Trouble; TheMatrixHasYou, winbrume, paytime, secure32, etc.
My computer has been infected and I have been unable to fix it. I can clean up much of it, but it seems that as soon as I start IExplorer, a lot of unwanted files are installed again. I would be very grateful for a solution for this.
Thanks,
Howie
Some of the unwanted files on the computer:
TheMatrixHasYou.exe
winbrume.dll
secure32.html
winstall.exe
ibm00001.exe
ibm00002.dll
paytime.exe
fmc.exe
tool1.exe
tool2.exe
tool4.exe
tool5.exe
ms1.exe
0mcamcap.exe
vcyaudtb.exe
runfile[1].exe
rsysinit.exe
krab04[1].exe
2235.exe
u9d30[1].exe
btuzfltj.exe
ombvrigs.exe
3333[1].exe
88cbae71.exe
88cbae71.exe
country.exe
kl1.exe
khndwtso.exe
-------------------------
Logfile of HijackThis v1.99.1
Scan saved at 22:05:25, on 03.05.2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Software\antivir\AVWUPSRV.EXE
C:\WINNT\System32\cisvc.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\netbtd.exe
C:\WINNT\system32\niSvcLoc.exe
C:\SOFTWARE\NORMAN2\Nvc\BIN\NPFSVICE.EXE
C:\Software\Norman2\NVC\BIN\Zanda.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\WINNT\System32\Tmesbs2.exe
C:\Program Files\TOSHIBA\TME\Tmesrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\S3tray.exe
C:\WINNT\system32\TPWRTRAY.EXE
C:\SOFTWARE\NORMAN2\Nvc\BIN\ZLH.EXE
C:\WINNT\System32\Tdevdetect.exe
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\WINNT\System32\Tfunckey.exe
C:\Software\quickt\iTunesHelper.exe
C:\WINNT\System32\Tpwricon.exe
C:\WINNT\system32\internat.exe
C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Software\ewido anti-malware\ewidoctrl.exe
c:\tool2.exe
c:\Program Files\paytime.exe
c:\tool1.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\0mcamcap.exe
c:\Program Files\paytime.exe
C:\Software\hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINNT\SYSTEM32\winbrume.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Norman ZANDA] C:\SOFTWARE\NORMAN2\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [iTunesHelper] "C:\Software\quickt\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SysTray] c:\Program Files\paytime.exe
O4 - HKLM\..\Run: [88cbae71.exe] C:\WINNT\system32\88cbae71.exe
O4 - HKLM\..\Run: [0mcamcap] C:\WINNT\system32\0mcamcap.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINNT\system32\0mcamcap.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - Global Startup: TSBxLogon.lnk = C:\WINNT\system32\TMESBS2.exe
O4 - Global Startup: TMExLogon.lnk = C:\Program Files\TOSHIBA\TME\TMESRV.EXE
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {D1EA8D3D-F511-4388-B754-4A0CC14A4778} (Aurigma Image Uploader 3.0 Control) - http://www.eurofoto.no/activex/ImageUploader3.cab
O20 - Winlogon Notify: AutorunsDisabled - C:\WINNT\
O21 - SSODL: bQJrUvVutjY - {116B130D-BBC1-B9A7-FE99-BAAA524B8C58} - C:\WINNT\system32\uvr.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Software\antivir\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Software\antivir\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Software\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NILM License manager - Macrovision Corporation - C:\Software\NationalInstruments\shared\License Manager\Bin\lmgrd.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\nipsvc.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINNT\system32\niSvcLoc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Software\Norman2\NVC\BIN\Zanda.exe
O23 - Service: Network DRV (NTDRV) - Unknown owner - C:\WINNT\system32\netdrvr.exe (file missing)
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\SOFTWARE\NORMAN2\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\SOFTWARE\NORMAN2\Nvc\BIN\NVCSCHED.EXE
O23 - Service: THotkey (THOTKEY) - TOSHIBA Corp. - C:\WINNT\SYSTEM32\THOTKEY.EXE
O23 - Service: tmesbs2 (Tmesbs) - Toshiba Corporation - C:\WINNT\System32\Tmesbs2.exe
O23 - Service: Tmesrv - Unknown owner - C:\Program Files\TOSHIBA\TME\Tmesrv.exe" /Service (file missing)
-------------------------
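The log above is read by looking at load points and image locations rather than file names: the hijacked Start Page is a local HTML file in the drive root, Shell= starts a second program after explorer.exe, one BHO has no name, DLLs are registered under Winlogon Notify and SSODL, and several Run values point at files in the root of Program Files or of WINNT. The script below is an added example, not part of the original thread or of HijackThis; it parses lines copied from the log and applies those heuristics. It assumes the HijackThis v1.99 line layout shown above and takes the system root from the smss.exe process line; the reason strings and the cut-offs (eight hex characters, leading digit) are my own choices, not anything HijackThis does.

```python
"""Triage the autostart entries in a HijackThis (v1.99) log by load point
and image location instead of by file name. Tells seen in the log above:
images in a drive root, in the root of Program Files or of the system
folder, or under a profile folder; a Shell= value that starts more than
explorer.exe; an unnamed BHO; Winlogon Notify and SSODL DLLs; and a path
under a Windows folder that is not this machine's system root."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Running processes:
C:\WINNT\System32\smss.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINNT\SYSTEM32\winbrume.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Software\quickt\iTunesHelper.exe"
O4 - HKLM\..\Run: [SysTray] c:\Program Files\paytime.exe
O4 - HKLM\..\Run: [88cbae71.exe] C:\WINNT\system32\88cbae71.exe
O4 - HKLM\..\Run: [SystemLoader] C:\WINNT\sysldr32.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O20 - Winlogon Notify: 2006reg - C:\Documents and Settings\All Users\Documents\Settings\2006.dll
O21 - SSODL: bQJrUvVutjY - {116B130D-BBC1-B9A7-FE99-BAAA524B8C58} - C:\WINNT\system32\uvr.dll
O23 - Service: Network DRV (NTDRV) - Unknown owner - C:\WINNT\system32\netdrvr.exe (file missing)
"""

SECTION_RE = re.compile(r'^([RFO]\d+) - ')
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|scr|cpl|html?)', re.I)
SMSS_RE = re.compile(r'^([A-Za-z]:\\[^\\\r\n]+)\\System32\\smss\.exe\s*$', re.I | re.M)
OTHER_ROOT_RE = re.compile(r'^([A-Za-z]:\\win(?:nt|dows))\\', re.I)
HEX_RE = re.compile(r'^[0-9a-f]{8,}$', re.I)


@dataclass
class Finding:
    section: str   # HijackThis section code (R0, F2, O4, O20, ...)
    image: str     # image path named in the entry
    reasons: list  # why the entry was flagged


def system_root(log):
    """Derive the system root (e.g. C:\\WINNT) from the smss.exe process line."""
    m = SMSS_RE.search(log)
    return m.group(1) if m else None


def location_reasons(image, sysroot):
    """Heuristics on where the image lives and how it is named (my own cut-offs)."""
    parent, _, name = image.rpartition('\\')
    stem = name.rsplit('.', 1)[0]
    low = parent.lower()
    reasons = []
    if re.fullmatch(r'[a-z]:', low):
        reasons.append('image sits in the drive root')
    elif low.endswith(':\\program files'):
        reasons.append('image sits in the root of Program Files')
    elif sysroot and low == sysroot.lower():
        reasons.append('image sits in the root of ' + sysroot)
    elif '\\documents and settings\\' in low:
        reasons.append('image sits under a user profile')
    m = OTHER_ROOT_RE.match(image)
    if m and sysroot and m.group(1).lower() != sysroot.lower():
        reasons.append('path is under %s but the system root is %s' % (m.group(1), sysroot))
    if HEX_RE.match(stem):
        reasons.append('file name is a hex string')
    elif stem[:1].isdigit():
        reasons.append('file name starts with a digit')
    return reasons


def triage(log):
    """Return the entries worth a second look, each with its list of reasons."""
    sysroot = system_root(log)
    findings = []
    for line in log.splitlines():
        sm, pm = SECTION_RE.match(line), PATH_RE.search(line)
        if not (sm and pm):
            continue
        section, image = sm.group(1), pm.group(0)
        reasons = []
        if section == 'F2' and 'Shell=' in line and \
                line.split('Shell=', 1)[1].strip().lower() != 'explorer.exe':
            reasons.append('Shell= starts something besides explorer.exe')
        if section == 'O2' and '(no name)' in line:
            reasons.append('BHO registered without a name')
        if section in ('O20', 'O21'):
            reasons.append('logon-time DLL load point (%s)' % section)
        if '(file missing)' in line:
            reasons.append('registered image is no longer on disk')
        reasons += location_reasons(image, sysroot)
        if reasons:
            findings.append(Finding(section, image, reasons))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print('%-4s %s' % (f.section, f.image))
        for r in f.reasons:
            print('       - ' + r)
```

On the sample, the Acrobat BHO and iTunesHelper come through clean and the other ten entries are flagged. These are triage signals, not verdicts: a vendor tool dropped in the root of Program Files would be flagged too, and an unnamed BHO can be a broken uninstall, so each hit still needs the file looked at before it is fixed in HijackThis.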
CalamityJane
2006-05-06, 16:23
Wow, what a mess. :sick: For starters, you've had some very bad infections... with this one in particular, you need to be aware that your computer may have been compromised by an outside intruder.
Ibm00001.exe is associated with one of the many Torpig trojan variants:
http://www.sophos.com/virusinfo/analyses/search-results/?search=Ibm00001&action=search
You need to take any and all precautions to protect any accounts, passwords and sensitive data on that PC, as Torpig is a remote access trojan that allows an intruder to access the computer and often contains a keylogger and/or password stealer.
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451
What is a backdoor or remote access trojan?
Read this article.
Danger: Remote Access Trojans
http://www.microsoft.com/technet/security/alerts/info/virusrat.mspx
Let's start the cleanup with this:
Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip).
Unzip it to its own folder (c:\BFU).
RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover. Save it in the folder you made earlier (c:\BFU).
Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by double-clicking BFU.exe.
In the "Scriptline to execute" field, copy and paste c:\bfu\alcanshorty.bfu
Press Execute and let it do its job.
Wait for the complete script execution box to pop up and press OK.
Click "Save".
In "Filename" enter log.txt.
Click "Exit" to exit the BFU program.
Please copy the contents of the log.txt back here in your next reply. The log.txt will be in the C:\BFU\ folder ...
Thank you for your reply.
I did as you described, but the script only ran for a second and said complete. It seems it didn't do much. After executing it I got a general program error, maybe because of the virus. I also ran it in safe mode and then got no program error.
The log file was the same each time:
-----
BFU v1.00.9
Windows 2000 SP4 (WinNT 5.00.2195 SP4)
Script started at 22:58:56, on 07.05.2006
Script completed.
-----
If this is not how the log is supposed to look, there may be a problem with the virus. I get messages from the virus as soon as I start the PC.
Thanks,
Howie
CalamityJane
2006-05-08, 00:32
Ok, can you please scan and post a fresh HijackThis log?
Here is an updated HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 00:57:11, on 08.05.2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Software\antivir\AVWUPSRV.EXE
C:\WINNT\System32\cisvc.exe
C:\Software\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\netbtd.exe
C:\WINNT\system32\niSvcLoc.exe
C:\SOFTWARE\NORMAN2\Nvc\BIN\NPFSVICE.EXE
C:\Software\Norman2\NVC\BIN\Zanda.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\WINNT\System32\Tmesbs2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\TOSHIBA\TME\Tmesrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\S3tray.exe
C:\WINNT\system32\TPWRTRAY.EXE
C:\SOFTWARE\NORMAN2\Nvc\BIN\ZLH.EXE
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\WINNT\System32\Tdevdetect.exe
C:\Software\quickt\iTunesHelper.exe
C:\WINNT\System32\Tfunckey.exe
C:\WINNT\System32\Tpwricon.exe
C:\Program Files\phucmxse.exe
C:\WINNT\system32\kernels8.exe
C:\WINNT\system32\spoolsvv.exe
C:\WINNT\system32\intell321.exe
C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\dlh9jkdq2.exe
C:\WINNT\system32\dlh9jkdq7.exe
C:\WINNT\system32\maxd641.exe
C:\WINNT\system32\drwtsn32.exe
C:\Software\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Norman ZANDA] C:\SOFTWARE\NORMAN2\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [iTunesHelper] "C:\Software\quickt\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\phucmxse.exe
O4 - HKLM\..\Run: [System] C:\WINNT\system32\kernels8.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINNT\system32\spoolsvv.exe
O4 - HKLM\..\Run: [LJSMSUMkPSPKK\] C:\WINNT\system32\wzzhc.exe
O4 - HKLM\..\Run: [SystemLoader] C:\WINNT\sysldr32.exe
O4 - HKLM\..\Run: [intell321.exe] C:\WINNT\system32\intell321.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINNT\system32\kernels8.exe
O4 - HKLM\..\RunServices: [LJSMSUMkPSPKK\] C:\WINNT\system32\wzzhc.exe
O4 - HKLM\..\RunServices: [Z_[SVYYRSOI^W_`N] C:\WINNT\system32\xqyxyzyfbx.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - Global Startup: TSBxLogon.lnk = C:\WINNT\system32\TMESBS2.exe
O4 - Global Startup: TMExLogon.lnk = C:\Program Files\TOSHIBA\TME\TMESRV.EXE
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {D1EA8D3D-F511-4388-B754-4A0CC14A4778} (Aurigma Image Uploader 3.0 Control) - http://www.eurofoto.no/activex/ImageUploader3.cab
O20 - Winlogon Notify: 2006reg - C:\Documents and Settings\All Users\Documents\Settings\2006.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINNT\
O20 - Winlogon Notify: SensSrv - C:\WINNT\SYSTEM32\senssrv.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINNT\system32\dcom_16.dll
O21 - SSODL: bQJrUvVutjY - {116B130D-BBC1-B9A7-FE99-BAAA524B8C58} - C:\WINNT\system32\uvr.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Software\antivir\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Software\antivir\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Software\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NILM License manager - Macrovision Corporation - C:\Software\NationalInstruments\shared\License Manager\Bin\lmgrd.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\nipsvc.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINNT\system32\niSvcLoc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Software\Norman2\NVC\BIN\Zanda.exe
O23 - Service: Network DRV (NTDRV) - Unknown owner - C:\WINNT\system32\netdrvr.exe (file missing)
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\SOFTWARE\NORMAN2\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\SOFTWARE\NORMAN2\Nvc\BIN\NVCSCHED.EXE
O23 - Service: THotkey (THOTKEY) - TOSHIBA Corp. - C:\WINNT\SYSTEM32\THOTKEY.EXE
O23 - Service: tmesbs2 (Tmesbs) - Toshiba Corporation - C:\WINNT\System32\Tmesbs2.exe
O23 - Service: Tmesrv - Unknown owner - C:\Program Files\TOSHIBA\TME\Tmesrv.exe" /Service (file missing)
:spider: :spider: :spider:
CalamityJane
2006-05-10, 03:06
Please run through all the steps here:
http://forums.spybot.info/showthread.php?t=4015
You also need to get an online AV scan and let them fix or delete any problems found. Here are 3 free ones to choose from:
eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
(if prompted, please *allow* Active X and the install of software - this is needed to scan your system)
It will take a while to download the updates needed, and then you'll be presented with a screen to scan your system.
Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com
Panda's Active Scan
http://www.pandasoftware.com/products/activescan.htm
When done, please post back with the requested logs :)
:sick: Thank you for the reply.
I ran;
- SmitRem, which was installed by mistake instead of SmitfraudFix
- Ewido
Then I started over again with the right SmitfraudFix:
- SmitfraudFix
- Ewido
- Spybot
- HijackThis
The logs are below.
Thanks,
Howie
================================================================================
smitRem © log file
version 2.8
by noahdfear
Microsoft Windows 2000 [Version 5.00.2195]
The current date is: Thu 11.05.2006
The current time is: 0:27:22.62
Running from
C:\Software\smitRem
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pre-run SharedTask Export
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}"="DCOM Server"
"{4F141CBA-1457-6CCA-03A7-7AA21B61EA0F}"="OutPost FireWall"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}\InProcServer32]
@="C:\WINNT\system32\dcom_16.dll"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!
checking for WinHound.com key
WinHound.com key not present!
spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Existing Pre-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
Install.dat
~~~ Favorites ~~~
~~~ system32 folder ~~~
svcp.csv
winsub.xml
oleext.dll
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
warnhp.html
desktop.html
~~~ Drive root ~~~
secure32.html
winstall.exe
~~~ Miscellaneous Files/folders ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1068 'explorer.exe'
Killing PID 1068 'explorer.exe'
Error 0x5 : Access is denied.
Starting registry repairs
Registry repairs complete
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SharedTask Export after registry fix
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}"="DCOM Server"
"{4F141CBA-1457-6CCA-03A7-7AA21B61EA0F}"="OutPost FireWall"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}\InProcServer32]
@="C:\WINNT\system32\dcom_16.dll"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Deleting files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remaining Post-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
oleext.dll
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~ Wininet.dll ~~~
wininet.dll INFECTED!! :( Starting replacement procedure.
~~~~ Looking for C:\WINNT\system32\dllcache\wininet.dll ~~~~
~~~~ C:\WINNT\system32\dllcache\wininet.dll Present! ~~~~
~~~~ Checking dllcache\wininet.dll for infection ~~~~
~~~~ dllcache\wininet.dll Clean! ~~~~
~~~ Replaced wininet.dll from dllcache ~~~
================================================================================
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 09:49:11, 11.05.2006
+ Report-Checksum: 9B2F5034
+ Scan result:
[156] C:\WINNT\system32\senssrv.dll -> Downloader.Agent.afl : Cleaned with backup
C:\WINNT\SYSTEM32\netbtd.exe -> Backdoor.SdBot.aoz : Cleaned with backup
C:\WINNT\SYSTEM32\88cbae71.exe -> Downloader.Small.csn : Cleaned with backup
C:\WINNT\SYSTEM32\dcom_15.dll -> Proxy.Xmiler.a : Cleaned with backup
C:\WINNT\SYSTEM32\ib14.dll -> Logger.VB.mz : Cleaned with backup
C:\WINNT\SYSTEM32\uvr.dll -> Proxy.Agent.df : Cleaned with backup
C:\WINNT\SYSTEM32\0mcamcap.exe -> Proxy.Small.bo : Cleaned with backup
C:\WINNT\SYSTEM32\winbrume.dll -> Adware.BHO : Cleaned with backup
C:\WINNT\SYSTEM32\maxd641.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINNT\SYSTEM32\vxgamet1.exe -> Downloader.Agent.hy : Cleaned with backup
C:\WINNT\SYSTEM32\vxgamet2.exe -> Trojan.Small : Cleaned with backup
C:\WINNT\SYSTEM32\vxgame1.exe -> Backdoor.Bech : Cleaned with backup
C:\WINNT\SYSTEM32\vxgame2.exe -> Trojan.Small : Cleaned with backup
C:\WINNT\SYSTEM32\vxgame3.exe -> Trojan.Small : Cleaned with backup
C:\WINNT\SYSTEM32\vxgamet4.exe -> Trojan.Spabot.x : Cleaned with backup
C:\WINNT\SYSTEM32\vxgame4.exe -> Downloader.Small.ctk : Cleaned with backup
C:\WINNT\SYSTEM32\vxgame6.exe -> Downloader.Small.cug : Cleaned with backup
C:\WINNT\SYSTEM32\spoolsvv.exe -> Trojan.Spabot.x : Cleaned with backup
C:\WINNT\SYSTEM32\senssrv.dll -> Downloader.Agent.afl : Cleaned with backup
C:\WINNT\SYSTEM32\child.dll -> Downloader.Small.bug : Cleaned with backup
C:\WINNT\SYSTEM32\brmfrsmq.exe -> Proxy.Small.bo : Cleaned with backup
C:\WINNT\SYSTEM32\53a8b3b9.exe -> Downloader.Small.csn : Cleaned with backup
C:\WINNT\SYSTEM32\msvcrl.dll -> Worm.Locksky.ao : Cleaned with backup
C:\WINNT\SYSTEM32\sachostp.exe -> Trojan.Small.bh : Cleaned with backup
C:\WINNT\SYSTEM32\sachostc.exe -> Trojan.Small : Cleaned with backup
C:\WINNT\SYSTEM32\sachosts.exe -> Trojan.Small : Cleaned with backup
C:\WINNT\SYSTEM32\TheMatrixHasYou.exe -> Proxy.Small.bo : Cleaned with backup
C:\WINNT\SYSTEM32\dlh9jkdq2.exe -> Not-A-Virus.Hoax.Win32.Renos.ch : Cleaned with backup
C:\WINNT\SYSTEM32\dlh9jkdq6.exe -> Trojan.Small : Cleaned with backup
C:\WINNT\SYSTEM32\dlh9jkdq7.exe -> Trojan.Small : Cleaned with backup
C:\WINNT\SYSTEM32\qvxgamet3.exe -> Hijacker.BHO.d : Cleaned with backup
C:\WINNT\SYSTEM32\qvxgamet4.exe -> Proxy.Wopla.r : Cleaned with backup
C:\WINNT\SYSTEM32\intell321.exe -> Trojan.Small.ev : Cleaned with backup
C:\WINNT\SYSTEM32\mknurplcjlv.exe -> Worm.Bobic.ak : Cleaned with backup
C:\WINNT\file1.exe -> Dropper.Agent.ail : Cleaned with backup
C:\WINNT\comdlj32.dll -> Proxy.Agent.ji : Cleaned with backup
C:\WINNT\sysldr32.exe -> Downloader.Small.cpo : Cleaned with backup
C:\WINNT\sachostx.exe -> Worm.Locksky.ao : Cleaned with backup
C:\WINNT\uninstDsk.exe -> Trojan.Small.ev : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Application Data\88cbae71.exe -> Downloader.Small.csn : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Application Data\53a8b3b9.exe -> Downloader.Small.csn : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00013.dll -> Trojan.Sinowal.k : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00014.dll -> Trojan.Sinowal.i : Cleaned with backup
C:\Program Files\paytime.exe -> Hijacker.StartPage.adi : Cleaned with backup
C:\Program Files\phucmxse.exe -> Hijacker.StartPage.adi : Cleaned with backup
C:\Program Files\BraveSentry\BraveSentry0.dll -> Adware.Spysheriff : Cleaned with backup
C:\Program Files\BraveSentry\BraveSentry1.dll -> Adware.Spysheriff : Cleaned with backup
C:\Program Files\BraveSentry\BraveSentry2.dll -> Adware.Spysheriff : Cleaned with backup
C:\Program Files\BraveSentry\BraveSentry3.dll -> Adware.Spysheriff : Cleaned with backup
C:\Software\hijackthis\backups\backup-20060504-001258-722.dll -> Adware.BHO : Cleaned with backup
C:\kl1.exe -> Trojan.Sinowal.n : Cleaned with backup
C:\tool2.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\tool1.exe -> Downloader.Small.csn : Cleaned with backup
C:\tool4.exe -> Adware.BHO : Cleaned with backup
C:\tool5.exe -> Hijacker.Small.kr : Cleaned with backup
C:\mxgra.exe -> Trojan.Sinowal.d : Cleaned with backup
C:\vathyiqv.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\xrsj.exe -> Trojan.Sinowal.k : Cleaned with backup
C:\ejtuxpna.exe -> Downloader.Small.csn : Cleaned with backup
C:\ygbfwsx.exe -> Downloader.Small.ctf : Cleaned with backup
C:\yrkok.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
::Report End
================================================================================
SmitFraudFix v2.42
Scan done at 23:09:33.52, Thu 11.05.2006
Run from C:\Software\smithfraudfix\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195]
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» End
the rest of the log:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 22:42:37, 11.05.2006
+ Report-Checksum: FEFB7C8D
+ Scan result:
[156] C:\Documents and Settings\All Users\Documents\Settings\2006.dll -> Trojan.Agent.oh : Error during cleaning
::Report End
================================================================================
--- Search result list ---
Windows Security Center.AntiVirusOverride: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0
Windows Security Center.FirewallOverride: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride!=dword:0
Windows Security Center.FirewallDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0
Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0
Windows Security Center.UpdateDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2006-05-02 unins000.exe (51.41.0.0)
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-02-06 advcheck.dll (1.0.2.0)
2006-02-20 Tools.dll (2.0.0.2)
2006-05-02 Includes\Cookies.sbi (*)
2006-05-02 Includes\Dialer.sbi (*)
2006-05-02 Includes\Hijackers.sbi (*)
2006-05-02 Includes\Keyloggers.sbi (*)
2006-05-02 Includes\Malware.sbi (*)
2006-05-02 Includes\Revision.sbi (*)
2006-05-02 Includes\Security.sbi (*)
2006-05-02 Includes\Spybots.sbi (*)
2006-05-02 Includes\Trojans.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-05-02 Includes\PUPS.sbi (*)
--- System information ---
Windows 2000 (Build: 2195) Service Pack 4
/ DataAccess: Patch Available For XMLHTTP Vulnerability
/ DataAccess: Security Update for Microsoft Data Access Components
/ Windows 2000 / SP4: Windows 2000 Service Pack 4
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB329115
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB820888
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB822831
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB823182
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB823559
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB824105
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB824141
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB824146
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB825119
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB826232
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB828028
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB828035
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB828749
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB829558
/ Windows 2000 / SP5: Windows 2000 Hotfix (SP5) Q818043
/ Windows Media Player: Windows Media Player Hotfix [See Q828026 for more information]
/ Windows Media Player / SP0: Windows Media Player Hotfix [See Q828026 for more information]
--- Startup entries list ---
Located: HK_LM:Run, ACUMon
command: "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
file: C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
size: 364544
MD5: 612495556c82e4c85c920d6a8b78964b
Located: HK_LM:Run, iTunesHelper
command: "C:\Software\quickt\iTunesHelper.exe"
file: C:\Software\quickt\iTunesHelper.exe
size: 278528
MD5: a8cf3f60099eaa123db72611ce7be271
Located: HK_LM:Run, LJSMSUMkPSPKK\
command: C:\WINNT\system32\qbmmqjsqvcpwik.exe
file: C:\WINNT\system32\qbmmqjsqvcpwik.exe
size: 32364
MD5: 2cfe52ac93a0c9f739d5319508b67c39
Located: HK_LM:Run, NeroFilterCheck
command: C:\WINNT\system32\NeroCheck.exe
file: C:\WINNT\system32\NeroCheck.exe
size: 155648
MD5: 3e4c03cefad8de135263236b61a49c90
Located: HK_LM:Run, Norman ZANDA
command: C:\SOFTWARE\NORMAN2\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
file: C:\SOFTWARE\NORMAN2\Nvc\BIN\ZLH.EXE
size: 90112
MD5: ed56e42cfd7d53af4453c4253eaa17b0
Located: HK_LM:Run, S3TRAY
command: S3tray.exe
file: C:\WINNT\system32\S3tray.exe
size: 57856
MD5: 7c2766120401f41345c12eeed426d892
Located: HK_LM:Run, Synchronization Manager
command: mobsync.exe /logon
file: C:\WINNT\system32\mobsync.exe
size: 111376
MD5: 9b2f5b9e745deaaa57fb78329ed03061
Located: HK_LM:Run, SysTray
command: C:\Program Files\phucmxse.exe
file:
Located: HK_LM:Run, Tpwrtray
command: TPWRTRAY.EXE
file: C:\WINNT\system32\TPWRTRAY.EXE
size: 65536
MD5: 586f9abd320c40746bf43f3ee7a29cec
Located: HK_LM:Run, Z_[SVYYRSOI^W_`N
command: C:\WINNT\system32\onxjalddnczhip.exe
file:
Located: HK_LM:RunServices, LJSMSUMkPSPKK\
command: C:\WINNT\system32\qbmmqjsqvcpwik.exe
file: C:\WINNT\system32\qbmmqjsqvcpwik.exe
size: 32364
MD5: 2cfe52ac93a0c9f739d5319508b67c39
Located: HK_LM:RunServices, SystemTools
command: C:\WINNT\system32\kernels8.exe
file:
Located: HK_LM:RunServices, Z_[SVYYRSOI^W_`N
command: C:\WINNT\system32\onxjalddnczhip.exe
file:
Located: HK_CU:Run, PhotoShow Deluxe Media Manager
command: C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
file: C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
size: 212992
MD5: 917bafa5fc295611a401692f56da7829
Located: HK_CU:Run, Windows update loader
command: C:\Windows\xpupdate.exe
file:
Located: Startup (common), Acrobat Assistant.lnk
command: C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
file: C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
size: 82026
MD5: 21189b8f2d747b6981a54d5c5d554c8e
Located: Startup (common), Picture Package Menu.lnk
command: C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
file: C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
size: 151552
MD5: f15fcbb20fe82674f48a60a37e5ba45a
Located: Startup (common), TSBxLogon.lnk
command: C:\WINNT\system32\TMESBS2.exe
file: C:\WINNT\system32\TMESBS2.exe
size: 53248
MD5: e6229dc0fb3f68856fa62f93f7610601
Located: System.ini, 2006reg
command: C:\Documents and Settings\All Users\Documents\Settings\2006.dll
file: C:\Documents and Settings\All Users\Documents\Settings\2006.dll
size: 0
MD5: d41d8cd98f00b204e9800998ecf8427e ???
Located: System.ini, AutorunsDisabled
command:
file:
Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll
Located: System.ini, cryptnet
command: cryptnet.dll
file: cryptnet.dll
Located: System.ini, cscdll
command: cscdll.dll
file: cscdll.dll
Located: System.ini, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
Located: System.ini, SensLogn
command: WlNotify.dll
file: WlNotify.dll
Located: System.ini, wzcnotif
command: wzcdlg.dll
file: wzcdlg.dll
--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
BHO name:
CLSID name: AcroIEHlprObj Class
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx, AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\
Long name: AcroIEHelper.ocx
Short name: ACROIE~1.OCX
Date (created): 18.01.2006 21:04:26
Date (last access): 11.05.2006
Date (last write): 16.04.2001 16:39:02
Filesize: 37808
Attributes:
MD5: 8394ABFC1BE196A62C9F532511936DF7
CRC32: 71D6E350
Version: 1.0.0.1
--- ActiveX list ---
DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
Installer:
Codebase: file://C:\WINNT\Java\classes\dajava.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla
Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase: file://C:\WINNT\Java\classes\xmldso.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla
{30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class)
DPF name:
CLSID name: YInstStarter Class
Installer: C:\WINNT\Downloaded Program Files\yinst.inf
Codebase: http://download.yahoo.com/dl/installs/yinst0401.cab
description: Yahoo! Installation helper
classification: Legitimate
known filename: %SystemRoot%\Downloaded Program Files\yinsthelper.dll
info link:
info source: Patrick M. Kolla
Path: C:\WINNT\Downloaded Program Files\
Long name: yinsthelper.dll
Short name: YINSTH~1.DLL
Date (created): 26.01.2004 18:40:04
Date (last access): 11.05.2006
Date (last write): 26.01.2004 18:40:04
Filesize: 133120
Attributes: archive
MD5: E1FBF33D995C89583A36F461EC2879FF
CRC32: 1592E04B
Version: 2004.1.26.1
{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2)
DPF name: Java Runtime Environment 1.4.2
CLSID name: Java Plug-in 1.4.2_04
Installer:
Codebase: http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\j2re1.4.2_04\bin\
Long name: NPJPI142_04.dll
Short name: NPJPI1~1.DLL
Date (created): 22.02.2068 23:44:46
Date (last access): 11.05.2006
Date (last write): 22.02.2004 23:44:42
Filesize: 65650
Attributes: archive
MD5: 2BCA54CB6A12A5EFBF922C0C1856F30D
CRC32: 3D4A4E94
Version: 1.4.2.40
{9F1C11AA-197B-4942-BA54-47A8489BB47F} ()
DPF name:
CLSID name:
Installer: C:\WINNT\Downloaded Program Files\iuctl.inf
Codebase: http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38029.2046990741
description: Windows Update
classification: Legitimate
known filename: %WINDIR%\System32\iuctl.dll,iuengine.dll
info link:
info source: Patrick M. Kolla
{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.4.2)
DPF name: Java Runtime Environment 1.4.2
CLSID name: Java Plug-in 1.4.2_04
Installer:
Codebase: http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
description: Java Runtime Environment 1.4.2
classification: Legitimate
known filename: %ProgramFiles%\Java\j2re1.4.2_01\bin\NPJPI142_04.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\j2re1.4.2_04\bin\
Long name: NPJPI142_04.dll
Short name: NPJPI1~1.DLL
Date (created): 22.02.2068 23:44:46
Date (last access): 11.05.2006
Date (last write): 22.02.2004 23:44:42
Filesize: 65650
Attributes: archive
MD5: 2BCA54CB6A12A5EFBF922C0C1856F30D
CRC32: 3D4A4E94
Version: 1.4.2.40
{D1EA8D3D-F511-4388-B754-4A0CC14A4778} (Aurigma Image Uploader 3.0 Control)
DPF name:
CLSID name: Aurigma Image Uploader 3.0 Control
Installer: C:\WINNT\Downloaded Program Files\ImageUploader3.inf
Codebase: http://www.eurofoto.no/activex/ImageUploader3.cab
Path: C:\WINNT\Downloaded Program Files\
Long name: ImageUploader3.ocx
Short name: IMAGEU~1.OCX
Date (created): 05.09.2005 16:11:34
Date (last access): 11.05.2006
Date (last write): 05.09.2005 16:11:34
Filesize: 1896448
Attributes: archive
MD5: D1C3ED13BA9A16F65EFF6F2154358238
CRC32: 489AAD45
Version: 3.5.98.1
{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINNT\Downloaded Program Files\swflash.inf
Codebase: http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINNT\system32\Macromed\Flash\
Long name: Flash8.ocx
Short name: FLASH8.OCX
Date (created): 27.08.2005 13:38:56
Date (last access): 11.05.2006
Date (last write): 27.08.2005 13:38:56
Filesize: 1435272
Attributes: archive
MD5: 900373C059C2B51CA91BF110DBDECB33
CRC32: F19599BC
Version: 8.0.22.0
--- Process list ---
PID: 0 ( 0) [System]
PID: 108 ( 8) \SystemRoot\System32\smss.exe
PID: 136 ( 108) \??\C:\WINNT\system32\csrss.exe
PID: 156 ( 108) \??\C:\WINNT\system32\winlogon.exe
PID: 184 ( 156) C:\WINNT\system32\services.exe
size: 89360
MD5: CFED2D28F5B8A24127E9E06043070643
PID: 196 ( 156) C:\WINNT\system32\lsass.exe
size: 33552
MD5: 271229760CCED993E9E7CAB1C7274134
PID: 324 ( 184) C:\WINNT\system32\svchost.exe
size: 7952
MD5: 9E64AD53CFD9DA2D22E8A924F8C6E62C
PID: 376 ( 184) C:\WINNT\System32\WBEM\WinMgmt.exe
size: 196706
MD5: 05B2001E1BC653FD6091E741B46F71B4
PID: 480 ( 488) C:\WINNT\Explorer.EXE
size: 243472
MD5: 59CF2B7DCED9111F48F51B4B570E672D
PID: 508 ( 480) C:\Software\Spybot - Search & Destroy\TeaTimer.exe
size: 1415824
MD5: 70496EEE0DDBE485F658693826F44D38
PID: 468 ( 480) C:\Software\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09CA174A605B480318731E691DC98539
PID: 8 ( 0) System
PID: 292 ( 156) iexplore.exe
--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 11.05.2006 23:02:57
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
about:blank
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://search.msn.com/spbasic.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
Rest of the log:
--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Irda [IrDA]
GUID: {3972523D-2AF1-11D1-B655-00805F3642CC}
Filename: %SystemRoot%\system32\msafd.dll
Description: Infrared protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Irda [IrDA]
Protocol 1: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 2: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 3: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 4: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 5: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D2B45DAB-B957-41C1-9679-7436DB0BB03B}] SEQPACKET 9
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D2B45DAB-B957-41C1-9679-7436DB0BB03B}] DATAGRAM 9
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{23CEADFF-0F83-4655-8600-C54520302702}] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{23CEADFF-0F83-4655-8600-C54520302702}] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4943086B-B1E2-41AB-820A-90A01A87426E}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4943086B-B1E2-41AB-820A-90A01A87426E}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{70A45175-E4B6-42B2-84E2-4885F05E6D19}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{70A45175-E4B6-42B2-84E2-4885F05E6D19}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{DE826DE2-667D-47EA-8D63-116B69520B47}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{DE826DE2-667D-47EA-8D63-116B69520B47}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{406F021E-93A3-4D34-AE82-2346D9DE57BF}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{406F021E-93A3-4D34-AE82-2346D9DE57BF}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{6456A99E-055A-4D8D-81C4-9A0202184F1F}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip_{6456A99E-055A-4D8D-81C4-9A0202184F1F}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 20: MSAFD NetBIOS [\Device\NetBT_Tcpip_{095E3418-6515-4A13-A8F7-413020E17DFB}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 21: MSAFD NetBIOS [\Device\NetBT_Tcpip_{095E3418-6515-4A13-A8F7-413020E17DFB}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 22: MSAFD NetBIOS [\Device\NetBT_Tcpip_{93336D74-403A-456B-B8E5-CC7902CF7564}] SEQPACKET 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 23: MSAFD NetBIOS [\Device\NetBT_Tcpip_{93336D74-403A-456B-B8E5-CC7902CF7564}] DATAGRAM 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 24: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B7633015-602B-4E80-98B8-07508BC8692E}] SEQPACKET 8
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 25: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B7633015-602B-4E80-98B8-07508BC8692E}] DATAGRAM 8
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\rnr20.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP
Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS
--- Uninstall list ---
Ad-Aware SE Personal 1.06 (Ad-Aware SE Personal)
uninstall cmd: C:\SOFTWARE\AD-AWA~1\UNWISE.EXE C:\SOFTWARE\AD-AWA~1\INSTALL.LOG
publisher: Lavasoft
help link: http://www.lavasoft.com
(AddressBook)
Adobe Acrobat 5.0 5.0 (Adobe Acrobat 5.0)
version (major): 5
install location: C:\Program Files\Adobe\Acrobat 5.0
install source: D:\Acrobat 5\
uninstall cmd: C:\WINNT\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
publisher: Adobe Systems, Inc.
help link: http://www.adobe.com/prodindex/acrobat/main.html
AntiVir/XP (AntiVir/XP)
uninstall cmd: C:\Software\antivir\AVUNINST.EXE
publisher: H+BEDV Datentechnik GmbH
comments: -
contact: Support Forum
help link: http://www.free-av.de/forum
(Branding)
CDBurnerXP Pro (CDBurnerXP Pro )
uninstall cmd: C:\WINNT\iun6002.exe "C:\Software\cdburnerpro\irunin.ini"
Cisco Aironet Installation Wizard (CiscoInstallWizard)
uninstall cmd: C:\WINNT\Cisco\DInstall\IWSetup.exe /cp
(Connection Manager)
(DirectAnimation)
(DirectDrawEx)
DVDExpress (DVD Express A/V Pak)
uninstall cmd: C:\WINNT\IsUninst.exe -f"C:\Program Files\Mediamatics\DVDExpress\Uninst.isu" -c"C:\Program Files\Mediamatics\DVDExpress\mydll.dll"
(DXM_Runtime)
ewido anti-malware (ewidoantimalware)
install location: C:\Software\ewido anti-malware
uninstall cmd: C:\Software\ewido anti-malware\Uninstall.exe
publisher: ewido networks
help link: http://www.ewido.net
(expinst)
(Fontcore)
HijackThis 1.99.1 1.99.1 (HijackThis)
uninstall cmd: C:\Software\hijackthis\HijackThis.exe /uninstall
publisher: Soeperman Enterprises Ltd.
HP Photo Printing Software (HP Photo Printing Software)
uninstall cmd: C:\WINNT\IsUninst.exe -f"C:\Program Files\Hewlett-Packard\Photo Printing\Uninstall.isu" -c"C:\Program Files\Hewlett-Packard\Photo Printing\hpiunPC.dll
HP PSC 1400 series (HP PSC 1400 series_Driver)
uninstall cmd: rundll32 hpzcon12.dll,VendorJettison HP PSC 1400 series
hp psc 900 series - 2 (hp psc 900 series 1088493051)
uninstall cmd: C:\WINNT\system32\hpocon07.exe /u 1088493051 /d "hp psc 900 series"
(ICW)
Microsoft Internet Explorer 6 SP1 (IE40)
uninstall cmd: rundll32 C:\WINNT\system32\setupwbv.dll,IE6Maintenance C:\Program Files\Internet Explorer\IE Uninstall\W2KEXCP.EXE /u
(IE4Data)
(IE5BAKEX)
(IEData)
(IEREADME)
Internet Explorer Q832894 (ieupdate)
uninstall cmd: C:\WINNT\ieuninst.exe C:\WINNT\INF\Q832894.inf
(InstallShield Uninstall Information)
iTunes 6.0.2.23 (InstallShield_{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5})
version: 100663298
version (major): 6
estimated size: 34088
install date: 20060103
install location: C:\Software\quickt\
install source: C:\WINNT\Downloaded Installations\{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5}\
uninstall cmd: C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5} /l1033
publisher: Apple Computer, Inc.
contact: AppleCare Support
help link: http://www.info.apple.com/
help telephone: 1-800-275-2273
QuickTime 7.0.4 (InstallShield_{929408E6-D265-4174-805F-81D1D914E2A4})
version: 117440516
version (major): 7
estimated size: 68179
install date: 20060103
install location: C:\Program Files\QuickTime\
install source: C:\DOCUME~1\Bruker\LOCALS~1\Temp\_is6F\
uninstall cmd: C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{929408E6-D265-4174-805F-81D1D914E2A4} /l1033
publisher: Apple Computer, Inc.
contact: AppleCare Support
help link: http://www.info.apple.com/
help telephone: 1-800-275-2273
Windows 2000 Hotfix - KB329115 20031024.155236 (KB329115)
uninstall cmd: C:\WINNT\$NtUninstallKB329115$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=329115
Windows 2000 Hotfix - KB820888 20030604.152521 (KB820888)
uninstall cmd: C:\WINNT\$NtUninstallKB820888$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=820888
Windows 2000 Hotfix - KB822831 20030611.114034 (KB822831)
uninstall cmd: C:\WINNT\$NtUninstallKB822831$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=822831
Windows 2000 Hotfix - KB823182 20030618.121409 (KB823182)
uninstall cmd: C:\WINNT\$NtUninstallKB823182$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=823182
Windows 2000 Hotfix - KB823559 20030627.135515 (KB823559)
uninstall cmd: C:\WINNT\$NtUninstallKB823559$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=823559
Windows 2000 Hotfix - KB824105 20030716.151320 (KB824105)
uninstall cmd: C:\WINNT\$NtUninstallKB824105$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=824105
Windows 2000 Hotfix - KB824141 20030805.151423 (KB824141)
uninstall cmd: C:\WINNT\$NtUninstallKB824141$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=824141
Windows 2000 Hotfix - KB824146 20030823.144456 (KB824146)
uninstall cmd: C:\WINNT\$NtUninstallKB824146$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=824146
Windows 2000 Hotfix - KB825119 20030827.151123 (KB825119)
uninstall cmd: C:\WINNT\$NtUninstallKB825119$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=825119
Windows 2000 Hotfix - KB826232 20031007.160553 (KB826232)
uninstall cmd: C:\WINNT\$NtUninstallKB826232$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=826232
Windows 2000 Hotfix - KB828028 20040122.114409 (KB828028)
uninstall cmd: C:\WINNT\$NtUninstallKB828028$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=828028
Windows 2000 Hotfix - KB828035 20031023.142138 (KB828035)
uninstall cmd: C:\WINNT\$NtUninstallKB828035$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=828035
Windows 2000 Hotfix - KB828749 20031023.124056 (KB828749)
uninstall cmd: C:\WINNT\$NtUninstallKB828749$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=828749
Windows 2000 Hotfix - KB829558 20030929.142857 (KB829558)
uninstall cmd: C:\WINNT\$NtUninstallKB829558$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=829558
Rest of the log:
(Microsoft NetShow Player 2.0)
(MobileOptionPack)
(MPlayer2)
(MsJavaVM)
(Nero - Burning Rom!UninstallKey)
uninstall cmd: C:\Software\nero\nero\uninstall\UNNERO.exe /UNINSTALL
Nero PhotoShow Express 3.0 (Nero PhotoShow Express)
version (major): 3
install location: C:\Software\nero\Nero PhotoShow\Nero PhotoShow Express.exe
uninstall cmd: "C:\Software\nero\Nero PhotoShow\data\Xtras\Uninstall.exe"
publisher: Simple Star, Inc.
help link: http://www.simplestar.com/support
Nero Suite (NeroMultiInstaller!UninstallKey)
uninstall cmd: C:\Program Files\Common Files\Nero\Uninstall\Setupx.exe /uninstall ExtraUninstallID=""
(NeroVision!UninstallKey)
uninstall cmd: C:\WINNT\UNNeroVision.exe /UNINSTALL
(NetMeeting)
National Instruments Software (NI Uninstaller)
uninstall cmd: "C:\Software\NationalInstruments\shared\NIUninstaller\uninst.exe"
help link: http://www.ni.com/support/
(NMPUninstallKey)
uninstall cmd: C:\WINNT\UNNMP.exe /UNINSTALL
Outlook Express Update Q330994 (oeupdate)
uninstall cmd: C:\WINNT\Q330994.exe C:\WINNT\INF\Q330994.inf
op (op)
uninstall cmd: C:\SOFTWARE\op\UNINST\unwise.exe C:\SOFTWARE\op\UNINST\INSTALL.LOG
Opera (Opera)
uninstall cmd: C:\SOFTWARE\op\UNINST\UNWISE.EXE C:\SOFTWARE\op\UNINST\Install.log
(OutlookExpress)
Paint Shop Pro 5.0 Evaluation (Paint Shop Pro 5.0 Evaluation)
uninstall cmd: C:\SOFTWARE\PAINTS~1\UNWISE.EXE C:\SOFTWARE\PAINTS~1\INSTALL.LOG
Windows 2000 Hotfix (SP5) Q818043 20030501.174006 (Q818043)
uninstall cmd: C:\WINNT\$NtUninstallQ818043$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=818043
Windows Media Player Hotfix [See Q828026 for more information] (Q828026)
uninstall cmd: C:\WINNT\$NtUninstallQ828026$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=828026
S3 Gamma Utility (S3 Gamma)
uninstall cmd: s3uninst.exe GammaUninstall.NT 5 s3savmx.inf
S3DuoView+ Utility (S3DUOVUE)
uninstall cmd: s3uninst.exe S3DuovueUninstall.NT 5 s3savmx.inf
(SchedulingAgent)
Macromedia Flash Player 8 8 (ShockwaveFlash)
uninstall cmd: RunDll32 advpack.dll,LaunchINFSection C:\WINNT\INF\swflash.inf,DefaultUninstall,5
publisher: Macromedia
help link: http://www.macromedia.com/go/flashplayer_support/
Spybot - Search & Destroy 1.4 1.4 (Spybot - Search & Destroy_is1)
install location: C:\Software\Spybot - Search & Destroy\
uninstall cmd: "C:\Software\Spybot - Search & Destroy\unins000.exe"
publisher: Safer Networking Limited
TOSHIBA Display Power Save (TDPSV)
uninstall cmd: C:\WINNT\IsUninst.exe -f"C:\Program Files\TDPSV\Uninst.isu"
TextPad 4 (TextPad 4)
uninstall cmd: C:\WINNT\IsUninst.exe -fc:\software\texpad\Uninst.isu
Toshiba Mobile Extension V1.00.03.00 (TME)
uninstall cmd: C:\WINNT\IsUninst.exe -f"C:\Program Files\TOSHIBA\TME\Uninst.isu" -c"C:\Program Files\TOSHIBA\TME\uninst.dll"
Toshiba Internal Modem User's Guide (Toshiba Modem Manual)
uninstall cmd: C:\WINNT\IsUninst.exe -fC:\Toshiba\Manuals\UnInstUOM.isu
Toshiba User's Manual (Toshiba Online Manual)
uninstall cmd: C:\WINNT\IsUninst.exe -fC:\Toshiba\Manuals\UnInstModem.isu
TOSHIBA Power Extension2 (TOSHIBA Power Extension2)
uninstall cmd: TPWRDEL.EXE
TOSHIBA Utilities (TOSHIBA Utilities)
uninstall cmd: tutildel.exe
Total Commander (Remove or Repair) (Totalcmd)
uninstall cmd: c:\System\Tc603\tcuninst.exe
WinZip (WinZip)
uninstall cmd: "C:\Software\WinZip8\WINZIP32.EXE" /uninstall
Systemoppdatering for Windows Media Player (9 Series) (WMP7)
uninstall cmd: C:\PROGRA~1\WINDOW~2\setup_wm.exe /Uninstall
XoftSpy (XoftSpy)
uninstall cmd: C:\Software\XoftSpy\uninstall.exe
Yahoo! Toolbar (Yahoo! Companion)
uninstall cmd: rundll32.exe C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\YCOMP5~1.DLL,DllCommand ui
Yahoo! Internet Mail (Yahoo! Internet Mail)
uninstall cmd: C:\WINNT\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
Yahoo! Messenger Explorer Bar (Yahoo! Messenger Explorer Bar)
uninstall cmd: C:\WINNT\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\MESSEN~1\YHEXBM~1.DLL
Microsoft Office 2000 SR-1 Premium 9.00.3821 ({00000409-78E1-11D2-B60F-006097C998E7})
version: 150998765
version (major): 9
estimated size: 240290
install date: 20040405
install source: D:\
uninstall cmd: MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
publisher: Microsoft Corporation
help link: http://www.microsoft.com/support
readme: C:\Program Files\Microsoft Office\Office\ofread9.txt
NI LabVIEW Advanced Analysis 7.0 Evaluation 7.0 ({09CBDFA4-59FF-4143-B7B5-DFD8E6431886})
version: 117440512
version (major): 7
estimated size: 50419
install date: 20040616
install source: D:\components\lvadvanalysis\
publisher: National Instruments
Picture Package 1.00.000 ({1E2F8AE3-3437-44E6-BB75-E95751D6B83F})
version: 16777216
install location: C:\Program Files\Sony Corporation\Picture Package
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1E2F8AE3-3437-44E6-BB75-E95751D6B83F}\setup.exe" -l0x9 UNINSTALL
YAMAHA DS-XG WDM ({3E0B8A20-B239-11D3-9850-00C04F7AC096})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3E0B8A20-B239-11D3-9850-00C04F7AC096}\setup.exe" maintenance
Microsoft Windows Journal Viewer 1.5.2315.3 ({43DCF766-6838-4F9A-8C91-D92DA586DFA7})
version: 17107211
version (major): 1
version (minor): 5
estimated size: 6962
install date: 20040212
install source: C:\DOCUME~1\Bruker\LOCALS~1\Temp\IXP000.TMP\
uninstall cmd: MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
publisher: Microsoft
comments: A viewer for Windows Journal documents.
contact: Microsoft
NI Uninstaller 1.1.1f1 1.11.20 ({4BEC2867-0BF7-4A87-B459-003E3F20AFB1})
version: 17498132
version (major): 1
version (minor): 11
estimated size: 1068
install date: 20040616
install source: D:\components\mu\
publisher: National Instruments
Macromedia Flash Player 7.0.14.0 ({4ecaf021-478c-40c1-b777-3368a15f9966})
version: 117440526
version (major): 7
estimated size: 2
install date: 20060103
install source: C:\DOCUME~1\Bruker\LOCALS~1\Temp\{4FFADF71-9FD0-41C5-A690-D2E39D8C29FA}\{1E2F8AE3-3437-44E6-BB75-E95751D6B83F}\
uninstall cmd: MsiExec.exe /X{4ecaf021-478c-40c1-b777-3368a15f9966}
publisher: Macromedia, Inc.
iTunes 6.0.2.23 ({501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5})
version: 100663298
version (major): 6
estimated size: 34088
install date: 20060103
install location: C:\Software\quickt\
install source: C:\WINNT\Downloaded Installations\{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5}\
publisher: Apple Computer, Inc.
contact: AppleCare Support
help link: http://www.info.apple.com/
help telephone: 1-800-275-2273
NI LabVIEW Run-Time Engine 7.1 7.1.157 ({518930BE-7875-4547-B026-20B92F695781})
version: 117506205
version (major): 7
version (minor): 1
estimated size: 67584
install date: 20040722
install source: C:\Wfa\Programs\RTEngine71\
publisher: National Instruments
({5B239A98-4222-4D8C-AF38-1A8EC07F956B})
Sony USB Driver ({5C29CB8B-AC1E-4114-8D68-9CD080140D4A})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALL
({5D0930A0-1033-433A-8BB9-602665550DD0})
({6041B9C1-775E-4C6A-AECE-70C39CAED90A})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6041B9C1-775E-4C6A-AECE-70C39CAED90A}\SETUP.EXE"
NI LabVIEW Picture Control Toolkit 7.0 Evaluation 7.0 ({6B786922-F93C-4C99-B6CA-66DD0C4B88CA})
version: 117440512
version (major): 7
estimated size: 5061
install date: 20040616
install source: D:\components\lvpicture\
publisher: National Instruments
WebFldrs 9.00.3501 ({6F716D8C-398F-11D3-85E1-005004838609})
version: 150998445
version (major): 9
estimated size: 2644
install date: 20000308
install source: C:\WINNT\System32\
publisher: Microsoft Corporation
help link: http://www.microsoft.com/windows
Java 2 Runtime Environment, SE v1.4.2_04 1.4.2_04 ({7148F0A8-6813-11D6-A77B-00B0D0142040})
version (major): 1
version (minor): 4
estimated size: 110144
install date: 20040617
install source: C:\Documents and Settings\Bruker\Local Settings\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142040}\
uninstall cmd: MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142040}
publisher: Sun Microsystems, Inc.
comments: http://www.java.com
contact: http://www.java.com
help link: http://www.java.com
help telephone: http://www.java.com
readme: Readme.txt
NI LVBrokerAux70 1.0.03013 ({735AF21E-5436-4780-88F7-B5508F043A40})
version: 16780229
version (major): 1
estimated size: 178
install date: 20040616
install source: D:\components\lvbrokeraux70\
publisher: National Instruments
NI LabVIEW Run-Time Engine 7.0 7.0 ({73D3BADE-EC2F-4A5C-8F80-CB68AB704FF3})
version: 117440512
version (major): 7
estimated size: 30522
install date: 20040616
install source: D:\components\lvruntimeeng\
publisher: National Instruments
HP Share-to-Web ({748F4870-8350-11D3-B0BF-080009FB4A19})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{748F4870-8350-11D3-B0BF-080009FB4A19}\setup.exe" %MAIN -l9
Norman Internet Control ({74C8BF56-6618-49AA-98BA-862223900CBF})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Software\Norman2\NVC\BIN\DelNVC5.exe"
QuickTime 7.0.4 ({929408E6-D265-4174-805F-81D1D914E2A4})
version: 117440516
version (major): 7
estimated size: 68179
install date: 20060103
install location: C:\Program Files\QuickTime\
install source: C:\DOCUME~1\Bruker\LOCALS~1\Temp\_is6F\
publisher: Apple Computer, Inc.
contact: AppleCare Support
help link: http://www.info.apple.com/
help telephone: 1-800-275-2273
({B6CB604F-CC59-480B-90FB-C15E80FB81A2})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B6CB604F-CC59-480B-90FB-C15E80FB81A2}\Setup.exe"
Sony Ericsson PC Suite 1.0.16 ({C037D08B-4883-491D-9329-DC5ACA90F797})
version: 16777232
version (major): 1
estimated size: 117233
install date: 20060103
install location: C:\Program Files\Sony Ericsson\Mobile\
install source: C:\WINNT\Downloaded Installations\{66D8C376-87FE-4A10-A39A-2D775C361BDC}\
uninstall cmd: MsiExec.exe /I{C037D08B-4883-491D-9329-DC5ACA90F797}
publisher: Sony Ericsson
contact: Sony Ericsson Technical Support
help link: http://www.sonyericsson.com
help telephone: 1-555-555-4505
NI LabVIEW Full 7.0 Evaluation 7.0 ({C1B6247F-F7D2-4246-A23D-93ADB787D2D3})
version: 117440512
version (major): 7
estimated size: 38567
install date: 20040616
install source: D:\components\lvcorefull\
publisher: National Instruments
({C75C9B85-4D7B-4E8B-8BDB-60C737610C2D})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C75C9B85-4D7B-4E8B-8BDB-60C737610C2D}\Setup.exe"
Microsoft .NET Framework 1.1 1.1.4322 ({CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1})
version: 16847074
version (major): 1
version (minor): 1
estimated size: 40392
install date: 20040212
install source: C:\DOCUME~1\Bruker\LOCALS~1\Temp\IXP000.TMP\
uninstall cmd: MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
publisher: Microsoft
readme: file://C:\WINNT\Microsoft.NET\Framework\v1.1.4322\1033\RepairRedist.htm
1.00.0000 ({CBE9E8B5-95B3-4E24-A5CA-55503502DFCB})
version: 16777216
version (major): 1
estimated size: 235922
install date: 20040629
install source: D:\Setup\
uninstall cmd: MsiExec.exe /X{CBE9E8B5-95B3-4E24-A5CA-55503502DFCB}
publisher: Hewlett-Packard
comments:
contact:
help link: http://www.officejetsupport.com
help telephone:
readme:
NI LabVIEW 7.0 Evaluation 7.0.0.140 ({CD93514F-7048-4DE7-BC20-8A867CD75C9A})
version: 117440512
version (major): 7
estimated size: 194579
install date: 20040616
install source: D:\components\lvcore\
publisher: National Instruments
({E01ADB17-4514-401F-ADE2-815946A651D6})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E01ADB17-4514-401F-ADE2-815946A651D6}\Setup.exe"
NI LVBroker 1.0.03013 ({E7BAFF4D-D4B0-4508-A370-743D49EFC28F})
version: 16780229
version (major): 1
estimated size: 78
install date: 20040616
install source: D:\components\lvbroker\
publisher: National Instruments
NI LabVIEW Service Locator 1.0 1.0.0 ({EC60B018-251A-47E7-A838-CECB70AE46EF})
version: 16777216
version (major): 1
estimated size: 86
install date: 20040616
install source: D:\components\svcloc\
publisher: National Instruments
help link: http://www.ni.com/support/
NI LabVIEW CIN Tools 7.0 Evaluation 7.0 ({F1311DB3-6734-4B4B-8F93-962BABB2F4C6})
version: 117440512
version (major): 7
estimated size: 1621
install date: 20040616
install source: D:\components\lvcin\
publisher: National Instruments
NI Instrument IO Assistant for LabVIEW 7.0 1.0.03013 ({FD950A83-5FA5-47F2-B0B1-296023420CB1})
version: 16780229
version (major): 1
estimated size: 280
install date: 20040616
install source: D:\components\lv70iioa\
publisher: National Instruments
Rest of the log:
Logfile of HijackThis v1.99.1
Scan saved at 23:16:49, on 11.05.2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Software\antivir\AVWUPSRV.EXE
C:\WINNT\System32\cisvc.exe
C:\Software\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\niSvcLoc.exe
C:\SOFTWARE\NORMAN2\Nvc\BIN\NPFSVICE.EXE
C:\Software\Norman2\NVC\BIN\Zanda.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\WINNT\System32\Tmesbs2.exe
C:\Program Files\TOSHIBA\TME\Tmesrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\S3tray.exe
C:\WINNT\system32\TPWRTRAY.EXE
C:\SOFTWARE\NORMAN2\Nvc\BIN\ZLH.EXE
C:\WINNT\System32\Tdevdetect.exe
C:\WINNT\System32\Tfunckey.exe
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\WINNT\System32\Tpwricon.exe
C:\Software\quickt\iTunesHelper.exe
C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Software\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Norman ZANDA] C:\SOFTWARE\NORMAN2\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [iTunesHelper] "C:\Software\quickt\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LJSMSUMkPSPKK\] C:\WINNT\system32\wehcalohrsaxdb.exe
O4 - HKLM\..\Run: [Z_[SVYYRSOI^W_`N] C:\WINNT\system32\onxjalddnczhip.exe
O4 - HKLM\..\RunServices: [LJSMSUMkPSPKK\] C:\WINNT\system32\wehcalohrsaxdb.exe
O4 - HKLM\..\RunServices: [Z_[SVYYRSOI^W_`N] C:\WINNT\system32\onxjalddnczhip.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - Global Startup: TSBxLogon.lnk = C:\WINNT\system32\TMESBS2.exe
O4 - Global Startup: TMExLogon.lnk = C:\Program Files\TOSHIBA\TME\TMESRV.EXE
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {D1EA8D3D-F511-4388-B754-4A0CC14A4778} (Aurigma Image Uploader 3.0 Control) - http://www.eurofoto.no/activex/ImageUploader3.cab
O20 - Winlogon Notify: 2006reg - C:\Documents and Settings\All Users\Documents\Settings\2006.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINNT\
O21 - SSODL: bQJrUvVutjY - {116B130D-BBC1-B9A7-FE99-BAAA524B8C58} - C:\WINNT\system32\uvr.dll (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Software\antivir\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Software\antivir\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Software\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINNT\system32\netbtd.exe (file missing)
O23 - Service: NILM License manager - Macrovision Corporation - C:\Software\NationalInstruments\shared\License Manager\Bin\lmgrd.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\nipsvc.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINNT\system32\niSvcLoc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Software\Norman2\NVC\BIN\Zanda.exe
O23 - Service: Network DRV (NTDRV) - Unknown owner - C:\WINNT\system32\netdrvr.exe (file missing)
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\SOFTWARE\NORMAN2\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\SOFTWARE\NORMAN2\Nvc\BIN\NVCSCHED.EXE
O23 - Service: THotkey (THOTKEY) - TOSHIBA Corp. - C:\WINNT\SYSTEM32\THOTKEY.EXE
O23 - Service: tmesbs2 (Tmesbs) - Toshiba Corporation - C:\WINNT\System32\Tmesbs2.exe
O23 - Service: Tmesrv - Unknown owner - C:\Program Files\TOSHIBA\TME\Tmesrv.exe" /Service (file missing)
CalamityJane
2006-05-15, 20:58
You know this computer was completely compromised with Remote access trojans (quite a few of them). I hope you took my precautions in my first reply seriously.
After following the HijackThis instructions below, you need an antivirus scan, as some of the SDbot worms on there are antivirus killers and may have damaged or disabled the one installed on your computer. Here is a free one you can download, update and use as an on-demand scanner; it might do a good bit more cleanup (be sure to get updates before scanning)
BitDefender8 Free Edition:
http://www.bitdefender.com/PRODUCT-14-en--BitDefender-8-Free-Edition.html
I would also recommend a free online AV scan at one or more of the following:
eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
(if prompted, please *allow* Active X and the install of software - this is needed to scan your system)
It will take a while to download the updates needed, and then you'll be presented with a screen to scan your system.
Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com
Panda's Active Scan
http://www.pandasoftware.com/products/activescan.htm
.............................
Did you let Spybot fix all the items it found? You probably need to scan again with that too to make sure it was able to fix all that it found.
...............................
Now, open Hijackthis and do a *scan only*. When it finishes, place a checkmark next to these entries and then press *fix checked*
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [LJSMSUMkPSPKK\] C:\WINNT\system32\wehcalohrsaxdb.exe
O4 - HKLM\..\Run: [Z_[SVYYRSOI^W_`N] C:\WINNT\system32\onxjalddnczhip.exe
O4 - HKLM\..\RunServices: [LJSMSUMkPSPKK\] C:\WINNT\system32\wehcalohrsaxdb.exe
O4 - HKLM\..\RunServices: [Z_[SVYYRSOI^W_`N] C:\WINNT\system32\onxjalddnczhip.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O20 - Winlogon Notify: 2006reg - C:\Documents and Settings\All Users\Documents\Settings\2006.dll
O21 - SSODL: bQJrUvVutjY - {116B130D-BBC1-B9A7-FE99-BAAA524B8C58} - C:\WINNT\system32\uvr.dll (file missing)
O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINNT\system32\netbtd.exe (file missing)
O23 - Service: Network DRV (NTDRV) - Unknown owner - C:\WINNT\system32\netdrvr.exe (file missing)
Please download the Killbox by Option^Explicit.
http://www.geekstogo.com/modules.php?modid=5&action=download&id=4
* Save it to your desktop.
* Run Killbox.exe.
* Select "Delete on Reboot".
* Copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C
C:\Documents and Settings\All Users\Documents\Settings\2006.dll
C:\WINNT\system32\wehcalohrsaxdb.exe
C:\WINNT\system32\onxjalddnczhip.exe
* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. If your computer does not restart automatically, please restart it manually.
When you're all done, I'll need a fresh HijackThis log and do try to save the details of any of the AV scans. A new Spybot log would be good as well.
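The entries CalamityJane picked out above follow a handful of recognisable patterns. The script below is an added example (not part of the thread, not HijackThis and not the helper's own tooling) that encodes those patterns as triage rules for a HijackThis v1.99 log: it derives the real Windows directory from the smss.exe process line, then flags IE pages pointing outside it, a missing URLSearchHook, Run values with garbage names, RunServices entries, the O15 zone change, Winlogon Notify DLLs outside system32, and orphaned "(file missing)" entries. The sample log is a constructed subset of lines copied from the logs posted in this thread.

```python
"""Triage a HijackThis v1.99 log with the rules a helper applies by eye.

Added example for this thread; it is not part of HijackThis and not the
helper's own tooling. The heuristics are derived from the entries the
helper told the poster to fix.
"""
import re

# Constructed sample: a handful of lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Running processes:
C:\WINNT\System32\smss.exe
C:\Software\quickt\iTunesHelper.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [iTunesHelper] "C:\Software\quickt\iTunesHelper.exe"
O4 - HKLM\..\Run: [LJSMSUMkPSPKK\] C:\WINNT\system32\wehcalohrsaxdb.exe
O4 - HKLM\..\RunServices: [Z_[SVYYRSOI^W_`N] C:\WINNT\system32\onxjalddnczhip.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O20 - Winlogon Notify: 2006reg - C:\Documents and Settings\All Users\Documents\Settings\2006.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINNT\
O21 - SSODL: bQJrUvVutjY - {116B130D-BBC1-B9A7-FE99-BAAA524B8C58} - C:\WINNT\system32\uvr.dll (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Software\antivir\AVGUARD.EXE
O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINNT\system32\netbtd.exe (file missing)
"""

# The smss.exe process line reveals the real Windows directory (C:\WINNT on this box).
SMSS_RE = re.compile(r"^(?P<windir>[A-Za-z]:\\[^\\]+)\\System32\\smss\.exe$", re.IGNORECASE)
# O4 - HKLM\..\Run: [value name] command
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>.*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
R_RE = re.compile(r"^R[01] - .* = (?P<value>.*)$")
# Legitimate Run value names are product names: letters, digits, spaces, a little punctuation.
SAFE_NAME_RE = re.compile(r"[\w .()-]+")
LOCAL_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def windows_dir(lines):
    """Return the Windows directory taken from the smss.exe process line, or None."""
    for line in lines:
        m = SMSS_RE.match(line.rstrip())
        if m:
            return m.group("windir")
    return None


def under(path, directory):
    """True if path lies inside directory (case-insensitive, Windows style)."""
    return path.lower().startswith(directory.lower().rstrip("\\") + "\\")


def triage(log_text):
    """Return [(line, [reasons])] for every entry a helper would mark 'fix checked'."""
    lines = [l.rstrip() for l in log_text.splitlines()]
    windir = windows_dir(lines)
    findings = []
    for line in lines:
        reasons = []
        if "(file missing)" in line:
            reasons.append("autostart points to a file that no longer exists (orphan left by a deletion)")
        m = R_RE.match(line)
        if m and windir and LOCAL_PATH_RE.match(m.group("value")) and not under(m.group("value"), windir):
            reasons.append(f"IE page set to a local file outside the real Windows directory {windir}")
        if line.startswith("R3 - ") and "is missing" in line:
            reasons.append("default URLSearchHook removed, a common hijacker side effect")
        m = O4_RE.match(line)
        if m:
            if not SAFE_NAME_RE.fullmatch(m.group("name")):
                reasons.append("Run value name is random garbage, not a product name")
            if m.group("key").lower() == "runservices":
                reasons.append("RunServices is a Windows 9x-era key; nothing legitimate on Windows 2000 registers there")
        if line.startswith("O15 - ") and "should be" in line:
            reasons.append("web protocol mapped into the My Computer zone, which strips IE's Internet restrictions")
        m = O20_RE.match(line)
        if m and windir and m.group("path").lower().endswith(".dll") \
                and not under(m.group("path"), windir + r"\system32"):
            reasons.append("Winlogon Notify DLL outside system32 loads into winlogon.exe (SYSTEM) at every logon")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(entry)
        for reason in why:
            print("    ->", reason)
```

The rules are deliberately conservative: the benign iTunesHelper Run value, the Autoruns placeholder under O20 and the AntiVir service pass, while the eight entries the helper listed are flagged with their reason.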
Thank you for the reply.
- Ran HijackThis, saved log
the entries with wehcalohrsaxdb.exe were not there, but the following instead:
O4 - HKLM\..\Run: [LJSMSUMkPSPKK\] C:\WINNT\system32\bbpzxh.exe
O4 - HKLM\..\RunServices: [LJSMSUMkPSPKK\] C:\WINNT\system32\bbpzxh.exe
- Ran HijackThis, marked all including the two above, saved log
this entry was still there:
O20 - Winlogon Notify: 2006reg - C:\Documents and Settings\All Users\Documents\Settings\2006.dll (file missing)
- Ran HijackThis again and checked the "2006.dll" entry, saved log
the "2006.dll" was gone
- Ran Killbox
- Ran Spybot, saved log
- Ran HijackThis again after the reboot, the following appeared again:
O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINNT\system32\netbtd.exe (file missing)
O23 - Service: Network DRV (NTDRV) - Unknown owner - C:\WINNT\system32\netdrvr.exe (file missing)
The infected computer has not been connected to the internet since the infection, only to receive updates for virus programs. I use a different computer to download the software. The CA free online AV requires Microsoft IE so I have not run it yet as the viruses have seemed to come alive each time I connect with IE.
The computer still has some suspicious files on it, including:
C:\krrdw.exe
C:\blon.exe
C:\wqgyqbc.exe
C:\uhskp.exe
C:\uhskp.exe
C:\kfwydip.exe
C:\fmc.exe
C:\WINNT\file3.exe
C:\WINNT\file2.exe
C:\WINNT\SYSTEM32\sachostm.exe
C:\WINNT\SYSTEM32\bbpzxh.exe
The virus may also have done other damage. When I run the Task manager, only the Processes are shown, the two other tabs with programs and resources are not there.
Thanks,
Howie
--------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 21:57:26, on 15.05.2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Software\antivir\AVWUPSRV.EXE
C:\WINNT\System32\cisvc.exe
C:\Software\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\niSvcLoc.exe
C:\SOFTWARE\NORMAN2\Nvc\BIN\NPFSVICE.EXE
C:\Software\Norman2\NVC\BIN\Zanda.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\WINNT\System32\Tmesbs2.exe
C:\Program Files\TOSHIBA\TME\Tmesrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\S3tray.exe
C:\WINNT\system32\TPWRTRAY.EXE
C:\SOFTWARE\NORMAN2\Nvc\BIN\ZLH.EXE
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\Software\quickt\iTunesHelper.exe
C:\WINNT\System32\Tdevdetect.exe
C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
C:\WINNT\System32\Tfunckey.exe
C:\WINNT\System32\Tpwricon.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Software\hijackthis\HijackThis.exe
C:\Program Files\iPod\bin\iPodService.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Norman ZANDA] C:\SOFTWARE\NORMAN2\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [iTunesHelper] "C:\Software\quickt\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LJSMSUMkPSPKK\] C:\WINNT\system32\bbpzxh.exe
O4 - HKLM\..\Run: [Z_[SVYYRSOI^W_`N] C:\WINNT\system32\onxjalddnczhip.exe
O4 - HKLM\..\RunServices: [LJSMSUMkPSPKK\] C:\WINNT\system32\bbpzxh.exe
O4 - HKLM\..\RunServices: [Z_[SVYYRSOI^W_`N] C:\WINNT\system32\onxjalddnczhip.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - Global Startup: TSBxLogon.lnk = C:\WINNT\system32\TMESBS2.exe
O4 - Global Startup: TMExLogon.lnk = C:\Program Files\TOSHIBA\TME\TMESRV.EXE
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {D1EA8D3D-F511-4388-B754-4A0CC14A4778} (Aurigma Image Uploader 3.0 Control) - http://www.eurofoto.no/activex/ImageUploader3.cab
O20 - Winlogon Notify: 2006reg - C:\Documents and Settings\All Users\Documents\Settings\2006.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINNT\
O21 - SSODL: bQJrUvVutjY - {116B130D-BBC1-B9A7-FE99-BAAA524B8C58} - C:\WINNT\system32\uvr.dll (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Software\antivir\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Software\antivir\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Software\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINNT\system32\netbtd.exe (file missing)
O23 - Service: NILM License manager - Macrovision Corporation - C:\Software\NationalInstruments\shared\License Manager\Bin\lmgrd.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\nipsvc.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINNT\system32\niSvcLoc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Software\Norman2\NVC\BIN\Zanda.exe
O23 - Service: Network DRV (NTDRV) - Unknown owner - C:\WINNT\system32\netdrvr.exe (file missing)
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\SOFTWARE\NORMAN2\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\SOFTWARE\NORMAN2\Nvc\BIN\NVCSCHED.EXE
O23 - Service: THotkey (THOTKEY) - TOSHIBA Corp. - C:\WINNT\SYSTEM32\THOTKEY.EXE
O23 - Service: tmesbs2 (Tmesbs) - Toshiba Corporation - C:\WINNT\System32\Tmesbs2.exe
O23 - Service: Tmesrv - Unknown owner - C:\Program Files\TOSHIBA\TME\Tmesrv.exe" /Service (file missing)
--------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 22:08:03, on 15.05.2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Software\antivir\AVWUPSRV.EXE
C:\WINNT\System32\cisvc.exe
C:\Software\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\niSvcLoc.exe
C:\SOFTWARE\NORMAN2\Nvc\BIN\NPFSVICE.EXE
C:\Software\Norman2\NVC\BIN\Zanda.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\WINNT\System32\Tmesbs2.exe
C:\Program Files\TOSHIBA\TME\Tmesrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\S3tray.exe
C:\WINNT\system32\TPWRTRAY.EXE
C:\SOFTWARE\NORMAN2\Nvc\BIN\ZLH.EXE
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\Software\quickt\iTunesHelper.exe
C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
C:\WINNT\System32\Tdevdetect.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\WINNT\System32\Tfunckey.exe
C:\WINNT\System32\Tpwricon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Software\hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Norman ZANDA] C:\SOFTWARE\NORMAN2\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [iTunesHelper] "C:\Software\quickt\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - Global Startup: TSBxLogon.lnk = C:\WINNT\system32\TMESBS2.exe
O4 - Global Startup: TMExLogon.lnk = C:\Program Files\TOSHIBA\TME\TMESRV.EXE
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D1EA8D3D-F511-4388-B754-4A0CC14A4778} (Aurigma Image Uploader 3.0 Control) - http://www.eurofoto.no/activex/ImageUploader3.cab
O20 - Winlogon Notify: 2006reg - C:\Documents and Settings\All Users\Documents\Settings\2006.dll (file missing)
O20 - Winlogon Notify: AutorunsDisabled - C:\WINNT\
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Software\antivir\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Software\antivir\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Software\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINNT\system32\netbtd.exe (file missing)
O23 - Service: NILM License manager - Macrovision Corporation - C:\Software\NationalInstruments\shared\License Manager\Bin\lmgrd.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\nipsvc.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINNT\system32\niSvcLoc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Software\Norman2\NVC\BIN\Zanda.exe
O23 - Service: Network DRV (NTDRV) - Unknown owner - C:\WINNT\system32\netdrvr.exe (file missing)
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\SOFTWARE\NORMAN2\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\SOFTWARE\NORMAN2\Nvc\BIN\NVCSCHED.EXE
O23 - Service: THotkey (THOTKEY) - TOSHIBA Corp. - C:\WINNT\SYSTEM32\THOTKEY.EXE
O23 - Service: tmesbs2 (Tmesbs) - Toshiba Corporation - C:\WINNT\System32\Tmesbs2.exe
O23 - Service: Tmesrv - Unknown owner - C:\Program Files\TOSHIBA\TME\Tmesrv.exe" /Service (file missing)
--------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 22:14:11, on 15.05.2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Software\antivir\AVWUPSRV.EXE
C:\WINNT\System32\cisvc.exe
C:\Software\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\niSvcLoc.exe
C:\SOFTWARE\NORMAN2\Nvc\BIN\NPFSVICE.EXE
C:\Software\Norman2\NVC\BIN\Zanda.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\WINNT\System32\Tmesbs2.exe
C:\Program Files\TOSHIBA\TME\Tmesrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\S3tray.exe
C:\WINNT\system32\TPWRTRAY.EXE
C:\SOFTWARE\NORMAN2\Nvc\BIN\ZLH.EXE
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\Software\quickt\iTunesHelper.exe
C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
C:\WINNT\System32\Tdevdetect.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\WINNT\System32\Tfunckey.exe
C:\WINNT\System32\Tpwricon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Software\hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Norman ZANDA] C:\SOFTWARE\NORMAN2\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [iTunesHelper] "C:\Software\quickt\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - Global Startup: TSBxLogon.lnk = C:\WINNT\system32\TMESBS2.exe
O4 - Global Startup: TMExLogon.lnk = C:\Program Files\TOSHIBA\TME\TMESRV.EXE
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D1EA8D3D-F511-4388-B754-4A0CC14A4778} (Aurigma Image Uploader 3.0 Control) - http://www.eurofoto.no/activex/ImageUploader3.cab
O20 - Winlogon Notify: AutorunsDisabled - C:\WINNT\
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Software\antivir\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Software\antivir\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Software\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINNT\system32\netbtd.exe (file missing)
O23 - Service: NILM License manager - Macrovision Corporation - C:\Software\NationalInstruments\shared\License Manager\Bin\lmgrd.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\nipsvc.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINNT\system32\niSvcLoc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Software\Norman2\NVC\BIN\Zanda.exe
O23 - Service: Network DRV (NTDRV) - Unknown owner - C:\WINNT\system32\netdrvr.exe (file missing)
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\SOFTWARE\NORMAN2\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\SOFTWARE\NORMAN2\Nvc\BIN\NVCSCHED.EXE
O23 - Service: THotkey (THOTKEY) - TOSHIBA Corp. - C:\WINNT\SYSTEM32\THOTKEY.EXE
O23 - Service: tmesbs2 (Tmesbs) - Toshiba Corporation - C:\WINNT\System32\Tmesbs2.exe
O23 - Service: Tmesrv - Unknown owner - C:\Program Files\TOSHIBA\TME\Tmesrv.exe" /Service (file missing)
--------------------------------------------------
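Triage of the O4 and O23 entries above, as an added example (not part of the posted log, and not code from HijackThis): a Python parser for the HijackThis 1.99 O4 (Run / Startup) and O23 (Service) line formats that flags Run entries whose executable is given without a path, and service entries whose binary is reported "(file missing)" or whose publisher is "Unknown owner". The flags are leads for manual checking, not verdicts: the Toshiba Tmesrv entry is flagged only because of the stray quote and argument in its ImagePath, and the Norman entries only because their binaries carry no company name in their version info. The sample lines are copied from the log above; the reason strings are this example's own wording.

```python
"""Triage helper for HijackThis 1.99.x O4 and O23 log lines.

Added example; not part of the posted log or of HijackThis itself.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# O23 - Service: <display name (ServiceName)> - <owner> - <image path>[ (file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# O4 - HKLM\..\Run: [<value name>] <command line>
O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)
# O4 - Global Startup: <shortcut>.lnk = <target>
O4_STARTUP_RE = re.compile(
    r"^O4 - (?P<folder>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.+)$"
)


@dataclass
class Finding:
    line: str
    reasons: Tuple[str, ...]


def executable_of(cmd: str) -> str:
    """Program part of a Run command line: the quoted token if quoted, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else cmd


def is_unqualified(exe: str) -> bool:
    """True when no directory is given, so Windows picks the file via its search order."""
    return "\\" not in exe and ":" not in exe


def check_o4(line: str) -> Optional[Finding]:
    """Flag Run/Startup entries whose program is not given with a full path."""
    m = O4_RUN_RE.match(line) or O4_STARTUP_RE.match(line)
    if not m:
        return None
    if is_unqualified(executable_of(m.group("cmd"))):
        return Finding(line, ("executable given without a path; confirm which file "
                              "the search order actually runs",))
    return None


def check_o23(line: str) -> Optional[Finding]:
    """Flag service entries with a missing binary or no publisher in version info."""
    m = O23_RE.match(line)
    if not m:
        return None
    reasons = []
    if m.group("missing"):
        reasons.append("service binary reported missing (orphaned entry, or an ImagePath "
                       "with quotes/arguments that HijackThis could not resolve)")
    if m.group("owner").strip().lower() == "unknown owner":
        reasons.append("no publisher in the binary's version info")
    return Finding(line, tuple(reasons)) if reasons else None


def triage(log_lines: Iterable[str]) -> List[Finding]:
    """Return the lines worth a second look, those with the most reasons first."""
    findings: List[Finding] = []
    for raw in log_lines:
        line = raw.strip()
        for check in (check_o4, check_o23):
            found = check(line)
            if found:
                findings.append(found)
    findings.sort(key=lambda f: len(f.reasons), reverse=True)  # stable sort keeps log order within a tier
    return findings


# Sample input: lines copied verbatim from the HijackThis log posted above.
SAMPLE_HJT_LINES = [
    r"O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon",
    r"O4 - HKLM\..\Run: [Norman ZANDA] C:\SOFTWARE\NORMAN2\Nvc\BIN\ZLH.EXE /LOAD /SPLASH",
    r"O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe",
    r"O4 - Global Startup: TSBxLogon.lnk = C:\WINNT\system32\TMESBS2.exe",
    r"O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Software\antivir\AVGUARD.EXE",
    r"O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINNT\system32\netbtd.exe (file missing)",
    r"O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\nipsvc.exe",
    r"O23 - Service: Network DRV (NTDRV) - Unknown owner - C:\WINNT\system32\netdrvr.exe (file missing)",
    r'O23 - Service: Tmesrv - Unknown owner - C:\Program Files\TOSHIBA\TME\Tmesrv.exe" /Service (file missing)',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LINES):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

On the sample, the three services with a missing binary come out first (NetBTD, NTDRV, Tmesrv), then the bare `mobsync.exe` Run entry and the Norman helper service; the AntiVir service and the fully pathed Run entries produce nothing. Whether a flagged entry is malicious still has to be settled by checking the file on disk (or its absence) and the service's ImagePath in the registry.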
Log continues:
--- Search result list ---
Windows Security Center.AntiVirusOverride: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0
Windows Security Center.FirewallOverride: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride!=dword:0
Windows Security Center.FirewallDisableNotify: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0
Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0
Windows Security Center.UpdateDisableNotify: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2006-05-02 unins000.exe (51.41.0.0)
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-02-06 advcheck.dll (1.0.2.0)
2006-02-20 Tools.dll (2.0.0.2)
2006-05-02 Includes\Cookies.sbi (*)
2006-05-02 Includes\Dialer.sbi (*)
2006-05-02 Includes\Hijackers.sbi (*)
2006-05-02 Includes\Keyloggers.sbi (*)
2006-05-02 Includes\Malware.sbi (*)
2006-05-02 Includes\Revision.sbi (*)
2006-05-02 Includes\Security.sbi (*)
2006-05-02 Includes\Spybots.sbi (*)
2006-05-02 Includes\Trojans.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-05-02 Includes\PUPS.sbi (*)
--- System information ---
Windows 2000 (Build: 2195) Service Pack 4
/ DataAccess: Patch Available For XMLHTTP Vulnerability
/ DataAccess: Security Update for Microsoft Data Access Components
/ Windows 2000 / SP4: Windows 2000 Service Pack 4
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB329115
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB820888
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB822831
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB823182
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB823559
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB824105
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB824141
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB824146
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB825119
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB826232
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB828028
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB828035
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB828749
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB829558
/ Windows 2000 / SP5: Windows 2000 Hotfix (SP5) Q818043
/ Windows Media Player: Windows Media Player Hotfix [See Q828026 for more information]
/ Windows Media Player / SP0: Windows Media Player Hotfix [See Q828026 for more information]
--- Startup entries list ---
Located: HK_LM:Run, ACUMon
command: "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
file: C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
size: 364544
MD5: 612495556c82e4c85c920d6a8b78964b
Located: HK_LM:Run, iTunesHelper
command: "C:\Software\quickt\iTunesHelper.exe"
file: C:\Software\quickt\iTunesHelper.exe
size: 278528
MD5: a8cf3f60099eaa123db72611ce7be271
Located: HK_LM:Run, NeroFilterCheck
command: C:\WINNT\system32\NeroCheck.exe
file: C:\WINNT\system32\NeroCheck.exe
size: 155648
MD5: 3e4c03cefad8de135263236b61a49c90
Located: HK_LM:Run, Norman ZANDA
command: C:\SOFTWARE\NORMAN2\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
file: C:\SOFTWARE\NORMAN2\Nvc\BIN\ZLH.EXE
size: 90112
MD5: ed56e42cfd7d53af4453c4253eaa17b0
Located: HK_LM:Run, S3TRAY
command: S3tray.exe
file: C:\WINNT\system32\S3tray.exe
size: 57856
MD5: 7c2766120401f41345c12eeed426d892
Located: HK_LM:Run, Synchronization Manager
command: mobsync.exe /logon
file: C:\WINNT\system32\mobsync.exe
size: 111376
MD5: 9b2f5b9e745deaaa57fb78329ed03061
Located: HK_LM:Run, Tpwrtray
command: TPWRTRAY.EXE
file: C:\WINNT\system32\TPWRTRAY.EXE
size: 65536
MD5: 586f9abd320c40746bf43f3ee7a29cec
Located: HK_CU:Run, PhotoShow Deluxe Media Manager
command: C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
file: C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
size: 212992
MD5: 917bafa5fc295611a401692f56da7829
Located: Startup (common), Acrobat Assistant.lnk
command: C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
file: C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
size: 82026
MD5: 21189b8f2d747b6981a54d5c5d554c8e
Located: Startup (common), Picture Package Menu.lnk
command: C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
file: C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
size: 151552
MD5: f15fcbb20fe82674f48a60a37e5ba45a
Located: Startup (common), TMExLogon.lnk
command: C:\Program Files\TOSHIBA\TME\TMESRV.EXE
file: C:\Program Files\TOSHIBA\TME\TMESRV.EXE
size: 64000
MD5: 79ae37395205daee97f1b7888bc07f77
Located: Startup (common), TSBxLogon.lnk
command: C:\WINNT\system32\TMESBS2.exe
file: C:\WINNT\system32\TMESBS2.exe
size: 53248
MD5: e6229dc0fb3f68856fa62f93f7610601
Located: System.ini, AutorunsDisabled
command:
file:
Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll
Located: System.ini, cryptnet
command: cryptnet.dll
file: cryptnet.dll
Located: System.ini, cscdll
command: cscdll.dll
file: cscdll.dll
Located: System.ini, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
Located: System.ini, SensLogn
command: WlNotify.dll
file: WlNotify.dll
Located: System.ini, wzcnotif
command: wzcdlg.dll
file: wzcdlg.dll
--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
BHO name:
CLSID name: AcroIEHlprObj Class
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx, AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\
Long name: AcroIEHelper.ocx
Short name: ACROIE~1.OCX
Date (created): 18.01.2006 21:04:26
Date (last access): 15.05.2006
Date (last write): 16.04.2001 16:39:02
Filesize: 37808
Attributes:
MD5: 8394ABFC1BE196A62C9F532511936DF7
CRC32: 71D6E350
Version: 1.0.0.1
--- ActiveX list ---
DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
Installer:
Codebase: file://C:\WINNT\Java\classes\dajava.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla
Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase: file://C:\WINNT\Java\classes\xmldso.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla
{30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class)
DPF name:
CLSID name: YInstStarter Class
Installer: C:\WINNT\Downloaded Program Files\yinst.inf
Codebase: http://download.yahoo.com/dl/installs/yinst0401.cab
description: Yahoo! Installation helper
classification: Legitimate
known filename: %SystemRoot%\Downloaded Program Files\yinsthelper.dll
info link:
info source: Patrick M. Kolla
Path: C:\WINNT\Downloaded Program Files\
Long name: yinsthelper.dll
Short name: YINSTH~1.DLL
Date (created): 26.01.2004 18:40:04
Date (last access): 15.05.2006
Date (last write): 26.01.2004 18:40:04
Filesize: 133120
Attributes: archive
MD5: E1FBF33D995C89583A36F461EC2879FF
CRC32: 1592E04B
Version: 2004.1.26.1
{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2)
DPF name: Java Runtime Environment 1.4.2
CLSID name: Java Plug-in 1.4.2_04
Installer:
Codebase: http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\j2re1.4.2_04\bin\
Long name: NPJPI142_04.dll
Short name: NPJPI1~1.DLL
Date (created): 22.02.2068 23:44:46
Date (last access): 11.05.2006
Date (last write): 22.02.2004 23:44:42
Filesize: 65650
Attributes: archive
MD5: 2BCA54CB6A12A5EFBF922C0C1856F30D
CRC32: 3D4A4E94
Version: 1.4.2.40
{9F1C11AA-197B-4942-BA54-47A8489BB47F} ()
DPF name:
CLSID name:
Installer: C:\WINNT\Downloaded Program Files\iuctl.inf
Codebase: http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38029.2046990741
description: Windows Update
classification: Legitimate
known filename: %WINDIR%\System32\iuctl.dll,iuengine.dll
info link:
info source: Patrick M. Kolla
{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.4.2)
DPF name: Java Runtime Environment 1.4.2
CLSID name: Java Plug-in 1.4.2_04
Installer:
Codebase: http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
description: Java Runtime Environment 1.4.2
classification: Legitimate
known filename: %ProgramFiles%\Java\j2re1.4.2_01\bin\NPJPI142_04.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\j2re1.4.2_04\bin\
Long name: NPJPI142_04.dll
Short name: NPJPI1~1.DLL
Date (created): 22.02.2068 23:44:46
Date (last access): 15.05.2006
Date (last write): 22.02.2004 23:44:42
Filesize: 65650
Attributes: archive
MD5: 2BCA54CB6A12A5EFBF922C0C1856F30D
CRC32: 3D4A4E94
Version: 1.4.2.40
{D1EA8D3D-F511-4388-B754-4A0CC14A4778} (Aurigma Image Uploader 3.0 Control)
DPF name:
CLSID name: Aurigma Image Uploader 3.0 Control
Installer: C:\WINNT\Downloaded Program Files\ImageUploader3.inf
Codebase: http://www.eurofoto.no/activex/ImageUploader3.cab
Path: C:\WINNT\Downloaded Program Files\
Long name: ImageUploader3.ocx
Short name: IMAGEU~1.OCX
Date (created): 05.09.2005 16:11:34
Date (last access): 11.05.2006
Date (last write): 05.09.2005 16:11:34
Filesize: 1896448
Attributes: archive
MD5: D1C3ED13BA9A16F65EFF6F2154358238
CRC32: 489AAD45
Version: 3.5.98.1
{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINNT\Downloaded Program Files\swflash.inf
Codebase: http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINNT\system32\Macromed\Flash\
Long name: Flash8.ocx
Short name: FLASH8.OCX
Date (created): 27.08.2005 13:38:56
Date (last access): 11.05.2006
Date (last write): 27.08.2005 13:38:56
Filesize: 1435272
Attributes: archive
MD5: 900373C059C2B51CA91BF110DBDECB33
CRC32: F19599BC
Version: 8.0.22.0
--- Process list ---
PID: 0 ( 0) [System]
PID: 156 ( 8) \SystemRoot\System32\smss.exe
PID: 180 ( 156) \??\C:\WINNT\system32\csrss.exe
PID: 200 ( 156) \??\C:\WINNT\system32\winlogon.exe
PID: 228 ( 200) C:\WINNT\system32\services.exe
size: 89360
MD5: CFED2D28F5B8A24127E9E06043070643
PID: 240 ( 200) C:\WINNT\system32\lsass.exe
size: 33552
MD5: 271229760CCED993E9E7CAB1C7274134
PID: 388 ( 228) C:\WINNT\system32\svchost.exe
size: 7952
MD5: 9E64AD53CFD9DA2D22E8A924F8C6E62C
PID: 452 ( 228) C:\WINNT\System32\svchost.exe
size: 7952
MD5: 9E64AD53CFD9DA2D22E8A924F8C6E62C
PID: 504 ( 228) C:\WINNT\system32\spoolsv.exe
size: 45328
MD5: 987DAF317B917CFC973DE8364D62A76C
PID: 528 ( 228) C:\Software\antivir\AVWUPSRV.EXE
size: 36864
MD5: DD57D2F0C9C0D9E98B6ACE6799E67626
PID: 544 ( 228) C:\WINNT\System32\cisvc.exe
size: 5392
MD5: 2830A2C82270F387265DFA658656EB99
PID: 564 ( 228) C:\Software\ewido anti-malware\ewidoctrl.exe
size: 13888
MD5: 26830B750372AB1BF29C95DEEBEB802F
PID: 616 ( 228) C:\WINNT\system32\hidserv.exe
size: 19728
MD5: 58CD2730E2BAC2E58D32D65B2B042020
PID: 640 ( 228) C:\WINNT\system32\niSvcLoc.exe
size: 49152
MD5: 96D71A62EF92FDC09409F45D541E9F8E
PID: 656 ( 228) C:\SOFTWARE\NORMAN2\Nvc\BIN\NPFSVICE.EXE
size: 65536
MD5: DD45DA5C722DCEAE4A63226607C245D3
PID: 672 ( 228) C:\Software\Norman2\NVC\BIN\Zanda.exe
size: 282624
MD5: 64715BAA0D7281CE3FAF346199C6EA70
PID: 724 ( 228) C:\WINNT\system32\MSTask.exe
size: 119568
MD5: 00D8C428B2D6DFFCABEB859BC69F632B
PID: 752 ( 228) C:\WINNT\system32\stisvc.exe
size: 61712
MD5: B75235626B950FF821146555C612F814
PID: 800 ( 228) C:\WINNT\SYSTEM32\THOTKEY.EXE
size: 28672
MD5: 494701127D3E961D55D5F9C4F5105261
PID: 824 ( 228) C:\WINNT\System32\Tmesbs2.exe
size: 53248
MD5: E6229DC0FB3F68856FA62F93F7610601
PID: 844 ( 228) C:\Program Files\TOSHIBA\TME\Tmesrv.exe
size: 64000
MD5: 79AE37395205DAEE97F1B7888BC07F77
PID: 876 ( 228) C:\WINNT\System32\WBEM\WinMgmt.exe
size: 196706
MD5: 05B2001E1BC653FD6091E741B46F71B4
PID: 924 ( 228) C:\WINNT\system32\svchost.exe
size: 7952
MD5: 9E64AD53CFD9DA2D22E8A924F8C6E62C
PID: 988 ( 968) C:\WINNT\Explorer.EXE
size: 243472
MD5: 59CF2B7DCED9111F48F51B4B570E672D
PID: 1076 ( 988) C:\WINNT\system32\S3tray.exe
size: 57856
MD5: 7C2766120401F41345C12EEED426D892
PID: 1084 ( 988) C:\WINNT\system32\TPWRTRAY.EXE
size: 65536
MD5: 586F9ABD320C40746BF43F3EE7A29CEC
PID: 1092 ( 988) C:\SOFTWARE\NORMAN2\Nvc\BIN\ZLH.EXE
size: 90112
MD5: ED56E42CFD7D53AF4453C4253EAA17B0
PID: 1100 ( 988) C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
size: 364544
MD5: 612495556C82E4C85C920D6A8B78964B
PID: 992 ( 988) C:\Software\quickt\iTunesHelper.exe
size: 278528
MD5: A8CF3F60099EAA123DB72611CE7BE271
PID: 1116 ( 988) C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
size: 212992
MD5: 917BAFA5FC295611A401692F56DA7829
PID: 1148 (1084) C:\WINNT\System32\Tdevdetect.exe
size: 53248
MD5: 013BF48FB149235CE1A2EBA9058983B5
PID: 1152 ( 988) C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
size: 151552
MD5: F15FCBB20FE82674F48A60A37E5BA45A
PID: 1160 (1084) C:\WINNT\System32\Tfunckey.exe
size: 147456
MD5: D4DBB6B88C83B2F4A6FCEBDE778B5D2A
PID: 1172 (1084) C:\WINNT\System32\Tpwricon.exe
size: 39936
MD5: 3C820B34D93084DE925351DB2B523FB3
PID: 1196 ( 988) C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
size: 82026
MD5: 21189B8F2D747B6981A54D5C5D554C8E
PID: 1208 ( 988) C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
size: 32881
MD5: D7B9BE63C406103EE1405FE473AC0697
PID: 1288 ( 228) C:\Program Files\iPod\bin\iPodService.exe
size: 323584
MD5: EDA049739349F0E837D4F55E8879D665
PID: 608 ( 988) C:\Software\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09CA174A605B480318731E691DC98539
PID: 8 ( 0) System
--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 15.05.2006 22:29:24
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINNT\SYSTEM32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://home.microsoft.com/access/autosearch.asp?p=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINNT\SYSTEM32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
The log continues:
--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Irda [IrDA]
GUID: {3972523D-2AF1-11D1-B655-00805F3642CC}
Filename: %SystemRoot%\system32\msafd.dll
Description: Infrared protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Irda [IrDA]
Protocol 1: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 2: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 3: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 4: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 5: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D2B45DAB-B957-41C1-9679-7436DB0BB03B}] SEQPACKET 9
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D2B45DAB-B957-41C1-9679-7436DB0BB03B}] DATAGRAM 9
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{23CEADFF-0F83-4655-8600-C54520302702}] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{23CEADFF-0F83-4655-8600-C54520302702}] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4943086B-B1E2-41AB-820A-90A01A87426E}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4943086B-B1E2-41AB-820A-90A01A87426E}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{70A45175-E4B6-42B2-84E2-4885F05E6D19}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{70A45175-E4B6-42B2-84E2-4885F05E6D19}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{DE826DE2-667D-47EA-8D63-116B69520B47}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{DE826DE2-667D-47EA-8D63-116B69520B47}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{406F021E-93A3-4D34-AE82-2346D9DE57BF}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{406F021E-93A3-4D34-AE82-2346D9DE57BF}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{6456A99E-055A-4D8D-81C4-9A0202184F1F}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip_{6456A99E-055A-4D8D-81C4-9A0202184F1F}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 20: MSAFD NetBIOS [\Device\NetBT_Tcpip_{095E3418-6515-4A13-A8F7-413020E17DFB}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 21: MSAFD NetBIOS [\Device\NetBT_Tcpip_{095E3418-6515-4A13-A8F7-413020E17DFB}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 22: MSAFD NetBIOS [\Device\NetBT_Tcpip_{93336D74-403A-456B-B8E5-CC7902CF7564}] SEQPACKET 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 23: MSAFD NetBIOS [\Device\NetBT_Tcpip_{93336D74-403A-456B-B8E5-CC7902CF7564}] DATAGRAM 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 24: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B7633015-602B-4E80-98B8-07508BC8692E}] SEQPACKET 8
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 25: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B7633015-602B-4E80-98B8-07508BC8692E}] DATAGRAM 8
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\rnr20.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP
Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS
--- Uninstall list ---
Ad-Aware SE Personal 1.06 (Ad-Aware SE Personal)
uninstall cmd: C:\SOFTWARE\AD-AWA~1\UNWISE.EXE C:\SOFTWARE\AD-AWA~1\INSTALL.LOG
publisher: Lavasoft
help link: http://www.lavasoft.com
(AddressBook)
Adobe Acrobat 5.0 5.0 (Adobe Acrobat 5.0)
version (major): 5
install location: C:\Program Files\Adobe\Acrobat 5.0
install source: D:\Acrobat 5\
uninstall cmd: C:\WINNT\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
publisher: Adobe Systems, Inc.
help link: http://www.adobe.com/prodindex/acrobat/main.html
AntiVir/XP (AntiVir/XP)
uninstall cmd: C:\Software\antivir\AVUNINST.EXE
publisher: H+BEDV Datentechnik GmbH
comments: -
contact: Support Forum
help link: http://www.free-av.de/forum
(Branding)
CDBurnerXP Pro (CDBurnerXP Pro )
uninstall cmd: C:\WINNT\iun6002.exe "C:\Software\cdburnerpro\irunin.ini"
Cisco Aironet Installation Wizard (CiscoInstallWizard)
uninstall cmd: C:\WINNT\Cisco\DInstall\IWSetup.exe /cp
(Connection Manager)
(DirectAnimation)
(DirectDrawEx)
DVDExpress (DVD Express A/V Pak)
uninstall cmd: C:\WINNT\IsUninst.exe -f"C:\Program Files\Mediamatics\DVDExpress\Uninst.isu" -c"C:\Program Files\Mediamatics\DVDExpress\mydll.dll"
(DXM_Runtime)
ewido anti-malware (ewidoantimalware)
install location: C:\Software\ewido anti-malware
uninstall cmd: C:\Software\ewido anti-malware\Uninstall.exe
publisher: ewido networks
help link: http://www.ewido.net
(expinst)
(Fontcore)
HijackThis 1.99.1 1.99.1 (HijackThis)
uninstall cmd: C:\Software\hijackthis\HijackThis.exe /uninstall
publisher: Soeperman Enterprises Ltd.
HP Photo Printing Software (HP Photo Printing Software)
uninstall cmd: C:\WINNT\IsUninst.exe -f"C:\Program Files\Hewlett-Packard\Photo Printing\Uninstall.isu" -c"C:\Program Files\Hewlett-Packard\Photo Printing\hpiunPC.dll
HP PSC 1400 series (HP PSC 1400 series_Driver)
uninstall cmd: rundll32 hpzcon12.dll,VendorJettison HP PSC 1400 series
hp psc 900 series - 2 (hp psc 900 series 1088493051)
uninstall cmd: C:\WINNT\system32\hpocon07.exe /u 1088493051 /d "hp psc 900 series"
(ICW)
Microsoft Internet Explorer 6 SP1 (IE40)
uninstall cmd: rundll32 C:\WINNT\system32\setupwbv.dll,IE6Maintenance C:\Program Files\Internet Explorer\IE Uninstall\W2KEXCP.EXE /u
(IE4Data)
(IE5BAKEX)
(IEData)
(IEREADME)
Internet Explorer Q832894 (ieupdate)
uninstall cmd: C:\WINNT\ieuninst.exe C:\WINNT\INF\Q832894.inf
(InstallShield Uninstall Information)
iTunes 6.0.2.23 (InstallShield_{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5})
version: 100663298
version (major): 6
estimated size: 34088
install date: 20060103
install location: C:\Software\quickt\
install source: C:\WINNT\Downloaded Installations\{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5}\
uninstall cmd: C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5} /l1033
publisher: Apple Computer, Inc.
contact: AppleCare Support
help link: http://www.info.apple.com/
help telephone: 1-800-275-2273
QuickTime 7.0.4 (InstallShield_{929408E6-D265-4174-805F-81D1D914E2A4})
version: 117440516
version (major): 7
estimated size: 68179
install date: 20060103
install location: C:\Program Files\QuickTime\
install source: C:\DOCUME~1\Bruker\LOCALS~1\Temp\_is6F\
uninstall cmd: C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{929408E6-D265-4174-805F-81D1D914E2A4} /l1033
publisher: Apple Computer, Inc.
contact: AppleCare Support
help link: http://www.info.apple.com/
help telephone: 1-800-275-2273
Windows 2000 Hotfix - KB329115 20031024.155236 (KB329115)
uninstall cmd: C:\WINNT\$NtUninstallKB329115$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=329115
Windows 2000 Hotfix - KB820888 20030604.152521 (KB820888)
uninstall cmd: C:\WINNT\$NtUninstallKB820888$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=820888
Windows 2000 Hotfix - KB822831 20030611.114034 (KB822831)
uninstall cmd: C:\WINNT\$NtUninstallKB822831$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=822831
Windows 2000 Hotfix - KB823182 20030618.121409 (KB823182)
uninstall cmd: C:\WINNT\$NtUninstallKB823182$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=823182
Windows 2000 Hotfix - KB823559 20030627.135515 (KB823559)
uninstall cmd: C:\WINNT\$NtUninstallKB823559$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=823559
Windows 2000 Hotfix - KB824105 20030716.151320 (KB824105)
uninstall cmd: C:\WINNT\$NtUninstallKB824105$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=824105
Windows 2000 Hotfix - KB824141 20030805.151423 (KB824141)
uninstall cmd: C:\WINNT\$NtUninstallKB824141$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=824141
Windows 2000 Hotfix - KB824146 20030823.144456 (KB824146)
uninstall cmd: C:\WINNT\$NtUninstallKB824146$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=824146
Windows 2000 Hotfix - KB825119 20030827.151123 (KB825119)
uninstall cmd: C:\WINNT\$NtUninstallKB825119$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=825119
Windows 2000 Hotfix - KB826232 20031007.160553 (KB826232)
uninstall cmd: C:\WINNT\$NtUninstallKB826232$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=826232
Windows 2000 Hotfix - KB828028 20040122.114409 (KB828028)
uninstall cmd: C:\WINNT\$NtUninstallKB828028$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=828028
Windows 2000 Hotfix - KB828035 20031023.142138 (KB828035)
uninstall cmd: C:\WINNT\$NtUninstallKB828035$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=828035
Windows 2000 Hotfix - KB828749 20031023.124056 (KB828749)
uninstall cmd: C:\WINNT\$NtUninstallKB828749$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=828749
Windows 2000 Hotfix - KB829558 20030929.142857 (KB829558)
uninstall cmd: C:\WINNT\$NtUninstallKB829558$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=829558
(Microsoft NetShow Player 2.0)
(MobileOptionPack)
(MPlayer2)
(MsJavaVM)
(Nero - Burning Rom!UninstallKey)
uninstall cmd: C:\Software\nero\nero\uninstall\UNNERO.exe /UNINSTALL
Nero PhotoShow Express 3.0 (Nero PhotoShow Express)
version (major): 3
install location: C:\Software\nero\Nero PhotoShow\Nero PhotoShow Express.exe
uninstall cmd: "C:\Software\nero\Nero PhotoShow\data\Xtras\Uninstall.exe"
publisher: Simple Star, Inc.
help link: http://www.simplestar.com/support
Nero Suite (NeroMultiInstaller!UninstallKey)
uninstall cmd: C:\Program Files\Common Files\Nero\Uninstall\Setupx.exe /uninstall ExtraUninstallID=""
(NeroVision!UninstallKey)
uninstall cmd: C:\WINNT\UNNeroVision.exe /UNINSTALL
(NetMeeting)
National Instruments Software (NI Uninstaller)
uninstall cmd: "C:\Software\NationalInstruments\shared\NIUninstaller\uninst.exe"
help link: http://www.ni.com/support/
(NMPUninstallKey)
uninstall cmd: C:\WINNT\UNNMP.exe /UNINSTALL
Outlook Express Update Q330994 (oeupdate)
uninstall cmd: C:\WINNT\Q330994.exe C:\WINNT\INF\Q330994.inf
op (op)
uninstall cmd: C:\SOFTWARE\op\UNINST\unwise.exe C:\SOFTWARE\op\UNINST\INSTALL.LOG
Opera (Opera)
uninstall cmd: C:\SOFTWARE\op\UNINST\UNWISE.EXE C:\SOFTWARE\op\UNINST\Install.log
(OutlookExpress)
Paint Shop Pro 5.0 Evaluation (Paint Shop Pro 5.0 Evaluation)
uninstall cmd: C:\SOFTWARE\PAINTS~1\UNWISE.EXE C:\SOFTWARE\PAINTS~1\INSTALL.LOG
Windows 2000 Hotfix (SP5) Q818043 20030501.174006 (Q818043)
uninstall cmd: C:\WINNT\$NtUninstallQ818043$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=818043
Windows Media Player Hotfix [See Q828026 for more information] (Q828026)
uninstall cmd: C:\WINNT\$NtUninstallQ828026$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=828026
S3 Gamma Utility (S3 Gamma)
uninstall cmd: s3uninst.exe GammaUninstall.NT 5 s3savmx.inf
S3DuoView+ Utility (S3DUOVUE)
uninstall cmd: s3uninst.exe S3DuovueUninstall.NT 5 s3savmx.inf
(SchedulingAgent)
Macromedia Flash Player 8 8 (ShockwaveFlash)
uninstall cmd: RunDll32 advpack.dll,LaunchINFSection C:\WINNT\INF\swflash.inf,DefaultUninstall,5
publisher: Macromedia
help link: http://www.macromedia.com/go/flashplayer_support/
The log continues:
Spybot - Search & Destroy 1.4 1.4 (Spybot - Search & Destroy_is1)
install location: C:\Software\Spybot - Search & Destroy\
uninstall cmd: "C:\Software\Spybot - Search & Destroy\unins000.exe"
publisher: Safer Networking Limited
TOSHIBA Display Power Save (TDPSV)
uninstall cmd: C:\WINNT\IsUninst.exe -f"C:\Program Files\TDPSV\Uninst.isu"
TextPad 4 (TextPad 4)
uninstall cmd: C:\WINNT\IsUninst.exe -fc:\software\texpad\Uninst.isu
Toshiba Mobile Extension V1.00.03.00 (TME)
uninstall cmd: C:\WINNT\IsUninst.exe -f"C:\Program Files\TOSHIBA\TME\Uninst.isu" -c"C:\Program Files\TOSHIBA\TME\uninst.dll"
Toshiba Internal Modem User's Guide (Toshiba Modem Manual)
uninstall cmd: C:\WINNT\IsUninst.exe -fC:\Toshiba\Manuals\UnInstUOM.isu
Toshiba User's Manual (Toshiba Online Manual)
uninstall cmd: C:\WINNT\IsUninst.exe -fC:\Toshiba\Manuals\UnInstModem.isu
TOSHIBA Power Extension2 (TOSHIBA Power Extension2)
uninstall cmd: TPWRDEL.EXE
TOSHIBA Utilities (TOSHIBA Utilities)
uninstall cmd: tutildel.exe
Total Commander (Remove or Repair) (Totalcmd)
uninstall cmd: c:\System\Tc603\tcuninst.exe
WinZip (WinZip)
uninstall cmd: "C:\Software\WinZip8\WINZIP32.EXE" /uninstall
Systemoppdatering for Windows Media Player (9 Series) (WMP7)
uninstall cmd: C:\PROGRA~1\WINDOW~2\setup_wm.exe /Uninstall
XoftSpy (XoftSpy)
uninstall cmd: C:\Software\XoftSpy\uninstall.exe
Yahoo! Toolbar (Yahoo! Companion)
uninstall cmd: rundll32.exe C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\YCOMP5~1.DLL,DllCommand ui
Yahoo! Internet Mail (Yahoo! Internet Mail)
uninstall cmd: C:\WINNT\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
Yahoo! Messenger Explorer Bar (Yahoo! Messenger Explorer Bar)
uninstall cmd: C:\WINNT\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\MESSEN~1\YHEXBM~1.DLL
Microsoft Office 2000 SR-1 Premium 9.00.3821 ({00000409-78E1-11D2-B60F-006097C998E7})
version: 150998765
version (major): 9
estimated size: 240290
install date: 20040405
install source: D:\
uninstall cmd: MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
publisher: Microsoft Corporation
help link: http://www.microsoft.com/support
readme: C:\Program Files\Microsoft Office\Office\ofread9.txt
NI LabVIEW Advanced Analysis 7.0 Evaluation 7.0 ({09CBDFA4-59FF-4143-B7B5-DFD8E6431886})
version: 117440512
version (major): 7
estimated size: 50419
install date: 20040616
install source: D:\components\lvadvanalysis\
publisher: National Instruments
Picture Package 1.00.000 ({1E2F8AE3-3437-44E6-BB75-E95751D6B83F})
version: 16777216
install location: C:\Program Files\Sony Corporation\Picture Package
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1E2F8AE3-3437-44E6-BB75-E95751D6B83F}\setup.exe" -l0x9 UNINSTALL
YAMAHA DS-XG WDM ({3E0B8A20-B239-11D3-9850-00C04F7AC096})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3E0B8A20-B239-11D3-9850-00C04F7AC096}\setup.exe" maintenance
Microsoft Windows Journal Viewer 1.5.2315.3 ({43DCF766-6838-4F9A-8C91-D92DA586DFA7})
version: 17107211
version (major): 1
version (minor): 5
estimated size: 6962
install date: 20040212
install source: C:\DOCUME~1\Bruker\LOCALS~1\Temp\IXP000.TMP\
uninstall cmd: MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
publisher: Microsoft
comments: A viewer for Windows Journal documents.
contact: Microsoft
NI Uninstaller 1.1.1f1 1.11.20 ({4BEC2867-0BF7-4A87-B459-003E3F20AFB1})
version: 17498132
version (major): 1
version (minor): 11
estimated size: 1068
install date: 20040616
install source: D:\components\mu\
publisher: National Instruments
Macromedia Flash Player 7.0.14.0 ({4ecaf021-478c-40c1-b777-3368a15f9966})
version: 117440526
version (major): 7
estimated size: 2
install date: 20060103
install source: C:\DOCUME~1\Bruker\LOCALS~1\Temp\{4FFADF71-9FD0-41C5-A690-D2E39D8C29FA}\{1E2F8AE3-3437-44E6-BB75-E95751D6B83F}\
uninstall cmd: MsiExec.exe /X{4ecaf021-478c-40c1-b777-3368a15f9966}
publisher: Macromedia, Inc.
iTunes 6.0.2.23 ({501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5})
version: 100663298
version (major): 6
estimated size: 34088
install date: 20060103
install location: C:\Software\quickt\
install source: C:\WINNT\Downloaded Installations\{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5}\
publisher: Apple Computer, Inc.
contact: AppleCare Support
help link: http://www.info.apple.com/
help telephone: 1-800-275-2273
NI LabVIEW Run-Time Engine 7.1 7.1.157 ({518930BE-7875-4547-B026-20B92F695781})
version: 117506205
version (major): 7
version (minor): 1
estimated size: 67584
install date: 20040722
install source: C:\Wfa\Programs\RTEngine71\
publisher: National Instruments
({5B239A98-4222-4D8C-AF38-1A8EC07F956B})
Sony USB Driver ({5C29CB8B-AC1E-4114-8D68-9CD080140D4A})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALL
({5D0930A0-1033-433A-8BB9-602665550DD0})
({6041B9C1-775E-4C6A-AECE-70C39CAED90A})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6041B9C1-775E-4C6A-AECE-70C39CAED90A}\SETUP.EXE"
NI LabVIEW Picture Control Toolkit 7.0 Evaluation 7.0 ({6B786922-F93C-4C99-B6CA-66DD0C4B88CA})
version: 117440512
version (major): 7
estimated size: 5061
install date: 20040616
install source: D:\components\lvpicture\
publisher: National Instruments
WebFldrs 9.00.3501 ({6F716D8C-398F-11D3-85E1-005004838609})
version: 150998445
version (major): 9
estimated size: 2644
install date: 20000308
install source: C:\WINNT\System32\
publisher: Microsoft Corporation
help link: http://www.microsoft.com/windows
Java 2 Runtime Environment, SE v1.4.2_04 1.4.2_04 ({7148F0A8-6813-11D6-A77B-00B0D0142040})
version (major): 1
version (minor): 4
estimated size: 110144
install date: 20040617
install source: C:\Documents and Settings\Bruker\Local Settings\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142040}\
uninstall cmd: MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142040}
publisher: Sun Microsystems, Inc.
comments: http://www.java.com
contact: http://www.java.com
help link: http://www.java.com
help telephone: http://www.java.com
readme: Readme.txt
NI LVBrokerAux70 1.0.03013 ({735AF21E-5436-4780-88F7-B5508F043A40})
version: 16780229
version (major): 1
estimated size: 178
install date: 20040616
install source: D:\components\lvbrokeraux70\
publisher: National Instruments
NI LabVIEW Run-Time Engine 7.0 7.0 ({73D3BADE-EC2F-4A5C-8F80-CB68AB704FF3})
version: 117440512
version (major): 7
estimated size: 30522
install date: 20040616
install source: D:\components\lvruntimeeng\
publisher: National Instruments
HP Share-to-Web ({748F4870-8350-11D3-B0BF-080009FB4A19})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{748F4870-8350-11D3-B0BF-080009FB4A19}\setup.exe" %MAIN -l9
Norman Internet Control ({74C8BF56-6618-49AA-98BA-862223900CBF})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Software\Norman2\NVC\BIN\DelNVC5.exe"
QuickTime 7.0.4 ({929408E6-D265-4174-805F-81D1D914E2A4})
version: 117440516
version (major): 7
estimated size: 68179
install date: 20060103
install location: C:\Program Files\QuickTime\
install source: C:\DOCUME~1\Bruker\LOCALS~1\Temp\_is6F\
publisher: Apple Computer, Inc.
contact: AppleCare Support
help link: http://www.info.apple.com/
help telephone: 1-800-275-2273
({B6CB604F-CC59-480B-90FB-C15E80FB81A2})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B6CB604F-CC59-480B-90FB-C15E80FB81A2}\Setup.exe"
Sony Ericsson PC Suite 1.0.16 ({C037D08B-4883-491D-9329-DC5ACA90F797})
version: 16777232
version (major): 1
estimated size: 117233
install date: 20060103
install location: C:\Program Files\Sony Ericsson\Mobile\
install source: C:\WINNT\Downloaded Installations\{66D8C376-87FE-4A10-A39A-2D775C361BDC}\
uninstall cmd: MsiExec.exe /I{C037D08B-4883-491D-9329-DC5ACA90F797}
publisher: Sony Ericsson
contact: Sony Ericsson Technical Support
help link: http://www.sonyericsson.com
help telephone: 1-555-555-4505
NI LabVIEW Full 7.0 Evaluation 7.0 ({C1B6247F-F7D2-4246-A23D-93ADB787D2D3})
version: 117440512
version (major): 7
estimated size: 38567
install date: 20040616
install source: D:\components\lvcorefull\
publisher: National Instruments
({C75C9B85-4D7B-4E8B-8BDB-60C737610C2D})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C75C9B85-4D7B-4E8B-8BDB-60C737610C2D}\Setup.exe"
Microsoft .NET Framework 1.1 1.1.4322 ({CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1})
version: 16847074
version (major): 1
version (minor): 1
estimated size: 40392
install date: 20040212
install source: C:\DOCUME~1\Bruker\LOCALS~1\Temp\IXP000.TMP\
uninstall cmd: MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
publisher: Microsoft
readme: file://C:\WINNT\Microsoft.NET\Framework\v1.1.4322\1033\RepairRedist.htm
1.00.0000 ({CBE9E8B5-95B3-4E24-A5CA-55503502DFCB})
version: 16777216
version (major): 1
estimated size: 235922
install date: 20040629
install source: D:\Setup\
uninstall cmd: MsiExec.exe /X{CBE9E8B5-95B3-4E24-A5CA-55503502DFCB}
publisher: Hewlett-Packard
comments:
contact:
help link: http://www.officejetsupport.com
help telephone:
readme:
NI LabVIEW 7.0 Evaluation 7.0.0.140 ({CD93514F-7048-4DE7-BC20-8A867CD75C9A})
version: 117440512
version (major): 7
estimated size: 194579
install date: 20040616
install source: D:\components\lvcore\
publisher: National Instruments
({E01ADB17-4514-401F-ADE2-815946A651D6})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E01ADB17-4514-401F-ADE2-815946A651D6}\Setup.exe"
NI LVBroker 1.0.03013 ({E7BAFF4D-D4B0-4508-A370-743D49EFC28F})
version: 16780229
version (major): 1
estimated size: 78
install date: 20040616
install source: D:\components\lvbroker\
publisher: National Instruments
NI LabVIEW Service Locator 1.0 1.0.0 ({EC60B018-251A-47E7-A838-CECB70AE46EF})
version: 16777216
version (major): 1
estimated size: 86
install date: 20040616
install source: D:\components\svcloc\
publisher: National Instruments
help link: http://www.ni.com/support/
NI LabVIEW CIN Tools 7.0 Evaluation 7.0 ({F1311DB3-6734-4B4B-8F93-962BABB2F4C6})
version: 117440512
version (major): 7
estimated size: 1621
install date: 20040616
install source: D:\components\lvcin\
publisher: National Instruments
NI Instrument IO Assistant for LabVIEW 7.0 1.0.03013 ({FD950A83-5FA5-47F2-B0B1-296023420CB1})
version: 16780229
version (major): 1
estimated size: 280
install date: 20040616
install source: D:\components\lv70iioa\
publisher: National Instruments
--------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 00:17:58, on 16.05.2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Software\antivir\AVWUPSRV.EXE
C:\WINNT\System32\cisvc.exe
C:\Software\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\niSvcLoc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\WINNT\System32\Tmesbs2.exe
C:\Program Files\TOSHIBA\TME\Tmesrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\S3tray.exe
C:\WINNT\system32\TPWRTRAY.EXE
C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
C:\WINNT\System32\Tdevdetect.exe
C:\Software\quickt\iTunesHelper.exe
C:\WINNT\System32\Tfunckey.exe
C:\WINNT\System32\Tpwricon.exe
C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Software\hijackthis\HijackThis.exe
C:\Program Files\iPod\bin\iPodService.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
O4 - HKLM\..\Run: [iTunesHelper] "C:\Software\quickt\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\Software\nero\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - Global Startup: TSBxLogon.lnk = C:\WINNT\system32\TMESBS2.exe
O4 - Global Startup: TMExLogon.lnk = C:\Program Files\TOSHIBA\TME\TMESRV.EXE
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D1EA8D3D-F511-4388-B754-4A0CC14A4778} (Aurigma Image Uploader 3.0 Control) - http://www.eurofoto.no/activex/ImageUploader3.cab
O20 - Winlogon Notify: AutorunsDisabled - C:\WINNT\
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Software\antivir\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Software\antivir\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Software\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINNT\system32\netbtd.exe (file missing)
O23 - Service: NILM License manager - Macrovision Corporation - C:\Software\NationalInstruments\shared\License Manager\Bin\lmgrd.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\SOFTWARE\NORMAN2\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINNT\system32\niSvcLoc.exe
O23 - Service: Network DRV (NTDRV) - Unknown owner - C:\WINNT\system32\netdrvr.exe (file missing)
O23 - Service: THotkey (THOTKEY) - TOSHIBA Corp. - C:\WINNT\SYSTEM32\THOTKEY.EXE
O23 - Service: tmesbs2 (Tmesbs) - Toshiba Corporation - C:\WINNT\System32\Tmesbs2.exe
O23 - Service: Tmesrv - Unknown owner - C:\Program Files\TOSHIBA\TME\Tmesrv.exe" /Service (file missing)
-- end of logs
CalamityJane
2006-05-19, 02:43
Please download, install, and update the free version of Ewido AntiMalware:
http://www.ewido.net/en/download/
[1] From the main ewido screen, click on update in the left menu, then click the Start update button.
[2] After the update finishes (the status bar at the bottom will display "Update successful"), close the program after updating (don't scan with it yet, we'll do that in SAFE MODE).
Copy the following instructions to have handy as you will need to be offline, in SAFE MODE and with IE closed so you will not be able to view this page during the process.
Reboot your PC into SAFE MODE
How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam
Next, run a scan with Ewido.
[3] Click on the Scanner button in the left menu, then click on the Complete System Scan button. This scan can take quite a while to run, so please be patient.
[4] If Ewido finds anything, it will pop up a notification. You can select "remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
[5] When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Copy and paste the results from that scan back here please for review :)
*Note: Ewido is a free trial product for 14 days. After that you can purchase it for full features OR you can also keep the free version to use as an on-demand scanner (recommended).
You will still be able to manually update Ewido using the *update* button :)
This topic is closed; if you need it re-opened, please send me or your helper a PM and provide a link to the thread.
Thank you, CalamityJane.