC7902CF7564}] SEQPACKET 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 23: MSAFD NetBIOS [\Device\NetBT_Tcpip_{93336D74-403A-456B-B8E5-CC7902CF7564}] DATAGRAM 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 24: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B7633015-602B-4E80-98B8-07508BC8692E}] SEQPACKET 8
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 25: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B7633015-602B-4E80-98B8-07508BC8692E}] DATAGRAM 8
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\rnr20.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS



--- Uninstall list ---
Ad-Aware SE Personal 1.06 (Ad-Aware SE Personal)
uninstall cmd: C:\SOFTWARE\AD-AWA~1\UNWISE.EXE C:\SOFTWARE\AD-AWA~1\INSTALL.LOG
publisher: Lavasoft
help link: http://www.lavasoft.com

(AddressBook)

Adobe Acrobat 5.0 5.0 (Adobe Acrobat 5.0)
version (major): 5
install location: C:\Program Files\Adobe\Acrobat 5.0
install source: D:\Acrobat 5\
uninstall cmd: C:\WINNT\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
publisher: Adobe Systems, Inc.
help link: http://www.adobe.com/prodindex/acrobat/main.html

AntiVir/XP (AntiVir/XP)
uninstall cmd: C:\Software\antivir\AVUNINST.EXE
publisher: H+BEDV Datentechnik GmbH
comments: -
contact: Support Forum
help link: http://www.free-av.de/forum

(Branding)

CDBurnerXP Pro (CDBurnerXP Pro )
uninstall cmd: C:\WINNT\iun6002.exe "C:\Software\cdburnerpro\irunin.ini"

Cisco Aironet Installation Wizard (CiscoInstallWizard)
uninstall cmd: C:\WINNT\Cisco\DInstall\IWSetup.exe /cp

(Connection Manager)

(DirectAnimation)

(DirectDrawEx)

DVDExpress (DVD Express A/V Pak)
uninstall cmd: C:\WINNT\IsUninst.exe -f"C:\Program Files\Mediamatics\DVDExpress\Uninst.isu" -c"C:\Program Files\Mediamatics\DVDExpress\mydll.dll"

(DXM_Runtime)

ewido anti-malware (ewidoantimalware)
install location: C:\Software\ewido anti-malware
uninstall cmd: C:\Software\ewido anti-malware\Uninstall.exe
publisher: ewido networks
help link: http://www.ewido.net

(expinst)

(Fontcore)

HijackThis 1.99.1 1.99.1 (HijackThis)
uninstall cmd: C:\Software\hijackthis\HijackThis.exe /uninstall
publisher: Soeperman Enterprises Ltd.

HP Photo Printing Software (HP Photo Printing Software)
uninstall cmd: C:\WINNT\IsUninst.exe -f"C:\Program Files\Hewlett-Packard\Photo Printing\Uninstall.isu" -c"C:\Program Files\Hewlett-Packard\Photo Printing\hpiunPC.dll

HP PSC 1400 series (HP PSC 1400 series_Driver)
uninstall cmd: rundll32 hpzcon12.dll,VendorJettison HP PSC 1400 series

hp psc 900 series - 2 (hp psc 900 series 1088493051)
uninstall cmd: C:\WINNT\system32\hpocon07.exe /u 1088493051 /d "hp psc 900 series"

(ICW)

Microsoft Internet Explorer 6 SP1 (IE40)
uninstall cmd: rundll32 C:\WINNT\system32\setupwbv.dll,IE6Maintenance C:\Program Files\Internet Explorer\IE Uninstall\W2KEXCP.EXE /u

(IE4Data)

(IE5BAKEX)

(IEData)

(IEREADME)

Internet Explorer Q832894 (ieupdate)
uninstall cmd: C:\WINNT\ieuninst.exe C:\WINNT\INF\Q832894.inf

(InstallShield Uninstall Information)

iTunes 6.0.2.23 (InstallShield_{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5})
version: 100663298
version (major): 6
estimated size: 34088
install date: 20060103
install location: C:\Software\quickt\
install source: C:\WINNT\Downloaded Installations\{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5}\
uninstall cmd: C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5} /l1033
publisher: Apple Computer, Inc.
contact: AppleCare Support
help link: http://www.info.apple.com/
help telephone: 1-800-275-2273

QuickTime 7.0.4 (InstallShield_{929408E6-D265-4174-805F-81D1D914E2A4})
version: 117440516
version (major): 7
estimated size: 68179
install date: 20060103
install location: C:\Program Files\QuickTime\
install source: C:\DOCUME~1\Bruker\LOCALS~1\Temp\_is6F\
uninstall cmd: C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{929408E6-D265-4174-805F-81D1D914E2A4} /l1033
publisher: Apple Computer, Inc.
contact: AppleCare Support
help link: http://www.info.apple.com/
help telephone: 1-800-275-2273

Windows 2000 Hotfix - KB329115 20031024.155236 (KB329115)
uninstall cmd: C:\WINNT\$NtUninstallKB329115$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=329115

Windows 2000 Hotfix - KB820888 20030604.152521 (KB820888)
uninstall cmd: C:\WINNT\$NtUninstallKB820888$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=820888

Windows 2000 Hotfix - KB822831 20030611.114034 (KB822831)
uninstall cmd: C:\WINNT\$NtUninstallKB822831$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=822831

Windows 2000 Hotfix - KB823182 20030618.121409 (KB823182)
uninstall cmd: C:\WINNT\$NtUninstallKB823182$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=823182

Windows 2000 Hotfix - KB823559 20030627.135515 (KB823559)
uninstall cmd: C:\WINNT\$NtUninstallKB823559$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=823559

Windows 2000 Hotfix - KB824105 20030716.151320 (KB824105)
uninstall cmd: C:\WINNT\$NtUninstallKB824105$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=824105

Windows 2000 Hotfix - KB824141 20030805.151423 (KB824141)
uninstall cmd: C:\WINNT\$NtUninstallKB824141$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=824141

Windows 2000 Hotfix - KB824146 20030823.144456 (KB824146)
uninstall cmd: C:\WINNT\$NtUninstallKB824146$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=824146

Windows 2000 Hotfix - KB825119 20030827.151123 (KB825119)
uninstall cmd: C:\WINNT\$NtUninstallKB825119$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=825119

Windows 2000 Hotfix - KB826232 20031007.160553 (KB826232)
uninstall cmd: C:\WINNT\$NtUninstallKB826232$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=826232

Windows 2000 Hotfix - KB828028 20040122.114409 (KB828028)
uninstall cmd: C:\WINNT\$NtUninstallKB828028$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=828028

Windows 2000 Hotfix - KB828035 20031023.142138 (KB828035)
uninstall cmd: C:\WINNT\$NtUninstallKB828035$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=828035

Windows 2000 Hotfix - KB828749 20031023.124056 (KB828749)
uninstall cmd: C:\WINNT\$NtUninstallKB828749$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=828749

Windows 2000 Hotfix - KB829558 20030929.142857 (KB829558)
uninstall cmd: C:\WINNT\$NtUninstallKB829558$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=829558

(Microsoft NetShow Player 2.0)

(MobileOptionPack)

(MPlayer2)

(MsJavaVM)

(Nero - Burning Rom!UninstallKey)
uninstall cmd: C:\Software\nero\nero\uninstall\UNNERO.exe /UNINSTALL

Nero PhotoShow Express 3.0 (Nero PhotoShow Express)
version (major): 3
install location: C:\Software\nero\Nero PhotoShow\Nero PhotoShow Express.exe
uninstall cmd: "C:\Software\nero\Nero PhotoShow\data\Xtras\Uninstall.exe"
publisher: Simple Star, Inc.
help link: http://www.simplestar.com/support

Nero Suite (NeroMultiInstaller!UninstallKey)
uninstall cmd: C:\Program Files\Common Files\Nero\Uninstall\Setupx.exe /uninstall ExtraUninstallID=""

(NeroVision!UninstallKey)
uninstall cmd: C:\WINNT\UNNeroVision.exe /UNINSTALL

(NetMeeting)

National Instruments Software (NI Uninstaller)
uninstall cmd: "C:\Software\NationalInstruments\shared\NIUninstaller\uninst.exe"
help link: http://www.ni.com/support/

(NMPUninstallKey)
uninstall cmd: C:\WINNT\UNNMP.exe /UNINSTALL

Outlook Express Update Q330994 (oeupdate)
uninstall cmd: C:\WINNT\Q330994.exe C:\WINNT\INF\Q330994.inf

op (op)
uninstall cmd: C:\SOFTWARE\op\UNINST\unwise.exe C:\SOFTWARE\op\UNINST\INSTALL.LOG

Opera (Opera)
uninstall cmd: C:\SOFTWARE\op\UNINST\UNWISE.EXE C:\SOFTWARE\op\UNINST\Install.log

(OutlookExpress)

Paint Shop Pro 5.0 Evaluation (Paint Shop Pro 5.0 Evaluation)
uninstall cmd: C:\SOFTWARE\PAINTS~1\UNWISE.EXE C:\SOFTWARE\PAINTS~1\INSTALL.LOG

Windows 2000 Hotfix (SP5) Q818043 20030501.174006 (Q818043)
uninstall cmd: C:\WINNT\$NtUninstallQ818043$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=818043

Windows Media Player Hotfix [See Q828026 for more information] (Q828026)
uninstall cmd: C:\WINNT\$NtUninstallQ828026$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=828026

S3 Gamma Utility (S3 Gamma)
uninstall cmd: s3uninst.exe GammaUninstall.NT 5 s3savmx.inf

S3DuoView+ Utility (S3DUOVUE)
uninstall cmd: s3uninst.exe S3DuovueUninstall.NT 5 s3savmx.inf

(SchedulingAgent)

Macromedia Flash Player 8 8 (ShockwaveFlash)
uninstall cmd: RunDll32 advpack.dll,LaunchINFSection C:\WINNT\INF\swflash.inf,DefaultUninstall,5
publisher: Macromedia
help link: http://www.macromedia.com/go/flashplayer_support/

65538
2006-05-16, 02:06
The log continues:


Spybot - Search & Destroy 1.4 1.4 (Spybot - Search & Destroy_is1)
install location: C:\Software\Spybot - Search & Destroy\
uninstall cmd: "C:\Software\Spybot - Search & Destroy\unins000.exe"
publisher: Safer Networking Limited

TOSHIBA Display Power Save (TDPSV)
uninstall cmd: C:\WINNT\IsUninst.exe -f"C:\Program Files\TDPSV\Uninst.isu"

TextPad 4 (TextPad 4)
uninstall cmd: C:\WINNT\IsUninst.exe -fc:\software\texpad\Uninst.isu

Toshiba Mobile Extension V1.00.03.00 (TME)
uninstall cmd: C:\WINNT\IsUninst.exe -f"C:\Program Files\TOSHIBA\TME\Uninst.isu" -c"C:\Program Files\TOSHIBA\TME\uninst.dll"

Toshiba Internal Modem User's Guide (Toshiba Modem Manual)
uninstall cmd: C:\WINNT\IsUninst.exe -fC:\Toshiba\Manuals\UnInstUOM.isu

Toshiba User's Manual (Toshiba Online Manual)
uninstall cmd: C:\WINNT\IsUninst.exe -fC:\Toshiba\Manuals\UnInstModem.isu

TOSHIBA Power Extension2 (TOSHIBA Power Extension2)
uninstall cmd: TPWRDEL.EXE

TOSHIBA Utilities (TOSHIBA Utilities)
uninstall cmd: tutildel.exe

Total Commander (Remove or Repair) (Totalcmd)
uninstall cmd: c:\System\Tc603\tcuninst.exe

WinZip (WinZip)
uninstall cmd: "C:\Software\WinZip8\WINZIP32.EXE" /uninstall

Systemoppdatering for Windows Media Player (9 Series) (WMP7)
uninstall cmd: C:\PROGRA~1\WINDOW~2\setup_wm.exe /Uninstall

XoftSpy (XoftSpy)
uninstall cmd: C:\Software\XoftSpy\uninstall.exe

Yahoo! Toolbar (Yahoo! Companion)
uninstall cmd: rundll32.exe C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\YCOMP5~1.DLL,DllCommand ui

Yahoo! Internet Mail (Yahoo! Internet Mail)
uninstall cmd: C:\WINNT\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\ymmapi.dll

Yahoo! Messenger Explorer Bar (Yahoo! Messenger Explorer Bar)
uninstall cmd: C:\WINNT\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\MESSEN~1\YHEXBM~1.DLL

Microsoft Office 2000 SR-1 Premium 9.00.3821 ({00000409-78E1-11D2-B60F-006097C998E7})
version: 150998765
version (major): 9
estimated size: 240290
install date: 20040405
install source: D:\
uninstall cmd: MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
publisher: Microsoft Corporation
help link: http://www.microsoft.com/support
readme: C:\Program Files\Microsoft Office\Office\ofread9.txt

NI LabVIEW Advanced Analysis 7.0 Evaluation 7.0 ({09CBDFA4-59FF-4143-B7B5-DFD8E6431886})
version: 117440512
version (major): 7
estimated size: 50419
install date: 20040616
install source: D:\components\lvadvanalysis\
publisher: National Instruments

Picture Package 1.00.000 ({1E2F8AE3-3437-44E6-BB75-E95751D6B83F})
version: 16777216
install location: C:\Program Files\Sony Corporation\Picture Package
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1E2F8AE3-3437-44E6-BB75-E95751D6B83F}\setup.exe" -l0x9 UNINSTALL

YAMAHA DS-XG WDM ({3E0B8A20-B239-11D3-9850-00C04F7AC096})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3E0B8A20-B239-11D3-9850-00C04F7AC096}\setup.exe" maintenance

Microsoft Windows Journal Viewer 1.5.2315.3 ({43DCF766-6838-4F9A-8C91-D92DA586DFA7})
version: 17107211
version (major): 1
version (minor): 5
estimated size: 6962
install date: 20040212
install source: C:\DOCUME~1\Bruker\LOCALS~1\Temp\IXP000.TMP\
uninstall cmd: MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
publisher: Microsoft
comments: A viewer for Windows Journal documents.
contact: Microsoft

NI Uninstaller 1.1.1f1 1.11.20 ({4BEC2867-0BF7-4A87-B459-003E3F20AFB1})
version: 17498132
version (major): 1
version (minor): 11
estimated size: 1068
install date: 20040616
install source: D:\components\mu\
publisher: National Instruments

Macromedia Flash Player 7.0.14.0 ({4ecaf021-478c-40c1-b777-3368a15f9966})
version: 117440526
version (major): 7
estimated size: 2
install date: 20060103
install source: C:\DOCUME~1\Bruker\LOCALS~1\Temp\{4FFADF71-9FD0-41C5-A690-D2E39D8C29FA}\{1E2F8AE3-3437-44E6-BB75-E95751D6B83F}\
uninstall cmd: MsiExec.exe /X{4ecaf021-478c-40c1-b777-3368a15f9966}
publisher: Macromedia, Inc.

iTunes 6.0.2.23 ({501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5})
version: 100663298
version (major): 6
estimated size: 34088
install date: 20060103
install location: C:\Software\quickt\
install source: C:\WINNT\Downloaded Installations\{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5}\
publisher: Apple Computer, Inc.
contact: AppleCare Support
help link: http://www.info.apple.com/
help telephone: 1-800-275-2273

NI LabVIEW Run-Time Engine 7.1 7.1.157 ({518930BE-7875-4547-B026-20B92F695781})
version: 117506205
version (major): 7
version (minor): 1
estimated size: 67584
install date: 20040722
install source: C:\Wfa\Programs\RTEngine71\
publisher: National Instruments

({5B239A98-4222-4D8C-AF38-1A8EC07F956B})

Sony USB Driver ({5C29CB8B-AC1E-4114-8D68-9CD080140D4A})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALL

({5D0930A0-1033-433A-8BB9-602665550DD0})

({6041B9C1-775E-4C6A-AECE-70C39CAED90A})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6041B9C1-775E-4C6A-AECE-70C39CAED90A}\SETUP.EXE"

NI LabVIEW Picture Control Toolkit 7.0 Evaluation 7.0 ({6B786922-F93C-4C99-B6CA-66DD0C4B88CA})
version: 117440512
version (major): 7
estimated size: 5061
install date: 20040616
install source: D:\components\lvpicture\
publisher: National Instruments

WebFldrs 9.00.3501 ({6F716D8C-398F-11D3-85E1-005004838609})
version: 150998445
version (major): 9
estimated size: 2644
install date: 20000308
install source: C:\WINNT\System32\
publisher: Microsoft Corporation
help link: http://www.microsoft.com/windows

Java 2 Runtime Environment, SE v1.4.2_04 1.4.2_04 ({7148F0A8-6813-11D6-A77B-00B0D0142040})
version (major): 1
version (minor): 4
estimated size: 110144
install date: 20040617
install source: C:\Documents and Settings\Bruker\Local Settings\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142040}\
uninstall cmd: MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142040}
publisher: Sun Microsystems, Inc.
comments: http://www.java.com
contact: http://www.java.com
help link: http://www.java.com
help telephone: http://www.java.com
readme: Readme.txt

NI LVBrokerAux70 1.0.03013 ({735AF21E-5436-4780-88F7-B5508F043A40})
version: 16780229
version (major): 1
estimated size: 178
install date: 20040616
install source: D:\components\lvbrokeraux70\
publisher: National Instruments

NI LabVIEW Run-Time Engine 7.0 7.0 ({73D3BADE-EC2F-4A5C-8F80-CB68AB704FF3})
version: 117440512
version (major): 7
estimated size: 30522
install date: 20040616
install source: D:\components\lvruntimeeng\
publisher: National Instruments

HP Share-to-Web ({748F4870-8350-11D3-B0BF-080009FB4A19})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{748F4870-8350-11D3-B0BF-080009FB4A19}\setup.exe" %MAIN -l9

Norman Internet Control ({74C8BF56-6618-49AA-98BA-862223900CBF})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Software\Norman2\NVC\BIN\DelNVC5.exe"

QuickTime 7.0.4 ({929408E6-D265-4174-805F-81D1D914E2A4})
version: 117440516
version (major): 7
estimated size: 68179
install date: 20060103
install location: C:\Program Files\QuickTime\
install source: C:\DOCUME~1\Bruker\LOCALS~1\Temp\_is6F\
publisher: Apple Computer, Inc.
contact: AppleCare Support
help link: http://www.info.apple.com/
help telephone: 1-800-275-2273

({B6CB604F-CC59-480B-90FB-C15E80FB81A2})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B6CB604F-CC59-480B-90FB-C15E80FB81A2}\Setup.exe"

Sony Ericsson PC Suite 1.0.16 ({C037D08B-4883-491D-9329-DC5ACA90F797})
version: 16777232
version (major): 1
estimated size: 117233
install date: 20060103
install location: C:\Program Files\Sony Ericsson\Mobile\
install source: C:\WINNT\Downloaded Installations\{66D8C376-87FE-4A10-A39A-2D775C361BDC}\
uninstall cmd: MsiExec.exe /I{C037D08B-4883-491D-9329-DC5ACA90F797}
publisher: Sony Ericsson
contact: Sony Ericsson Technical Support
help link: http://www.sonyericsson.com
help telephone: 1-555-555-4505

NI LabVIEW Full 7.0 Evaluation 7.0 ({C1B6247F-F7D2-4246-A23D-93ADB787D2D3})
version: 117440512
version (major): 7
estimated size: 38567
install date: 20040616
install source: D:\components\lvcorefull\
publisher: National Instruments

({C75C9B85-4D7B-4E8B-8BDB-60C737610C2D})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C75C9B85-4D7B-4E8B-8BDB-60C737610C2D}\Setup.exe"

Microsoft .NET Framework 1.1 1.1.4322 ({CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1})
version: 16847074
version (major): 1
version (minor): 1
estimated size: 40392
install date: 20040212
install source: C:\DOCUME~1\Bruker\LOCALS~1\Temp\IXP000.TMP\
uninstall cmd: MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
publisher: Microsoft
readme: file://C:\WINNT\Microsoft.NET\Framework\v1.1.4322\1033\RepairRedist.htm

1.00.0000 ({CBE9E8B5-95B3-4E24-A5CA-55503502DFCB})
version: 16777216
version (major): 1
estimated size: 235922
install date: 20040629
install source: D:\Setup\
uninstall cmd: MsiExec.exe /X{CBE9E8B5-95B3-4E24-A5CA-55503502DFCB}
publisher: Hewlett-Packard
comments:
contact:
help link: http://www.officejetsupport.com
help telephone:
readme:

NI LabVIEW 7.0 Evaluation 7.0.0.140 ({CD93514F-7048-4DE7-BC20-8A867CD75C9A})
version: 117440512
version (major): 7
estimated size: 194579
install date: 20040616
install source: D:\components\lvcore\
publisher: National Instruments

({E01ADB17-4514-401F-ADE2-815946A651D6})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E01ADB17-4514-401F-ADE2-815946A651D6}\Setup.exe"

NI LVBroker 1.0.03013 ({E7BAFF4D-D4B0-4508-A370-743D49EFC28F})
version: 16780229
version (major): 1
estimated size: 78
install date: 20040616
install source: D:\components\lvbroker\
publisher: National Instruments

NI LabVIEW Service Locator 1.0 1.0.0 ({EC60B018-251A-47E7-A838-CECB70AE46EF})
version: 16777216
version (major): 1
estimated size: 86
install date: 20040616
install source: D:\components\svcloc\
publisher: National Instruments
help link: http://www.ni.com/support/

NI LabVIEW CIN Tools 7.0 Evaluation 7.0 ({F1311DB3-6734-4B4B-8F93-962BABB2F4C6})
version: 117440512
version (major): 7
estimated size: 1621
install date: 20040616
install source: D:\components\lvcin\
publisher: National Instruments

NI Instrument IO Assistant for LabVIEW 7.0 1.0.03013 ({FD950A83-5FA5-47F2-B0B1-296023420CB1})
version: 16780229
version (major): 1
estimated size: 280
install date: 20040616
install source: D:\components\lv70iioa\
publisher: National Instruments


--------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 00:17:58, on 16.05.2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Software\antivir\AVWUPSRV.EXE
C:\WINNT\System32\cisvc.exe
C:\Software\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\niSvcLoc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\WINNT\System32\Tmesbs2.exe
C:\Program Files\TOSHIBA\TME\Tmesrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\S3tray.exe
C:\WINNT\system32\TPWRTRAY.EXE
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\WINNT\System32\Tdevdetect.exe
C:\Software\quickt\iTunesHelper.exe
C:\WINNT\System32\Tfunckey.exe
C:\WINNT\System32\Tpwricon.exe
C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Software\hijackthis\HijackThis.exe
C:\Program Files\iPod\bin\iPodService.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [iTunesHelper] "C:\Software\quickt\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - Global Startup: TSBxLogon.lnk = C:\WINNT\system32\TMESBS2.exe
O4 - Global Startup: TMExLogon.lnk = C:\Program Files\TOSHIBA\TME\TMESRV.EXE
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D1EA8D3D-F511-4388-B754-4A0CC14A4778} (Aurigma Image Uploader 3.0 Control) - http://www.eurofoto.no/activex/ImageUploader3.cab
O20 - Winlogon Notify: AutorunsDisabled - C:\WINNT\
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Software\antivir\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Software\antivir\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Software\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINNT\system32\netbtd.exe (file missing)
O23 - Service: NILM License manager - Macrovision Corporation - C:\Software\NationalInstruments\shared\License Manager\Bin\lmgrd.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINNT\system32\niSvcLoc.exe
O23 - Service: Network DRV (NTDRV) - Unknown owner - C:\WINNT\system32\netdrvr.exe (file missing)
O23 - Service: THotkey (THOTKEY) - TOSHIBA Corp. - C:\WINNT\SYSTEM32\THOTKEY.EXE
O23 - Service: tmesbs2 (Tmesbs) - Toshiba Corporation - C:\WINNT\System32\Tmesbs2.exe
O23 - Service: Tmesrv - Unknown owner - C:\Program Files\TOSHIBA\TME\Tmesrv.exe" /Service (file missing)

-- end of logs

CalamityJane
2006-05-19, 02:43
Please download, install, and update the free version of Ewido AntiMalware:
http://www.ewido.net/en/download/

[1] From the main Ewido screen, click on Update in the left menu, then click the Start update button.

[2] After the update finishes (the status bar at the bottom will display "Update successful"):


Close the program after updating (don't scan with it yet, we'll do that in SAFE MODE)

Copy the following instructions to have handy as you will need to be offline, in SAFE MODE and with IE closed so you will not be able to view this page during the process.

Reboot your PC into SAFE MODE

How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam


Next, run a scan with Ewido.

[3] Click on the Scanner button in the left menu, then click on the Complete System Scan button. This scan can take quite a while to run, so please be patient.

[4] If Ewido finds anything, it will pop up a notification. You can select "remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.

[5] When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

Copy and paste the results from that scan back here please for review :)

*Note: Ewido is a free trial product for 14 days. After that you can purchase it for full features OR you can also keep the free version to use as an on-demand scanner (recommended).
You will still be able to manually update Ewido using the *update* button :)

tashi
2006-05-26, 05:50
65538, how is it going?

tashi
2006-06-02, 05:44
This topic is closed, if you need it re-opened please send me or your helper a pm and provide a link to the thread.

Thank you CalamityJane.